How to create an anonymous file share in Windows 2012
  02-09-2018 · 2 minute read · 415 words

After a few months of running a completely anonymous file share where files could be listed and written, set up by following this guide by Nikola Radosavljevic, our security team wasn’t happy with completely anonymous file shares that allowed both write and list access. Security by obscurity, so it was my job to revise the share permissions and refresh my memory on how this all worked.

Group policy changes with gpedit.msc

To allow anonymous/guest access, going back to Nikola’s guide above, I navigated to Computer Configuration => Windows Settings => Security Settings => Local Policies => Security Options and made the following changes:

- Accounts: Guest account status – change to Enabled 
- Network access: Let Everyone permissions apply to anonymous users – change to Enabled
- Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
- Network access: Shares that can be accessed anonymously – enter name of share you created in the text field.

Steps to creating the share

  1. Create the folder you want to share.
  2. Right-click the folder, choose Properties and click on the Sharing tab. Check off Share this folder and click on Permissions. You should add the Everyone group to the groups of users. I had Full Control, Change, Read checked off but you could probably get away with lower level permissions if needed.
  3. Once you are done with that click on the Security tab and also add the Everyone group to the folder. You can choose the level of permissions you are comfortable with.

Deviation from Nikola’s original guide.

These were changes that weren’t necessary to get anon working.

  • Since we set Network access: Let Everyone permissions apply to anonymous users to Enabled, we don’t need to add the Anonymous User + guest user as shown in the guide.

Important notes

  • There are two sets of permissions, share level permissions + NTFS level permissions. You can find out more about this here
  • The permissions you set when you are sharing the folder under Advanced Sharing are known as the share level permissions.
  • The permissions under Security are the NTFS level permissions.

Mistakes I made.

If you want a user to be able to read the contents of a share or write to it, you also have to give them permissions under the Security tab of the folder, which are the NTFS permissions. I spent a bit of time getting frustrated over why I kept getting access denied when trying to mount the share.
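
The settings above can be read back from PowerShell on the server. The following is an added example, not part of the original post or Nikola’s guide: a read-only audit that reports the four Security Options and compares what Everyone is granted at the share level and at the NTFS level. `ExampleShare` is a placeholder share name, and the registry value names are the ones that back those policy settings.

```powershell
# Added example: read-only audit of the settings changed in this post.
# 'ExampleShare' is a placeholder share name; run elevated on the file server.
param([string]$ShareName = 'ExampleShare')

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Resolve "Everyone" from its well-known SID so this works on localized builds.
$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value

# The built-in Guest account always has RID 501, whatever it was renamed to.
$guest = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like '*-501' }

# The four Security Options from the group policy section.
[pscustomobject]@{
    GuestAccountEnabled       = -not $guest.Disabled
    EveryoneIncludesAnonymous = (Get-ItemProperty $lsa).EveryoneIncludesAnonymous -eq 1
    RestrictNullSessAccess    = (Get-ItemProperty $srv).RestrictNullSessAccess -ne 0
    NullSessionShares         = (Get-ItemProperty $srv).NullSessionShares -join ', '
} | Format-List

# Layer 1: share-level permissions (Sharing tab).
$shareAces = @(Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $everyone -and $_.AccessControlType -match 'Allow' })

# Layer 2: NTFS permissions (Security tab) on the folder behind the share.
$path     = (Get-SmbShare -Name $ShareName).Path
$ntfsAces = @((Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $everyone -and $_.AccessControlType -eq 'Allow' })

$shareAces | Format-Table AccountName, AccessRight -AutoSize
$ntfsAces  | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Both layers must allow an action, so compare them.
$write      = [System.Security.AccessControl.FileSystemRights]::WriteData
$shareWrite = @($shareAces | Where-Object { $_.AccessRight -match 'Full|Change' }).Count -gt 0
$ntfsWrite  = @($ntfsAces  | Where-Object { $_.FileSystemRights -band $write }).Count -gt 0

if ($shareAces.Count -gt 0 -and $ntfsAces.Count -eq 0) {
    Write-Warning "$everyone is on the share but not on $path; expect access denied."
}
if ($shareWrite -and $ntfsWrite) {
    Write-Warning "$everyone can write to '$ShareName' through both permission layers."
}
```

The first warning is the access denied case described above; the second is the write-enabled anonymous share that the security team objected to.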
