After a few months of running a completely anonymous file share, where files could be listed and written, set up by following the guide by Nikola Radosavljevic, our security team wasn’t happy with completely anonymous file shares with both write and list ability. It was security by obscurity, so it was my job to revise the share permissions and refresh my memory on how this all worked.
Group policy changes with gpedit.msc
To allow anonymous/guest access, going back to Nikola’s guide above, I navigated to:
Computer Configuration => Windows Settings => Security Settings => Local Policies => Security Options
and made the following changes:
- Accounts: Guest account status – change to Enabled
- Network access: Let Everyone permissions apply to anonymous users – change to Enabled
- Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
- Network access: Shares that can be accessed anonymously – enter name of share you created in the text field.
Steps to creating the share
- Create the folder you want to share.
- Right click on the folder, choose Properties and click on the Sharing tab. Check off Share this folder and click on Permissions. You should add the Everyone group to the groups of users. I had Full Control, Change, Read checked off but you could probably get away with lower level permissions if needed.
- Once you are done with that click on the Security tab and also add the Everyone group to the folder. You can choose the level of permissions you are comfortable with.
Deviation from Nikola’s original guide.
These were changes that weren’t necessary to get anon working.
- Since we changed Network access: Let Everyone permissions apply to anonymous users to Enabled, we don’t need to add the Anonymous User + guest user as shown in the guide.
Important notes
- There are two sets of permissions, share level permissions + NTFS level permissions. You can find out more about this here
- The permissions you set when you are sharing the folder under Advanced Sharing are known as the share level permissions.
- The permissions under Security are the NTFS level permissions.
Mistakes I made.
If you want a user to be able to read the contents of a share or write to it, you also have to give them permissions under the Security tab of the folder, which are NTFS permissions. I spent a bit of time getting frustrated at why I kept getting access denied when trying to mount the share.
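The four policy settings and both permission layers described above can be read back in one pass, which makes it easier to see which layer is granting or blocking access. This is an added example, not part of the original post or Nikola's guide; it assumes an elevated PowerShell prompt on the file server, English default account names, and a placeholder share name `ExampleShare`.

```powershell
# Added example: read-only audit; changes nothing on the server.
# 'ExampleShare' is a placeholder share name.
param([string]$ShareName = 'ExampleShare')

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# The four Security Options settings from the post, read from the local
# Guest account and the registry values behind the policies (1 = Enabled).
[pscustomobject]@{
    'Guest account enabled'               = (Get-LocalUser -Name 'Guest').Enabled
    'Everyone applies to anonymous'       = (Get-ItemProperty -Path $lsa).EveryoneIncludesAnonymous
    'Restrict anonymous pipes and shares' = (Get-ItemProperty -Path $srv).RestrictNullSessAccess
    'Shares accessible anonymously'       = (Get-ItemProperty -Path $srv).NullSessionShares -join ', '
} | Format-List

# Principals an anonymous or guest session can match (English names assumed).
$broad = 'Everyone', 'ANONYMOUS LOGON', 'Guest', 'Guests'

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: share level permissions (Sharing tab > Permissions).
$shareRows = @(Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    [pscustomobject]@{
        Layer = 'Share'; Principal = $_.AccountName
        Type  = "$($_.AccessControlType)"; Rights = "$($_.AccessRight)"
    }
})

# Layer 2: NTFS permissions (Security tab) on the shared folder.
$ntfsRows = @((Get-Acl -Path $share.Path).Access | ForEach-Object {
    [pscustomobject]@{
        Layer = 'NTFS'; Principal = $_.IdentityReference.Value
        Type  = "$($_.AccessControlType)"; Rights = "$($_.FileSystemRights)"
    }
})

# Both layers must allow an operation for it to succeed over SMB,
# so list the broad entries from each layer side by side.
($shareRows + $ntfsRows) |
    Where-Object { ($_.Principal -split '\\')[-1] -in $broad } |
    Format-Table -AutoSize
```

A share row granting Full or Change to Everyone with no matching NTFS row reproduces the access denied case above; broad rows in both layers are the ones to tighten when list or write access should be removed.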