After a few months of running a completely anonymous file share, set up by following the guide by Nikola Radosavljevic, where anyone could both list and write files, our security team wasn't happy with an anonymous share that allowed both write and list access. That is security by obscurity, so it was my job to revise the share permissions and refresh my memory on how this all worked.
Group policy changes with gpedit.msc
To allow anonymous/guest access, going back to Nikola's guide above, I navigated to:
Computer Configuration => Windows Settings => Security Settings => Local Policies => Security Options and made the following changes:
- Accounts: Guest account status – change to Enabled
- Network access: Let Everyone permissions apply to anonymous users – change to Enabled
- Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
- Network access: Shares that can be accessed anonymously – enter the name of the share you created in the text field.
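The four Security Options above are stored in the registry once Local Group Policy applies them, so their effective state can be read back without opening gpedit.msc. The script below is an added example, not part of the original post: it reads each policy's backing value and reports whether the machine is in the "anonymous access enabled" state the post describes or in the default hardened state. It assumes the documented registry locations for these policies and the Microsoft.PowerShell.LocalAccounts module for Get-LocalUser; the share name anonshare is a constructed placeholder. On a domain-joined machine a domain GPO can overwrite these values at the next refresh, so read them after gpupdate.

```powershell
# Added example (not from the original post): audit the four anonymous-access
# policies by reading their registry-backed values.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # A missing value means the policy is "not defined"; report the OS default instead.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Guest account status is an account property, not a registry value.
$guest      = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$guestState = if ($guest -and $guest.Enabled) { 'Enabled' } else { 'Disabled' }

# For each policy: current value, the value the post sets (AnonOn) and the
# default/hardened value expected on a machine that offers no anonymous shares.
$checks = @(
    [pscustomobject]@{ Policy   = 'Accounts: Guest account status'
                       Current  = $guestState; AnonOn = 'Enabled'; Hardened = 'Disabled' }
    [pscustomobject]@{ Policy   = 'Network access: Let Everyone permissions apply to anonymous users'
                       Current  = (Get-RegValueOrDefault $lsa 'EveryoneIncludesAnonymous' 0)
                       AnonOn   = 1; Hardened = 0 }
    [pscustomobject]@{ Policy   = 'Network access: Restrict anonymous access to Named Pipes and Shares'
                       Current  = (Get-RegValueOrDefault $srv 'RestrictNullSessAccess' 1)
                       AnonOn   = 0; Hardened = 1 }
    [pscustomobject]@{ Policy   = 'Network access: Shares that can be accessed anonymously'
                       Current  = ((Get-RegValueOrDefault $srv 'NullSessionShares' @()) -join ',')
                       AnonOn   = 'anonshare'   # constructed placeholder share name
                       Hardened = '' }
)

foreach ($c in $checks) {
    # Compare as strings so REG_DWORD and string-valued policies share one rule.
    $cur = "$($c.Current)"
    $state = 'non-default'
    if ($cur -eq "$($c.Hardened)")  { $state = 'hardened (default)' }
    elseif ($cur -eq "$($c.AnonOn)") { $state = 'ANONYMOUS ACCESS ENABLED' }
    '{0,-75} current={1,-12} -> {2}' -f $c.Policy, $cur, $state
}
```

Run it from an elevated prompt before and after the gpedit changes; any line reporting "ANONYMOUS ACCESS ENABLED" is a setting that should be reverted once the anonymous share is no longer needed.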
Steps to creating the share
- Create the folder you want to share.
- Right click on the folder, choose Properties and click on the Sharing tab. Check Share this folder, then click on Permissions. Add the Everyone group to the list of groups or users. I had Full Control, Change and Read checked, but you could probably get away with lower-level permissions if needed.
- Once you are done with that, click on the Security tab and also add the Everyone group to the folder. You can choose the level of permissions you are comfortable with.
Deviation from Nikola's original guide.
These were changes that weren't necessary to get anonymous access working.
- Since we enabled Network access: Let Everyone permissions apply to anonymous users, we don't need to add the Anonymous User and Guest user as shown in the guide.
- There are two sets of permissions: share-level permissions and NTFS-level permissions. You can find out more about this here.
- The permissions you set when you are sharing the folder under Advanced Sharing are known as the share-level permissions.
- The permissions under Security are the NTFS-level permissions.
Mistakes I made.
If you want a user to be able to read the contents of a share or write to it, you also have to give them permissions under the Security tab of the folder, which are the NTFS permissions. I spent a bit of time getting frustrated at why I kept getting access denied when trying to mount the share.
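The share-creation steps and the two-layer permission model above can be reproduced and checked from PowerShell, which makes the "access denied" mistake easy to spot. The script below is an added example, not the post's own procedure: it creates the share, grants Everyone at both the share level (New-SmbShare) and the NTFS level (Set-Acl), reads both layers back, and then lists every non-administrative share where Everyone is granted at one layer but not the other. The path C:\Shares\anonshare and the share name are constructed for the example, and it grants read-only access at both layers rather than the Full Control the post used; it assumes the SmbShare module that ships with Windows 8/Server 2012 and later. Effective access is the more restrictive of the two layers, so both must grant at least the access you intend.

```powershell
# Added example (not from the original post): set both permission layers and
# detect shares where they disagree.
$path  = 'C:\Shares\anonshare'   # constructed path
$share = 'anonshare'             # constructed share name

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Layer 1: share-level permissions (the Advanced Sharing / Permissions dialog).
# Read only; use -ChangeAccess or -FullAccess only if writes are really required.
New-SmbShare -Name $share -Path $path -ReadAccess 'Everyone' | Out-Null

# Layer 2: NTFS permissions on the folder (the Security tab). Without this
# entry the share ACL alone still yields "access denied" when mounting.
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read both layers back.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# Report shares where Everyone is allowed at the share level but has no NTFS
# allow entry on the backing folder, or the reverse: the mismatch behind the
# access-denied errors described above.
function Get-ShareLayerMismatch {
    foreach ($s in Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }) {
        $shareGrant = Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and "$($_.AccessControlType)" -eq 'Allow' }
        $ntfsGrant  = (Get-Acl -Path $s.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and "$($_.AccessControlType)" -eq 'Allow' }
        [pscustomobject]@{
            Share      = $s.Name
            Path       = $s.Path
            ShareGrant = [bool]$shareGrant
            NtfsGrant  = [bool]$ntfsGrant
            Mismatch   = ([bool]$shareGrant) -ne ([bool]$ntfsGrant)
        }
    }
}
Get-ShareLayerMismatch | Format-Table -AutoSize
```

A row with Mismatch set to True is either the frustrating case from the post (share grants, NTFS does not) or the quieter opposite, where a folder is readable by Everyone on disk but not exposed through the share; both are worth reviewing when tightening the share.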