Creating network share with anonymous access

I needed to create a network share on Windows server machine which would require no authentication whatsoever from users. This post is intended to serve me as a reminder, since googling the solution every time eats easily away hours.

Settings which need to be changed of course depend on version of Windows of network share host. This post describes how to do it on a Windows 2012 R2.

Rougly what needs to be done is:

  • network share should be created
  • share permissions need to be set
  • security settings need to be changed

In more words:

  1. Share a folder by opening folder properties, navigating to Sharing tab and clicking
    Advanced Sharing…
    2015-03-10_18-34-08
  2. Enable sharing and click Permissions
    2015-03-10_18-34-35
  3. Add Everyone (should already be there), Guest and ANONYMOUS LOGON and give them Read access
    2015-03-10_18-35-07
  4. Open Group Policy Editor (hit Ctrl+R, type gpedit.msc and hit enter)
  5. Navigate to Computer Configuration → Windows Settings → Security Options
    2015-03-10_18-50-30
  6. Change following:
    • Accounts: Guest account status – change to Enabled
    • Network access: Let Everyone permissions apply to anonymous users – change to Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
    • Network access: Shares that can be accessed anonymously – enter name of share you created in the text field
      2015-03-10_18-49-23

This let me access the share \\<MachineName>\Share without providing any login information.

Running Windows 8.1? With how similar these two OSs seem, you’d expect this would be enough. However, it is not. For Windows 8.1, Microsoft recommends using Home groups. It is still possible to get conventional file share working, but I have not had time to try this out and it doesn’t seem a good security practice. I’ll just refer you to a find I stumbled upon on MS Technet Forums. Essentially what it suggests is using LanMan level 1 compatibility mode which would allow OS to accept LM authentication (in addition to NTLMv2). I’m not going to pretend to understand what kind of repercussions this has on machine security so I won’t recommend you to do it outside of your home LAN, and maybe not even there if it’s exposed over WiFi.

2015-03-11_13-07-44

  • Vitorio

    Thanks Nikola! You saved my day with this post. I’m relaying your instructions on my blog https://vitoriodelage.wordpress.com/2016/04/07/creating-an-anonymous-smb-network-share/ Is that OK for you?

  • Boris Gjenero

    Thank you. This let Kodi on my Raspberry Pi access Windows 7 shares. Logins as Guest were failing, and anyways, needing to log in as Guest is very silly.

    Seems like “Restrict anonymous access to Named Pipes and Shares” is not needed. The name certainly implies it’s not needed because we’re talking about shares here. The Guest user isn’t needed with these settings, so I disabled it. You can also set RestrictAnonymous to 1: https://support.microsoft.com/en-us/kb/246261 . I don’t know why I wasn’t able to accomplish this simply by adding ANONYMOUS LOGON permissions, and why “Let Everyone permissions apply to anonymous users” was needed instead.

  • Boris Gjenero

    This also works in Windows 10 build 14393.10 (Anniversary Update). I had a folder with read access granted to everyone on an NTFS partition from before. First I used the Advanced Sharing button on the Sharing tab of folder properties to give it a share name. Then I opened Group Policy Editor, enabled “Network access: Let Everyone permissions apply to anonymous users” and added the share to “Network access: Shares that can be accessed anonymously”. That was enough; anonymous access worked from Kodi.

  • robross0606

    This no longer appears to work after upgrading to Windows 10 Anniversary Edition for me. No matter what I do I cannot get a share that previously worked fine to accept anonymous logon anymore. I’ve tried just about everything I can find on the web with no dice. From what I’m reading, this may have something to do with logging on using Microsoft Accounts on the machine which hosts the share. Another thing to note here is that this no longer works for non-windows clients (OSX, LInux CIFS, etc.) attempting to access the share.

  • Michael A

    Hi I have followed the above steps but on my client it gives the error ‘Logon failure: the user has not been granted the requested login type at this computer.’
    Is there any way to resolve that?

    I’m using Windows 7 SP1 (on both host and client machines)

  • Cor

    This is awesome Nikola! Finally I’ve been able to get my network share exactly how I wanted it.
    Everyone can just go to \Cor and find all my shared folder without having to authenticate. They can also read anything I’ve shared with everyone/guest/anonymous. And the folders not shared with those accounts remain inaccessible to them. That’s great. Thanks a lot.

    Just this isn’t clear yet: how does one authenticate in order to access the ‘password protected’ shared folders?

    • Herman Yanush

      Definitely not awesome. To do an obvious thing you need to change FOUR settings in the group policies and even enter the name of the share. Why should they be restricted by default? How in the world creating a share can harm my computer? The next thing is that in the computer I was asked to create a share (glad that my computer is already on linux for several years) the settings about pipes and shared resources have NO VALUES! Are they enabled or disabled? Linux is waaaay better in this aspect.

      • I’m also not certain this instructions are valid for Windows 10 or not. Likely there is an easier way to do file sharing, but people are increasingly relying on Dropbox and other file sharing services for such purposes. Those who need more likely have a doman server and a sysadmin who sets everything up.

        Why this is so difficult I don’t know. I suppose it has something to do with how security is implemented in the protocol (remember SMB exploit everyone talked and is still talking about, linked to WannaCry outbreak).

  • Thank you, this worked for me on Server 2012. My client has a CNC that runs on DOS and this solved the problem of connecting it to the server. Thanks!

  • tHE_uKER

    On step 5, the path within Policy editor is missing two nodes.
    It’s even visible in the screenshot you provide.
    The right path is
    Computer Configuration → Windows Settings → Security Configuration → Local Policies → Security Options
    Good guide though.

  • xanda escuyer

    We’ve got the same requirement but are running Windows 7 Home Premium (x64). This means no access to group policy editors and other tools consoles that come with the Professional and Ultimate editions.
    The system has password protected sharing disabled and has folder permissions set the same as in this example, yet clients still cannot access the shared folders using Guest – or any standard account that is not password protected. Even when a password is set for the Guest account, client requests are refused e.g. Mac OS X client is denied with “This file server does not allow Guest access”.
    We essentially have two issues:-
    i) Guest access to file/folder sharing is denied.
    ii) Passwords are required at all times for clients requesting folder sharing access.
    Ostensibly the system is configured to allow both to succeed so it appears the issue is a deeper one.
    The system was working fine until recently: it allowed non-password and Guest access to the resources. However it appears to have gone awry after some recent updates to Windows (the only change we can see).
    If anyone could shed some light we’d be very grateful. Thanks.