Creating network share with anonymous access

I needed to create a network share on Windows server machine which would require no authentication whatsoever from users. This post is intended to serve me as a reminder, since googling the solution every time eats easily away hours.

Settings which need to be changed of course depend on version of Windows of network share host. This post describes how to do it on a Windows 2012 R2.

Rougly what needs to be done is:

  • network share should be created
  • share permissions need to be set
  • security settings need to be changed

In more words:

  1. Share a folder by opening folder properties, navigating to Sharing tab and clicking
    Advanced Sharing…
    2015-03-10_18-34-08
  2. Enable sharing and click Permissions
    2015-03-10_18-34-35
  3. Add Everyone (should already be there), Guest and ANONYMOUS LOGON and give them Read access
    2015-03-10_18-35-07
  4. Open Group Policy Editor (hit Ctrl+R, type gpedit.msc and hit enter)
  5. Navigate to Computer Configuration → Windows Settings → Security Options
    2015-03-10_18-50-30
  6. Change following:
    • Accounts: Guest account status – change to Enabled
    • Network access: Let Everyone permissions apply to anonymous users – change to Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
    • Network access: Shares that can be accessed anonymously – enter name of share you created in the text field
      2015-03-10_18-49-23

This let me access the share \\<MachineName>\Share without providing any login information.

Running Windows 8.1? With how similar these two OSs seem, you’d expect this would be enough. However, it is not. For Windows 8.1, Microsoft recommends using Home groups. It is still possible to get conventional file share working, but I have not had time to try this out and it doesn’t seem a good security practice. I’ll just refer you to a find I stumbled upon on MS Technet Forums. Essentially what it suggests is using LanMan level 1 compatibility mode which would allow OS to accept LM authentication (in addition to NTLMv2). I’m not going to pretend to understand what kind of repercussions this has on machine security so I won’t recommend you to do it outside of your home LAN, and maybe not even there if it’s exposed over WiFi.

2015-03-11_13-07-44