Creating network share with anonymous access

I needed to create a network share on Windows server machine which would require no authentication whatsoever from users. This post is intended to serve me as a reminder, since googling the solution every time eats easily away hours.

Settings which need to be changed of course depend on version of Windows of network share host. This post describes how to do it on a Windows 2012 R2.

Rougly what needs to be done is:

  • network share should be created
  • share permissions need to be set
  • security settings need to be changed

In more words:

  1. Share a folder by opening folder properties, navigating to Sharing tab and clicking
    Advanced Sharing…
    2015-03-10_18-34-08
  2. Enable sharing and click Permissions
    2015-03-10_18-34-35
  3. Add Everyone (should already be there), Guest and ANONYMOUS LOGON and give them Read access
    2015-03-10_18-35-07
  4. Open Group Policy Editor (hit Ctrl+R, type gpedit.msc and hit enter)
  5. Navigate to Computer Configuration → Windows Settings → Security Options
    2015-03-10_18-50-30
  6. Change following:
    • Accounts: Guest account status – change to Enabled
    • Network access: Let Everyone permissions apply to anonymous users – change to Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
    • Network access: Shares that can be accessed anonymously – enter name of share you created in the text field
      2015-03-10_18-49-23

This let me access the share \\<MachineName>\Share without providing any login information.

Running Windows 8.1? With how similar these two OSs seem, you’d expect this would be enough. However, it is not. For Windows 8.1, Microsoft recommends using Home groups. It is still possible to get conventional file share working, but I have not had time to try this out and it doesn’t seem a good security practice. I’ll just refer you to a find I stumbled upon on MS Technet Forums. Essentially what it suggests is using LanMan level 1 compatibility mode which would allow OS to accept LM authentication (in addition to NTLMv2). I’m not going to pretend to understand what kind of repercussions this has on machine security so I won’t recommend you to do it outside of your home LAN, and maybe not even there if it’s exposed over WiFi.

2015-03-11_13-07-44

  • Vitorio

    Thanks Nikola! You saved my day with this post. I’m relaying your instructions on my blog https://vitoriodelage.wordpress.com/2016/04/07/creating-an-anonymous-smb-network-share/ Is that OK for you?

    • http://nikolar.com/ Nikola Radosavljević

      No problem. Feel free to share

  • Boris Gjenero

    Thank you. This let Kodi on my Raspberry Pi access Windows 7 shares. Logins as Guest were failing, and anyways, needing to log in as Guest is very silly.

    Seems like “Restrict anonymous access to Named Pipes and Shares” is not needed. The name certainly implies it’s not needed because we’re talking about shares here. The Guest user isn’t needed with these settings, so I disabled it. You can also set RestrictAnonymous to 1: https://support.microsoft.com/en-us/kb/246261 . I don’t know why I wasn’t able to accomplish this simply by adding ANONYMOUS LOGON permissions, and why “Let Everyone permissions apply to anonymous users” was needed instead.

  • Boris Gjenero

    This also works in Windows 10 build 14393.10 (Anniversary Update). I had a folder with read access granted to everyone on an NTFS partition from before. First I used the Advanced Sharing button on the Sharing tab of folder properties to give it a share name. Then I opened Group Policy Editor, enabled “Network access: Let Everyone permissions apply to anonymous users” and added the share to “Network access: Shares that can be accessed anonymously”. That was enough; anonymous access worked from Kodi.

  • robross0606

    This no longer appears to work after upgrading to Windows 10 Anniversary Edition for me. No matter what I do I cannot get a share that previously worked fine to accept anonymous logon anymore. I’ve tried just about everything I can find on the web with no dice. From what I’m reading, this may have something to do with logging on using Microsoft Accounts on the machine which hosts the share. Another thing to note here is that this no longer works for non-windows clients (OSX, LInux CIFS, etc.) attempting to access the share.

  • Michael A

    Hi I have followed the above steps but on my client it gives the error ‘Logon failure: the user has not been granted the requested login type at this computer.’
    Is there any way to resolve that?

    I’m using Windows 7 SP1 (on both host and client machines)

  • Cor

    This is awesome Nikola! Finally I’ve been able to get my network share exactly how I wanted it.
    Everyone can just go to \Cor and find all my shared folder without having to authenticate. They can also read anything I’ve shared with everyone/guest/anonymous. And the folders not shared with those accounts remain inaccessible to them. That’s great. Thanks a lot.

    Just this isn’t clear yet: how does one authenticate in order to access the ‘password protected’ shared folders?