Creating network share with anonymous access

I needed to create a network share on Windows server machine which would require no authentication whatsoever from users. This post is intended to serve me as a reminder, since googling the solution every time eats easily away hours.

Settings which need to be changed of course depend on version of Windows of network share host. This post describes how to do it on a Windows 2012 R2.

Rougly what needs to be done is:

  • network share should be created
  • share permissions need to be set
  • security settings need to be changed

In more words:

  1. Share a folder by opening folder properties, navigating to Sharing tab and clicking
    Advanced Sharing…
  2. Enable sharing and click Permissions
  3. Add Everyone (should already be there), Guest and ANONYMOUS LOGON and give them Read access
  4. Open Group Policy Editor (hit Ctrl+R, type gpedit.msc and hit enter)
  5. Navigate to Computer Configuration → Windows Settings → Security Options
  6. Change following:
    • Accounts: Guest account status – change to Enabled
    • Network access: Let Everyone permissions apply to anonymous users – change to Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares – change to Disabled
    • Network access: Shares that can be accessed anonymously – enter name of share you created in the text field

This let me access the share \\<MachineName>\Share without providing any login information.

Running Windows 8.1? With how similar these two OSs seem, you’d expect this would be enough. However, it is not. For Windows 8.1, Microsoft recommends using Home groups. It is still possible to get conventional file share working, but I have not had time to try this out and it doesn’t seem a good security practice. I’ll just refer you to a find I stumbled upon on MS Technet Forums. Essentially what it suggests is using LanMan level 1 compatibility mode which would allow OS to accept LM authentication (in addition to NTLMv2). I’m not going to pretend to understand what kind of repercussions this has on machine security so I won’t recommend you to do it outside of your home LAN, and maybe not even there if it’s exposed over WiFi.


22 thoughts on “Creating network share with anonymous access

  1. Thank you. This let Kodi on my Raspberry Pi access Windows 7 shares. Logins as Guest were failing, and anyways, needing to log in as Guest is very silly.

    Seems like “Restrict anonymous access to Named Pipes and Shares” is not needed. The name certainly implies it’s not needed because we’re talking about shares here. The Guest user isn’t needed with these settings, so I disabled it. You can also set RestrictAnonymous to 1: . I don’t know why I wasn’t able to accomplish this simply by adding ANONYMOUS LOGON permissions, and why “Let Everyone permissions apply to anonymous users” was needed instead.

  2. This also works in Windows 10 build 14393.10 (Anniversary Update). I had a folder with read access granted to everyone on an NTFS partition from before. First I used the Advanced Sharing button on the Sharing tab of folder properties to give it a share name. Then I opened Group Policy Editor, enabled “Network access: Let Everyone permissions apply to anonymous users” and added the share to “Network access: Shares that can be accessed anonymously”. That was enough; anonymous access worked from Kodi.

    1. Hi there. I’m trying this on new Windows 10 1803 and it doesn’t work. Any way to do this? Thank you!

      1. Works for me from smbclient in Raspbian Stretch accessing Windows 10 Pro Version 1709 (OS Build 16299.371) on same LAN. Some Windows 10 update had disabled “Network access: Let Everyone permissions apply to anonymous users” and I had to re-enable that. Rebooting was not needed after changing the setting. Share names were still listed in “Network access: Shares that can be accessed anonymously”, on separate lines in the dialog for changing it and separated with commas in the list of settings. “Network access: Restrict anonymous access to Named Pipes and Shares” is still enabled; I guess that doesn’t matter. Also “Accounts: Guest account status” is Disabled. This is anonymous access, without logging in, and the guest account ought to be irrelevant.

        1. I made the same configuration as you but if i try to access the shared dir from another win10 it always ask the password.

          1. I’m not sure that Windows supports anonymous access as a client. Try to access it from something else.

  3. This no longer appears to work after upgrading to Windows 10 Anniversary Edition for me. No matter what I do I cannot get a share that previously worked fine to accept anonymous logon anymore. I’ve tried just about everything I can find on the web with no dice. From what I’m reading, this may have something to do with logging on using Microsoft Accounts on the machine which hosts the share. Another thing to note here is that this no longer works for non-windows clients (OSX, LInux CIFS, etc.) attempting to access the share.

  4. Hi I have followed the above steps but on my client it gives the error ‘Logon failure: the user has not been granted the requested login type at this computer.’
    Is there any way to resolve that?

    I’m using Windows 7 SP1 (on both host and client machines)

      1. Thank you for the quick response, I went to network and sharing center, turned off password protected sharing and now I get further. I am able to connect and see the shares but it gave the error: You do not have permission to access \

        I have since updated the NTFS permission of the shared folder to include full access for Guest and now it is working.

  5. This is awesome Nikola! Finally I’ve been able to get my network share exactly how I wanted it.
    Everyone can just go to \Cor and find all my shared folder without having to authenticate. They can also read anything I’ve shared with everyone/guest/anonymous. And the folders not shared with those accounts remain inaccessible to them. That’s great. Thanks a lot.

    Just this isn’t clear yet: how does one authenticate in order to access the ‘password protected’ shared folders?

    1. Definitely not awesome. To do an obvious thing you need to change FOUR settings in the group policies and even enter the name of the share. Why should they be restricted by default? How in the world creating a share can harm my computer? The next thing is that in the computer I was asked to create a share (glad that my computer is already on linux for several years) the settings about pipes and shared resources have NO VALUES! Are they enabled or disabled? Linux is waaaay better in this aspect.

      1. I’m also not certain this instructions are valid for Windows 10 or not. Likely there is an easier way to do file sharing, but people are increasingly relying on Dropbox and other file sharing services for such purposes. Those who need more likely have a doman server and a sysadmin who sets everything up.

        Why this is so difficult I don’t know. I suppose it has something to do with how security is implemented in the protocol (remember SMB exploit everyone talked and is still talking about, linked to WannaCry outbreak).

  6. On step 5, the path within Policy editor is missing two nodes.
    It’s even visible in the screenshot you provide.
    The right path is
    Computer Configuration → Windows Settings → Security Configuration → Local Policies → Security Options
    Good guide though.

  7. We’ve got the same requirement but are running Windows 7 Home Premium (x64). This means no access to group policy editors and other tools consoles that come with the Professional and Ultimate editions.
    The system has password protected sharing disabled and has folder permissions set the same as in this example, yet clients still cannot access the shared folders using Guest – or any standard account that is not password protected. Even when a password is set for the Guest account, client requests are refused e.g. Mac OS X client is denied with “This file server does not allow Guest access”.
    We essentially have two issues:-
    i) Guest access to file/folder sharing is denied.
    ii) Passwords are required at all times for clients requesting folder sharing access.
    Ostensibly the system is configured to allow both to succeed so it appears the issue is a deeper one.
    The system was working fine until recently: it allowed non-password and Guest access to the resources. However it appears to have gone awry after some recent updates to Windows (the only change we can see).
    If anyone could shed some light we’d be very grateful. Thanks.

  8. There is no need to change Guest account status to Enabled. Probably adding Shares that can be accessed anonymously is enough.

Comments are closed.