
I have just set up a fresh standalone Windows 2019 Server (Core) in a lab environment (i.e. for my own learning). In part, this is because I was interested in looking into null session configurations from a security perspective.

While doing this, I created a share that I intended to have write access from a null session. However, I am only able to get read access to that share, even when the ANONYMOUS LOGON is granted full access to both the share and shared directory ACLs.

I have noticed that when setting the EveryoneIncludesAnonymous registry value to 1, I do get write access; however, I don't understand why this is needed, as I have already explicitly given ANONYMOUS LOGON full access.

Is there some additional check that is in-place I have missed? Any help would be appreciated in understanding this.

See command outputs below to see my configuration:

PS C:\Users\Administrator> Get-SmbShare -Name test1

Name  ScopeName Path                     Description
----  --------- ----                     -----------
test1 *         C:\inetpub\wwwroot\test1 anon share in iis root for testing

PS C:\Users\Administrator> Get-SmbShareAccess -Name test1

Name  ScopeName AccountName                  AccessControlType AccessRight
----  --------- -----------                  ----------------- -----------
test1 *         NT AUTHORITY\ANONYMOUS LOGON Allow             Full
test1 *         Everyone                     Allow             Full

PS C:\Users\Administrator> Get-Acl C:\inetpub\wwwroot\test1\ | Format-List -Property Owner,AccessToString

Owner          : NT AUTHORITY\ANONYMOUS LOGON
AccessToString : NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 BUILTIN\IIS_IUSRS Allow  ReadAndExecute, Synchronize
                 BUILTIN\IIS_IUSRS Allow  -1610612736
                 NT SERVICE\TrustedInstaller Allow  FullControl
                 NT SERVICE\TrustedInstaller Allow  268435456
                 NT AUTHORITY\SYSTEM Allow  FullControl
                 NT AUTHORITY\SYSTEM Allow  268435456
                 BUILTIN\Administrators Allow  FullControl
                 BUILTIN\Administrators Allow  268435456
                 BUILTIN\Users Allow  ReadAndExecute, Synchronize
                 BUILTIN\Users Allow  -1610612736
                 NT AUTHORITY\ANONYMOUS LOGON Allow  FullControl
                 CREATOR OWNER Allow  268435456

PS C:\Users\Administrator> reg query HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa /v everyoneincludesanonymous

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    everyoneincludesanonymous    REG_DWORD    0x0

Then trying to copy file to the share fails:

$ smbclient  -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Feb 28 08:21:29 2020
  ..                                  D        0  Fri Feb 28 08:21:29 2020
  somefile.txt                        A       22  Fri Feb 28 08:21:09 2020

                8247551 blocks of size 4096. 6341661 blocks available
smb: \> put test
NT_STATUS_ACCESS_DENIED opening remote file \test

After setting EveryoneIncludesAnonymous to 0x1 it works. To me, this suggests there is some additional check performed by the LanManServer, but I don't know where.

$ smbclient  -U '%' '\\192.168.56.20\test1'
Try "help" to get a list of possible commands.
smb: \> put test
putting file test as \test (0.3 kb/s) (average 0.3 kb/s)

EDIT (Update with registry values)

C:\Windows\system32>reg query hklm\system\currentcontrolset\control\lsa\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    auditbasedirectories    REG_DWORD    0x0
    auditbaseobjects    REG_DWORD    0x0
    Bounds    REG_BINARY    0030000000200000
    crashonauditfail    REG_DWORD    0x0
    fullprivilegeauditing    REG_BINARY    00
    LimitBlankPasswordUse    REG_DWORD    0x1
    NoLmHash    REG_DWORD    0x1
    Security Packages    REG_MULTI_SZ    ""
    Notification Packages    REG_MULTI_SZ    scecli
    Authentication Packages    REG_MULTI_SZ    msv1_0
    SecureBoot    REG_DWORD    0x1
    LsaPid    REG_DWORD    0x260
    LsaCfgFlagsDefault    REG_DWORD    0x0
    ProductType    REG_DWORD    0x7
    disabledomaincreds    REG_DWORD    0x0
    everyoneincludesanonymous    REG_DWORD    0x1
    forceguest    REG_DWORD    0x0
    restrictanonymous    REG_DWORD    0x0
    restrictanonymoussam    REG_DWORD    0x1

C:\Windows\system32>reg query hklm\system\currentcontrolset\services\lanmanserver\parameters

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lanmanserver\parameters
    EnableAuthenticateUserSharing    REG_DWORD    0x0
    NullSessionPipes    REG_MULTI_SZ    
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    autodisconnect    REG_DWORD    0xf
    enableforcedlogoff    REG_DWORD    0x1
    enablesecuritysignature    REG_DWORD    0x0
    requiresecuritysignature    REG_DWORD    0x0
    restrictnullsessaccess    REG_DWORD    0x1
    NullSessionShares    REG_MULTI_SZ    test1
    RejectUnencryptedAccess    REG_DWORD    0x1
    Guid    REG_BINARY    A8BD872570049045A692E9384049A8D1

kazza

1 Answer


You need to enable that in Group Policies.

Network access: Let Everyone permissions apply to anonymous users

in

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Anonymous tokens do not include the Everyone Group SID unless the system default has been overridden by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous registry value to DWORD=1.

Source: https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateanonymoustoken

Daniel
  • Thank you for the answer. Yep, from my limited understanding setting that in the GPO essentially sets the `EveryoneIncludesAnonymous` registry key (which is what I have set to get it working). However, the nub of what I was trying to understand is why this is needed when I have explicitly assigned permissions for the anonymous logon? – kazza Feb 29 '20 at 12:16
  • Updated my answer. – Daniel Feb 29 '20 at 15:14
  • The link is nice, but it relates more to the relationship between the Everyone group and anonymous users, not why, when I grant an anonymous user full access, they only get read access (even when there are no explicit deny permissions for any SID). – kazza Feb 29 '20 at 21:05
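As an added example (PowerShell written for this page, not code from the question, the answer or Microsoft), the following script audits the settings the question and the answer turn on: the LSA values EveryoneIncludesAnonymous and RestrictAnonymous, the LanmanServer values RestrictNullSessAccess, NullSessionShares and NullSessionPipes, and then, for every share a null session may reach, the share-level and NTFS ACEs that an anonymous token is actually evaluated against. It applies the rule quoted in the answer: Everyone ACEs count for anonymous users only when EveryoneIncludesAnonymous is 1. It assumes it runs in an elevated session on the server itself; the registry paths and cmdlets are the ones shown on the page, and the helper Get-RegValueOrDefault is a hypothetical name of my own.

```powershell
# Added example, not from the question or answer: audit the null-session
# settings shown on this page and report what anonymous principals can do on
# each share a null session may reach. Run in an elevated session on the server.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hypothetical helper (not a built-in cmdlet): read one registry value and fall
# back to a caller-supplied default when the value is absent.
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

$everyoneIncludesAnonymous = [int](Get-RegValueOrDefault $lsa 'EveryoneIncludesAnonymous' 0)
$restrictAnonymous         = [int](Get-RegValueOrDefault $lsa 'RestrictAnonymous' 0)
$restrictNullSessAccess    = [int](Get-RegValueOrDefault $srv 'RestrictNullSessAccess' 1)
$nullSessionShares         = @(Get-RegValueOrDefault $srv 'NullSessionShares' @())
$nullSessionPipes          = @(Get-RegValueOrDefault $srv 'NullSessionPipes' @())

'EveryoneIncludesAnonymous : {0}' -f $everyoneIncludesAnonymous
'RestrictAnonymous         : {0}' -f $restrictAnonymous
'RestrictNullSessAccess    : {0}' -f $restrictNullSessAccess
'NullSessionShares         : {0}' -f ($nullSessionShares -join ', ')
'NullSessionPipes          : {0}' -f ($nullSessionPipes -join ', ')

# Shares a null session may reach: those listed in NullSessionShares, or every
# non-administrative share when RestrictNullSessAccess is 0.
$reachable = if ($restrictNullSessAccess -eq 0) {
    @(Get-SmbShare | Where-Object { -not $_.Special } | Select-Object -ExpandProperty Name)
} else {
    $nullSessionShares
}

# Principals whose ACEs apply to an anonymous token. Per the Microsoft note the
# answer quotes, Everyone is present in that token only when the value is 1.
$anonPrincipals = @('NT AUTHORITY\ANONYMOUS LOGON')
if ($everyoneIncludesAnonymous -eq 1) { $anonPrincipals += 'Everyone' }

foreach ($name in $reachable) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) { continue }
    "`n== Share '$name' ($($share.Path)) is reachable by a null session =="

    # Share-level ACEs for the anonymous principals; Change/Full allow writes.
    Get-SmbShareAccess -Name $name |
        Where-Object { $anonPrincipals -contains $_.AccountName } |
        ForEach-Object {
            $flag = ''
            if ($_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change','Full') {
                $flag = 'WRITE-CAPABLE'
            }
            '  share ACE : {0,-32} {1,-5} {2,-6} {3}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight, $flag
        }

    # NTFS ACEs on the shared directory for the same principals.
    if ($share.Path) {
        (Get-Acl -Path $share.Path).Access |
            Where-Object { $anonPrincipals -contains $_.IdentityReference.Value } |
            ForEach-Object {
                '  NTFS ACE  : {0,-32} {1,-5} {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
            }
    }
}
```

On the configuration shown in the question (RestrictNullSessAccess 0x1, NullSessionShares test1) the script reports only test1, lists its ANONYMOUS LOGON ACEs at both the share and NTFS level, and adds the Everyone ACEs only after EveryoneIncludesAnonymous is set to 1. Running it before and after toggling that value gives a side-by-side record of which ACEs the anonymous token is evaluated against, which is the first thing to compare when a null session gets less access than the explicit ACEs seem to grant.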