
How do I create a truly anonymous read/write network share in Windows Server 2008?

That is ...

  • no login dialog shown
  • no domain credentials required

... so that any Windows machine can get to this share no matter who is logged in, whether the machine is on a domain or not?

Jeff Atwood

2 Answers


I was able to get a rudimentary anonymous share going by setting the share and filesystem permissions to:

  • Everyone (full control)
  • Guests (full control)
  • ANONYMOUS LOGON (full control)

After that, in the Local Security Policy under Local Policies > Security Options I had to modify

Network access: Shares that can be accessed anonymously

by adding my share to it, like so:

sharename

At that point I was able to get to \\servername\sharename anonymously.

Jeff Atwood

  • Can't say I'd ever done it via that route. That's more sensible than my posting because it doesn't radically decrease the server's security. I'm blowing away my answer on that basis and upvoting you. – Evan Anderson May 22 '11 at 09:31
  • @evan I'm not 100% sure this is entirely correct, so I want to hear others' opinions on it. – Jeff Atwood May 22 '11 at 09:35
  • It's better than enabling the "Guest" account, IMO, because it's really easy (especially with abuse of the "Everyone" principal in permissions) to "leak" access to "Guests". Having said that, enabling the "Guest" account is a bit faster to do than this. I'm not sure that's a positive thing, though. I've spent a lot of time in my life trying to get people *not* to enable the "Guest" account. – Evan Anderson May 22 '11 at 09:36
  • I tried both but I still get an "unknown user name or password" error. What more do I need to do? I have a Win2k8 Server R2 box. – Anirudh Goel Jan 30 '12 at 13:38
  • +1 for actually giving the text to put in the parameter, since the format doesn't seem to be documented anywhere. – rakslice Jul 31 '13 at 19:19
  • Make sure you put each share name on a new line when you're configuring the policy for more than one share. Comma delimiting it doesn't work (even though it is shown like that in the list with all policies). – dvdvorle May 26 '15 at 06:06
  • I had to turn off "password protected sharing" to get this to work, under Advanced sharing settings. – Dan Nov 08 '17 at 00:57
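An audit script to check the result of the steps above, added here as an example rather than code from either answer: it reads the policy "Network access: Shares that can be accessed anonymously" (backed by the NullSessionShares multi-string value under the LanmanServer Parameters key, one share name per entry, which is why the comment above says commas do not work) and cross-checks each share's ACL for grants to Everyone, Guests or ANONYMOUS LOGON. It assumes the SmbShare module (Windows Server 2012 or later; on Server 2008 the Win32_Share WMI classes would be used instead) and an elevated prompt.

```powershell
# Added example, not part of the original answers: list which SMB shares on this
# host are set up for anonymous access, so an admin can see what is exposed.
# Assumes the SmbShare module (Server 2012+) and an elevated PowerShell session.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$props    = Get-ItemProperty -Path $paramKey

# NullSessionShares is REG_MULTI_SZ: one share name per line, as the comment notes.
$nullSessionShares = @($props.NullSessionShares) | Where-Object { $_ }

# "Network access: Restrict anonymous access to Named Pipes and Shares".
# With the default of 1, only the shares listed above are exempt from the restriction.
$restrictNullSess = $props.RestrictNullSessAccess

# Principals the accepted answer grants Full Control to, as Get-SmbShareAccess reports them.
$anonPrincipals = @('Everyone', 'BUILTIN\Guests', 'NT AUTHORITY\ANONYMOUS LOGON')

function Get-AnonymousShareReport {
    # Skip administrative shares (C$, ADMIN$, IPC$); they are never meant to be anonymous.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $grants = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($anonPrincipals -contains $_.AccountName)
        }
        [pscustomobject]@{
            Share            = $share.Name
            Path             = $share.Path
            # True when the share is named in the policy the answer edits.
            ListedForAnon    = ($nullSessionShares -contains $share.Name)
            # Share-level grants to the anonymous-style principals, e.g. "Everyone:Full".
            AnonShareGrants  = ($grants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            RestrictNullSess = $restrictNullSess
        }
    }
}

# A share is reachable without credentials only when both columns line up:
# it is listed in NullSessionShares AND its share ACL (and NTFS ACL) allow the anonymous principal.
Get-AnonymousShareReport | Format-Table -AutoSize
```

NTFS permissions on the folder are not inspected here; use Get-Acl on each Path column value to confirm the filesystem side of the accepted answer's settings.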

You need to enable the "Guest" account on the Windows Server machine. After you do that, assuming the remote user isn't attempting to log on with a user account that's valid on the Windows Server machine, you'll get what you're looking for. It can be a pain, though, because you'll get logon dialogs on the remote computers if the user account being used on the remote computer matches an account that's valid on the Windows Server machine. The standard "workaround" for that is to rename the local "Administrator" account on the Windows Server machine to something else and refrain from creating any additional user accounts.

You'll need, obviously, appropriate share and filesystem permissions on the shared folder.

Evan Anderson

  • That's a great point about the account overlaps, if you happen to "accidentally" match an account on the target machine. Would not have thought of that. Another point to consider: if the account attempting to get to this anonymous share is, say, `LOCAL SYSTEM` or `NETWORK SERVICE`, those accounts are just plain banned from touching the network, period, so it doesn't ultimately matter what the permissions are. (I undeleted this post because I still think it is useful.) – Jeff Atwood May 22 '11 at 09:32
  • @JeffAtwood Jeff, can you please provide a source as to why `NETWORK SERVICE` and `LOCAL SYSTEM` do not work when trying to connect to a workgroup-shared folder? For security reasons? Is there a way of disabling it? – Alexandru Oct 05 '15 at 18:06