47

I have a directory shared on my computer, which is part of the domain. Is it possible to set up the share so that a user logged on to a different machine which is not part of the domain can access my share? From the machine not on the domain, I can browse to the share, but it asks for credentials, and I just want to allow anonymous access.

Jeremy

13 Answers

29

To do what you want you'll have to enable the "Guest" account on the computer hosting the files and then grant the "Everyone" group whatever access you want.

"Guest" is a user account, but its enabled / disabled status is interpreted by the operating system as a boolean "Allow unauthenticated users to connect?" Permissions still control the access to files, but you open things up a LOT by enabling Guest.

Don't do this on a domain controller computer, BTW, because you'll be Guest on all DCs...

Evan Anderson
25

In my case, enabling the Guest account and adding Everyone did not help (with a share on an older box with Windows Server 2008 SP2 in a domain and a Windows Server 2012 R2 machine from outside of the domain).

After following the excellent guide posted by Nikola Radosavljevic, anonymous access finally worked in my scenario.

Summary of steps:

  • Adding Everyone, Guest and ANONYMOUS LOGON to the permissions of the share.
  • Open the Group Policy Editor (e.g. by running gpedit.msc)
    • Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    • Accounts: Guest account status: Enabled
    • Network access: Let Everyone permissions apply to anonymous users: Enabled
    • Network access: Restrict anonymous access to Named Pipes and Shares: Disabled
    • Network access: Shares that can be accessed anonymously: YOUR_SHARE_NAME

Update (Windows Server 2016)

I would like to draw your attention to the comment by @Schneider, as he pointed out that on more recent systems fewer steps are necessary.

Update (May 2020)

@mrtumnus pointed out that the path in the group policy editor's tree could also be:

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options

I have checked this on Windows Server 2019 and could not find this tree item. If anyone could provide more details regarding in which situation the setting is located at a different place, I am willing to add this information.

CodeFox
  • 1
    This is sad, it is still not working for me after 5 recipes and 10 holes opened. I will close all holes and use Dropbox to share folder on local network. Thx Windows 7 sharing! – watbywbarif Oct 27 '15 at 11:21
  • This works for me, although it feels a bit shady. – Arve Systad Aug 02 '16 at 13:39
  • 2
    @ArveSystad I wouldn't say it is shady. It requires modifying the default group policy because the default policy prevents enabling guest/anon access. As I recall in the early days the defaults were to allow these types of things by default, and even enable this type of access by default. If there were no valid use cases for this, the ability to do it would be removed completely. But since there are some cases where it makes sense, you can do it but have to know how to explicitly enable this type of guest/anon access to files. – Thomas Carlisle Sep 15 '16 at 16:19
  • On Windows 10 I didn't need to set anything in the Group Policy Editor for it to work. I did have to reboot the client machine though. – Matthew Lock Sep 29 '16 at 09:55
  • 5
    There is **no need** to add Guest and ANONYMOUS LOGON to share permissions if you Enable the "Let Everyone permissions..." setting. Also there is **no need** to disable the "Restrict anonymous access..." setting. Tested myself on Windows Server 2016 RTM. – Schneider Oct 14 '16 at 03:07
  • 1
    @Schneider Confirmed, thanks for this! Interesting that "Accounts: Guest account status: Enabled" is still required even though the guest account isn't directly added to the permissions. Also noted that if "Encrypt data access" is turned on for the share (or server), anonymous access does not seem to be possible. – NReilingh Sep 24 '18 at 02:25
  • 1
    Guest account status [aside](https://www.isunshare.com/windows-10/4-ways-to-enable-and-disable-built-in-guest-on-windows-10.html), Windows editions without gpedit [can](https://www.windows-security.org/151955434e33de892bf85d2bee7cb624/network-access-let-everyone-permissions-apply-to-anonymous-users) find the [knobs](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares) above on `HKLM\System\CurrentControlSet\Control\Lsa` and `HKLM\System\CurrentControlSet\Services\LanManServer\Parameters` – mirh Feb 20 '20 at 16:32
  • Logging in as the Guest account does not make you anonymous. Thus "Network access: Let Everyone permissions apply to anonymous users" doesn't need to be enabled and "Network access: Shares that can be accessed anonymously" does not need to contain your share name. Something that hasn't been mentioned here is that your share folder needs to allow "Everyone" read permissions to the folder (in Properties, Security). – PinkDraconian Aug 03 '22 at 19:55
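
Added example, not part of any answer or comment above: a read-only PowerShell audit that reports the current state of the settings discussed in this answer and its comments, so an administrator can see what a file server exposes to unauthenticated or guest connections. The registry value names (`EveryoneIncludesAnonymous`, `RestrictNullSessAccess`, `NullSessionShares`, `ForceGuest`) are the standard values behind these policies and are not given on the page; English account names and Windows 8 / Server 2012 or later are assumed.

```powershell
# Added audit sketch: reports settings only, changes nothing.
# Run in an elevated PowerShell 5.1+ session on the machine hosting the share.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent (policy not configured).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# The built-in Guest account always has RID 501, even after a rename.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

$report = [ordered]@{
    'Guest account enabled'                  = [bool]$guest.Enabled
    'Everyone applies to anonymous users'    = (Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1
    'Anonymous share restriction disabled'   = (Get-RegValue $srv 'RestrictNullSessAccess') -eq 0
    'Shares listed for anonymous access'     = @(Get-RegValue $srv 'NullSessionShares') -join ', '
    'Guest-only sharing model (ForceGuest)'  = (Get-RegValue $lsa 'ForceGuest') -eq 1
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

# Share-level ACEs that grant access to Everyone, ANONYMOUS LOGON or Guest.
# Account names are the English ones; adjust for localized systems.
$open = 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON'
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($open -contains $_.AccountName -or $_.AccountName -like "*\$($guest.Name)")
    } |
    Format-Table Name, AccountName, AccessRight -AutoSize
```

The second table covers share permissions only; NTFS permissions on the shared folder still have to be reviewed separately (for example with `Get-Acl`).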
13

Enabling the Guest account is not recommended. Baz and djangofan are correct; you have to give the anonymous user permission to the share and the folder. (Security permissions in the sharing and folder tab, assuming you don't have a Home version of Windows.)

An interesting gotcha: Giving 'Everyone' access doesn't work, even though you'd think it would. In the permissions dialog in the sharing tab, you specifically have to include the anonymous user. On Windows 7, that's the local ANONYMOUS LOGON user.

  • 7
    I have allowed "Anonymous logon" in sharing permissions and in security, but still remote user gets "username/password" dialog? – watbywbarif Oct 27 '15 at 09:20
4

I solved this by mapping a network drive to the domain share and then connecting with different credentials using a local account. Didn't have to enable the guest account or allow anonymous access.

Tim
  • 1
    This is a great answer and somewhat not obvious. Windows REALLY wants some sort of credentials and even after all of that which leaves tons of vulnerabilities, it still did not work. I was able to get this to work by opening the share and putting in the AD user name for authentication, then map and save credentials. – Rob Feb 18 '20 at 21:49
4

In the security tab and share tab give anonymous the desired read/write access. Then anyone should be able to access the share.

2

Here is an alternative method that I use to accomplish this in Windows 10 Pro. This method involves enabling the Public folder sharing functionality built into Windows, creating a new Shared folder and setting the Sharing and NTFS permissions identical to the Public folder under the Users directory. Then disabling the Public share. This method does not modify any local security policies or registry settings (that I have seen posted all over the Internet)

  1. Open “Network and Sharing Center” and click on the “Advanced sharing settings” link.
  2. Expand "All Networks".
  3. Check “Turn on sharing so anyone with network access can read and write files in the Public folders”
  4. Click “Turn off password protected sharing”.
  5. Create the “Shared” folder on the drive of your choice on whatever drive you choose.
  6. Enable the share by clicking the “Advanced Sharing…” button.
  7. Set the Share permission to “Everyone”, “Full Control”.
  8. Set the Security [NTFS] permissions the same as the “Public” folder under the C:\Users directory.
  9. For “Interactive”, “Service” and “Batch” set the 2 special permissions to match the permissions in Advanced Security Settings, Show Advanced Permissions.
  10. Optional: Turn off sharing on the “Users” directory that was enabled when the Public Folder sharing was enabled.
  11. Optional: If multiple subnets/VLANs need to access the file share, go into the Windows Defender Firewall, Advanced Firewall Settings, click on “Inbound Rules” and filter by the File and Printer sharing group and profile type. Under the Scope tab, modify each Inbound firewall rule and change "localsubnet" under "Remote IP Address" to include the additional subnets that need access to the share.
  12. Test access to the newly created “Shared” folder.
  13. Check in “Computer Management” for the Session status. It shows that "Guest" is the account used to authenticate.
  14. Repeat the process for multiple shared folders with Anonymous access.

Advanced Permissions

Mike
1

Windows 10 Pro 1909 here. I could not get a truly anonymous share to work, no matter what. But that might not be really necessary, since Guest shares still work and they accept any username with a blank password:

1) Enable the Guest account.

2) Add Guest or Everyone permissions to both the share AND the files inside. Remember that Guest is a member of Everyone group, along with all other users, so you don't have to give explicit permissions to Guest if Everyone is already allowed, but Users and Authenticated Users do not include Guest.

3) Open the Group Policy Editor (gpedit.msc) and browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, locate policy Deny access to this computer from the network and REMOVE Guest from the list.

When connecting to the share:

`net use Z: \\Server\Share "" /user:Any` will work.

`net use Z: \\Server\Share "" /user:""` will not work.

1

Do you really want to give unauthenticated access to files? If it's a small group of users, you could create local accounts for them on the machine, create a group, and give that group access to only that one folder. If it's a web server in a DMZ, maybe setting up a web front end would be better so you can have better security than "Everyone has access to do whatever to these files".

Dustin
1

When you want to log in without using the domain you're in, just type \ (backslash) before the user account name. Then you will see that the domain that is visible in the login dialog disappears.

  • The original question actually stated that he was after "anonymous" access (which requires leveraging the guest account, but does not involve entering a username to authenticate). Still, this is very useful to know - I've always used "localhost\username" but this is much easier. – JimNim Mar 28 '18 at 15:35
0

I would try to toggle the "simple file sharing" setting in the Windows Explorer settings and see how that changes things. Then, on top of that, edit the permissions for your share to allow non-domain, non-authenticated users.

djangofan
  • How do I edit permissions to allow non-domain, non-authenticated users? I haven't seen these options in the folder permissions dialog before. Also, this is on a Windows 2003 server. Is there a simple file sharing option? – Jeremy Aug 07 '09 at 21:59
  • Ok, on that folder that you are sharing you need to add a group called "EVERYONE" to the share and file permissions. Grant them the permissions that you require (going to guess read/write/modify). – djangofan Aug 10 '09 at 14:31
0

Boiled it down to this:

On the file server: give anonymous Share and NTFS rights as needed (Read in my case)

Create GPO and apply to file server: Computer - Windows - Security - Local - Security

Accounts: Guest account status - Enabled

Accounts: Rename administrator account - SomeNameOfYourChoice

Accounts: Rename Guest account - SomeNameOfYourChoice

Network access: Shares that can be accessed anonymously: YourShareName

Network access: Sharing and security model for local account from “Classic-local users authenticate as themselves” to “Guest only-local users authenticate as Guest”.

LME062
0

On my Windows 10 machine I've checked all proposed solutions to find out what is actually necessary.

Here is list of steps that are actually needed:

  1. Enable Guest account

  2. Easy way: Advanced sharing -> permissions -> add guest (I know you can use everyone after you enable policy that effectively makes Guest part of everyone group)

  3. Easy way: Right click folder -> properties -> security -> edit -> add -> type Guest, enter

  4. And I have not seen this here, but it worked like a charm for me - go to Control Panel\All Control Panel Items\Network and Sharing Center\Advanced sharing settings and there set: "Turn OFF password protected sharing". This worked for me every time.

Castaglia
Tomek
-1

I had this problem with Windows Server 2012. After a lot of searching I found this page: No-password file share still requires login

For the lazy. - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options. Change “Network access: Let Everyone permissions apply to anonymous users” to Enabled.

That fixed it for me when nothing else was working.

Jake