How to Implement Truly Anonymous SMB Share with Full Read/Write Access in Windows Server 2008


When we talk about "anonymous" network shares in Windows environments, we're referring to SMB shares that don't require authentication credentials. This is particularly useful for:

  • Public file drop locations
  • Cross-domain file exchange
  • Temporary data transfer points
  • Kiosk-style systems

Here's the complete technical process to achieve anonymous access:


# 1. Enable Guest access in Local Security Policy (run in an elevated PowerShell)
secedit /export /cfg before.ini
# The exported template writes the setting as "EnableGuestAccount = 0" (spaces around '='),
# so match it flexibly; the exact string "EnableGuestAccount=0" would not be found.
(Get-Content before.ini) -replace "EnableGuestAccount\s*=\s*0","EnableGuestAccount = 1" | Out-File after.ini
secedit /configure /db secedit.sdb /cfg after.ini

# 2. Modify registry for null session access
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "YOURSHARENAME" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 0 /f

The critical NTFS and Share permissions setup:


:: Command line alternative to GUI
net share ANONSHARE=C:\Public /GRANT:Everyone,FULL /UNLIMITED
icacls C:\Public /grant Everyone:(OI)(CI)F /T

Ensure these ports are open in Windows Firewall:

  • TCP 445 (SMB)
  • TCP 139 (NetBIOS)
  • UDP 137-138 (NetBIOS name resolution)

netsh advfirewall firewall add rule name="SMB Anonymous" dir=in action=allow protocol=TCP localport=445,139
netsh advfirewall firewall add rule name="NetBIOS Anonymous" dir=in action=allow protocol=UDP localport=137-138

Verify from a client machine using PowerShell:


$cred = New-Object System.Management.Automation.PSCredential ("Anonymous", (New-Object System.Security.SecureString))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\server\ANONSHARE" -Credential $cred -Persist

While anonymous shares are convenient, consider these security measures:


# Enable SMB signing (mitigates some attack vectors)
# Note: Set-SmbServerConfiguration belongs to the SmbShare module shipped with
# Windows Server 2012 / Windows 8 and later; it is not available on Server 2008.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -EncryptData $true -Force

# Implement IP restrictions if possible
# Note: an additional allow rule does not narrow access by itself; remove (or scope
# the same way) the broader "SMB Anonymous" rule added earlier for this to take effect.
netsh advfirewall firewall add rule name="SMB IP Restrict" dir=in action=allow protocol=TCP localport=445 remoteip=192.168.1.0/24

For logging anonymous access attempts, configure audit policies in gpedit.msc under:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
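As an added example (not code from the answer above), the same auditing done from an elevated PowerShell prompt instead of gpedit.msc: it enables the File Share and File System audit subcategories with auditpol and puts a SACL on the shared folder so that reads and writes by the ANONYMOUS LOGON and Guests identities are written to the Security log. It assumes the folder is C:\Public as in the net share line above.

```powershell
# Added example, not code from the post. Assumes the shared folder is C:\Public.
# Run in an elevated PowerShell on the file server.
$folder = 'C:\Public'

# Turn on the Object Access subcategories from the command line (equivalent to the
# gpedit.msc path above). "File Share" records share connections (event 5140, which
# carries the client address); "File System" records object access (event 4663)
# for objects that carry a matching SACL.
auditpol /set /subcategory:"File Share"  /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Identities to audit: ANONYMOUS LOGON (S-1-5-7) for null-session clients and the
# built-in Guests group (S-1-5-32-546) for clients mapped to the Guest account.
$sids = 'S-1-5-7', 'S-1-5-32-546'

$rights    = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# -Audit reads the SACL as well as the DACL; writing it back needs SeSecurityPrivilege,
# which an elevated administrator session has.
$acl = Get-Acl -Path $folder -Audit
foreach ($sid in $sids) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $id, $rights, $inherit, $propagate, $flags)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Show the resulting audit entries on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```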


Creating a truly anonymous SMB share on Windows Server 2008 requires bypassing several security mechanisms that Microsoft enabled by default. The primary obstacles are:

  • The default requirement for SMB authentication
  • NTFS permissions inheritance
  • Share-level access restrictions

1. Enable Anonymous Access in Local Security Policy

First, we need to modify the local security policy to allow anonymous access:

1. Open "Local Security Policy" (secpol.msc)
2. Navigate to: Local Policies → Security Options
3. Find "Network access: Let Everyone permissions apply to anonymous users" and enable it
4. Find "Network access: Shares that can be accessed anonymously" and add your share name

2. Configure Share Permissions

For the specific share you're creating:

1. Right-click the folder → Properties → Sharing tab
2. Click Advanced Sharing → Permissions
3. Add "Everyone" with Full Control
4. Remove all other entries

3. Set NTFS Permissions

Even more important than share permissions:

1. Right-click folder → Properties → Security tab
2. Click Edit → Add → type "Everyone"
3. Grant Full Control
4. Click Advanced → Disable inheritance
5. Remove all inherited permissions
6. Check "Replace all child object permissions"

4. Registry Tweaks (Optional but Recommended)

For maximum compatibility with all clients:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000000

To test if your configuration works properly:

# From a client machine (PowerShell):
$cred = New-Object System.Management.Automation.PSCredential ("Anonymous", (New-Object System.Security.SecureString))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\server\share" -Credential $cred -Persist

While this setup achieves the goal of anonymous access, be aware of these risks:

  • No audit trail of who accessed/modified files
  • Potential for abuse if share is internet-accessible
  • Possible violation of corporate security policies

For slightly better security while maintaining ease of access, consider using a dedicated service account instead of full anonymous access.

If clients still get prompted for credentials:

  • Double-check both share AND NTFS permissions
  • Ensure the share name matches exactly what you entered in security policy
  • Verify the server service is restarted after changes
  • Check firewall settings (TCP 445 must be open)
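As an added example (not part of the answer), a server-side PowerShell check that walks through the four points above: share and NTFS ACLs, the NullSessionShares entry and the two related policy values, the Server service state, and an enabled inbound firewall rule for TCP 445. It assumes the share is named ANONSHARE; adjust $shareName for your own share.

```powershell
# Added example, not code from the answer. Assumes the share is named ANONSHARE.
# Run in an elevated PowerShell on the file server (works with PowerShell 2.0).
$shareName = 'ANONSHARE'
$parms = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results = New-Object System.Collections.ArrayList
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }))
}

# 1. Share-level AND NTFS permissions must both grant Everyone (S-1-1-0).
$share = Get-WmiObject Win32_Share -Filter "Name='$shareName'"
if ($share) {
    $sec  = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    $shareAce = $dacl | Where-Object { $_.Trustee.SIDString -eq 'S-1-1-0' -and $_.AceType -eq 0 }
    Check 'Share ACL grants Everyone' ([bool]$shareAce) (($dacl | ForEach-Object { "$($_.Trustee.Name):$($_.AccessMask)" }) -join ' ')
    $ntfsAce = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    Check 'NTFS ACL grants Everyone' ([bool]$ntfsAce) $share.Path
} else {
    Check 'Share exists' $false "no share named $shareName"
}

# 2. Registry values behind the security-policy settings (share name must match exactly).
$p = Get-ItemProperty -Path $parms -ErrorAction SilentlyContinue
Check 'Share listed in NullSessionShares' ($p.NullSessionShares -contains $shareName) ('[' + ($p.NullSessionShares -join ', ') + ']')
Check 'RestrictNullSessAccess is 0' ($p.RestrictNullSessAccess -eq 0) "value=$($p.RestrictNullSessAccess)"
$l = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
Check 'EveryoneIncludesAnonymous is 1' ($l.EveryoneIncludesAnonymous -eq 1) "value=$($l.EveryoneIncludesAnonymous)"

# 3. The Server service must be running (restart it after the registry changes).
$svc = Get-Service -Name LanmanServer
Check 'Server service running' ($svc.Status -eq 'Running') "status=$($svc.Status)"

# 4. An enabled inbound allow rule for TCP 445 (Direction 1 = in, Action 1 = allow, Protocol 6 = TCP).
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$rule445 = $fw.Rules | Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    $_.Protocol -eq 6 -and ($_.LocalPorts -eq '*' -or ($_.LocalPorts -split ',') -contains '445') }
Check 'Firewall allows TCP 445 inbound' ([bool]$rule445) (($rule445 | ForEach-Object { $_.Name }) -join '; ')

$results | Format-Table Check, OK, Detail -AutoSize
```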