How to Implement Truly Anonymous SMB Share with Full Read/Write Access in Windows Server 2008



When we talk about "anonymous" network shares in Windows environments, we're referring to SMB shares that don't require authentication credentials. This is particularly useful for:

  • Public file drop locations
  • Cross-domain file exchange
  • Temporary data transfer points
  • Kiosk-style systems

Here's the complete technical process to achieve anonymous access:


# 1. Enable the Guest account via the local security policy (run from an elevated PowerShell).
#    secedit exports the setting as "EnableGuestAccount = 0" (with spaces), so match it loosely.
secedit /export /cfg before.ini
(Get-Content before.ini) -replace "EnableGuestAccount\s*=\s*0","EnableGuestAccount = 1" | Out-File after.ini
secedit /configure /db secedit.sdb /cfg after.ini /areas SECURITYPOLICY

# 2. Registry for null session access. YOURSHARENAME must match the share created below (ANONSHARE in the net share example).
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /d "YOURSHARENAME" /f
#    RestrictNullSessAccess=0 opens every share to null sessions; the default value 1 already
#    permits the shares listed in NullSessionShares, so only set 0 if all shares must be reachable.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RestrictNullSessAccess /t REG_DWORD /d 0 /f

The critical NTFS and Share permissions setup:


:: Command line alternative to GUI
net share ANONSHARE=C:\Public /GRANT:Everyone,FULL /UNLIMITED
icacls C:\Public /grant Everyone:(OI)(CI)F /T

Ensure these ports are open in Windows Firewall:

  • TCP 445 (SMB)
  • TCP 139 (NetBIOS)
  • UDP 137-138 (NetBIOS name resolution)

netsh advfirewall firewall add rule name="SMB Anonymous" dir=in action=allow protocol=TCP localport=445,139
netsh advfirewall firewall add rule name="NetBIOS Anonymous" dir=in action=allow protocol=UDP localport=137-138

Verify from a client machine using PowerShell:


# -Credential on a FileSystem drive and -Persist need PowerShell 3.0 or later on the client;
# on PowerShell 2.0 use the equivalent null-session mapping:  net use \\server\ANONSHARE "" /user:""
$cred = New-Object System.Management.Automation.PSCredential ("Anonymous", (New-Object System.Security.SecureString))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\server\ANONSHARE" -Credential $cred -Persist

While anonymous shares are convenient, consider these security measures:


# Require SMB signing (mitigates some attack vectors). Set-SmbServerConfiguration ships with the
# SmbShare module on Windows Server 2012 and later; on Server 2008 set the registry value instead:
#   reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# SMB encryption needs SMB 3.0 (Server 2012 or later) on both ends; Server 2008 clients cannot use it.
Set-SmbServerConfiguration -EncryptData $true -Force

# Implement IP restrictions if possible. A narrower allow rule only limits access once the
# unrestricted "SMB Anonymous" rule added earlier is removed:
#   netsh advfirewall firewall delete rule name="SMB Anonymous"
netsh advfirewall firewall add rule name="SMB IP Restrict" dir=in action=allow protocol=TCP localport=445 remoteip=192.168.1.0/24

For logging anonymous access attempts, configure audit policies in gpedit.msc under:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
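As an added example (not part of the original post), the PowerShell script below turns on the File Share audit subcategory and then reads the resulting 5140 events to list which client addresses opened the share without credentials. It assumes the share is named ANONSHARE, as in the net share command above, and runs in an elevated PowerShell on the server.

```powershell
$ShareName = 'ANONSHARE'   # assumed: the share name used in the net share example above

# 1. Turn on the Object Access > File Share audit subcategory (event 5140 per share open).
auditpol /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null

# 2. Pull 5140 events and read the named fields from each event's XML.
function Get-ShareAccessEvent {
    param([string]$Share, [int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # The share is logged as \\*\NAME; keep only the share configured above.
        if ($d['ShareName'] -notmatch "\\$Share$") { continue }
        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            # Null sessions log as ANONYMOUS LOGON; guest-mapped connections log as Guest.
            Anonymous  = ($d['SubjectUserName'] -match '^(ANONYMOUS LOGON|Guest)$')
            ClientIP   = $d['IpAddress']
            AccessMask = $d['AccessMask']
        }
    }
}

# 3. Report every client address that opened the share without real credentials.
Get-ShareAccessEvent -Share $ShareName |
    Where-Object { $_.Anonymous } |
    Group-Object ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Because the share accepts no credentials, the client address is the only identity the log can give you; keep the Security log size large enough that it is not overwritten before you review it.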


Creating a truly anonymous SMB share on Windows Server 2008 requires bypassing several security mechanisms that Microsoft enabled by default. The primary obstacles are:

  • The default requirement for SMB authentication
  • NTFS permissions inheritance
  • Share-level access restrictions

1. Enable Anonymous Access in Local Security Policy

First, we need to modify the local security policy to allow anonymous access:

1. Open "Local Security Policy" (secpol.msc)
2. Navigate to: Local Policies → Security Options
3. Find "Network access: Let Everyone permissions apply to anonymous users" and enable it
4. Find "Network access: Shares that can be accessed anonymously" and add your share name

2. Configure Share Permissions

For the specific share you're creating:

1. Right-click the folder → Properties → Sharing tab
2. Click Advanced Sharing → Permissions
3. Add "Everyone" with Full Control
4. Remove all other entries

3. Set NTFS Permissions

Even more important than share permissions:

1. Right-click folder → Properties → Security tab
2. Click Edit → Add → type "Everyone"
3. Grant Full Control
4. Click Advanced → Disable inheritance
5. Remove all inherited permissions
6. Check "Replace all child object permissions"

4. Registry Tweaks (Optional but Recommended)

For maximum compatibility with all clients:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000000

To test if your configuration works properly:

# From a client machine (PowerShell 3.0 or later; -Credential on a FileSystem drive and -Persist are not available in 2.0):
$cred = New-Object System.Management.Automation.PSCredential ("Anonymous", (New-Object System.Security.SecureString))
# The share name must match the one added under "Shares that can be accessed anonymously".
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\server\share" -Credential $cred -Persist

While this setup achieves the goal of anonymous access, be aware of these risks:

  • No audit trail of who accessed/modified files
  • Potential for abuse if share is internet-accessible
  • Possible violation of corporate security policies

For slightly better security while maintaining ease of access, consider using a dedicated service account instead of full anonymous access.

If clients still get prompted for credentials:

  • Double-check both share AND NTFS permissions
  • Ensure the share name matches exactly what you entered in security policy
  • Verify that the Server (LanmanServer) service was restarted after the changes
  • Check firewall settings (TCP 445 must be open)
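To work through that checklist without the GUI, here is an added PowerShell audit script (not from the original post) that reads back each setting the steps above change and marks the ones whose effect is server-wide rather than limited to the one share. It assumes the share name ANONSHARE and runs in an elevated PowerShell on the server.

```powershell
$ShareName = 'ANONSHARE'   # assumed: the share name used in the examples above
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue($Path, $Name) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $null }
}

function Test-AnonymousShareConfig {
    param([string]$Share)
    $wmiShare = Get-WmiObject Win32_Share -Filter "Name='$Share'"
    $everyoneFull = $false
    if ($wmiShare) {
        # NTFS side: does Everyone hold an Allow Full Control ACE on the shared folder?
        $everyoneFull = [bool]((Get-Acl $wmiShare.Path).Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -eq 'FullControl' })
    }
    # Each check: the setting the steps above touch, whether it is set now, and whether
    # its effect is server-wide (Wide) instead of limited to this one share.
    $checks = @(
        @{ Setting='Share exists';                        Set=[bool]$wmiShare; Wide=$false },
        @{ Setting='Share listed in NullSessionShares';
           Set=(@(Get-RegValue $srv 'NullSessionShares') -contains $Share); Wide=$false },
        @{ Setting='Everyone has NTFS Full Control';      Set=$everyoneFull;   Wide=$false },
        @{ Setting='RestrictNullSessAccess = 0 (null sessions reach every share)';
           Set=((Get-RegValue $srv 'RestrictNullSessAccess') -eq 0);    Wide=$true },
        @{ Setting='RestrictAnonymous = 0 (anonymous enumeration server-wide)';
           Set=((Get-RegValue $lsa 'RestrictAnonymous') -eq 0);         Wide=$true },
        @{ Setting='EveryoneIncludesAnonymous = 1 (Everyone ACEs apply to anonymous everywhere)';
           Set=((Get-RegValue $lsa 'EveryoneIncludesAnonymous') -eq 1); Wide=$true },
        @{ Setting='SMB signing required (RequireSecuritySignature = 1)';
           Set=((Get-RegValue $srv 'RequireSecuritySignature') -eq 1);  Wide=$false }
    )
    foreach ($c in $checks) {
        $note = if ($c.Set -and $c.Wide) { 'server-wide, not limited to this share' } else { '' }
        New-Object PSObject -Property @{ Setting=$c.Setting; Set=$c.Set; Note=$note }
    }
}

Test-AnonymousShareConfig -Share $ShareName | Format-Table Setting, Set, Note -AutoSize
```

A share that still prompts for credentials usually shows up here as one of the first three rows reading False; rows flagged server-wide are the ones to revisit once the share works, since the per-share NullSessionShares entry alone is enough for a single anonymous share.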