How to Configure Anonymous SMB Access on Windows Server 2008 R2 for Domain/Non-Domain Mixed Environments

When dealing with SMB shares in mixed domain/non-domain environments, the authentication prompt issue is particularly frustrating. Despite following standard documentation, many administrators (myself included) hit this wall where Windows stubbornly demands credentials even after all apparent configuration changes.

After extensive testing, I've found these additional configuration steps essential:

# PowerShell to verify anonymous access settings
# (the SmbShare cmdlets below ship with Windows Server 2012 and later; on the
#  2008 R2 box itself, "net share YourShareName" gives the equivalent listing)
Get-SmbShare -Name "YourShareName" | Select *
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EncryptData

Key registry modifications often required:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"RestrictNullSessAccess"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"everyoneincludesanonymous"=dword:00000001

Even with share-level permissions correctly set, NTFS permissions often block anonymous access. This two-layered security frequently causes confusion:

# Using icacls to grant read/execute on the folder tree (OI/CI = inherit to files and subfolders)
icacls "C:\YourShareFolder" /grant "ANONYMOUS LOGON":(OI)(CI)(RX)
icacls "C:\YourShareFolder" /grant "Everyone":(OI)(CI)(RX)

Server 2008 R2's default SMB2/SMB3 implementation handles authentication differently than older versions. For legacy compatibility:

# Enable SMB1 protocol (if absolutely necessary)
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force

These Group Policy settings often override local configurations:

  • Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → "Network access: Let Everyone permissions apply to anonymous users" → Enabled
  • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Access this computer from the network" → Add "ANONYMOUS LOGON"

To properly test anonymous access without cached credentials interfering:

net use * /delete /y
rem An empty user name and empty password request a true null session
net use \\server\share "" /user:""

If you still receive prompts after these configurations, check for these common pitfalls:

  • User Account Control (UAC) virtualized paths
  • DFS namespace configurations
  • Antivirus real-time protection blocking
  • Network-level authentication requirements

When working with mixed-environment debugging setups (particularly symbol servers), anonymous SMB access becomes critical. Here's what actually works on Server 2008 R2:

First, ensure these registry values are set (create if they don't exist):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000000
"EveryoneIncludesAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"NullSessionShares"=hex(7):73,00,68,00,61,00,72,00,65,00,6e,00,61,00,6d,00,65,00,00,00,00,00
"NullSessionPipes"=hex(7):00,00
"RestrictNullSessAccess"=dword:00000000

For modern administration, use PowerShell to configure the share:

# Create the share with anonymous access
# (a symbol server only needs to be read; -ReadAccess instead of -FullAccess is the
#  least-privilege choice if you do not need clients to write to the share)
New-SmbShare -Name "Symbols" -Path "C:\Symbols" -FullAccess "ANONYMOUS LOGON","Guest" -FolderEnumerationMode AccessBased

# Verify share permissions
Get-SmbShareAccess -Name "Symbols" | Format-Table -AutoSize

# Set NTFS permissions (ReadAndExecute is sufficient for a read-only symbol share;
# FullControl shown here grants anonymous callers write and delete as well)
$acl = Get-Acl "C:\Symbols"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ANONYMOUS LOGON","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "C:\Symbols" -AclObject $acl

These policies must be configured (either locally or via GPO):

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options:
    • "Network access: Let Everyone permissions apply to anonymous users" - Enabled
    • "Network access: Restrict anonymous access to Named Pipes and Shares" - Disabled
    • "Network access: Shares that can be accessed anonymously" - Add your share name

Ensure these ports are open in Windows Firewall:

netsh advfirewall firewall add rule name="SMB Anonymous" dir=in action=allow protocol=TCP localport=445,139

From your test server (2003 R2), use this command to verify:

net use \\server\symbols /user:"" ""

For Visual Studio symbol server configuration, add this to your _NT_SYMBOL_PATH:

srv*C:\SymbolCache*\\server\symbols

If you still encounter issues:

  1. Check the security event logs for authentication failures
  2. Use Process Monitor to watch for access denied errors
  3. Test with both FQDN and NETBIOS names
  4. Verify that NTLM v1 is enabled if connecting from older systems
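As an added example (not part of the original post), the script below audits the registry, NullSessionShares and NTFS layers covered above on the server itself and reports which one would still block a null session. It assumes PowerShell 2.0 as shipped with Server 2008 R2; the share name and path are placeholders.

```powershell
# Added audit script (not from the original guide); adjust the two parameters.
param(
    [string]$ShareName = "Symbols",    # placeholder share name
    [string]$Path      = "C:\Symbols"  # placeholder folder backing the share
)

$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$srv = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

# Each entry: registry key, value name, value the guide requires for anonymous access.
$expected = @(
    @{ Key = $lsa; Name = "restrictanonymous";         Want = 0 },
    @{ Key = $lsa; Name = "restrictanonymoussam";      Want = 0 },
    @{ Key = $lsa; Name = "everyoneincludesanonymous"; Want = 1 },
    @{ Key = $srv; Name = "RestrictNullSessAccess";    Want = 0 }
)

$problems = @()
foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue
    $actual = $item.($e.Name)          # $null when the value does not exist yet
    if ($actual -ne $e.Want) {
        $problems += "{0}\{1} is '{2}', expected {3}" -f $e.Key, $e.Name, $actual, $e.Want
    }
}

# NullSessionShares is REG_MULTI_SZ; the share must appear in it by name.
$nss = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).NullSessionShares
if (-not ($nss -contains $ShareName)) {
    $problems += "NullSessionShares does not list '$ShareName'"
}

# NTFS layer: ANONYMOUS LOGON or Everyone needs an Allow ACE carrying ReadAndExecute.
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl = Get-Acl -Path $Path
$readers = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    ($_.IdentityReference.Value -match "ANONYMOUS LOGON|Everyone") -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
if (-not $readers) {
    $problems += "No Allow ACE with ReadAndExecute for ANONYMOUS LOGON or Everyone on $Path"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Checked settings all permit anonymous access to \\$env:COMPUTERNAME\$ShareName" }
```

Run it in an elevated PowerShell on the file server after applying the registry and ACL changes; any warning names the exact layer still demanding credentials.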