2

I need to create a Windows file share and configure it so that the files can be modified over the network without the user needing to authenticate. In some cases this will be an interactive user dropping files into the folder using Windows Explorer. In many other cases the user will actually be a Windows service running as Local Service. The Windows server is not a member of a domain.

Let me say up front that I know we should not be doing this. However, assume that parameters outside my control prevent a more proper / security-conscious configuration.

I am able to accomplish this task by enabling the Guest account and then giving the Everyone group appropriate permissions to the folder and share. This is certainly easy, but I get very nervous enabling the Guest account. I believe it has ramification that go far beyond just file sharing. Am I justified in my paranoia?

Using Linux and Samba, this task of creating a writable, public network share is not hard either, and I do not recall quite as much concern about the overall security of the machine.

Is there a way using Windows Server, to just configure a public, read/write share without severely compromising the machine's security?

The machine will be on a standalone LAN and not connected to the Internet.

Jeremy
  • 651
  • 3
  • 11
  • 17
  • I don't think you need to set up the guest account to enable Everyone group access to the share. –  Oct 26 '09 at 19:25
  • I am hoping that is the case. All I can say is that in my particular case, enabling/disabling the Guest account seems to toggle the access between works/doesn't work. – Jeremy Oct 26 '09 at 20:21

2 Answers2

2

You may need to enable the local policy for "Network Access: Let Everyone permissions apply to anonymous users". This may be disable by default on certain versions of Windows. Use this in addition to granting the Everyone group CHANGE rights on the file share and NTFS permissions.

Additional information on the policy is here: http://technet.microsoft.com/en-us/library/cc778182(WS.10).aspx

Doug Luxem
  • 9,612
  • 7
  • 50
  • 80
  • In my particular case, I also needed to add the share to the policy for "Network Access: Shares that can be accessed anonymously". I think this may be because one client was a Windows service running as Local System. With setting the above policy, it could not access the share. – Jeremy Nov 24 '09 at 19:13
0

Have you tried to set share permissions to everyone and ntfs permissions to everyone?

JamesBarnett
  • 1,129
  • 8
  • 12
  • 1
    W/o enabling the guest account it's not going to matter. Enabling the Guest account is the "magic switch" that enables anonymous access in Windows File and Print Sharing. (The poster will also have to be sure that "Guest" isn't named in the "Deny access to this computer from the network" Security Option in Group Policy, too...) – Evan Anderson Nov 09 '09 at 19:39