What are the minimum permissions for a Windows share to be anonymous-read only?

First, setting up anonymous access to a share isn't that bad; you just have to include Anonymous in Everyone (you actually linked to it yourself):

  1. Open the Local Group Policy Manager (gpedit)
  2. Computer Configuration
  3. Windows Settings
  4. Security Settings
  5. Local Policies
  6. Security Options -- change Network access: Let Everyone permissions apply to anonymous users from Disabled to Enabled
  7. Change Network access: Restrict anonymous access to Named Pipes and Shares to Disabled
  8. Network access: Shares that can be accessed anonymously - set the name of the share you are sharing there.

As far as the share itself goes: set the Share Permissions as "Everyone - Modify" and "Administrators - Full Control". Then set the NTFS permissions as Administrators - Full Control and Everyone - <whatever rights needed>.

That should handle your need.


Three things need to be done to set up access for anonymous users under the "Everyone" group, which is cleaner than using 'ANONYMOUS LOGON' explicitly:

1. Create the File Share

  • NTFS permissions: set 'Read & Execute', 'List Folder Contents', and 'Read' for the 'Everyone' group
  • Share permissions: set 'Read' for the "Everyone" group

2. Adjust Local Security Policy

Open "Local Security Policy", navigate to Security Settings -> Local Policies -> Security Options, and set:

  • Network access: Let Everyone permissions apply to anonymous users - Enabled
  • Network access: Restrict anonymous access to Named Pipes and Shares - Disabled
  • Edit Network access: Shares that can be accessed anonymously to be the name of the share you created. (Formatting is ambiguous, but don't include the server name, and presumably this is a comma-delimited list if you need more than one.)

3. Allow Access Without a Password

  • Open "Advanced sharing settings", either from "Network and Sharing Center" in Control Panel, or by clicking the link in Properties on the directory (under Password Protection).
  • Change the "Password protected sharing" setting to off.

Other notes:

  • Permissions need to be granted for users BOTH on the NTFS and Share levels
  • Consider any testing you do on a machine logged in as a user whose name matches one on your server to be useless (but rebooting a true test machine will not be necessary)
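
An added audit script, not part of either answer above, that checks a server after these steps: it reads the registry values that back the three "Network access" policies and flags any share-level or NTFS entry giving Everyone or ANONYMOUS LOGON more than read access. It assumes a placeholder share name `Public`, an elevated session, and the SmbShare cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example (constructed): read-only audit of the settings described above.
# Run elevated on the file server. 'Public' is a placeholder share name.
param([string]$ShareName = 'Public')

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$anonSids = 'S-1-1-0', 'S-1-5-7'   # Everyone, ANONYMOUS LOGON

function Get-RegValue($Path, $Name) {
    # Returns $null when the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Registry values behind the three "Network access" policies
$nullShares = @(Get-RegValue $srv 'NullSessionShares') | Where-Object { $_ }
[pscustomobject]@{
    EveryoneIncludesAnonymous = Get-RegValue $lsa 'EveryoneIncludesAnonymous'  # 1 = Enabled
    RestrictNullSessAccess    = Get-RegValue $srv 'RestrictNullSessAccess'     # 0 = Disabled
    NullSessionShares         = $nullShares -join ', '
    TargetShareListed         = $nullShares -contains $ShareName
    OtherSharesListed         = @($nullShares | Where-Object { $_ -ne $ShareName }) -join ', '
} | Format-List

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Share-level ACEs that give Everyone / ANONYMOUS LOGON more than Read
$shareFindings = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $sid = try { ([System.Security.Principal.NTAccount]$_.AccountName).Translate($sidType).Value } catch { $null }
    $anonSids -contains $sid -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read'
}

# NTFS ACEs (explicit and inherited) on the shared folder that allow writing or ACL changes
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ntfsFindings = (Get-Acl -Path $share.Path).GetAccessRules($true, $true, $sidType) | Where-Object {
    $anonSids -contains $_.IdentityReference.Value -and
    $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits)
}

if ($shareFindings -or $ntfsFindings) {
    Write-Warning "Anonymous-capable principals have more than read access on '$ShareName':"
    $shareFindings | Format-Table AccountName, AccessRight
    $ntfsFindings  | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "No write-capable ACEs for Everyone / ANONYMOUS LOGON on '$ShareName'."
}
```

The script only inspects the top-level folder's ACL; subfolders with broken inheritance need the same check. Any entry under `OtherSharesListed` is a share reachable by null sessions besides the one you intended.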