Disable anonymous access to shares

    Question

  • Hi Everyone.

    As part of our cyber threat initiative, I’m tasked with disabling anonymous access to shares throughout the organization. Before doing so, I wish to mitigate the risk of impact by identifying all instances that currently allow anonymous access to shares, on workstations and servers.

    What to look for? Are there any hard and fast rules that exist to confirm the presence of anonymous access to shares? For instance, is the local guest account required for anonymous access to shares? If so, I could quickly validate the enabled state of the local guest account!

    Any help is truly appreciated.


    Ernie Prescott

    Tuesday, June 12, 2018 1:26 PM

All replies

  • Hi,

    Anonymous basically contains only the anonymous user. This user is a special one, used for all anonymous access.

    If you disable it, users who log on anonymously (also known as null session connections) cannot display lists of domain user names, nor share names. Also, these users cannot view security permissions, and they cannot use all of the features of Windows Explorer, Local Users and Groups, and other programs that enumerate users or shares.

    The guest account is an account for people who do not have individual accounts. This user account does not require a password. The Guest group stores registered users. They can have different policies than anonymous.

    If you need to list all the permissions for a specific user account, you may need to use some tools or scripts.

    http://www.itprotoday.com/security/using-accesschk-view-which-files-and-folders-user-has-access

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    https://gallery.technet.microsoft.com/scriptcenter/b3961e31-3843-4163-9e39-633518d3a362

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 13, 2018 3:11 AM
    Moderator
  • Hi Mary

    Thanks for providing this information, however I don't think you answered my question. 

    I'm being asked to set “Network access: Shares that can be accessed anonymously” to none in GPOs that will be applied to all computer objects. 

    Before doing this, I need to identify if there currently are shares that can be accessed anonymously. I need to identify what to look for to identify this in my network.

    Regards

    Ernie


    Ernie Prescott

    Wednesday, June 13, 2018 2:34 PM
  • Hi Ernie,

    I'm afraid there's no built-in method with which you could directly list all the share folders that are accessed by the anonymous account.

    And as I said before, you may need to use scripts to list all the share permissions and NTFS permissions of all the share folders for the user account. In your scenario, this user account is the anonymous account. Maybe you could refer to the scripts mentioned above.

    Best Regards,

    Mary



    Thursday, June 14, 2018 1:53 AM
    Moderator
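
An added example, not part of the thread and not one of the linked scripts: a PowerShell check, run locally on each machine, that reports the registry values behind the policy named in the question ("Network access: Shares that can be accessed anonymously" is stored as `NullSessionShares`), the related `RestrictNullSessAccess` and `EveryoneIncludesAnonymous` values, the state of the built-in Guest account, and every share ACL entry that allows ANONYMOUS LOGON, Everyone, Guests or Guest. It assumes Windows 8 / Server 2012 or later, PowerShell 5.1 and an elevated session; the function name `Get-AnonymousShareExposure` is hypothetical.

```powershell
# Added example: local audit of settings and share ACLs relevant to anonymous (null session) access.
# Assumes an elevated PowerShell 5.1 session on Windows 8 / Server 2012 or later.
function Get-AnonymousShareExposure {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $srv
    $l = Get-ItemProperty -Path $lsa

    # Well-known SIDs, matched instead of names so localized systems are covered too.
    $watch = @{
        'S-1-5-7'      = 'ANONYMOUS LOGON'
        'S-1-1-0'      = 'Everyone'
        'S-1-5-32-546' = 'Guests'
    }

    $aclHits = foreach ($share in Get-SmbShare) {
        foreach ($ace in ($share | Get-SmbShareAccess)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = ([Security.Principal.NTAccount]$ace.AccountName).Translate([Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # account name could not be resolved; skip this entry
            $isGuest = $sid -match '^S-1-5-21-.+-501$'   # built-in Guest account (RID 501)
            if ($watch.ContainsKey($sid) -or $isGuest) {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Account = $ace.AccountName
                    Right   = $ace.AccessRight
                }
            }
        }
    }

    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        NullSessionShares         = @($p.NullSessionShares | Where-Object { $_ })   # empty = policy already "none"
        RestrictNullSessAccess    = $p.RestrictNullSessAccess      # 1 = only listed shares/pipes allow null sessions
        EveryoneIncludesAnonymous = $l.EveryoneIncludesAnonymous   # 1 = Everyone ACEs also apply to anonymous
        GuestEnabled              = [bool]$guest.Enabled
        ShareAclHits              = @($aclHits)
    }
}

Get-AnonymousShareExposure | Format-List
```

A machine with a non-empty `NullSessionShares` list is one where the planned GPO changes behaviour; the `ShareAclHits` entries show share-level permissions only, so NTFS permissions on `Path` still need a separate check.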