Configuring Windows Server 2008 R2 as a non-domain file server

Monday 28 November 2011

Oh dear lord, I’ve just lost two days of my life trying to find the exact incantation to persuade a fresh install of Windows Server 2008 R2 to act as a file server on my home network. I last did this two and a half years ago, and it’s taken me two days to regain the knowledge.

Here’s the list of things you need to do to make it play nicely, both with anonymous / legacy accounts and operating systems, and to allow access control for protected shares. Be aware that the settings under step 2 (all but the NoLMHash one) deliberately loosen anonymous access and accept LM / NTLMv1 authentication so that old clients can talk to the box; that is fine on an isolated home LAN, and a bad idea on anything reachable from a network you don’t control.

  1. Add the file server role
  2. Modify the Local Security Policy –> Local Policies –> Security Options
    1. Network access: Allow anonymous SID/name translation = Enabled
    2. Network access: Do not allow anonymous enumeration of SAM accounts = Disabled
    3. Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled
    4. Network access: Let Everyone permissions apply to anonymous users = Enabled
    5. Network access: Restrict anonymous access to Named Pipes and Shares = Disabled
    6. Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves
    7. Network security: Do not store LAN Manager hash value on next password change = Enabled
    8. Network security: LAN Manager authentication level = Send LM & NTLM - use NTLMv2 session security if negotiated
  3. Flush your group policy like a boss (gpupdate /force)
  4. Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings
    1. Turn on network discovery
    2. Turn on file and printer sharing
    3. Turn on public folder sharing
    4. Turn off password protected sharing (else nobody will be able to browse to machine names)
  5. Turn on the Guest user account
  6. Create any user accounts you want to give specific access to.

Now: anonymous users will be mapped to the Guest account, so shares that grant “Everyone” will work for everybody, and you can log on to the server explicitly as SERVERNAME\user to get that account’s specific rights on mapped network shares.
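The same procedure as a script, so you don’t have to click through secpol.msc again in another two and a half years. This is an added example, not code from the original post: it runs from an elevated PowerShell prompt on Server 2008 R2 (PowerShell 2.0, so no SMB cmdlets, which only arrived in Server 2012), writes the registry values behind each Security Option in step 2, uses secedit for the one option that has no registry value (anonymous SID/name translation), and then does steps 3 to 6. The share paths, share names, the user name “alice” and the English-language firewall rule group names are assumptions; adjust them for your box. Public folder sharing is not covered.

```powershell
# Added example: apply the post's non-domain file server settings on 2008 R2.
# Run from an elevated PowerShell prompt. Paths, share names and 'alice' are
# hypothetical placeholders.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Registry-backed Security Options, named as secpol.msc shows them.
# Home = the post's value; Hardened = the value to put back if the box ever
# leaves the isolated home LAN.
$options = @(
  @{ Name='Do not allow anonymous enumeration of SAM accounts';            Path=$lsa; Value='RestrictAnonymousSAM';      Home=0; Hardened=1 },
  @{ Name='Do not allow anonymous enumeration of SAM accounts and shares'; Path=$lsa; Value='RestrictAnonymous';         Home=0; Hardened=1 },
  @{ Name='Let Everyone permissions apply to anonymous users';             Path=$lsa; Value='EveryoneIncludesAnonymous'; Home=1; Hardened=0 },
  @{ Name='Restrict anonymous access to Named Pipes and Shares';           Path=$srv; Value='RestrictNullSessAccess';    Home=0; Hardened=1 },
  @{ Name='Sharing and security model for local accounts (0 = Classic)';   Path=$lsa; Value='ForceGuest';                Home=0; Hardened=0 },
  @{ Name='Do not store LAN Manager hash value on next password change';   Path=$lsa; Value='NoLMHash';                  Home=1; Hardened=1 },
  @{ Name='LAN Manager authentication level (1 = LM & NTLM, NTLMv2 session security if negotiated; 5 = NTLMv2 only)';
     Path=$lsa; Value='LmCompatibilityLevel'; Home=1; Hardened=5 }
)

function Set-FileServerOptions {
  param([ValidateSet('Home','Hardened')][string]$Profile = 'Home')
  foreach ($o in $options) {
    Set-ItemProperty -Path $o.Path -Name $o.Value -Value $o[$Profile] -Type DWord
  }
}

# Read every value back and report which ones differ from the chosen profile.
function Test-FileServerOptions {
  param([ValidateSet('Home','Hardened')][string]$Profile = 'Home')
  $ok = $true
  foreach ($o in $options) {
    $actual   = (Get-ItemProperty -Path $o.Path -Name $o.Value -ErrorAction SilentlyContinue).($o.Value)
    $expected = $o[$Profile]
    if ($actual -eq $expected) { $state = 'OK  ' } else { $state = 'DIFF'; $ok = $false }
    Write-Host ("{0} {1}={2} (want {3})  {4}" -f $state, $o.Value, $actual, $expected, $o.Name)
  }
  return $ok
}

# "Allow anonymous SID/name translation" lives in the secedit database, not
# the registry, so it is applied through a security template.
function Set-AnonymousSidNameLookup {
  param([int]$Enabled = 1)
  $inf = Join-Path $env:TEMP 'anon-lookup.inf'
  @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
LSAAnonymousNameLookup = $Enabled
"@ | Set-Content -Path $inf -Encoding Unicode
  secedit /configure /db (Join-Path $env:TEMP 'anon-lookup.sdb') /cfg $inf /areas SECURITYPOLICY /quiet
}

# Step 2: the post's settings, then step 3: flush policy.
Set-AnonymousSidNameLookup -Enabled 1
Set-FileServerOptions -Profile Home
gpupdate /force | Out-Null

# Step 4: "network discovery" and "file and printer sharing" are firewall rule groups.
netsh advfirewall firewall set rule group="Network Discovery"        new enable=Yes | Out-Null
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | Out-Null

# Step 5: Guest enabled == "password protected sharing" off; anonymous clients map to Guest.
net user Guest /active:yes | Out-Null

# Step 6: an account for the protected share (you are prompted for the password).
net user alice * /add | Out-Null

# Shares. Share-level ACLs are only the first gate; the NTFS ACL on the folder
# must also keep Guest/Everyone out of the private one, or Guest gets in anyway.
New-Item -ItemType Directory -Force -Path 'D:\Shares\Public', 'D:\Shares\Private' | Out-Null
net share Public=D:\Shares\Public   "/GRANT:Everyone,READ" | Out-Null
net share Private=D:\Shares\Private "/GRANT:alice,CHANGE"  | Out-Null
icacls D:\Shares\Private /inheritance:r /grant "alice:(OI)(CI)M" /grant "Administrators:(OI)(CI)F" | Out-Null

# Confirm the registry really says what secpol.msc will show.
if (-not (Test-FileServerOptions -Profile Home)) { Write-Warning 'Some options did not apply.' }
```

The comma inside the `/GRANT` arguments is quoted on purpose: unquoted, PowerShell splits `Everyone,READ` into two arguments before net.exe ever sees them. Some of the LanManServer values only take effect after the Server service restarts, so reboot (or `Restart-Service LanmanServer`) before testing from a client. `Set-FileServerOptions -Profile Hardened` followed by `Set-AnonymousSidNameLookup -Enabled 0` puts the anonymous-access and NTLM settings back to the strict values if the machine ever needs to face a less trusted network.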

It’s just that easy.

Yeah.