WinSecWiki > Security Settings > Local Policies > Security Options > Network Access > Shares that can be accessed anonymously

Network access: Shares that can be accessed anonymously

This setting allows you to define exceptions to the “Network Access: Restrict anonymous access to Named Pipes and Shares” setting below. Shares listed in this setting can still be accessed anonymously (aka Null Session) even if “Network Access: Restrict anonymous access to Named Pipes and Shares” is enabled. This setting is necessary since there are a few components of Windows with shares that must allow anonymous access in order to function. 

Default value:

• COMCFG – This share only needs to exist on Host Integration Servers for SNA networking. The shared folder on HIS servers contains the COM.CFG file is where SNA Server configuration information is kept for the SNA Server subdomain. While this share name is listed by default, the share itself only exists on HIS servers.

• DFS$ - This share only exists on servers running Distributed File System

Bottom line

Typically you should leave this setting with its defaults. It’s possible you may install software that requires an adjustment to this setting in order to function or there may be a security vulnerability in the future in which a workaround is to remove the affected share from this list.

Back to top

 

Upcoming Webinars Uncovering and Addressing the Blind Spots in Privileged Access Management Agentless Event Log Collection for the Modern Entra-Joined Windows 11 Endpoint The Changing Landscape of Authentication and Logon Tracking in Hybrid Environments of Entra and AD

Additional Resources