Network access: Sharing and security model for local accounts
When you are at another computer on the network and connect to a shared resource on this computer (i.e. a shared folder) using a local account on this computer (as opposed to a domain account), Windows uses this setting to determine which mode to use in handling the logon.
- Classic: In this mode local accounts authenticate as themselves. If a user on another computer establishes a network logon to this computer as local account Bob, Windows enforces access control as normal, allowing the user to access objects and perform operations as allowed for Bob.
- Guest only: In this mode all local accounts authenticate as Guest. If a user on another computer establishes a network logon to this computer as local account Bob, Windows treats the logon as Guest. No matter what local account you use to authenticate, you always get logged on as Guest. In fact you can simply connect anonymously (depending on Network access: Restrict anonymous access to Named Pipes and Shares) and you will still be authenticated as Guest. Of course the Guest account must be enabled or no one will be able to log on. If the computer does NOT belong to a domain, the access control list for shared folders is simplified so that you just select Full Control or Read Only access, which is then applied to all local users connecting over the network. If this computer is part of a domain, share ACLs remain normal, allowing you to specify different permissions for different users and groups. When this mode is selected and the computer is a member of a domain, domain users are allowed to connect and access shares according to their permissions, but local accounts continue to authenticate as Guest and only have access to objects where Guest has been granted permissions.
Bottom line
Guest only mode is intended for non-domain, home or other simple, low-security networks where users need to share folders with each other and don't require different levels of access for different users. Typically you should configure this setting as Classic.
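The following PowerShell audit helper is an added example, not part of the original wiki page. It assumes the policy is stored in the `ForceGuest` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (0 = Classic, 1 = Guest only) and that the built-in Guest account is the local account with RID 501; the function names `Resolve-SharingModel` and `Get-SharingModel` are hypothetical.

```powershell
# Added example, not from the original page. Function names are hypothetical.
# Assumption: the policy is stored as Lsa\ForceGuest (0 = Classic, 1 = Guest only).
function Resolve-SharingModel {
    param([Nullable[int]]$ForceGuest, [bool]$GuestEnabled, [bool]$PartOfDomain)
    $notes = @()
    if ($null -eq $ForceGuest) {
        $mode = 'NotConfigured'
        $notes += 'ForceGuest is absent; the operating system default applies.'
    } elseif ($ForceGuest -eq 1) {
        $mode = 'GuestOnly'
        $notes += 'Network logons with any local account are treated as Guest.'
        if (-not $GuestEnabled) {
            $notes += 'Guest is disabled, so local-account network logons will fail.'
        }
        if ($PartOfDomain) {
            $notes += 'Domain users still connect under their own permissions.'
        } else {
            $notes += 'Share ACLs are simplified to Full Control or Read Only for all local users.'
        }
    } elseif ($ForceGuest -eq 0) {
        $mode = 'Classic'
        $notes += 'Local accounts authenticate as themselves; normal access control applies.'
    } else {
        $mode = 'Unknown'
        $notes += "Unexpected ForceGuest value: $ForceGuest"
    }
    [pscustomobject]@{
        Mode                  = $mode
        GuestEnabled          = $GuestEnabled
        PartOfDomain          = $PartOfDomain
        MatchesRecommendation = ($mode -eq 'Classic')   # the page recommends Classic
        Notes                 = $notes
    }
}

# Reads the three inputs from the local machine and evaluates them.
function Get-SharingModel {
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name ForceGuest -ErrorAction SilentlyContinue
    # Match Guest by its well-known RID (501) so a renamed account is still found.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    Resolve-SharingModel -ForceGuest $lsa.ForceGuest `
        -GuestEnabled ([bool]$guest.Enabled) -PartOfDomain ([bool]$cs.PartOfDomain)
}

# Constructed input: standalone machine, Guest only mode, Guest account enabled.
Resolve-SharingModel -ForceGuest 1 -GuestEnabled $true -PartOfDomain $false | Format-List
# Live check on the current computer.
Get-SharingModel | Format-List
```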