There are many articles on how to get non-Windows machines to access Windows 7 shared files, but I found out the hard way that there’s always something amiss. So here’s my take on it.
First, if you have the ability to use Homegroups – then use them. While right now this is limited to networking between Windows 7 machines (and perhaps some other Microsoft devices), it’s the way of the future. Homegroups are simple to set up, (probably) secure and most importantly, they just work. No messing with user names, machine names, domains, workgroups, NETBIOS and God knows what other arcane Windows networking lore.
But if you have to access Windows 7 files from a device such as the O!Play media player or another Linux box, then you might have to work at it.
It would be good if you could restrict access only to authenticated users but I was not able to do so or find any guide that allows it. Therefore only anonymous access will be allowed, which is very convenient and very insecure. So bear in mind that there’ll be little to no security on those files that you allow access to. Therefore only share stuff that is intended to be public using this method. I.e. share your multimedia but don’t share your private financial documents and serial numbers and such. Or if you do, make sure you’re on the private network.
You can use Homegroups alongside “classic” shares – that’s what I’m doing, with the intention of eventually retiring classic sharing, though I have no fantasies about that happening any time soon.
Go to the folder you want to share using Windows Explorer, right-click on it and select Properties. Go to the Security tab and click “Edit…”. Now click “Add..” and type “Everyone”, click “Check Names” and then “OK”. In short, add “Everyone” to the list of “users” that can access this folder. It may already be there, depending on what you are trying to share.
Now we need to let Windows 7 know that “Everyone” includes anonymous. There actually is “ANONYMOUS LOGON” “user” defined but I was not able to get it to work. So be aware that from now on everything that has “Everyone” in its security list will potentially be available to anyone who can see your PC regardless of whether they have any kind of account on it. To do this go to Local Security Policy – just click on the Windows button and start typing in the search box, you won’t even have to type more than 2 letters before it shows up. Alternately you can go to Control Panel, open System and Security, Administrative Tools and then Local Security Policy. Anyway, go to Local Policies, Security Options and scroll down to “Network access: Let Everyone permissions apply to anonymous users”. Set this to “Enabled”. Don’t close this window, we’ll change a few more options.
Make sure that Restrict anonymous access to Named Pipes and Shares is disabled. Alternately, you can let it be enabled and then manually enter all shares you intend on being available anonymously using the “Shares that can be accessed anonymously” setting. This might provide better security.
Next, Sharing and Security Model for local accounts should be set to Classic.
There are several other settings that should not be touched if they are at their defaults. Those are: Accounts: Limit local account use of blank passwords to console login (should be enabled), Network access: Do not allow anonymous enumeration of SAM accounts and shares (disabled).
Make sure Guest account is disabled.
Now go to Control Panel, Network sharing, Change advanced sharing settings. Turn on network discovery, file and printer sharing and public folder sharing (you might not need it but the music and video I want to share are in the public folders). Finally, turn off Password protected sharing.
Now reboot and you should be able to browse your Windows 7 PC and access folders you designated as shared to “Everyone”. A few things to note: changing settings through Local Security Policy can cause a change of options in the “Advanced Network Sharing” so you should do those changes last. E.g. password protected sharing tends to get turned off often in my experience. You also may need to first stop sharing folders and remove “Everyone”, to start from a clean slate so to speak. If you use Homegroup sharing you might end up “competing” for privileges on some folders so you may not keep removing/adding Homegroup – e.g. right-click, “Share with…”, “Specific people…” and so on.
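Because these settings can change without warning, it helps to check which of them are actually in effect and how exposed the machine currently is. The following read-only PowerShell check is an added example, not part of the original post; it reads the registry values that back the Local Security Policy options named in the steps above (the value names are the standard ones for these policies) and assumes an elevated prompt.

```powershell
# Read-only audit of the anonymous-access settings changed in this guide.
# Works on PowerShell 2.0 (Windows 7); run from an elevated prompt.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Policy name, registry location, and the value the guide ends up with.
$checks = @(
    @{ Policy = 'Let Everyone permissions apply to anonymous users'
       Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Guide = 1 },
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares'
       Path = $srv; Name = 'RestrictNullSessAccess'; Guide = 0 },
    @{ Policy = 'Sharing and security model for local accounts (0 = Classic)'
       Path = $lsa; Name = 'ForceGuest'; Guide = 0 },
    @{ Policy = 'Limit local account use of blank passwords to console logon'
       Path = $lsa; Name = 'LimitBlankPasswordUse'; Guide = 1 },
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Guide = 0 }
)

function Get-PolicyValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }   # $null means the value is not set
}

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Name
    New-Object PSObject -Property @{
        Policy       = $c.Policy
        Value        = $(if ($null -eq $v) { '(not set)' } else { $v })
        MatchesGuide = ($v -eq $c.Guide)
    }
}
$report | Select-Object Policy, Value, MatchesGuide | Format-Table -AutoSize

# Allow-list used when the Named Pipes and Shares restriction is left enabled.
$shares = Get-PolicyValue $srv 'NullSessionShares'
"Shares that can be accessed anonymously: " + $(if ($shares) { $shares -join ', ' } else { '(none)' })

# Built-in Guest account (its SID always ends in -501); the guide expects it disabled.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-501' }
"Guest account disabled: " + $guest.Disabled
```

A row with MatchesGuide = True for the first two policies means anything shared to “Everyone” is reachable without an account, so the same output doubles as a quick exposure check before connecting to a network you don't control.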
UPDATE: As I witnessed again yesterday, it looks like Homegroup networking is really not compatible with “classic” SMB file sharing. I have copied a file from my laptop to my PC via homegroups and suddenly my ASUS O!Play was not able to access any folders; it was able to log in and see the list of folders but that was it. I had to: disable Guest account AGAIN, reboot, disable password-protected file sharing AGAIN but only after half an hour of fiddling with shares and their security settings. In summary, don’t expect to be able to use both methods of sharing at the same time. Read access may work but as soon as you do any writing to the “server”, it will have some of its settings reset. I hope developers start switching to Homegroups for Windows file sharing ASAP – it’s really a better, simpler method. I am not sure how open Microsoft is to this though as nothing but Windows 7 and Xbox 360 support it right now.