
Windows File Sharing Without a Domain Controller Using JumpCloud

Written by David Worthington on December 9, 2021


This tutorial outlines the steps required to establish domainless Windows file sharing for small teams that only need to grant access to a handful of end users. This configuration makes it possible to migrate away from Active Directory (AD) while maintaining established workflows by leveraging Integrated Windows Authentication and local groups. This approach reduces IT overhead and adds user convenience while delivering modern authentication features such as Push MFA and conditional access.

Prerequisites

  • Have a JumpCloud account
  • Install the JumpCloud agent on your server and workstations
    • Workstations do not need to be Professional editions of Windows
  • Have a local file server
    • Ensure that NTLM isn’t disabled
  • Know your local user names
  • File access from outside your network will not be possible without a VPN, just as when you use a file server with Active Directory.

In this setup, JumpCloud assumes the role of Active Directory by syncing accounts across devices. IT departments do not require any knowledge of user account passwords for this configuration, because JumpCloud provides the same credentials to every server resource. Windows NTLM authentication only requires that the same username and password reside on each file server, which is exactly what JumpCloud’s agent provides.

Next, JumpCloud pushes local group assignments and rights to each shared folder on the file server. This is made possible by the “Commands” role within Device Management. Every command requires a runner (superuser) and a target of either a device group or individual devices. Commands include a Results tab that displays any error messages.

PowerShell Commands to Establish Your Shares

  1. Create the local group:
New-LocalGroup -Name "FileShareUsers"

Please note that this command will not work if the Windows PowerShell checkbox isn’t selected.

The result will be a local group created on your file server as seen below in the Computer Management interface.

The next step is to add members to the group so that they can collaborate.

  2. Add members to the group (after the user was created in JumpCloud):
Add-LocalGroupMember -Group "FileShareUsers" -Member "YOURNAME"

This step will have to be repeated on a per-user basis for the target Windows devices. Alternatively, you can create multiple lines within the same JumpCloud command by copying and pasting the line, changing the user names, and targeting a Device Group so that this step runs only once.

Please note that this command will not work if the Windows PowerShell checkbox isn’t selected.

The image below illustrates the result in the Computer Management interface. You’ll notice that the user is now in the local group.

  3. Create the folder to be shared:
New-Item -Path "C:\MyFolder" -ItemType Directory

Please note that this command will not work if the Windows PowerShell checkbox isn’t selected.

There will now be a folder on your C:\ drive that you’ll designate as a shared directory in the next step.

  4. Create the SMB share (Note: we chose to use the same FileShareUsers group for this share and to give it FullAccess; the documentation shows how this can be changed.):
New-SmbShare -Name "MyFileShare" -Path "C:\MyFolder" -FullAccess "FileShareUsers"

Please note that this command will not work if the Windows PowerShell checkbox isn’t selected.

Windows Advanced Sharing Settings

Next, you’re going to enable sharing for ‘MyFolder’. Right-click the folder, select Advanced Sharing, and add the group “FileShareUsers” to the folder with the appropriate permissions.

The local user group provides read-only access to the file share.
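The four commands above plus the Advanced Sharing step, collected into one re-runnable script, as an added example that is not part of the original article or JumpCloud's own tooling. It assumes Windows PowerShell 5.1 running elevated on the file server, that the JumpCloud agent has already created the local user accounts named in $Members (YOURNAME is a placeholder), and it sets the NTFS permissions with Set-Acl instead of the Advanced Sharing dialog. Effective access to an SMB share is the intersection of the share permission and the NTFS ACL, so the FullAccess share permission from the article is narrowed here by an NTFS grant that defaults to read-only, matching the sentence above.

```powershell
# Added example (not from the original article): end-to-end provisioning of the
# domainless file share described in the four steps above.
# Assumptions: elevated Windows PowerShell 5.1 on the file server; the JumpCloud
# agent has already synced the local users listed in $Members.
#Requires -RunAsAdministrator

$GroupName  = 'FileShareUsers'
$FolderPath = 'C:\MyFolder'
$ShareName  = 'MyFileShare'
$Members    = @('YOURNAME')           # placeholder; replace with your local user names
$NtfsRight  = 'ReadAndExecute'        # read-only for the group; use 'Modify' if the team must write

# 1. Create the local group only if it does not already exist, so the script can be re-run.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Users allowed on the domainless file share'
}

# 2. Add each member, skipping names the agent has not created yet or that are already present.
foreach ($user in $Members) {
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        Write-Warning "Local user '$user' does not exist on this server yet; skipping."
        continue
    }
    $already = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like "*\$user" }
    if (-not $already) {
        Add-LocalGroupMember -Group $GroupName -Member $user
    }
}

# 3. Create the folder if needed.
if (-not (Test-Path -Path $FolderPath)) {
    New-Item -Path $FolderPath -ItemType Directory | Out-Null
}

# 4. Create the share with the FullAccess share permission used in the article.
#    The NTFS ACL below is what actually limits what the group can do.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -FullAccess $GroupName
}

# NTFS permissions (replaces the Advanced Sharing dialog): stop inheriting from C:\
# so the built-in 'Users' entry no longer lets every local account read the folder,
# then grant only SYSTEM, Administrators and the share group.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited entries
$grants = @(
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @($GroupName,               $NtfsRight)
)
foreach ($g in $grants) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $FolderPath -AclObject $acl

# Show the resulting share and the effective NTFS entries for review.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $FolderPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because every step checks for existing state before acting, the same script can be pasted into a JumpCloud command and targeted at a Device Group without creating duplicate groups or failing on a second run; the ACL block, however, always rewrites the folder's permissions, so review the final table before relying on it.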

This is an example of what the shared folder will look like on other devices.

Your network file share is now established and can be accessed from other PCs within your organization that have the JumpCloud agent installed and the drive mapped for sharing. However, we strongly advise optimizing your security before this workflow goes into production.

Before you get started, review the classification of data within your organization and follow an administrative model (consider migrating sensitive data to secure cloud services).

Hardening NTLM

This step should be considered mandatory. NTLM is supported by Microsoft and is the fallback protocol suite when Kerberos isn’t available. It’s important to follow the hardening steps below to prevent downgrade attacks. There are three categories of changes that you should work through prior to deploying domainless file sharing. They are:

  • PowerShell commands that help to mitigate some of the vulnerabilities discovered by security researchers and by Microsoft
  • Conditional access to secure access to your internal network resources
  • Directory Insights to monitor access attempts for any irregularities

Legacy versions of Windows Server (pre Windows 2008) may encounter compatibility issues with these commands. Record the previous registry key values so that you can roll back to the previous configuration if needed. Please refer to Microsoft’s documentation on NTLM before creating this workflow.

Harden NTLM Using PowerShell 

These commands will be executed to remove outdated password handling mechanisms within Windows. Please do not skip this step, and use EDR to prevent rogue files from entering your shares.

# Inspect the current value first (the cmdlet name is missing from the original text; Get-ItemProperty is assumed here)
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'LmCompatibilityLevel'
# Level 5: send NTLMv2 responses only and refuse LM and NTLMv1; -Force overwrites an existing value
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\' -Name 'LmCompatibilityLevel' -Value 5 -Force

You may also consider disabling the WinHTTP Web Proxy Auto-Discovery service (WPAD, the service controlled by the registry value below) for remote users only. Disabling it on PCs that rely on WPAD for their proxy configuration on a LAN could disrupt internet access.

HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Start    REG_DWORD    4
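An audit-then-apply version of the two registry changes above, as an added example that is not part of the original article. It goes beyond the page's two values by also checking NtlmMinClientSec/NtlmMinServerSec (the MSV1_0 values that require NTLMv2 session security and 128-bit encryption) and SMB server signing, which is what stops a relayed NTLM authentication from being usable against the share; those additions are this example's assumptions about a sensible baseline, not settings the article lists. It assumes elevated Windows PowerShell 5.1; without -Apply it only reports drift, and -DisableWpad opts into the optional WPAD change.

```powershell
# Added example (not from the original article): report, and optionally enforce,
# an NTLM hardening baseline on the file server and workstations.
# Assumptions: elevated Windows PowerShell 5.1. Run with no switches to audit,
# -Apply to change settings, -DisableWpad to include the optional WPAD service change.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Apply,
    [switch]$DisableWpad
)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$wpad = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'

# Desired registry values and what each one enforces.
$desired = @(
    # 5 = send NTLMv2 only, refuse LM and NTLMv1 responses (the article's value).
    @{ Path = $lsa; Name = 'LmCompatibilityLevel'; Value = 5;          Why = 'NTLMv2 only, refuse LM/NTLMv1' }
    # 0x20080000 = require NTLMv2 session security and 128-bit encryption.
    @{ Path = $msv; Name = 'NtlmMinClientSec';     Value = 0x20080000; Why = 'NTLMv2 session security + 128-bit (client)' }
    @{ Path = $msv; Name = 'NtlmMinServerSec';     Value = 0x20080000; Why = 'NTLMv2 session security + 128-bit (server)' }
)
if ($DisableWpad) {
    # Start = 4 disables the WinHTTP auto-proxy service (the article's value).
    $desired += @{ Path = $wpad; Name = 'Start'; Value = 4; Why = 'WPAD service disabled' }
}

$drift = 0
foreach ($d in $desired) {
    $current = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    $state = if ($current -eq $d.Value) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-24} current={2,-11} wanted={3,-11} {4}' -f $state, $d.Name, $current, $d.Value, $d.Why
    if ($state -eq 'DRIFT') {
        $drift++
        if ($Apply) {
            # -Force overwrites an existing value or creates a missing one as REG_DWORD.
            New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

# SMB signing: a required signature on the server side means an NTLM exchange
# relayed from elsewhere cannot be used to open a session on this share.
$smb = Get-SmbServerConfiguration
if ($smb.RequireSecuritySignature) {
    'OK     RequireSecuritySignature current=True        wanted=True        SMB signing required'
} else {
    $drift++
    'DRIFT  RequireSecuritySignature current=False       wanted=True        SMB signing required'
    if ($Apply) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

if ($drift -gt 0 -and -not $Apply) {
    "$drift setting(s) differ from the hardened baseline; re-run with -Apply to change them."
} elseif ($drift -gt 0) {
    "$drift setting(s) changed; LSA changes take effect after a reboot."
}
```

Run the audit mode on the file server and on a representative workstation before applying: the LmCompatibilityLevel and MSV1_0 values must match on both ends, because a workstation still permitted to send NTLMv1 will simply be refused by a server set to level 5, which shows up as failed logons rather than as a clear error.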

Conditional Access

JumpCloud limits which devices may access applications and other resources through SSL/TLS certificates. This is fundamental to conditional access, which can further secure access to resources via geofencing and other measures such as requiring MFA. These features are included in the JumpCloud Platform Plus package. JumpCloud also provides policies to ensure that Windows updates are applied and not delayed, which helps to ensure that any high-priority security patches are delivered to your Windows endpoints.

Monitoring also helps to ensure that your configuration isn’t being misused.

Directory Insights

Directory Insights is a standard JumpCloud feature that provides an audit trail of user logins, so unauthorized attempts will be noticed and you’ll be alerted. Directory Insights is a component of the platform and has no additional cost to access.
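A server-side complement to the Directory Insights audit trail, as an added example that is not part of the original article and does not use the JumpCloud API. It reads the file server's own Security log for NTLM network logons (logon type 3, which is how SMB clients authenticate) and reports the irregularities a defender would want to see for this setup: any NTLMv1 logon, which means the LmCompatibilityLevel hardening has not taken effect on some client; repeated failures from one source; and logons by accounts that are not in FileShareUsers. It assumes elevated PowerShell on the file server with logon auditing enabled (events 4624/4625), and the -Hours and -FailureThreshold parameters are this example's own.

```powershell
# Added example (not from the original article): review NTLM network logons on
# the file server's Security log and report irregularities.
# Assumptions: elevated PowerShell on the file server; "Audit Logon" enabled so
# events 4624 (success) and 4625 (failure) are recorded.
param([int]$Hours = 24, [int]$FailureThreshold = 5)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event's EventData XML into a record we can group and filter on.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -ne '3') { continue }                       # network (SMB) logons only
    if ($d.AuthenticationPackageName -notlike 'NTLM*') { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $d.TargetUserName
        Source  = $d.IpAddress
        Package = $d.LmPackageName      # 'NTLM V1' or 'NTLM V2' on 4624
        Status  = $d.Status             # NTSTATUS failure code on 4625
    }
}

$findings = @()

# 1. NTLMv1 still in use: the LmCompatibilityLevel change has not reached that client.
$records | Where-Object { $_.Id -eq 4624 -and $_.Package -eq 'NTLM V1' } | ForEach-Object {
    $findings += "NTLMv1 logon by '$($_.User)' from $($_.Source) at $($_.Time)"
}

# 2. Repeated failures from one source: a guessing attempt or a stale saved credential.
$records | Where-Object Id -eq 4625 | Group-Object Source | ForEach-Object {
    if ($_.Count -ge $FailureThreshold) {
        $users = ($_.Group.User | Sort-Object -Unique) -join ','
        $findings += "$($_.Count) failed NTLM logons from $($_.Name) (accounts tried: $users)"
    }
}

# 3. Successful logons by accounts outside the share group (machine accounts end in '$' and are skipped).
$allowed = (Get-LocalGroupMember -Group 'FileShareUsers' -ErrorAction SilentlyContinue).Name |
           ForEach-Object { $_.Split('\')[-1] }
$records | Where-Object Id -eq 4624 | Select-Object -ExpandProperty User -Unique | ForEach-Object {
    if ($_ -notmatch '\$$' -and $_ -notin $allowed) {
        $findings += "Network logon by '$_', who is not a member of FileShareUsers"
    }
}

if ($findings) {
    $findings
} else {
    "No findings in the last $Hours hour(s) ($($records.Count) NTLM network logon events reviewed)."
}
```

Scheduling this on the file server and forwarding its output alongside Directory Insights gives two independent views of the same logons: the identity platform sees the account activity, and the server sees the protocol version and source address that the identity platform cannot.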

Try JumpCloud

Domainless Windows file sharing is possible with JumpCloud using Integrated Windows Authentication (IWA). JumpCloud is free for your first 10 devices and users, with complimentary access to premium support 24x7x365 during the initial 10 days after your signup.


Special thanks to at Plus500

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
