Howto: Disable Windows Simple File Sharing via the Registry and Local Security Policy

Microsoft KB 307874 describes how to disable Windows XP Professional’s simple file sharing. Why would you want to disable simple file sharing on your workstation? The KB explains:

By default, simple file sharing is enabled on a Microsoft Windows XP-based computer if the computer is not a member of a domain. With simple file sharing, you can share folders with everyone on your workgroup or network and make folders in your user profile private. However, if simple file sharing is enabled, you cannot prevent specific users and groups from accessing your shared folders. If you turn off simple file sharing, you can permit specific users and groups to access a shared folder. Those users must be logged on with the credentials of user accounts that you have granted access to your shared folder.

In a nutshell, if your machine is not a member of a domain and you want to specify non-default NTFS or share permissions, you’ll need to disable simple file sharing.

To disable simple file sharing as explained in KB 304040, follow these steps:

1. Click Start – My Computer

2. On the Tools menu, click Folder Options – View

3. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box – OK

This method works just fine, but I wanted to disable simple file sharing on machines that had already been deployed, without any end user interaction. I figured the easiest way to do this was to edit the registry on the remote machines. KB 290403 explains that the registry value that needs to be changed to disable simple file sharing is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest

Change the value from 1 (simple file sharing enabled) to 0 (simple file sharing disabled).
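One way to script the registry change above across already-deployed machines, as an added example that is not part of the original post. The computer names and the -Apply switch are hypothetical, and the script assumes it is run from an admin workstation with PowerShell:

```powershell
# Added example: report, and optionally set, ForceGuest on remote machines.
# The names in $Computers are placeholders; replace them with your own inventory.
param(
    [string[]]$Computers = @('WKSTN-01', 'WKSTN-02'),
    [switch]$Apply    # without -Apply the script only reports the current value
)

$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

foreach ($computer in $Computers) {
    $hklm = $null
    $lsa  = $null
    $row  = @{ Computer = $computer; Before = $null; After = $null; Error = $null }
    try {
        # Connect to HKEY_LOCAL_MACHINE on the remote machine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)

        # Open the Lsa key read-only unless -Apply was given
        $lsa = $hklm.OpenSubKey($lsaPath, [bool]$Apply)
        $row.Before = $lsa.GetValue('ForceGuest', $null)

        # 1 = simple file sharing enabled, 0 = disabled (per KB 290403)
        if ($Apply -and $row.Before -ne 0) {
            $lsa.SetValue('ForceGuest', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $row.After = $lsa.GetValue('ForceGuest', $null)
    }
    catch {
        # Unreachable host, access denied, Remote Registry stopped, and so on
        $row.Error = $_.Exception.Message
    }
    finally {
        if ($lsa)  { $lsa.Close() }
        if ($hklm) { $hklm.Close() }
    }
    # One result object per machine, so the output can be piped to Export-Csv
    New-Object PSObject -Property $row
}
```

Each target needs the Remote Registry service running and an account with administrative rights on it. Run the script once without -Apply to record the current values before changing anything.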

You can also disable simple file sharing by changing the following Local Security Policy:

Security Settings – Local Policies – Security Options – Network Access: Sharing and Security Model for local accounts

Change Guest Only – local users authenticate as guest to Classic – local users authenticate as themselves, then run gpupdate /force from a command prompt.

Please note that if you are running Windows XP Home, you will not have the option to disable simple file sharing through Windows Explorer unless you boot to safe mode.

Comments [2]

  1. Thanks,
    This helped me to install Sophos Antivirus without having to touch each machine to disable Simple File Sharing. We used the Computer Configuration-Windows Settings-Security Settings-Local Policies-Security Options GPO to apply this policy.
    -Scott

  2. Thank you very much. I used the same GPO setting Syscomdt used above. This allowed me to disable SFS across our domain's 100+ computers so that I could install our AntiVirus Enterprise software.
