I always thought that the Local System account cannot access the network resources. I thought that Network Service is meant for that. And I was not the only one. But recently, I accidentally found out that this is not quite true.
There are three built-in accounts in Windows commonly used for services:
- Local System (NT AUTHORITY\System)
  - It has the highest level of permissions on the local system.
  - If the client and the server are both in a domain, the Local System account uses the computer account (hostname$) to log on to the remote computer.
  - If either the client or the server is not in a domain, the Local System account uses ANONYMOUS LOGON.
- Network Service (NT AUTHORITY\Network Service)
  - It has the permissions of an unprivileged normal user on the local system.
  - When accessing the network, it behaves the same as the Local System account.
- Local Service (NT AUTHORITY\Local Service)
  - It has the permissions of an unprivileged normal user on the local system.
  - It always uses ANONYMOUS LOGON, whether the computer is in a domain or not.
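To see how these rules play out on a real host, here is an added PowerShell example (not part of the original post) that lists every service together with the network identity its logon account will present, using the rules above. It reads domain membership from Win32_ComputerSystem and the service logon account from Win32_Service; the mapping function Get-NetworkIdentity is my own helper, not a Windows API.

```powershell
# Added example (not from the original post): map each Windows service to the
# network identity its logon account presents, following the post's rules.
# Assumes a Windows host with the CIM cmdlets (Windows 8 / Server 2012 or later).

$computer = Get-CimInstance -ClassName Win32_ComputerSystem
$inDomain = [bool]$computer.PartOfDomain
# Computer account as seen by a remote server, e.g. CORP\WS01$ (only meaningful in a domain)
$hostAcct = "$($computer.Domain)\$($computer.Name)`$"

# Helper (hypothetical name): network identity for a service's StartName value.
# Win32_Service reports the built-in accounts as "LocalSystem",
# "NT AUTHORITY\NetworkService" and "NT AUTHORITY\LocalService".
function Get-NetworkIdentity {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' {
            # Local System: computer account in a domain, otherwise anonymous
            if ($inDomain) { return $hostAcct } else { return 'ANONYMOUS LOGON' }
        }
        '^NT AUTHORITY\\NetworkService$' {
            # Network Service: same network behaviour as Local System
            if ($inDomain) { return $hostAcct } else { return 'ANONYMOUS LOGON' }
        }
        '^NT AUTHORITY\\LocalService$' {
            # Local Service: always anonymous on the network
            return 'ANONYMOUS LOGON'
        }
        default {
            # Explicit user, domain or managed service account: authenticates as itself
            return $StartName
        }
    }
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName } |
    Select-Object Name, StartName,
        @{ Name = 'NetworkIdentity'; Expression = { Get-NetworkIdentity $_.StartName } } |
    Sort-Object NetworkIdentity, Name |
    Format-Table -AutoSize
```

On a workgroup machine every service running under one of the three built-in accounts ends up in the ANONYMOUS LOGON group, which is the case the rest of the post is about; on a domain member, only Local Service does, and the Security log on the file server will show the others as HOSTNAME$ in its logon events.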
So, network shares can be reached from any of these accounts; what differs is the identity used to authenticate. ANONYMOUS LOGON is not a member of the Everyone group by default, but it can be included by setting the following local policy to Enabled:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Let Everyone permissions apply to anonymous users
Also, to allow anonymous access to a share, two things must be configured:
- Share permissions and local (NTFS) permissions must grant access to Everyone or ANONYMOUS LOGON
- The share must be listed in the following policy: Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network access: Shares that can be accessed anonymously
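The following added PowerShell audit (my own example, not code from the original post) reads the two policy settings just described from their registry backing values and lists, for every non-default share, whether the share ACL grants Everyone or ANONYMOUS LOGON and whether the share is on the anonymous-access list. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated session; it does not inspect NTFS permissions on the share path, which the post notes must also allow access.

```powershell
# Added example (not from the original post): audit the settings that together
# permit anonymous (null-session) access to a share. Read-only; run elevated.
# The registry values are the documented backing stores of the two policies named above.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# "Network access: Let Everyone permissions apply to anonymous users" (REG_DWORD, 1 = Enabled)
$everyoneIncludesAnon = (Get-ItemProperty -Path $lsaKey -Name EveryoneIncludesAnonymous `
    -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous

# "Network access: Shares that can be accessed anonymously" (REG_MULTI_SZ of share names)
$nullSessionShares = (Get-ItemProperty -Path $srvKey -Name NullSessionShares `
    -ErrorAction SilentlyContinue).NullSessionShares

"EveryoneIncludesAnonymous = $(if ($everyoneIncludesAnon -eq 1) { 'Enabled' } else { 'Disabled (default)' })"
"NullSessionShares         = $(if ($nullSessionShares) { $nullSessionShares -join ', ' } else { '<none>' })"
''

# For each non-default share, report the two conditions the post lists.
# A share is reachable anonymously only when a grant exists AND it is on the null-session list;
# a grant to Everyone additionally needs EveryoneIncludesAnonymous = 1 to cover anonymous users.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share  = $_
    $grants = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccountName -match '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON)$' }

    $grantText = ($grants | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
    $onList    = [bool]($nullSessionShares -contains $share.Name)

    # Effective only if the grant is to ANONYMOUS LOGON directly, or to Everyone with the policy enabled
    $grantCoversAnon = ($grants | Where-Object {
        $_.AccountName -ne 'Everyone' -or $everyoneIncludesAnon -eq 1 }) -ne $null

    [pscustomobject]@{
        Share               = $share.Name
        Path                = $share.Path
        AnonymousGrant      = if ($grantText) { $grantText } else { '<none>' }
        OnNullSessionList   = $onList
        AnonymousReachable  = ($grantCoversAnon -and $onList)
    }
} | Format-Table -AutoSize
```

Shares that show AnonymousReachable = True are the ones a Local Service account on any machine, or a Local System / Network Service account on a non-domain machine, can open without credentials; on a file server that is usually an unintended configuration and worth reviewing.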