La Secure resource sharing in Windows 11 This can be a real headache, especially since Microsoft removed HomeGroup and has been tightening security measures with each version. Many users encounter strange situations, such as being able to access a resource from another network or segment, but within the same LAN, the system repeatedly asks for their username and password without accepting any credentials.
If something like this happens to you, you're not alone: Windows 10 and Windows 11 (including version 24H2) They have changed the way folders, printers, and drives are shared, and have also strengthened the SMB protocolThis article will guide you step-by-step through how to prepare your network, securely share folders using SMB3, access shared resources from other Windows computers and Linux (Ubuntu), avoid security risks, and resolve common errors that arise when trying to access shared resources. This includes disabling older versions and blocking insecure guest logins.
Basic concepts: from HomeGroup to sharing with SMB in Windows 11
For years, Microsoft bet on the Working Groups and the Household Group HomeGroup was introduced as a simple way to share resources on home networks or in small offices with Windows 7, but it disappeared from the system starting with Windows 10 version 1803, and is now a thing of the past in Windows 11.
At present, Windows 10 and Windows 11 They still allow sharing files, folders, and printers, but rely on the classic mechanisms of the SMB protocol, NTFS permissions, and advanced sharing settings. This makes sharing more flexible and secure, but also means there are more settings to check when something isn't working as it should.
Preparing the network: appropriate profile, detection, and firewall
The first requirement for sharing to work is that the network is properly configured. If your connection is marked as public, Windows blocks most sharing features For security reasons, the teams cannot see each other or access shared folders.
In a home or small office environment, it is recommended to use the Private network profileIn Windows 11, you can change this from Settings > Network & Internet > select the active network > Properties, and then choose Private. If the graphical interface fails, you can always use PowerShell with the commands Get-NetConnectionProfile and Set-NetConnectionProfile to change the network category.advanced network commands).
Once your profile is set to Private, you need to review the advanced sharing settingsFrom Control Panel > Network and Sharing Center > Change advanced sharing settings, make sure the following options are enabled in the private network profile:
- Network discovery (including automatic configuration of connected devices).
- File and printer sharing, essential for other teams to see your resources.
In the All Networks section you will find options such as public folder sharingThe encryption type for SMB connections (it's best to leave it at 128 bits whenever possible) and password-protected sharing. Depending on the level of security you're looking for, you can leave password protection enabled or disable it, keeping in mind that disabling it reduces security, especially if your Wi-Fi isn't well protected.
Requirements and ports needed for SMB sharing
In addition to network settings, secure sharing in Windows 11 relies on some key technical requirementsNTFS is recommended as a file system because it allows granular permissions to be applied to folders and files; with FAT32, for example, you won't have a Security tab in the properties, which greatly limits access control.
Regarding network communication, the SMB protocol uses several TCP and UDP ports. For everything to work, the Windows firewall and intermediate firewalls (for example, a Fortinet between network segments) must allow at least the following:TCP 445 (SMB over TCP Direct) and the NetBIOS-related ports (137, 138, 139) if legacy name resolution mechanisms are still in use. It is also useful to know Techniques for optimizing large transfers between devices on the same LAN.
It is also essential that the user account you use to configure the shared resource has permissions to modify folder propertiesNormally, it is enough to be a local administrator or have sufficient privileges over that path.
Configuring SMB3 and related features in Windows 11 24H2
In modern versions of Windows 10 and Windows 11, the default protocol is SMB 3.xwhich incorporates encryption and performance improvements (SMB Direct, multi-channel, etc.). SMB 1.0 is disabled for security reasons, and should only be enabled if you need to communicate with very old devices that do not support newer versions.
To review or adjust these features, you can go to Control Panel > Programs > Turn Windows features on or off. There you will see entries such as SMB Direct file sharing support and compatibility for SMB 1.0/CIFS file sharing. In a secure environment, it is advisable to:
- Enable SMB Direct If your hardware supports it, it improves performance on fast networks.
- Keep the SMB 1.0/CIFS client/server disabledunless a very old piece of equipment requires it temporarily.
With PowerShell you can check the SMB server configuration with a command like Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocoland adjust values with Set-SmbServerConfiguration. It's common to have SMB2/3 enabled and SMB1 disabled, as the latter is highly vulnerable to malware like WannaCry or NotPetya. In addition, it's advisable to implement general security measures and fast hardening depending on the type of equipment.
Create users and groups to share securely
A highly recommended practice for secure sharing is Don't use your personal account for everything.And certainly don't enable anonymous guest access. Instead, you can create specific accounts on the computer acting as the file server and assign them permissions tailored to what users actually need to do.
In Windows 10/11 Pro, it is convenient to use the tool of Team management (compmgmt.msc). Within Local Users and Groups, you can create users like user11, user12, etc., and group them into their own group (for example, sharegroup1). Then, when sharing a folder, you assign permissions to the group as a whole, and all its members inherit those permissions.
This strategy greatly simplifies management: You add or remove users from the group as needed, instead of adjusting permissions folder by folder. Additionally, you can distinguish between users with read-only access and users with full control by combining share permissions (SMB) and NTFS permissions on the Security tab. To securely manage credentials and access policies, it is recommended to integrate a solution of password management with Bitwarden.
Sharing a folder in Windows 11 with advanced options
The most robust way to share a folder is to use the advanced sharingnot the quick Share button. The flow is similar in Windows 7, 8, 10, and 11, but in the latest versions the interface is more polished.
First, open the File Browser Navigate to the folder you want to share (for example, a subfolder within Documents). Right-click the folder, select Properties, and go to the Sharing tab. From there, click Advanced Sharing and check Share this folder.
In this window you can define the shared resource name (what clients will see on the network) and set limits on simultaneous users. Then, by clicking on Permissions, you can add specific groups or users and decide whether they will have Read, Change, or Full Control. Removing the Everyone group from SMB permissions and working only with specific users/groups is usually more secure.
When you're finished with the shared resource permissions, you should check the tab Security (NTFS permissions)There you can add the same groups or users again (for example, sharegroup1 with Full Control and another user with Read-only permissions) and align SMB and NTFS permissions. Remember that Windows applies the more restrictive of the two layers, so if one level is Read-only, the user will not be able to write even if the other level grants them more permissions.
Access the shared resource from another Windows computer
Once the folder is shared, from the other Windows computer you simply need to open it. Open File Explorer and click on Network. In the left panel, you can view the available computers. Selecting the computer that exposes the resource will display the shared folders, such as the standard Users folder or any custom resources you have created.
You can also go directly to the UNC path in the Explorer's address bar by typing something like \\EquipmentName\ResourceName or by using the server's IP address, for example \\192.168.1.97\share01. This is very useful when, for some reason, the computers are not shown in the Network view or there are name resolution problems.
For convenience, you can assign the resource as a network unitOnce you open the shared folder, right-click on it and choose Map network drive. Choose a drive letter, check the Reconnect at logon box, and finish the wizard. The resource will then appear in "This PC" as if it were another local drive, or you can use Quick Share as a quick alternative.
Access to shared resources from Ubuntu or other Linux distributions
If your network includes both Windows and Linux computers, there's no problem: Ubuntu can access SMB folders You can easily do this using File Explorer. In the left pane, go to Other locations and you'll see Windows Network. You can also directly enter the server path using the format smb://IP, for example, smb://192.168.1.97.
When attempting to connect, the system will ask user and password credentialsYou can use a Windows account with permissions on the shared resource. Then you can choose whether you want Ubuntu to forget the password immediately, remember it until you log out, or store it permanently.
In some cases, you'll see not only the Users folder, but also administrative resources like C$, D$, or ADMIN$. These are hidden Windows administrative resourcesThese are accessible only to accounts with elevated privileges. In Ubuntu, they are displayed openly, but you will need credentials with administrative permissions to access them; otherwise, in practice, you will only be able to use resources like Users or those you have defined yourself.
Connect to a shared folder without asking for a password each time
A very common question is why Windows asks for credentials when accessing \\Computer\Folder even though you've granted access to Everyone in the folder permissions. The reason is that SMB permissions control what an already authenticated user can do.However, authentication is always based on a valid account on the remote computer, unless you allow anonymous or guest access.
However, there is a safe way to prevent Windows from asking for your username and password every time: use the same account and password on both devicesFor example, if on Computer1 you have a user User1 with Password1, and on Computer2 you also create User1 with exactly the same password, when you log in to Computer2 as User1 and access \\Computer1\share, Windows will transparently use those credentials and will not display the login box.
This approach is considered good practice for small, domain-less environments because The connection is still password protectedHowever, the user doesn't have to enter it every time. What is not recommended is completely disabling password protection or enabling broad anonymous access, as this greatly increases the attack surface if someone manages to connect to your network.
Guest, insecure logins, and changes in Windows 11 24H2
In older versions of Windows it was common to use the Guest account to allow very limited access to certain resources. Today, that account is disabled by default, and in recent versions of Windows 10, it can no longer be enabled as before. Furthermore, Microsoft has tightened its handling of unauthenticated guest logins, especially in the context of SMB.
Starting with Windows 11 24H2, the Insecure guest logins are blocked By default, this means that if a shared resource expects guest connections (without credentials), Windows may reject the connection with messages indicating that security policies do not allow unauthenticated guest access. For this to work, you would need to enable the "Enable insecure guest logons" option in Group Policy (Computer Configuration > Administrative Templates > Network > Lanman Workstation) or via the AllowInsecureGuestAuth registry key.
These options can also be adjusted using PowerShell Set-SmbClientConfiguration and Set-SmbServerConfiguration to allow insecure logins or disable mandatory signing. However, it is worth emphasizing that these configurations They go against safety recommendations and should only be used in highly controlled and isolated environments.
Enable or disable SMB 1.0 and check protocol versions
There are still many older devices (old NAS devices, printers, Windows XP) that only talk to themselves SMB1.0In Windows 10/11, this version is disabled by default due to its history of vulnerabilities. If you need to interoperate with one of these machines, you can temporarily enable the SMB1 client and/or server from Windows Features or with PowerShell commands such as Enable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol".
To check which versions are active, Windows offers commands such as Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol or Get-SmbServerConfiguration | select "*enablesmb*". If you want to enforce a more secure environment, you can confirm that SMB1 is disabled and SMB2/3 are enabled. Disabling SMB2 rarely makes sense in current scenarios, except in very specific tests.
It's worth remembering that major ransomware attacks exploiting SMB vulnerabilities (EternalBlue, EternalRomance, and others) relied precisely on SMBv1 defectsSo keeping it turned off whenever possible is a basic hygiene measure.
Windows services and other settings that affect network visibility
In many installations the problem is not so much the shared folder as that The teams can't see each other or the list of computers on the network appears empty. In these cases, it's advisable to check some Windows services related to network discovery, such as:
Function Discovery Provider Host (fdPHost), Function Discovery Resource Publishing (FDResPub), UPNP Host Device (upnphost), and SSDP Discovery (SSDPSRV).
They should all be in Automatic start type and running to ensure consistent detection of computers and resources via File Explorer. If any are stopped, you can start them from services.msc and check if, after a few minutes, the computers appear under the Network section.
In environments where there are persistent access errors, it can also help edit the HOSTS file To manually assign IP addresses to each computer, you can add lines like 192.168.1.3 PCNAME to C:\Windows\System32\drivers\etc\hosts with administrator privileges, thus avoiding reliance on discovery mechanisms that sometimes fail.
Common problems accessing shared resources and how to solve them
Even with correct configuration, it's quite common to encounter cryptic error messages when trying to open a shared resource. One of the most typical is: “Windows cannot access \\hostname\share”, sometimes accompanied by "You do not have permission to access…".
When you see something like this, the first thing to check is that The user has permissions in the folder This applies to both the share and NTFS levels. You can use PowerShell to audit these permissions with `Get-SmbShareAccess -Name "ShareName"` and `Get-acl FolderPath`. If the user isn't listed in either location, or only has read access where they need write access, the permissions will need to be adjusted.
Another common scenario is the error 0x80070035 (Network route not found)This is usually due to problems with the SMB protocol between client and server (incompatible versions or SMB disabled), the "Server" service being stopped on the sharing machine, or discovery services not running. Verifying that the SMB server is active, that SMB2/3 is enabled, and that the resource publishing services are working usually resolves the issue.
If you use guest or anonymous logins (not recommended), the error may be related to the policy of “Enable insecure guest logins"on the Lanman Workstation. Disabling it blocks these types of connections; enabling it allows them, but at the cost of security. Another cause of persistent errors can be outdated credentials stored in the Windows Credential Manager; deleting them and re-entering the correct password often clears conflicts."
Additional tips to improve stability and compatibility
In some networks, especially mixed networks or those with proprietary routers, Disable IPv6 on the network adapter It has resolved erratic behavior in device detection and sharing. It's not the ideal long-term solution, but if you're stuck, it can be a reasonable test: from the adapter properties, uncheck Internet Protocol Version 6 (TCP/IPv6) and restart.
It's also worth noting that client editions of Windows, such as Windows 10 or Windows 11, have a limit of 20 simultaneous connections to shared resources. On a busy network, this can become saturated and cause errors. If you're going to provide file services to many users, you might want to migrate to a server running Windows Server. a dedicated NAS, instead of using a client PC as the main server.
With all of the above in mind, it is possible to install a robust and relatively secure resource sharing infrastructureEven in environments with multiple network segments, legacy equipment, and Linux systems, proper network profile, services, SMB policies, and user and group permissions minimize both unexpected credential requests and access errors between devices within the same network or across different firewall-controlled segments.
With a suitable combination of network configuration, updated SMB protocol, creation of specific users, advanced sharing, and review of services and policies, resource sharing in Windows 11 can be both convenient and secure, avoiding insecure solutions such as anonymous guest or SMB1 and significantly reducing typical access problems between computers within the same network or across different firewall-controlled segments.