Enabling Guest Access for Windows File Share

Description: As of Canary version 2.2, you can configure Canaries to allow or deny Guest access when enabling the Windows File Share in Active Directory mode (both in Bluetooth config mode and remotely via your Canary Console).

You can read how to join your Canary to your Active Directory domain either remotely or over Bluetooth.

Why is this an option

Enabling guest access for your AD-joined Canary allows both Guests and credentialed users to access the Windows File Share on your Canary.

The benefit is that attackers who have not yet discovered AD credentials elsewhere in your network could still trigger alerts. In other words, it introduces an detection option to the attacker's presence. This is the default.

The downside is that allowing guest access to your Active Directory joined Canary allows attackers to enumerate your Active Directory users through an RID cycling attack

If you decide to disable Guest Access for your Windows File Share, you will lose the ability detect an attacker earlier in their campaign, before they've discovered legitimate credentials.