How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?
Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. The share name is the drive letter followed by the $ sign, and the share points at the root of the drive. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.
The default hidden shares are:

C$ D$ E$ - Root of each partition. On a Windows NT Workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. On a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.

ADMIN$ - %SYSTEMROOT%. This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed, usually C:\Winnt; in XP it is C:\Windows).

FAX$ - On W2K Server, this share is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.

IPC$ - Temporary connections between servers using named pipes, essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.

NetLogon - This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by pre-W2K computers when running logon scripts.

PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS. Used during remote administration of printers.
It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003), but the problem with this method is that the shares will automatically be recreated when the machine reboots.

You can disable the automatic administrative share creation via Group Policy, but there is a much simpler way: to disable these shares permanently, a registry edit is necessary.
Servers

For NT 4.0/W2K/Windows Server 2003, the change is:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0

Idiot proof note: If you can't find the value in the registry under the exact location (i.e. it does not exist), right click in the right pane of the window and create it.

Note: A reboot is necessary for this to take effect.
Workstations

For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0

A double idiot proof note: If you can't find the value in the registry under the exact location (i.e. it does not exist), right click in the right pane of the window and create it.

Note: Again, a reboot is necessary for this to take effect. If you want the administrative shares to be re-created, you can change the value back to 1.

Note: Some applications depend on the presence of these shares. If things stop working, you'll know to re-enable the shares.
Security note: Unfortunately this registry hack does NOT stop the IPC$ share, and this is a share that is often used by hackers to enumerate systems before an attack, since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct, or you haven't disabled anonymous user access, or you haven't disabled the guest account, then this share can lead to total system compromise within minutes!
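The same registry change applied from PowerShell, with a before/after listing of the hidden shares so the effect (and the IPC$ exception from the security note) can be verified. This is an added example, not code from the original post; it assumes PowerShell 3.0 or later, an elevated session, and the hypothetical function names Get-AdminShareState and Set-AutoShareCreation.

```powershell
# Added example (not from the original post). Writes the AutoShareServer /
# AutoShareWks values described above and lists the hidden shares the Server
# service currently offers. Run elevated; reboot afterwards, as the article says.
# Function names are hypothetical, chosen for this example.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-AdminShareState {
    # Current registry values; a missing value means the default (shares created).
    $p = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    $server = if ($null -ne $p.AutoShareServer) { $p.AutoShareServer } else { 'not set (default)' }
    $wks    = if ($null -ne $p.AutoShareWks)    { $p.AutoShareWks }    else { 'not set (default)' }

    # Hidden shares (names ending in $) currently offered by the Server service.
    # IPC$ stays in this list even when both values are 0: the registry values
    # do not control it, which is exactly the point of the security note above.
    $hidden = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name -like '*$' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        AutoShareServer = $server
        AutoShareWks    = $wks
        HiddenShares    = ($hidden -join ', ')
    }
}

function Set-AutoShareCreation {
    # $Enabled = $false writes 0 (disable); $true writes 1 (restore, as the
    # article describes). Both values are written: the OS edition decides which
    # one it reads, so setting both covers servers and workstations alike.
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        # Set-ItemProperty creates the value if it is absent (the article's
        # "create it" step); -Type DWord matches the REG_DWORD it specifies.
        Set-ItemProperty -Path $LanmanParams -Name $name -Value $value -Type DWord
    }
}

Write-Host 'Before:'
Get-AdminShareState | Format-List
Set-AutoShareCreation -Enabled $false
Write-Host 'After (takes effect at next reboot):'
Get-AdminShareState | Format-List
```

Running Get-AdminShareState again after the reboot should show the C$/D$/ADMIN$ entries gone while IPC$ remains, which is the cue to review anonymous access and guest account settings separately.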
Source (copied from):
http://www.petri.co.il/disable_administrative_shares.htm
http://gardanier.net/3.html
http://www.pchelpforum.com/xf/threads/windows-7%C2%AE-security-tweaking-optimization-guide.81266/