How to disable the Administrative Share creation in Windows NT/2000/XP/2003?
Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. Each share is named with the drive letter followed by the $ sign, and is shared from the root of the drive. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.
The default-hidden shares are:
* C$ D$ E$ - Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.
* ADMIN$ - %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed, usually C:\Winnt; in XP it's C:\Windows).
* FAX$ - On W2K Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
* IPC$ - Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.
* NetLogon - This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by pre-W2K computers when running logon scripts.
* PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.
It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003), but the problem with this method is that the shares are automatically recreated when the machine reboots.
You can disable automatic administrative share creation via Group Policy, but a registry edit is a much simpler way to disable these shares permanently.
Servers
(+) For NT 4.0/W2K/Windows Server 2003, the change is:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0
Note: A reboot is necessary for this to take effect.
Workstations
(+) For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0
Note: A reboot is necessary for this to take effect.
If you want the administrative shares to be re-created, you can change the value back to 1.
Note: Some applications depend on the presence of these shares. If things stop working you'll know to re-enable the shares.
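The registry change above, scripted as an added example (not code from the original post). It assumes a machine where PowerShell is installed; the function name `Set-AdminAutoShare` and its `-Enable` switch are illustrative. It picks AutoShareWks or AutoShareServer from the machine's role, writes the value only if it differs, and reports which administrative shares currently exist so you can compare before and after the reboot.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Set-AdminAutoShare and -Enable are illustrative names.
function Set-AdminAutoShare {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enable)   # omit to write 0 (disable); pass to write 1 (re-create)

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $roleKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'

    # ProductType is 'WinNT' on workstations; 'ServerNT' or 'LanmanNT' on servers.
    $productType = (Get-ItemProperty -Path $roleKey -Name ProductType).ProductType
    $valueName = if ($productType -eq 'WinNT') { 'AutoShareWks' } else { 'AutoShareServer' }
    $desired = if ($Enable) { 1 } else { 0 }

    # A missing value is the default: the shares are created at every boot.
    $current = (Get-ItemProperty -Path $paramKey -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName

    $changed = $false
    if ($current -ne $desired -and
        $PSCmdlet.ShouldProcess("$paramKey\$valueName", "Set REG_DWORD to $desired")) {
        New-ItemProperty -Path $paramKey -Name $valueName -PropertyType DWord `
            -Value $desired -Force | Out-Null
        $changed = $true
    }

    # Win32_Share marks administrative shares with Type values of 2147483648 and above.
    $adminShares = @(Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        ProductType    = $productType
        ValueName      = $valueName
        PreviousValue  = $current          # empty when the value did not exist
        DesiredValue   = $desired
        Changed        = $changed
        RebootRequired = $changed          # the setting is read at startup
        AdminSharesNow = $adminShares -join ', '
    }
}

# Preview without writing:        Set-AdminAutoShare -WhatIf
# Disable automatic creation:     Set-AdminAutoShare
# Restore the shares (value 1):   Set-AdminAutoShare -Enable
```

Run the function again after the reboot and compare `AdminSharesNow` with the earlier output to confirm which shares are no longer created.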
2 comments:
Maybe you can help me. Several months ago I got some kind of virus. It did 2 things. It set my screen saver to blank and also I was getting these pop up messages all the time about my system being infected or something. I got spy sweeper and that seemed to have gotten the virus, no more pop up messages. But I still can't create and save a screen saver. Must have to change something in the registry but I have never done that before.
If you think you can help email me at fatcamera@comcast.net.
Thanks,
d
Robert,
What antivirus do you use?
Have you tried using Super Add Blocker?
My friend also once experienced what you are experiencing, and he tried Super Add Blocker. Apparently Super Add Blocker was able to detect the viruses that caused the trouble.
Try a scan with that tool; maybe it can help a little.