Administrative share
From Wikipedia, the free encyclopedia
The Administrative Shares are the default network shares created by all Windows NT-based operating systems (NT/2000/XP/2003). These default shares expose every hard drive partition on the system: anyone who can authenticate as a member of the local Administrators group gets access to the root directory of every hard drive on the system. They are not generally used or useful outside an enterprise environment.
Share names
"Administrative shares" is the term Microsoft uses for the collection of filesystem resources that Windows shares automatically by default, including the following:
- any drive letter + $ (only the local disk volumes, not any removable devices such as CD/DVD drives, USB drives)
- admin$ (which shares access to %SYSTEMROOT%, which is usually C:\WINDOWS or C:\WINNT)
The "$" appended to the end of the share name means that it is a hidden share. Windows omits such shares from the share list it returns to typical remote client queries (for example, when a client browses the computer), so one needs to know the name of an administrative share in order to access it.
It is commonly believed that a trailing '$' character is what makes a share an administrative share. According to Microsoft's use of the term "administrative share", this is false. Any share (including non-administrative shares) can have a '$' character at the end of its name, but only the shares that Windows creates by default with the '$' suffix are considered administrative shares.
Generic UNC Address for an Administrative Share:
\\NetworkComputerName\(Drive letter)$
For example:
\\MyComputer\c$
This represents the administrative share for the "C" drive on the computer "MyComputer". This works just as well for any other local drive on the computer, e.g. \\MyComputer\d$, \\MyComputer\e$ (assuming those are local drives and not removable drives).
\\MyComputer\ADMIN$
This represents the administrative share for the %SYSTEMROOT% object on the computer "MyComputer".
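The distinction drawn above (a trailing "$" hides a share, but only Windows' own default shares are administrative) can be checked directly on a host. The following PowerShell function is an added example, not code from the article: it lists every share the host exposes, builds the UNC path for each, and classifies it using the Win32_Share WMI class, whose Type property has its high bit (0x80000000) set only on the default administrative shares (the drive-letter shares, ADMIN$ and IPC$). It assumes PowerShell 3.0 or later for Get-CimInstance; querying a remote host additionally assumes CIM/WinRM access to it.

```powershell
# Added example, not code from the Wikipedia article: list the shares a host
# exposes and separate Windows' own administrative shares from other shares
# that merely end in "$". Win32_Share marks administrative shares with the
# high bit (0x80000000) of its Type property. Assumes PowerShell 3.0+.

function Get-ShareClassification {
    param(
        # Host to query; a remote name needs CIM/WinRM access to that host.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Only pass -ComputerName for a remote host, so the local query stays in-process.
    $cimArgs = @{ ClassName = 'Win32_Share' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }

    Get-CimInstance @cimArgs | ForEach-Object {
        $isAdmin  = ($_.Type -band 0x80000000) -ne 0   # set only on the default administrative shares
        $isHidden = $_.Name.EndsWith('$')              # true for any share carrying the "$" suffix

        $class = 'Visible'
        if ($isHidden) { $class = 'Hidden but user-created (not administrative)' }
        if ($isAdmin)  { $class = 'Administrative (default, hidden)' }

        [pscustomobject]@{
            Share = $_.Name
            UNC   = "\\$ComputerName\$($_.Name)"   # e.g. \\MyComputer\C$ or \\MyComputer\ADMIN$
            Path  = $_.Path
            Class = $class
        }
    }
}

# Usage: full listing, then only the default administrative shares.
Get-ShareClassification | Format-Table -AutoSize
Get-ShareClassification | Where-Object { $_.Class -like 'Administrative*' }
```

Run from an elevated session to see ADMIN$ and the drive shares; a share such as "Backups$" created by an administrator shows up in the second class, which is exactly the case the paragraph above says is commonly mistaken for an administrative share.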
How to disable
The shares can be deleted by a user with Administrators membership, but they will be recreated at the next reboot. The easiest way to prevent this is to edit the Windows Registry, e.g. using Regedit, and set the value below; if the value is not present, you must create it. (Be careful when editing the Registry: a simple mistake can cause serious malfunctions.)
Servers
Windows NT 4.0 Server, Windows 2000 Server, Windows Server 2003
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0
Regular workstation
Windows NT 4.0 Workstation, Windows 2000 Professional, Windows XP
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0
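The two registry entries above differ only in the value name, which depends on whether the machine is a server or a workstation. The following PowerShell script is an added example, not code from the article: it picks the right value name from the operating system's product type, reports whether the value exists and what it holds, and can create or set it to 0 with -WhatIf support so the change can be previewed first. It assumes an elevated session and PowerShell 3.0 or later; the function names are my own.

```powershell
# Added example, not code from the Wikipedia article: inspect, and optionally
# set, the LanManServer parameter that stops Windows from recreating the
# administrative shares at boot. Value name: AutoShareServer on server
# editions, AutoShareWks on workstations. Assumes an elevated session.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-AutoShareValueName {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
}

function Get-AutoShareSetting {
    $name = Get-AutoShareValueName
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ValueName           = $name
        Present             = ($null -ne $item)
        # $null when the value is absent; Windows then behaves as if it were 1 (shares created).
        Value               = if ($item) { $item.$name } else { $null }
        AdminSharesDisabled = (($null -ne $item) -and ($item.$name -eq 0))
    }
}

function Disable-AutoShare {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $name = Get-AutoShareValueName
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 0')) {
        # -Force creates the value if it is missing and overwrites it otherwise,
        # which covers the "if the setting is not present then you must create it" case.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-AutoShareSetting
# Disable-AutoShare -WhatIf   # preview; drop -WhatIf to apply, then reboot as described above
```

As the section notes, the existing shares survive until the next reboot; the script only prevents them from being recreated, so run Get-AutoShareSetting again after the reboot to confirm the state.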
Security and Prevention
Preventing Access
Disabling the administrative shares does not mitigate any significant security risk; it only keeps administrators from casually browsing the shared contents. This is because anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (hidden using the "$" suffix or not). Merely disabling the administrative shares does not make it any harder for a technically astute user to gain access to the disk contents.
Better ways to prevent remote browsing of the disk contents are to:
- disable File and Printer Sharing (or unbind the NetBT protocol)
- stop and/or disable the Workstation service
- set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
- remove membership in the Administrators group for those users/groups you wish to block
- encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files
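The list above names controls rather than commands. The following PowerShell script is an added example, not code from the article: it audits the state of the first four items on one host (service state, an inbound block on 445/tcp, and local Administrators membership) and can create the port block with -WhatIf support. Two assumptions: it uses the Windows Firewall with Advanced Security cmdlets (NetSecurity module, Windows 8 / Server 2012 and later) in place of the older IPSec policy the list mentions, and it needs PowerShell 5.1 or later for Get-LocalGroupMember and the service StartType property. One caveat a practitioner will want: file shares are served by the Server service (LanmanServer), the Workstation service being the client side of SMB, so the script checks LanmanServer. The rule name is a constructed placeholder.

```powershell
# Added example, not code from the Wikipedia article: audit the controls the
# list above recommends and, optionally, add an inbound block on 445/tcp.
# Assumes an elevated session, the NetSecurity module (Windows 8 / Server 2012+)
# and PowerShell 5.1+. Shares are served by LanmanServer, so that service is checked.

function Test-Port445Blocked {
    # True when an enabled inbound Block rule covers TCP port 445 (or all ports/protocols).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        $protocolMatches = $filter.Protocol -in @('TCP', 'Any')
        $portMatches     = ($filter.LocalPort -contains '445') -or ($filter.LocalPort -contains 'Any')
        if ($protocolMatches -and $portMatches) { return $true }
    }
    return $false
}

function Get-ShareExposureReport {
    $server = Get-Service -Name LanmanServer
    # S-1-5-32-544 is the well-known SID of the local Administrators group (locale-independent).
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        ServerServiceStatus    = $server.Status      # 'Stopped' means no shares are being served
        ServerServiceStartType = $server.StartType   # 'Disabled' keeps it from returning at boot
        Port445Blocked         = Test-Port445Blocked
        LocalAdministrators    = ($admins -join ', ')
    }
}

function Block-InboundSmb {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block inbound SMB (TCP 445)')   # constructed rule name
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($RuleName, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

Get-ShareExposureReport
# Block-InboundSmb -WhatIf   # preview; drop -WhatIf to create the rule, then re-run the report
```

Blocking 445 inbound stops remote SMB access to every share, administrative or not, which is the point of the section: the exposure comes from the SMB service and Administrators membership, not from the share names.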
Security of the Shares
Note: the DACLs on the administrative shares cannot be modified, even by the local .\Administrator account.
Windows XP Home edition and later implement the "ForceGuest" feature when the local Administrator account has a blank password: when a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping one of the administrative shares), Windows assigns the session a Guest access token rather than an Administrator access token. This is arguably more secure against such remote attacks than assigning a weak or easily guessed password to the local Administrator account.