Admin$ share on a workgroup

Tom Hanks

I am trying to set up a pair of Windows XP computers in a Workgroup
(no Windows Domain) such that the special "Admin$" share of one is
available to the other. I need to do this to use PsExec.

On a Windows Domain network this is possible by making \\DOMAIN\User
an administrator on the admin$-sharing computer, and then logging in
as that user to the admin$-accessing computer.

But the network I have to get this working in has no Windows Domain,
just a plain old Workgroup. I just want to get PsExec functioning.
Security is a non-issue (a small LAN, used by trusted people and
separated from the internet by an air gap).


Here is what happens if I try "NET USE" (admin is an account on both
machines with administrator privileges whose password is pswd on both
machines)

C:> NET USE L: \\REMOTE\admin$ pswd /USER:admin
System Error 5 has occurred.

Access is denied.


And if I just type "\\REMOTE\admin$" into an explorer address bar I
get a "Connect to REMOTE" dialog in which the user is fixed at
"\\REMOTE\Guest", the password can be edited, but pressing OK only
ever redisplays the dialog.


Thanks,
Tom.
 
Steve Winograd [MVP]

I assume that you have XP Professional: to the best of my knowledge,
XP Home Edition doesn't have administrative shares.

I suspect that you just need to disable simple file sharing on the
computer that you're trying to access. Go to My Computer | Tools |
Folder Options | View and scroll to the end of the list of advanced
settings.

If that results in a user name and password prompt, enter values
corresponding to an administrator account on the computer that you're
accessing.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Tom Hanks

Steve Winograd said:
I am trying to set up a pair of Windows XP computers in a Workgroup
(no Windows Domain) such that the special "Admin$" share of one is
available to the other. I need to do this to use PsExec.
[snip]

I assume that you have XP Professional: to the best of my knowledge,
XP Home Edition doesn't have administrative shares.

I suspect that you just need to disable simple file sharing on the
computer that you're trying to access. Go to My Computer | Tools |
Folder Options | View and scroll to the end of the list of advanced
settings.

You're correct, "simple file sharing" was not my friend. Now I can
access admin$ well enough for my purposes. Thank you.
If that results in a user name and password prompt, enter values
corresponding to an administrator account on the computer that you're
accessing.

Oddly, whenever the password box is displayed it has the same problem
as before (always has the account "REMOTE\Guest", password can be
edited but clicking [OK] just redisplays the dialog).

This can be avoided in two ways.

1. Perform the command line...
NET USE L: \\REMOTE\admin$ pswd /USER:admin
...and then \\REMOTE\admin$ can be accessed (either as drive L: or
simply as the absolute path "\\REMOTE\admin$")

2. Use an account on the LOCAL computer that also exists with
administrator privileges and the same password on the REMOTE
computer.

Thanks,
Tom Hanks.
 
cquirke (MVP Win9x)

On 8 Feb 2004 14:17:35 -0800, (e-mail address removed) (Tom
I wish that was true, but it's cursed with Admin$, IPC$, C$ etc.
You're correct, "simple file sharing" was not my friend. Now I can
access admin$ well enough for my purposes. Thank you.

Let's hope the entire Internet doesn't share that access - else your
PC is likely to be "automated" to do who knows what!
Oddly, whenever the password box is displayed it has the same problem
as before (always has the account "REMOTE\Guest", password can be
edited but clicking [OK] just redisplays the dialog).
This can be avoided in two ways.
1. Perform the command line...
NET USE L: \\REMOTE\admin$ pswd /USER:admin
...and then \\REMOTE\admin$ can be accessed (either as drive L: or
simply as the absolute path "\\REMOTE\admin$")
2. Use an account on the LOCAL computer that also exists with
administrator privileges and the same password on the REMOTE
computer.

Interesting, thanks. Personally I'd like the option to get rid of
these (as one can the C$, D$ etc.). Allowing write access to the
startup axis and other "magic" locations is poor Safe Hex,
facilitating direct intra-LAN and possibly Internet attack.


---------- ----- ---- --- -- - - - -
Consumer Asks: "What are you?"
Market Research: ' What would you like us to be? '
 
Steve Winograd [MVP]

cquirke (MVP Win9x) said:
On 8 Feb 2004 14:17:35 -0800, (e-mail address removed) (Tom

I wish that was true, but it's cursed with Admin$, IPC$, C$ etc.

I've just checked four different XP Home Edition computers, Chris, and
I don't see what you see. I'm running compmgmt.msc, clicking Shared
Folders, then clicking Shares. I see IPC$ (which isn't a shared disk
or folder) and Print$ (if there's a shared printer). I don't see
Admin$, C$, or anything else for shared disks and folders. Where do
you see them? Have you booted to Safe mode and changed any file
system settings?
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

 
cquirke (MVP Win9x)

On 8 Feb 2004 14:17:35 -0800, (e-mail address removed) (Tom

I wish that was true, but it's cursed with Admin$, IPC$, C$ etc.

I've just checked four different XP Home Edition computers, Chris, and
I don't see what you see. I'm running compmgmt.msc, clicking Shared
Folders, then clicking Shares. I see IPC$ (which isn't a shared disk
or folder) and Print$ (if there's a shared printer). I don't see
Admin$, C$, or anything else for shared disks and folders. Where do
you see them? Have you booted to Safe mode and changed any file
system settings?

That's interesting! No, no tweaks (though if I tweaked, it would be
to .reg away C$, D$ etc. there's one that does that).

They are supposed to be invisible, and are documented to always exist.
There is a .reg that kills them, but there's no way to completely kill
some of the others, esp. IPC$ - best is suppression for remainder of
runtime, but it's back next boot. AFAIK, Admin$ points to C: or the
OS subtree, where the others don't map to file system as we know it.

When I read up on this, I found a "how to exploit" page, as well as
discussions where it was pointed out that these shares were only
hidden from MS-UI stuff (much like +s +h files).

I have to nibble XP while building new PCs, which generally aren't
LAN'd until delivery - so learning will be slow :-(


 
Tom Hanks

cquirke (MVP Win9x) said:
Let's hope the entire Internet doesn't share that access - else your
PC is likely to be "automated" to do who knows what!

This is a timely warning. In my case the computer is on a small
trusted LAN that is separated from the internet.

Thanks,
Tom Hanks.
 
cquirke (MVP Win9x)

On 9 Feb 2004 16:54:42 -0800, (e-mail address removed) (Tom
This is a timely warning. In my case the computer is on a small
trusted LAN that is separated from the internet.

Good one. In case of migration from some other entrance method to
trans-LAN spread (a standard feature of many malware), I'd still limit
and manage shares. What I usually do is:
- write-share only data locations, with no auto-run opportunities
- maintain a "data hygiene" policy; no executables in such locations

You can put a fist in the glove by automatically sweeping these data
shares for executables and deleting them, or simply leave it as a
matter of policy; "if you see executables (digression on what an
'executable' is) in here, don't run them; they *will* be intruders".

The main "autorun opportunities" are:
- patching into system startup; StartUp, Win.ini, Autoexec.bat etc.
- patching into app startup; MS Office StartUp, Normal.dot etc.
- \Autorun.inf (suppress via NoDriveTypeAutoRun=9D and others)
- desktop.ini / "View As Web Page"
- any dir in the Path
- other magic-name opportunities

"View As Web Page" is potentially the biggest risk, as this makes
every full-shared directory a malware launchpad. The most dangerous
practice is to full-share C:\ as "C" and map a drive letter to it; the
auto C$ may be less visible, but I'd rather it was completely gone.

TCP/IP on LAN can make it more difficult to use personal firewall
software, which in turn makes it harder to spot call-home behaviour
(even when this isn't stealthed through via a trusted wrapper such
as svchost, rundll, rundll32, or a BHO-driven IE).

That's why I liked using NetBEUI or IPX for LAN, wherever Internet
access via router or ICS was not required. But XP botches that.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
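
The share sweep described in the post above, sketched as an added example (not code from any poster in this thread): it walks a data-share root and reports executables and "magic name" files, including executables renamed to a data extension. The extension list, the magic-name list and the MZ-header check are assumptions chosen for illustration, and the sample files are constructed.

```python
import os
import tempfile

# Assumed policy lists (illustrative, not from the thread).
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
MAGIC_NAMES = {"autorun.inf", "desktop.ini", "normal.dot"}

def classify(path):
    """Return why a file breaks the data-only policy, or None if it is fine."""
    name = os.path.basename(path).lower()
    if name in MAGIC_NAMES:
        return "magic-name"
    if os.path.splitext(name)[1] in EXEC_EXTS:
        return "exec-extension"
    try:
        with open(path, "rb") as fh:
            if fh.read(2) == b"MZ":  # DOS/PE header: executable renamed as data
                return "mz-header"
    except OSError:
        return "unreadable"
    return None

def sweep(root):
    """Walk a share root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Sweep a constructed sample share built in a temporary directory."""
    samples = {"report.txt": b"quarterly numbers", "setup.exe": b"MZ\x90\x00",
               "photo.jpg": b"MZ\x90\x00 renamed", "Autorun.inf": b"[autorun]\n",
               "docs/desktop.ini": b"[.ShellClassInfo]\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return sweep(root)
```

Run `sweep()` against the local folder behind each write-shared data location; the findings list is what a scheduled job would log or act on.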
 
