Administrative Shares

Neil

I'm none too pleased about having admin shares (C$, D$, IPC$ etc.) available
to all and sundry.

Apart from setting all users to deny privilege level, what is the best high
security yet still functional setup for these shares or is there a way to rid
myself of them without losing functionality??

WIN XP Pro, workgroup based peer to peer network.

Thanks.
 
Neil

Thanks,

Whilst this info. is handy for the purpose of turning shares on and off,
what I am inquiring about is the NTFS security levels that are appropriate
for these 'admin' shares and how I might allocate varying levels of access
to users and system type 'users' that still maintains functionality but
improves security...
 
David Jones

Oh, your original post seemed to indicate you wanted them
gone, hence why I brought that up.

The access in all cases is only allowed to accounts that
are members of the Administrators group by default. All
other accounts are denied. I'm not sure what your exact
concerns are. The shares themselves don't have NTFS
permissions, and the only accounts that are allowed
access to these shares are Administrator accounts.

For security purposes, all Administrator accounts should
have strong passwords (typically 7+ characters with
uppercase/lowercase/numeric/punctuation), but that's
really not specific to the admin shares.

Having said all that, what concerns do you have?
 
Roger Abell

As David said, the administrative shares are only available
to administrators. No other accounts can use them. The NTFS
permissions on the underlying filesystems are a separate thing
from the share access permissions, and at least for the install
partition the NTFS permissions restrict non-admin accounts
fairly well, just as if they had logged in locally (but for these
accounts to remotely access the filesystem you would have to
first define shares - they cannot use the administrative shares
and you cannot modify the share level permissions of the
administrative shares).
 
Neil

Thanks Roger and David,

My concerns were mainly centered on the possibility of someone accessing
the entire computer through use of the admin shares, as you have pointed
out this is well controlled, with the key being strong password protection
of the admin accounts.....
 
Guest

Hello Everyone

I am trying to resolve an issue. Can anyone tell me if having shares (invisible) are any different from visible shares when it comes to security. Especially in regards to virus attacks.
 
Pegasus (MVP)

John Miller said:
Hello Everyone

I am trying to resolve an issue. Can anyone tell me if having shares
(invisible) are any different from visible shares when it comes to security.
Especially in regards to virus attacks.

Viruses love administrative shares, because they provide the opportunity to
attack whole drives. This is why Microsoft recommend that you should not
perform your everyday work as administrator. If you do, and if your machine
is infected, then the virus can make use of administrative shares.
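
An added example, not part of any post in this thread: a small audit script that separates the built-in administrative shares discussed above from user-defined shares that are merely hidden by a trailing `$`. It assumes the share list was exported with `wmic share get Name,Path,Type /format:csv`; the sample output, host name and share names below are constructed for illustration.

```python
import csv
import io

ADMIN_FLAG = 0x80000000  # high bit of Win32_Share.Type marks an administrative share
BASE_TYPES = {0: "disk", 1: "print queue", 2: "device", 3: "IPC"}

# Constructed sample of `wmic share get Name,Path,Type /format:csv` output
# (host name and shares are invented for illustration).
SAMPLE = """\
Node,Name,Path,Type
XPBOX,ADMIN$,C:\\WINDOWS,2147483648
XPBOX,C$,C:\\,2147483648
XPBOX,D$,D:\\,2147483648
XPBOX,IPC$,,2147483651
XPBOX,Backup$,D:\\Backup,0
XPBOX,SharedDocs,C:\\Documents and Settings\\All Users\\Documents,0
"""

def classify_shares(csv_text):
    """Return a list of (name, kind, category) tuples, one per share."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text.strip())):
        name = (rec.get("Name") or "").strip()
        raw_type = (rec.get("Type") or "").strip()
        if not name or not raw_type.isdigit():
            continue  # skip blank or malformed lines
        share_type = int(raw_type)
        kind = BASE_TYPES.get(share_type & ~ADMIN_FLAG, "unknown")
        if share_type & ADMIN_FLAG:
            category = "administrative"       # access limited to Administrators
        elif name.endswith("$"):
            category = "hidden user-defined"  # hidden from browsing only
        else:
            category = "visible user-defined"
        rows.append((name, kind, category))
    return rows

def shares_needing_acl_review(csv_text):
    """User-defined shares, hidden or not, carry their own share permissions."""
    return [n for n, _, c in classify_shares(csv_text) if c != "administrative"]

if __name__ == "__main__":
    for name, kind, category in classify_shares(SAMPLE):
        print(f"{name:<12}{kind:<12}{category}")
    print("Review share permissions on:", shares_needing_acl_review(SAMPLE))
```

A share such as the constructed `Backup$` is hidden from browse lists but is not an administrative share, so its share and NTFS permissions need the same review as any visible share.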
 
