C$

  • Thread starter Thread starter Seth Gecko
  • Start date Start date
S

Seth Gecko

Hi

Could someone please tell me if this is normal.
On Win2k Network with XP machines, if you are an administrator on the server
you can \\computername\c$ and see anyone's complete
hard drive irrespective whether they have shared it or not ?

Surely this is a big problem. I can imagine the CEO having his hard drive
invaded by a network administrator
whenever he felt like it.

please advise of anything can be done

thanks
 
Seth said:
Could someone please tell me if this is normal.
On Win2k Network with XP machines, if you are an administrator on the
server you can \\computername\c$ and see anyone's complete
hard drive irrespective whether they have shared it or not ?

Surely this is a big problem. I can imagine the CEO having his hard
drive invaded by a network administrator
whenever he felt like it.

please advise of anything can be done
Click to expand...

That is default.
If it is a domain environment, all domain admins can fully access all
machines by default.

You can turn off the shares and do various other things to prevent this, but
if you do not disable all access, the domain admin will still be able to
over-ride and restore access.

(Thus why you have domain admins you trust - they have access to all the
files/email you have on the servers too.)
 
That is how NT has been for many, many years.
These are called the default administrative shares,
and are only accessible by admin accounts.

These can be shut off
Run Regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Change (or create if missing) the DWORD value "AutoShareWks", and set it to
0 (zero)
 
If it is NTFS volume then selectively make sensitive folders private using
a local account. Since it is on network it must be XP Pro so you can encrypt
these folders as well.

Note that the determined admin can still access it although would require
jumping some hoops. If you cannot trust the admin then fire him. Get
somebody who is trust worthy.
 
Encrypting won't do much either, as a Domain Admin can designate his/her
logon as the recovery agent, thus gaining access to the files.
 
Back
Top