Defautl Hidden Shares

[Guest]

I noted that during Windows 2000 Server setup, these hidden shares Admin$,
C$, D$ and IPC$ are created.

Most of the best practices from books mentioned to remove the hidden shares.
What are the risks if these hidden shares are not remove?

Can i say that these hidden shares consist of
1) Admin$ - for administering the server which contains of Windows system
utilities.
2) C$ & D$ - for may consist of application and data.

 

[Roger Abell [MVP]]

The risks from the administrative shares are minimal if normal sane
practices are in use. Those only allow access by an admin account.
There is a risk of someone attempting login via the authentication
mechanisms that protect the administrative shares, using it as a way
to try to find username/password pairs. However, if only allowed
locations with supposedly trusted people have access to the needed
ports on those IPs, perhaps people that already have accounts, there
is little, if any, added risk.
Somewhat similarly for the IPC$ share you have mentioned, which
does not require an admin account.

 

[Guest]

thanks for your info.

The risks from the administrative shares are minimal if normal sane
practices are in use. Those only allow access by an admin account.
There is a risk of someone attempting login via the authentication
mechanisms that protect the administrative shares, using it as a way
to try to find username/password pairs. However, if only allowed
locations with supposedly trusted people have access to the needed
ports on those IPs, perhaps people that already have accounts, there
is little, if any, added risk.
Somewhat similarly for the IPC$ share you have mentioned, which
does not require an admin account.

 

[.]

The really big risk is if you have only one local administrator password for
all laptops and desktops (and maybe servers) and someone finds it or is
given it for whatever reason. Even though it's the "local" administrator
account, it can be used across the network

net use x: \\computername\c$ /user:computername\administrator

Enter the local admin password at prompt and you now have full admin access
across the network.

It's an even bigger risk if you left the local admin password blank...

Ray

 

[Steven L Umbach]

Though that is of concern Roger's solution was that only trusted
computers/users have access to those shares which can be accomplished by
enabling and configuring Windows Firewall on operating systems that have it
and/or the use of ipsec policies to make sure access is allowed only from
authorized IPs or computers with compatible ipsec policy. --- Steve

 

[Roger Abell [MVP]]

Though that is of concern Roger's solution was that only trusted
computers/users have access to those shares which can be accomplished by
enabling and configuring Windows Firewall on operating systems that have
it and/or the use of ipsec policies to make sure access is allowed only
from authorized IPs or computers with compatible ipsec policy. --- Steve

quite so, or by having the machine behind firewall through which only
narrowly defined traffic is passed.

Never-the-less, Ray has in fact hit the nail on the head, indicating one of
the great weaknesses - that people tend to have an admin account of the
same name and password on large numbers of machines. Worse yet,
because these are so widely distributed they tend to very infrequently
(if ever) change these. In that environment, assume a rogue "trusted"
user who manages to leverage something, an overallocation of privilege
or an unpatch exploit, in order to get the local SAM and crack it, then
the admin shares do slightly simplify life for that rogue person that must
otherwise first define a needed share.
Yes, yes, long, strong passwords, etc. can reduce this some.
But IMO final analysis is that admin shares are not the danger here.