"special shares created by the system"

[Guest]

Hello.

WinMCE created several 'special shares' (as desecubed in Help) that are
shared. They include ADMIN$, C$, IPC$, etc... I do not rely on anyone to
administer my PC remotely -- so are these necessary? Do they pose a security
risk? If I stop sharing these will I loose any application functionality?

Thanks in advance - Dave

 

[frodo]

WinMCE created several 'special shares' (as desecubed in Help) that are
shared. They include ADMIN$, C$, IPC$, etc... I do not rely on anyone to
administer my PC remotely -- so are these necessary? Do they pose a security
risk? If I stop sharing these will I loose any application functionality?
Thanks in advance - Dave

Yes. No. Google is your friend:

http://www.google.com/search?q=xp+administrative+shares

 

[Guest]

Is it better to ......
1) leave the admin shares alone and turn off the sharing service, or
2) delete the admin shares and leave the sharing service running, or
5) delete the admin shares AND turn off the sharing service?

If turning off the sharing service is a best practice, can someone direct me
to instructions for doing this?

Thanks in advance -- Dave

 

[Guest]

IPC$ is needed, but the Admin shares (C$ etc ) are only needed for
centralised administration of domains. (and not always then)

Admin shares are a huge security risk, because in a domain they become
writable to any administrator who logs-on anywhere on the network. If this
computer happens to have malware on it (possibly the reason for the admin's
visit) the malware can then copy itself to the Windows\System folder of
every computer on the network -including the server- creating a pandemic.

You cannot delete the admin shares in Explorer, there is a registry key that
will remove them and I advise everyone to apply it.

Note that there are two registry values; one for servers and one for
workstations. (It does no harm if you apply both)

http://www.petri.co.il/disable_administrative_shares.htm

 

[Guest]

Might add that in a recent rollout I've experimeted with turning off the
Server service (setting it to Manual, actually) and this seems to have no ill
effect. The only limitation is that machines do not then advertise their
presence on the network, so you cannot use NET VIEW to see which machines are
active. If you can live with this small restriction it makes things a lot
more secure.

(If you need to share files temporarily from such a machine, it's just a
matter of issuing NET START SERVER from a commandprompt, and this has the
advantage that it will only apply until reboot.)

 

[Steven L Umbach]

It depends. The risk is if an attacker has administrator credentials to your
computer and has network access and in such case the administrator shares
and having file and print sharing enabled puts your computer at extreme risk
whether or not the administrative shares are enabled or not. Disabling the
administrative shares alone does not protect your computer if administrator
credentials have been compromised.

Such can be mitigated by making sure that any user account in local
administrators group has a strong password that is protected by user [not
shared or written down in unsecure place], that only the built in
administrator account is in the local administrators group and it is
disabled to normal logon or if it is enabled it has a blank password
assuming that does not pose a threat for interactive logon and with the
understanding that is bad practice in malware/hack attacks, or file and
print sharing is disabled.

I personally leave the administrative shares enabled and find them useful
and never had a problem doing such following other basic security best
practices. You need to have file and print sharing enabled and the IPC$
share available if others access your computer for shared files or printers
and if not disable it. In a domain type network disabling the
administrative shares will pose a problem with some management tasks such as
remote scans using Microsoft Baseline Security Analyzer and I believe
running Resultant Set of Policy Group Policy in logging mode. A good
strategy in such situation is to enable the Windows Firewall or use ipsec to
allow access from known clean and secured admin workstations. --- Steve

 

[frodo]

for a truely standalone machine, I typically REMOVE/UNINSTALL the MS
Client and File and Printer Sharing network layers (you can/should just
uncheck them if you want). Removing them will eliminate the Server and
Workstation services from your Services list - they won't show up at all,
and they won't boot up and use system resources. Most everything will
work just fine, tho you may occasionally get an error message about the
Server service not running - that's ok, it's not fatal. [note MS Baseline
Security Monitor requires Server service to be running, but very little
else does].

here's where to look:

control panel | network connections | any network adapter | general tab.
in the section labled "this connection uses...." you should see tcp/ip -
that you need. If you see either of the 2 listed above, uncheck them so
they are not part of that connection; optionally select/hilight each in
turn and click Uninstall. Note uninstalling them removes them from ALL
connections; unchecking only "unbinds" it from that connection - you'll
need to repeat the unbind for any other connections (wireless, dial-up,
etc). Summary: deffinately Unbind 'em if you don't need 'em (for
security); remove 'em for a bit more mem/performance (but an occasional
error message in the logs).

Note: to reinstall them if need-be, repeat above and click the Install...
button, then find MS Client and File and Print Sharing in the list and add
them back; reboot and they'll be installed. Double check that the binding
is as you need it, they'll default to checked.

 

[Guest]

Thanks to everyone who responded -- great advice.

 

[Edward Luke-Kun BR]

I don't Know...But if i were you, I should disable this shares. You don't
lose any application functionatily ( I do that)

Good Luck

Edward_BR