Saturday, March 14, 2009

Disable or Hide Administrative Shares

Hidden Shares:

A hidden share is identified by a dollar sign ($) at the end of the share name. Hidden shares are not listed when you look through the shares on a computer or use the net view command. Windows create hidden administrative shares that administrators, programs, and services can use to manage the computer environment on the network. By default, Windows can enable the following hidden administrative shares:

(1) C$ D$ E$ - Root of each partition. For a Windows workstation computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.

(2) ADMIN$ - %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the system root (C:\Windows).

(3) FAX$ - On W2K Server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.

(4) IPC$ - Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.

(5) NetLogon - This share is used by the Net Logon service of a computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.

(6) PRINT$ - %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers. This shares may not be used , if you are not connect to any LAN /WAN. These shares are hidden, but available with full control to domain administrators. The drive letter, followed by the $ sign is the name, and it is shared from the root. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services. Better practice to disable these hidden shares.

How to disable:

There are two ways to disable it.

(1) Right Click My Computer -> Manage ->Shared Folders ->Shares -> Right Click on the Share and Disable.

(NOTE: If you disable an administrative share , it will not be automatically enabled after you restart your computer. )




(2) Permanently disable by using folowing regedit:

Hive:HKEY_LOCAL_MACHINE
Key:SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name:AutoShareServer (for Windows 2000/2003/2008)
Name: AutoShareWks (for Win XP/Vista)
Type: REG_DWORD
Value: 0 



Security Risk:

Unfortunately this registry hack does NOT stop the IPC$ share and this is a share that is often used by hackers to enumerate systems before attack since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct or you haven't disabled anonymous user access or you haven't disabled the guest account then this port can lead to total system compromise !

No comments:

Post a Comment