Question

Disabling access to Administrative Shares (c$)

Asked by: jrhelgeson

I have a customer that must allow their users to have admin rights to their machines... However, because each user has local admin rights, users can type in the IP address or machine name followed by the /c$ and they can pull up the remote machine's entire C drive.

Is there a registry hack or a group policy setting that can either disable that share, or can we disable fellow users from accessing these shares on remote machines without revoking admin rights to their local machines?

They are currently using Win2k on the PCs and 2k servers. AD environment.

There is NO NT4 in the environment.

This Question has been solved and asker verified.


Asked On: 2004-12-17 at 01:04:54, ID: 21245848
Tags: administrative, disabling, group, local, share
Topic: Windows Network Security
Participating Experts: 5
Points: 500
Comments: 14


Answers

 

by: PeteLong, posted on 2004-12-17 at 01:11:27, ID: 12848716

Disable Windows hidden shares ($)

Start > Run, type "regedit" {enter}

Navigate to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Modify or create new REG_DWORD Entries shown below


AutoShareServer
AutoShareWks

Set the values as follows

0 = disable shares
1 = enable

WARNING: some programs and services use the hidden share feature. I STRONGLY advise you carry this out either in a test environment OR on your least used server for a trial period.

 

by: CoccoBill, posted on 2004-12-17 at 03:43:16, ID: 12849270

I strongly recommend doing everything possible to avoid giving local administrator rights to users; it should be the absolute last resort, and can be avoided 99% of the time. What do you mean though by them remotely connecting to other computers? This will not be possible except to their own workstations; you're not giving them domain admin rights, or using a common/shared local Administrator password in every machine, right? RIGHT? :)

Even if you disable the admin shares, if your users have local admin rights, what's stopping them from creating new shares?

 

by: lawson2305, posted on 2004-12-17 at 05:29:25, ID: 12849940

I agree with CoccoBill; you usually can do things in XP to give users access to everything they need without giving them more than user rights.

Do these users have Admin rights to the AD domain?  If so STOP!!!!!!!!

If not then you are assigning them local admin rights to the local machine which means they won't have admin rights across the network.

To do this go to the local machine they need Admin rights for and go to the local admins group or necessary group and add their ad username (domain/username).  This will give them Admin rights only to the local machine not the entire network.  If you are giving everyone Domain Admin rights then you are in for a mess of trouble.

Also assign the NTFS deny right to the share for the users you don't want in.  This will appear to them that they can't get in then.  

 

by: caza13, posted on 2004-12-17 at 13:44:09, ID: 12854239

From Windows 2000 help:

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000 security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a User can run in Windows NT 4.0, a Power User can run in Windows 2000.

Power Users can:

Run legacy applications in addition to Windows 2000 certified applications.
Install programs that do not modify operating system files or install system services.
Customize system-wide resources including Printers, Date/Time, Power Options, and other Control Panel resources.
Create and manage local user accounts and groups.
Stop and start system services which are not started by default.

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

 

by: jrhelgeson, posted on 2004-12-17 at 15:56:06, ID: 12854996

If a user has local admin rights to their machine, that means they have full control over their own particular machine.  If Joe Sixpack sits down at his machine, "Machine A" and logs in as himself, "Joe6" he has full control over his machine.  Joe Sixpack does NOT have admin rights to the network, or the domain, only over his own personal machine.

Now, because he has local admin rights over his own personal machine, if he were to sit down at Jane Doe's machine, and logs in as himself; "Joe6" he would have admin rights over that particular machine as well.  He'd have full access to every directory on Jane Doe's machine.

(For the purpose of this example, let's presume that the IP address of Jane's machine is 192.168.1.25.)

Therefore, by extension, if Joe Sixpack is sitting at his desk and he decides he wants to see Jane's entire hard drive, all he has to do is go into network neighborhood and type the following: \\192.168.1.25\c$ and he'll be able to pull up Jane's entire hard drive because Windows security presumes that because he has local admin rights on his local PC, that if he were to log into Jane's machine as himself he'd be able to see her entire hard drive anyway, so why not just let Joe view Jane's entire hard drive over the network simply by browsing to the "hidden" share.

We need to be able to have Joe Sixpack and Jane Doe to have local admin rights without allowing them to browse each other's hidden share.  READ: HIDDEN SHARES!  That means shares that are automatically created by Windows 2000 that are hidden.

If what I've said here is over your head, then don't bother offering a response. If you tell me to remove local admin rights; you'll be in grave danger of losing your manhood. That option is NOT on the table.  

I am NOT talking about sharing folders on a person's machine... I'm talking about the default hidden share that MS creates (c$)... If you don't know what I'm talking about then go to your own machine, open network neighborhood or your IE browser and type \\127.0.0.1\c$ and you'll see your entire C:\ drive just as though you were viewing it locally, however, you'll be looking at your own c drive through your own TCP/IP stack.

My question is: How do we stop Joe Sixpack from being able to pull up Jane's private hidden share without having to remove local admin rights.

 

by: ckratsch, posted on 2004-12-17 at 16:17:44, ID: 12855124

jrhelgeson, your presumption above is incorrect.

"Now, because he has local admin rights over his own personal machine, if he were to sit down at Jane Doe's machine, and logs in as himself; "Joe6" he would have admin rights over that particular machine as well.  He'd have full access to every directory on Jane Doe's machine."

Not at all the case.  If Joe6 (a domain account) is a local administrator on Machine A, he has admin rights to Machine A.  The local Administrators group belongs to the *computer,* not to the logged-in user, so if Joe6 logs into Machine B, where he is not a member of the local administrators group, then he doesn't have admin rights.

So, therefore by extension, if Joe6 logs into Machine A, and Machine B's IP is 192.168.1.25, and he enters \\192.168.1.25\c$ - he gets access denied.

The answer to your question, based on the evidence you've provided, is that Joe6 already cannot pull up an administrative share on someone else's computer.

*If he can* -- then he's a member of the local admins group on the other machine, either individually or as a member of a group which has been added.

 

by: jrhelgeson, posted on 2004-12-17 at 17:15:05, ID: 12855368

Ok, the issue here is that Joe6 *can* pull up Jane's entire C drive as was described above by typing \\192.168.1.25\c$.
I realize that disabling the private share as PeteLong suggested is a viable solution. I'm just looking how to disable the ability through AD or group policy.

 

by: ckratsch, posted on 2004-12-17 at 18:27:35, ID: 12855578

You can't disable that through AD or group policy, unless you want to push out a modified .reg file via a logon or startup script.  But the bigger problem you have is that people have permissions that they're not supposed to, and you don't know why.  Removing the hidden admin shares is the wrong way to come at this.  If you do that, all Joe6 has to do is open an MMC console, add the Computer Management snap-in for Jane's computer, and he can create all the new shares on Jane's computer he wants to.  If Joe6 is smart enough to find the admin share through a command line, he's smart enough to run mmc.

Look at what accounts and groups on Jane's computer are members of the local admins group.  If you see Joe6 in there, take him out.  But that's too obvious; I'm sure you would have seen it already.  Look also for domain security groups which are members of the local admins group of Jane's machine, and figure out which one(s) of those Joe6 belongs to.

Also notice that I'm not suggesting that you remove local admin rights for everyone.  What you've described as being the case - each user having local admin rights to only their own machine - is not true.  That needs to be (and can be) corrected, so that the security configuration you want is actually in place.

 

by: lawson2305, posted on 2004-12-17 at 21:18:30, ID: 12856007

So you need to check and see if Joe6 has some kind of Domain rights that are enabling this ability.  Like membership to the Domain Admins Group.  Or if there is a Domain or Local group that was given ADMIN or entire NTFS access to C: on all machines Locally and he is a member of that group.  Local account example: if I make the ADMIN password the same on every machine in my network and I log in as the ADMIN I will be able to get access to all the machines even though my account is not logging into the network but only the local PC.  Bottom line, you need to find out what is causing this before you can decide which route to take (AD or Group policy) because if it is as I described above, a local user account with ADMIN rights to all machines locally, the domain will do nothing (in reason) to help.

"If what I've said here is over your head, then don't bother offering a response. If you tell me to remove local admin rights; you'll be in grave danger of losing your manhood. That option is NOT on the table."

Come on, here we are only trying to help you (you need help from us so I don't believe it is wise to make threats) and make you understand that you need to find the root of the issue first.  As I have already recommended to remove Admin rights before I won't recommend it this time but will leave you with this - If you don't take security seriously you will have bigger problems than this.  We all see this but you don't.

Please Answer these questions.  
Does every user have local admin rights to ALL PCs?  You described before no but I want to make sure.
In other words when JOE6 goes to BOB99's pc (Not JOE6's PC because we understand he has admin rights on that pc) and JOE6 logs himself in as himself on BOB99's PC does he have admin rights?  If so why please provide an EXACT answer.  Example he is a member of the domain ADMIN Group or a member of a group that is part of every local admin group on every pc or his user account is a member of the local admin group on every pc.
Do you know the difference between domain rights and local rights?
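
The check that ckratsch and lawson2305 ask for above, as an added example that is not part of the original thread: given one machine's local Administrators members and the domain group memberships, list every chain by which a user ends up a local administrator there. The machine, account and group names and the membership data are constructed for illustration; on a live system the local list is what `net localgroup Administrators` reports on that machine.

```powershell
# Added example, not from the original thread. All names and data below are constructed.

# Members of the local Administrators group, per machine
# (what `net localgroup Administrators` would list on that machine).
$LocalAdmins = @{
    'MACHINE-B' = @('MACHINE-B\Administrator', 'CORP\Domain Admins',
                    'CORP\Jane', 'CORP\Workstation-Admins')
}

# Domain group -> direct members (users or further groups).
$DomainGroups = @{
    'CORP\Domain Admins'      = @('CORP\Administrator')
    'CORP\Workstation-Admins' = @('CORP\Helpdesk', 'CORP\All-Staff')  # constructed misconfiguration
    'CORP\Helpdesk'           = @('CORP\Bob99')
    'CORP\All-Staff'          = @('CORP\Joe6', 'CORP\Jane', 'CORP\Bob99')
}

function Get-AdminPath {
    # Emits one string per membership chain that ends at $User.
    param(
        [string]$User,
        [string[]]$Members,
        [hashtable]$Groups,
        [string[]]$Trail = @()
    )
    foreach ($m in $Members) {
        if ($Trail -contains $m) { continue }   # guard against circular group nesting
        $path = @($Trail) + $m
        if ($m -ieq $User) {
            $path -join ' -> '                  # direct hit: report the chain so far
        }
        elseif ($Groups.ContainsKey($m)) {
            # $m is a group we know the members of: descend into it
            Get-AdminPath -User $User -Members $Groups[$m] -Groups $Groups -Trail $path
        }
    }
}

foreach ($computer in $LocalAdmins.Keys) {
    foreach ($user in 'CORP\Joe6', 'CORP\Bob99', 'CORP\Visitor') {
        $paths = @(Get-AdminPath -User $user -Members $LocalAdmins[$computer] -Groups $DomainGroups)
        if ($paths.Count -eq 0) {
            '{0}: {1} is not in Administrators' -f $computer, $user
        }
        foreach ($p in $paths) {
            '{0}: Administrators -> {1}' -f $computer, $p
        }
    }
}
```

A shared local Administrator password, the other cause lawson2305 raises, does not show up in group membership and has to be checked separately.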

 

by: lawson2305, posted on 2004-12-17 at 21:29:13, ID: 12856035

Also here is a couple more solutions.
Remove TCP/IP
Disable the network card
pull the network card from the machines.
Remove the cat5e cable

put a firewall on each machine prevent all incoming traffic.
Disable file and print sharing.

http://www.experts-exchange.com/Security/Win_Security/Q_21245848.html
Method 1: Deleting default administrative shares for the current session only

To delete a hidden administrative share for the current session only, follow these steps:

1. In Control Panel, double-click Administrative Tools, and then double-click Computer Management.
2. Expand Shared Folders, and then click Shares.
3. In the Shared Folder column, right-click the share that you want to delete, click Stop sharing, and then click OK.

Method 2: Deleting default administrative shares for current and later sessions

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and to prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key, and then set its value data to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

 

by: lawson2305, posted on 2004-12-17 at 21:29:54, ID: 12856040
