Domain Users have access to some Server ADMIN Shares (C$)

Posted on 2007-08-10
Last Modified: 2013-11-05
Running a Windows Server 2003 environment.
For some strange reason, some servers allow ADMIN Share access to the Domain Users group.

I've confirmed the NTFS permissions and Local Administrator groups match the secure servers.
Looked through the Local Security Policy a bit, but couldn't find anything that stood out.

Local Policies\User Rights Assignment - "Access this computer from the network" and "Deny access to this computer from the network" are both set up exactly the same as on the secure servers.

Any suggestions on where this setting is coming from?  My goal is to lock down the ADMIN share on the open servers.

Question by:cmanderville
    LVL 38

    Expert Comment

    May I draw your attention to a program called "ShareEnum" found on the Microsoft Sysinternals website. Let me give you the link.

    This program will go over the share permissions. I believe that includes administrative shares.

    LVL 38

    Expert Comment

    You looked at the NTFS permissions, but have you looked at who is in the administrative groups under Active Directory?

    ShareEnum will quicken the process of discovery.

    Author Comment

    Unfortunately, ShareEnum didn't include the ADMIN share.
    Also, I confirmed the Administrators group in AD didn't include the Domain Users group or anybody who shouldn't be there.

    Any other suggestions?
    LVL 38

    Accepted Solution


    I am sorry for not replying sooner.

    Not to insult your intelligence, but are you sure these users are not authenticating using domain admin username and password?

    I was certain ShareEnum looked at admin shares if you log on to that PC as domain administrator. Nevertheless, that was a part of discovery and I think we can move on.

    Instead of share enumeration, go to the server in question and use the Shares snap-in by going to: Start >> select "Run" >> type in "mmc" >> go to the "Console" menu >> select "Add/Remove Snap-in". This is a good place to organize your administrative tasks. Add the Shares snap-in to the console and any other snap-ins you wish to use. Save the console to the desktop. Then go into the console. By default it is an icon called "Console1". If you have network shares, they should be seen in the Shares snap-in. You may be able to control access there. I am not currently sitting at one of my servers, so this is all from memory. I will be at one of my servers on 8/15. Then I will be more productive.

    The following are recommendations Wikipedia had for securing shares. Warning: some recommendations are used to disable the shares for all, including administrators.

    Preventing Access
    However, disabling the Administrative shares doesn't mitigate any real significant security risks, but only keeps nuisance administrators from casually browsing the shared contents. This is because anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (hidden using the "$" suffix or not). Merely disabling the administrative shares doesn't make it any harder for a technically astute user to gain access to the disk contents.

    Better ways to prevent remote browsing of the disk contents is to:

    disable File and Printer Sharing (or unbind the NetBT protocol)
    Stop and/or Disable the Workstation service
    set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
    remove membership in the Administrators group for those users/groups you wish to block
    encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files


    Author Comment

    I'm sure of the authentication method because I'm testing with both a Domain User and Domain Admin account.  The Domain Admin account works for all servers.  The Domain User account only works for those few unsecured servers.  My goal is to get all servers denying Domain Users.  This is for Admin share access only (\\<server name>\c$ (or d$, e$, etc.)).

    Checking both the Local groups (such as Administrators) and the NTFS permissions has yielded no results, as the secure and unsecure match perfectly.  That's why I thought this could be on the Group Policy level, but unable to find any significant differences in there.

    Tried the Shared Folders view in MMC and am able to view both secure and unsecured servers from here.  All show ADMIN shares.  Of course there's no way to view Security information on ADMIN shares through here.

    Man, Wikipedia has everything.  However, I'm not looking to cut off access from the Domain Admins.

    I really appreciate your help.
    LVL 38

    Expert Comment

    In Windows NT and 2000, a member of the Server Operators group has access to these files. Maybe 2003 is the same way.
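
The thread compares local group membership on the secure and open servers by hand. As an added example (not posted by anyone in the thread), the PowerShell below diffs the direct members of the relevant local groups on two servers through the ADSI WinNT provider. The server names are placeholders, the group list is an assumption to adjust, and it is assumed to run from an admin workstation with PowerShell under an account that has administrative rights on both servers.

```powershell
# Added example: diff local group membership between a server that denies
# Domain Users on C$ and one that allows them.
$SecureServer = 'SECURE01'   # placeholder name, replace with a locked-down server
$OpenServer   = 'OPEN01'     # placeholder name, replace with an affected server
# Groups to compare (assumption: adjust to the groups you care about).
$Groups = 'Administrators', 'Backup Operators', 'Server Operators'

function Get-GroupMemberPath {
    param([string]$Computer, [string]$Group)
    try {
        $g = [ADSI]"WinNT://$Computer/$Group,group"
        foreach ($m in @($g.psbase.Invoke('Members'))) {
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            # Drop the provider prefix and replace the machine name so the same
            # local account (e.g. Administrator) compares equal on both servers.
            $path = $path -replace '^WinNT://', ''
            $path -replace "/$([regex]::Escape($Computer))/", '/<local>/'
        }
    } catch {
        # The group may not exist on this server, or the server is unreachable.
        Write-Warning "Could not read '$Group' on ${Computer}: $($_.Exception.Message)"
    }
}

function Compare-GroupMembership {
    param([string]$Secure, [string]$Open, [string[]]$GroupNames)
    foreach ($group in $GroupNames) {
        $s = @(Get-GroupMemberPath $Secure $group)
        $o = @(Get-GroupMemberPath $Open $group)
        # Members present on the open server but not on the secure one.
        $o | Where-Object { $s -notcontains $_ } | ForEach-Object {
            New-Object PSObject -Property @{ Group = $group; OnlyOn = $Open; Member = $_ }
        }
        # Members present on the secure server but not on the open one.
        $s | Where-Object { $o -notcontains $_ } | ForEach-Object {
            New-Object PSObject -Property @{ Group = $group; OnlyOn = $Secure; Member = $_ }
        }
    }
}

Compare-GroupMembership $SecureServer $OpenServer $Groups |
    Sort-Object Group, OnlyOn, Member |
    Format-Table Group, OnlyOn, Member -AutoSize
```

Only direct members are listed. A domain group that shows up only on the open server is the next place to check for Domain Users as a nested member.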
