NTFS permissions and the default C$ share on servers - security issue?

Posted on 2007-10-11
Last Modified: 2013-12-04
I just have a simple question about NTFS permissions on a web server:

I have the site data on a seperate hard drive, E:, with group Everyone completely removed from the permissions. Should I do the same on the C: drive to lockdown the server further or will the ruin the server and I won't be able to login? Do you have any recommendations? The way it's currently setup, anyone that gains access to the network -- not even the server -- can simply access \\server\c$ to see EVERYTHING on the C: drive. If you ask me, that is a heck of a security threat. Do you have any recommendations for other servers such as DCs or file servers? Is this share necessary (I assume so...)?

That's all! Thanks!
Question by:Pugglewuggle
    LVL 4

    Accepted Solution

    The c$ Share is an admin share and normally only accessable with administrative rights. I would NOT recommend to remove the share.
    But you can remove the Everyone group from the NTFS permissions. Maybe you should add "Domain users" or another group with READ permissions if necessary to access something.
    Be sure that on C: (Root) the "Administrators" group has FULL Control permissions

    Detailed information see here:

    Also interresting tool:


    MAYBE a good idea is to have a full backup of the server and a system restore point!
    If you have doubts, use a VMWare session or VirtualPC2007 session to setup a new server for testing and playing around with permissions before doing this on a productive machine.
    LVL 57

    Expert Comment

    by:Pete Long
    I'm assuming because of the TA we are talking about an IIS web site?

    OK there is a difference in permissions if we are - web permissions are set in the IIS management console, not at folder level :) your best bet id you are worried is to download the IIS lock down tool which will Analyse and recommends the best practice for your IIS server then run the Microsoft baseline security analyzer and the server to make sure everything else is OK :)


    IIS Lockdown tool
    M$ Baseline Analyser
    LVL 12

    Author Comment

    Here are a few extra notes to help your decision making/suggestions out a bit --

    The server is running IIS 6.0 on WS 2003 Web Edition - fully patched - SP2
    IIS 6.0 does not support the IIS lockdown tool
    The MBSA has been run and the server is locked down as suggested
    These hidden shares are located on the root of ALL drives in systems running at least XP
    I DO NOT want to delete these shares, just secure them with NTFS permissions
    SMB permissions CANNOT be set on these default shares - they are for administrative purposes

    When I go to remove the Everyone group, the OS freaks out and tells me "You are about to change the permission settings on the root directory of the startup disk, which can result in unexpected access problems and reduce security. Do you want to continue?"

    The message shouts "don't mess with me"... so I'm a bit worried.... Please advise.

    LVL 4

    Expert Comment

    LVL 2

    Expert Comment

    These 'drive' shares C$, D$ etc are admin shares as previously stated and can only be accessed by members of the local administrators group, which include domain admins by default. You cant change the permission on them, only disable the share itself. Note that this could cause problems with applications that use them, plus it makes remote administration harder.

    If you have a problem with people being able to access them, then a better procedure would be to remove them from unnecessary security groups - think principle of least privilege.
    LVL 12

    Author Comment

    For the purpose of the web server, a stand alone machine in a DMZ and not a member of a domain, what do you recommend? Should I remove the Everyone from the NTFS permissions on the C: drive or does it matter?
    LVL 4

    Expert Comment

    I personally would remove Everyone group
    See about the links provided earlier, there are MS security guides and server hardening documentations of about 30 pages.....

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now