What hidden shares can be safely disabled in a Windows 2003 Network?

We are having some network vulnerability issues and I would like to tighten up security on our Windows 2003 servers and XP desktops.

Question - What Hidden Shares can I either safely remove or better secure?

On the servers I see C$, Admin$, IPC$

Thanks!
AutomatedIT Asked:

robsz1 Commented:
You are able to disable those shares.  You may be better off looking into services and applications that you do not need running on your servers.  If you are having problems from outside of your network you may want to look into the configuration of your firewall.  It really depends on what sort of problems you are having to get a better idea of what you missed when securing your servers.
0
robsz1 Commented:
Sorry, that was meant to say you are NOT able to disable those shares.
0

AutomatedIT Author Commented:
We are actually having internal network problems.  Got a bad bug floating around and we are trying to find all infected machines so that we can remove them from the network.  While looking at the information from Wireshark I see SMB traffic from machines to servers and often they are working on the IPC$.  Also have some SMB traffic from machine to machine.

I don't think that I can totally stop SMB traffic since it will kill the network, but I am trying to at least minimize the points of attack and spreading to give us a chance to find all of the infected machines.  (AV software is not effective in stopping the spread)
0

robsz1 Commented:
Well, the IPC$ is used for passing along login credentials, which would be done prior to accessing a share on a machine, so you will see a lot of that going to your server.  If you see it going out to various workstations then that may be a better indicator.
0
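The comment above separates expected IPC$ connections to a server from IPC$ connections that fan out to workstations; the sketch below applies that test to a capture export. It is an added example, not part of the original thread: the three-column CSV layout, the server list, the addresses and the threshold of three peers are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per SMB tree connect taken from a capture
# export (source IP, destination IP, share path). All values are made up.
SAMPLE = r"""src,dst,path
10.0.1.21,10.0.0.5,\\FS01\IPC$
10.0.1.21,10.0.0.5,\\FS01\Projects
10.0.1.22,10.0.0.5,\\FS01\IPC$
10.0.1.37,10.0.0.5,\\FS01\IPC$
10.0.1.37,10.0.1.21,\\10.0.1.21\IPC$
10.0.1.37,10.0.1.22,\\10.0.1.22\ipc$
10.0.1.37,10.0.1.40,\\10.0.1.40\IPC$
10.0.1.37,10.0.1.40,\\10.0.1.40\IPC$
10.0.1.22,10.0.1.21,\\10.0.1.21\IPC$
"""

SERVERS = {"10.0.0.5"}  # assumed list of known file/domain servers


def load_rows(text):
    """Parse the CSV export into a list of dicts keyed by src, dst, path."""
    return list(csv.DictReader(io.StringIO(text)))


def ipc_fanout(rows, servers, min_peers=3):
    """Return {src: sorted peers} for hosts that opened IPC$ on at least
    min_peers distinct machines that are not known servers."""
    peers = defaultdict(set)
    for row in rows:
        # Last path component is the share name; compare case-insensitively.
        share = row["path"].strip().rsplit("\\", 1)[-1].upper()
        if share != "IPC$":
            continue  # ordinary file or print share
        src, dst = row["src"].strip(), row["dst"].strip()
        if dst in servers or src == dst:
            continue  # client-to-server IPC$ precedes normal share access
        peers[src].add(dst)  # a set, so repeated connects count once
    return {s: sorted(p) for s, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for src, dsts in ipc_fanout(load_rows(SAMPLE), SERVERS).items():
        print(f"{src} opened IPC$ on {len(dsts)} workstations: {', '.join(dsts)}")
```

Hosts it reports are candidates for closer inspection, not confirmed infections; management tools that legitimately reach many workstations will also appear unless they are added to the server list.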
robsz1 Commented:
If your problems are more towards your entire network being unstable, such as a lot of packet loss, that could also be a sign of a routing loop in your switches, which can be tricky to catch.  Perhaps check your core switches for unusually high CPU utilization.

Figure out what the similarities are among the clients having problems: were they recently updated, are they on the same subnet or switch, is it only clients in a certain department, are they all currently on fire...
0
AutomatedIT Author Commented:
What about changing the IPC share in the registry?

1. Open Regedit
2. HKEY_LOCAL_MACHINE -> System -> CurrentControlSet -> Control -> Lsa -> restrictanonymous
3. Change "Value Data" from 0 to 1
4. This will disable remote logon to a null IPC$ share
0
robsz1 Commented:
In my opinion, if you have to open the registry to do it, it's a hack.  That's debatable though.  Anyways that doesn't sound like something I personally would want to test out on my server, at least not during working hours unless everything is already broken anyways.
It may be worth a shot, though I would be worried about it making the shares on the computer inaccessible.
0
robsz1 Commented:
Not saying it will, but who's to say it won't.
0
herbus Commented:
For some other ideas on server hardening, check out this checklist on the Texas uni site, it should get you thinking...
http://security.utexas.edu/admin/win2003.html
0