Solved

Default c$ shares permissions

Posted on 2014-01-28
15
4,867 Views
Last Modified: 2015-07-16
It seems common knowledge with users they can use \\%computername%\c$ etc. to get to their C drives, even when C drive access has been carefully hidden from explorer by their IT depts.

On Windows XP default permissions for the C$ share was to only allow access to the local Administrators group.  In Windows 7 it seems it shows Everyone, full control in NET SHARE C$ though it also shows the same in Windows 2003/2008 server and they prompt for admin credentials if the user isn't an admin on there.

This is in domain environment, and on my own kit non-domain as "work" network.

OK you need to be authenticated in some way and guest will (should) be disabled but anyone can access anyone's C drive.... really?!

Have read various documents all of which go nowhere.

NET SHARE C$  as a non admin user hows "Access Denied" to show the permissions BUT the same non admin user can view in explorer or PUSHD \\%computername%\c$ etc.

So have I missed an obvious policy to tie this down, or anything else for this?

I suppose we could disable admin shares through policy and try add new C$ hidden shares with specific permissions if wanted through policy again?

Steve
0
Comment
Question by:Steve Knight
  • 6
  • 3
  • 2
  • +3
15 Comments
 
LVL 9

Expert Comment

by:Alex Green
ID: 39814717
Ok so, what's the question?

Can anyone access the \\computername\c$? No they can't, if you have a group policy that throws the domain users into the local admin group for PC's that would be an issue.

I assume you're trying to lock it down so people can't do that, on a standard users machine run GPResult and see what groups they are in, then either modify your group policy or go through it again and make sure there aren't any contradictions.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39814797
Thanks for the reply, actually having checked myself rather than what I was told, users who are not in any local groups except users via "domain users" in the case of domain, and "users" in the case of standalone Win 7 machine CAN access c$.  BUT only on their own machine, i.e. C$ works regardless from the local machine, but over t

So from your experience do c$ shares still work as before, i.e. normal users can't access them on windows 7 machines at all, or do you get the same effect?

i.e. User as admin of particular machine can of course access C$, admin$ shares etc.
User who isn't admin can't as expected
but user can always access c$ on the machine he is logged into, even if not admin and the C; drive is hidden from explorer and command prompt disabled, for instance.

thanks

Steve
0
 
LVL 9

Expert Comment

by:Alex Green
ID: 39814810
If it's the standalone machine and they can still access the C$ you can set a local group policy to change that. Domain policy won't apply
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 43

Author Comment

by:Steve Knight
ID: 39814819
Understand that.   I suppose to summarise:

Is it now 'normal' that users can access c$ of their own domain or non-domain machine when they aren't in anything other than "users" group on Windows 7?

If so WHY, and how can I turn it off except disabling / deleting admin shares.

thanks!

Steve
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39815038
Confirming. The admin shares are "Everyone, Full" by default on W7, just tested that. It doesn't matter for the local machine, but on remote machines those shares are filtered by default (the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy key is responsible for that), so no harm.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815074
Trouble is it does matter when you are also hiding the C drive!
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 39815121
Ooops. Then you'll have to redefine c$ ...
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 0 total points
ID: 39815143
Stumbled across another issue the same:

http://www.networksteve.com/windows/topic.php/c$_access_to_localhost_as_a_standard_user/?TopicId=52862&Posts=10

So looks like have to live with it.... pointless being able to hide C drive then frankly!

May be able to delete the C$ share and create another one I suppose during startup:

net share c$ /delete
net share c$=c:\ /grant:administrators,FULL /cache:none /remark:"Manually shared"

Any other ideas?

Steve
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39815261
Don't recreate the same c$... name it something else besides that administrative share name.

Then, run your net share c$ /delete command at every reboot, because the computer will recreate it.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815392
Works OK actually like that having pushed it to an OU for testing.  Will see how that goes and leave this open for a little while in case anyone else has any bright ideas.

thanks

Steve
0
 
LVL 69

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 39817485
Besides switching off AutoAdminShares, and recreate manually as necessary, I don't have any idea.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39819302
May I ask what you are planning to do? Hiding c: does not prevent them from accessing it. Even the GPO "prevent access to these drives..." does only work in explorer. It does NOT keep them from using any other file-open-dialogue of programs that don't use explorer (like total commander for example) to access c: - So the measure is pointless in the first place.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39819550
Not my company or decision and I know there are various ways of getting to see and access the files on c: drive, though being able to connect to c$ is a bit of a gaping flaw.  When users are blocked from command prompt, c drive and the like.

The reasons are mainly to stop people deciding to use the c: drive for storing data which is then subsequently lost when machines fail, get lost or stolen etc. and instead keep to offline files from home drives etc.

There are arguments both ways as always, much like whether to keep mailboxes and home drives with tiny quotas and force people to archive data off all the time, a free-for-all or something inbetween.

In this case I was hoping their was another policy I had missed that stopped this access but since there isn't will have to work around it or leave it as is.

thanks for interest

Steve
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39820069
I see. By default, users may create folders on the root of c: - stop that using adjusted NTFS permissions for "this folder only", this alone helps a little.
0
 
LVL 1

Expert Comment

by:CHI-LTD
ID: 40884556
looks like the problem is that everyone group has access to every share (clients and servers!).  Its showing this in our 3rd party management program, but in MMC - computermgt its not showing it..

going to check GPO..
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question