Solved

Default c$ shares permissions

Posted on 2014-01-28
Last Modified: 2015-07-16
It seems common knowledge with users they can use \\%computername%\c$ etc. to get to their C drives, even when C drive access has been carefully hidden from explorer by their IT depts.

On Windows XP default permissions for the C$ share were to only allow access to the local Administrators group.  In Windows 7 it seems it shows Everyone, full control in NET SHARE C$ though it also shows the same in Windows 2003/2008 server and they prompt for admin credentials if the user isn't an admin on there.

This is in domain environment, and on my own kit non-domain as "work" network.

OK you need to be authenticated in some way and guest will (should) be disabled but anyone can access anyone's C drive.... really?!

Have read various documents all of which go nowhere.

NET SHARE C$ as a non admin user shows "Access Denied" to show the permissions BUT the same non admin user can view in explorer or PUSHD \\%computername%\c$ etc.

So have I missed an obvious policy to tie this down, or anything else for this?

I suppose we could disable admin shares through policy and try to add new C$ hidden shares with specific permissions if wanted through policy again?

Steve
Question by:Steve Knight
 
LVL 6

Expert Comment

by:alexgreen312
ID: 39814717
Ok so, what's the question?

Can anyone access the \\computername\c$? No they can't, if you have a group policy that throws the domain users into the local admin group for PCs that would be an issue.

I assume you're trying to lock it down so people can't do that, on a standard user's machine run GPResult and see what groups they are in, then either modify your group policy or go through it again and make sure there aren't any contradictions.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39814797
Thanks for the reply, actually having checked myself rather than what I was told, users who are not in any local groups except users via "domain users" in the case of domain, and "users" in the case of standalone Win 7 machine CAN access c$.  BUT only on their own machine, i.e. C$ works regardless from the local machine, but over t

So from your experience do c$ shares still work as before, i.e. normal users can't access them on Windows 7 machines at all, or do you get the same effect?

i.e. User as admin of particular machine can of course access C$, admin$ shares etc.
User who isn't admin can't as expected
but user can always access c$ on the machine he is logged into, even if not admin and the C: drive is hidden from explorer and command prompt disabled, for instance.

thanks

Steve
0
 
LVL 6

Expert Comment

by:alexgreen312
ID: 39814810
If it's the standalone machine and they can still access the C$ you can set a local group policy to change that. Domain policy won't apply
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39814819
Understand that.   I suppose to summarise:

Is it now 'normal' that users can access c$ of their own domain or non-domain machine when they aren't in anything other than "users" group on Windows 7?

If so WHY, and how can I turn it off except disabling / deleting admin shares.

thanks!

Steve
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39815038
Confirming. The admin shares are "Everyone, Full" by default on W7, just tested that. It doesn't matter for the local machine, but on remote machines those shares are filtered by default (the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy key is responsible for that), so no harm.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815074
Trouble is it does matter when you are also hiding the C drive!
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 39815121
Ooops. Then you'll have to redefine c$ ...
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 0 total points
ID: 39815143
Stumbled across another issue the same:

http://www.networksteve.com/windows/topic.php/c$_access_to_localhost_as_a_standard_user/?TopicId=52862&Posts=10

So looks like have to live with it.... pointless being able to hide C drive then frankly!

May be able to delete the C$ share and create another one I suppose during startup:

net share c$ /delete
net share c$=c:\ /grant:administrators,FULL /cache:none /remark:"Manually shared"

Any other ideas?

Steve
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39815261
Don't recreate the same c$... name it something else besides that administrative share name.

Then, run your net share c$ /delete command at every reboot, because the computer will recreate it.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815392
Works OK actually like that having pushed it to an OU for testing.  Will see how that goes and leave this open for a little while in case anyone else has any bright ideas.

thanks

Steve
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 39817485
Besides switching off AutoAdminShares, and recreating manually as necessary, I don't have any idea.
0
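The workaround the comments above converge on (stop Windows recreating the automatic shares, remove C$, and publish a differently named hidden share granted only to Administrators), written as a computer startup script. This is an added example, not code from any poster in this thread. It assumes the `AutoShareWks` / `AutoShareServer` registry values (not named on this page), an English group name `Administrators`, and a hypothetical share name `cadmin$`.

```powershell
# Added example: run elevated, e.g. as a GPO computer startup script.
# Written to work on PowerShell 2.0 (Windows 7), so it uses WMI and net.exe.
$ErrorActionPreference = 'Stop'

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$shareName = 'cadmin$'     # hypothetical name; trailing $ keeps it hidden from browsing
$sharePath = 'C:\'

# 1. Stop the Server service recreating drive-letter shares and ADMIN$ at boot.
#    Workstations read AutoShareWks, servers read AutoShareServer (IPC$ is unaffected).
$productType = (Get-WmiObject Win32_OperatingSystem).ProductType   # 1 = workstation
$valueName   = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
New-ItemProperty -Path $paramKey -Name $valueName -Value 0 `
                 -PropertyType DWord -Force | Out-Null

# 2. Remove the automatic C$ share if it exists in this boot session.
$auto = Get-WmiObject Win32_Share -Filter "Name='C`$'"
if ($auto) {
    $rc = $auto.Delete().ReturnValue
    if ($rc -ne 0) { throw "Deleting C`$ failed, Win32_Share return value $rc" }
}

# 3. Create the replacement share only once, with an explicit grant so it does
#    not inherit the "Everyone, Full" permission the thread observed on C$.
$existing = Get-WmiObject Win32_Share | Where-Object { $_.Name -eq $shareName }
if (-not $existing) {
    & net.exe share "$shareName=$sharePath" '/grant:Administrators,FULL' '/cache:none' |
        Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }
}

# 4. Report what is shared now so the startup-script log shows the end state.
Get-WmiObject Win32_Share | Select-Object Name, Path, Description | Format-Table -AutoSize
```

Setting the registry value to 0 also stops ADMIN$ being created after the next restart, so deployment or remote-management tooling that expects C$ or ADMIN$ needs checking on a test OU first.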
 
LVL 53

Expert Comment

by:McKnife
ID: 39819302
May I ask what you are planning to do? Hiding c: does not prevent them from accessing it. Even the GPO "prevent access to these drives..." does only work in explorer. It does NOT keep them from using any other file-open-dialogue of programs that don't use explorer (like total commander for example) to access c: - So the measure is pointless in the first place.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39819550
Not my company or decision and I know there are various ways of getting to see and access the files on c: drive, though being able to connect to c$ is a bit of a gaping flaw.  When users are blocked from command prompt, c drive and the like.

The reasons are mainly to stop people deciding to use the c: drive for storing data which is then subsequently lost when machines fail, get lost or stolen etc. and instead keep to offline files from home drives etc.

There are arguments both ways as always, much like whether to keep mailboxes and home drives with tiny quotas and force people to archive data off all the time, a free-for-all or something in between.

In this case I was hoping there was another policy I had missed that stopped this access but since there isn't will have to work around it or leave it as is.

thanks for interest

Steve
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39820069
I see. By default, users may create folders on the root of c: - stop that using adjusted NTFS permissions for "this folder only", this alone helps a little.
0
 
LVL 1

Expert Comment

by:CHI-LTD
ID: 40884556
Looks like the problem is that everyone group has access to every share (clients and servers!).  It's showing this in our 3rd party management program, but in MMC - computermgt it's not showing it..

Going to check GPO..
0
