Solved

Default c$ shares permissions

Posted on 2014-01-28
15
5,334 Views
Last Modified: 2015-07-16
It seems common knowledge with users they can use \\%computername%\c$ etc. to get to their C drives, even when C drive access has been carefully hidden from explorer by their IT depts.

On Windows XP default permissions for the C$ share was to only allow access to the local Administrators group.  In Windows 7 it seems it shows Everyone, full control in NET SHARE C$ though it also shows the same in Windows 2003/2008 server and they prompt for admin credentials if the user isn't an admin on there.

This is in domain environment, and on my own kit non-domain as "work" network.

OK you need to be authenticated in some way and guest will (should) be disabled but anyone can access anyone's C drive.... really?!

Have read various documents all of which go nowhere.

NET SHARE C$  as a non admin user hows "Access Denied" to show the permissions BUT the same non admin user can view in explorer or PUSHD \\%computername%\c$ etc.

So have I missed an obvious policy to tie this down, or anything else for this?

I suppose we could disable admin shares through policy and try add new C$ hidden shares with specific permissions if wanted through policy again?

Steve
0
Comment
Question by:Steve Knight
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
  • +3
15 Comments
 
LVL 11

Expert Comment

by:Alex Green
ID: 39814717
Ok so, what's the question?

Can anyone access the \\computername\c$? No they can't, if you have a group policy that throws the domain users into the local admin group for PC's that would be an issue.

I assume you're trying to lock it down so people can't do that, on a standard users machine run GPResult and see what groups they are in, then either modify your group policy or go through it again and make sure there aren't any contradictions.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39814797
Thanks for the reply, actually having checked myself rather than what I was told, users who are not in any local groups except users via "domain users" in the case of domain, and "users" in the case of standalone Win 7 machine CAN access c$.  BUT only on their own machine, i.e. C$ works regardless from the local machine, but over t

So from your experience do c$ shares still work as before, i.e. normal users can't access them on windows 7 machines at all, or do you get the same effect?

i.e. User as admin of particular machine can of course access C$, admin$ shares etc.
User who isn't admin can't as expected
but user can always access c$ on the machine he is logged into, even if not admin and the C; drive is hidden from explorer and command prompt disabled, for instance.

thanks

Steve
0
 
LVL 11

Expert Comment

by:Alex Green
ID: 39814810
If it's the standalone machine and they can still access the C$ you can set a local group policy to change that. Domain policy won't apply
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 43

Author Comment

by:Steve Knight
ID: 39814819
Understand that.   I suppose to summarise:

Is it now 'normal' that users can access c$ of their own domain or non-domain machine when they aren't in anything other than "users" group on Windows 7?

If so WHY, and how can I turn it off except disabling / deleting admin shares.

thanks!

Steve
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39815038
Confirming. The admin shares are "Everyone, Full" by default on W7, just tested that. It doesn't matter for the local machine, but on remote machines those shares are filtered by default (the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy key is responsible for that), so no harm.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815074
Trouble is it does matter when you are also hiding the C drive!
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 39815121
Ooops. Then you'll have to redefine c$ ...
0
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 0 total points
ID: 39815143
Stumbled across another issue the same:

http://www.networksteve.com/windows/topic.php/c$_access_to_localhost_as_a_standard_user/?TopicId=52862&Posts=10

So looks like have to live with it.... pointless being able to hide C drive then frankly!

May be able to delete the C$ share and create another one I suppose during startup:

net share c$ /delete
net share c$=c:\ /grant:administrators,FULL /cache:none /remark:"Manually shared"

Any other ideas?

Steve
0
 
LVL 44

Expert Comment

by:Darr247
ID: 39815261
Don't recreate the same c$... name it something else besides that administrative share name.

Then, run your net share c$ /delete command at every reboot, because the computer will recreate it.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39815392
Works OK actually like that having pushed it to an OU for testing.  Will see how that goes and leave this open for a little while in case anyone else has any bright ideas.

thanks

Steve
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 39817485
Besides switching off AutoAdminShares, and recreate manually as necessary, I don't have any idea.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39819302
May I ask what you are planning to do? Hiding c: does not prevent them from accessing it. Even the GPO "prevent access to these drives..." does only work in explorer. It does NOT keep them from using any other file-open-dialogue of programs that don't use explorer (like total commander for example) to access c: - So the measure is pointless in the first place.
0
 
LVL 43

Author Comment

by:Steve Knight
ID: 39819550
Not my company or decision and I know there are various ways of getting to see and access the files on c: drive, though being able to connect to c$ is a bit of a gaping flaw.  When users are blocked from command prompt, c drive and the like.

The reasons are mainly to stop people deciding to use the c: drive for storing data which is then subsequently lost when machines fail, get lost or stolen etc. and instead keep to offline files from home drives etc.

There are arguments both ways as always, much like whether to keep mailboxes and home drives with tiny quotas and force people to archive data off all the time, a free-for-all or something inbetween.

In this case I was hoping their was another policy I had missed that stopped this access but since there isn't will have to work around it or leave it as is.

thanks for interest

Steve
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39820069
I see. By default, users may create folders on the root of c: - stop that using adjusted NTFS permissions for "this folder only", this alone helps a little.
0
 
LVL 1

Expert Comment

by:CHI-LTD
ID: 40884556
looks like the problem is that everyone group has access to every share (clients and servers!).  Its showing this in our 3rd party management program, but in MMC - computermgt its not showing it..

going to check GPO..
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question