• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7536
  • Last Modified:

Default c$ shares permissions

It seems common knowledge with users they can use \\%computername%\c$ etc. to get to their C drives, even when C drive access has been carefully hidden from explorer by their IT depts.

On Windows XP default permissions for the C$ share was to only allow access to the local Administrators group.  In Windows 7 it seems it shows Everyone, full control in NET SHARE C$ though it also shows the same in Windows 2003/2008 server and they prompt for admin credentials if the user isn't an admin on there.

This is in domain environment, and on my own kit non-domain as "work" network.

OK you need to be authenticated in some way and guest will (should) be disabled but anyone can access anyone's C drive.... really?!

Have read various documents all of which go nowhere.

NET SHARE C$  as a non admin user hows "Access Denied" to show the permissions BUT the same non admin user can view in explorer or PUSHD \\%computername%\c$ etc.

So have I missed an obvious policy to tie this down, or anything else for this?

I suppose we could disable admin shares through policy and try add new C$ hidden shares with specific permissions if wanted through policy again?

Steve
0
Steve Knight
Asked:
Steve Knight
  • 6
  • 3
  • 2
  • +3
3 Solutions
 
Alex Green3rd Line Server SupportCommented:
Ok so, what's the question?

Can anyone access the \\computername\c$? No they can't, if you have a group policy that throws the domain users into the local admin group for PC's that would be an issue.

I assume you're trying to lock it down so people can't do that, on a standard users machine run GPResult and see what groups they are in, then either modify your group policy or go through it again and make sure there aren't any contradictions.
0
 
Steve KnightIT ConsultancyAuthor Commented:
Thanks for the reply, actually having checked myself rather than what I was told, users who are not in any local groups except users via "domain users" in the case of domain, and "users" in the case of standalone Win 7 machine CAN access c$.  BUT only on their own machine, i.e. C$ works regardless from the local machine, but over t

So from your experience do c$ shares still work as before, i.e. normal users can't access them on windows 7 machines at all, or do you get the same effect?

i.e. User as admin of particular machine can of course access C$, admin$ shares etc.
User who isn't admin can't as expected
but user can always access c$ on the machine he is logged into, even if not admin and the C; drive is hidden from explorer and command prompt disabled, for instance.

thanks

Steve
0
 
Alex Green3rd Line Server SupportCommented:
If it's the standalone machine and they can still access the C$ you can set a local group policy to change that. Domain policy won't apply
0
Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

 
Steve KnightIT ConsultancyAuthor Commented:
Understand that.   I suppose to summarise:

Is it now 'normal' that users can access c$ of their own domain or non-domain machine when they aren't in anything other than "users" group on Windows 7?

If so WHY, and how can I turn it off except disabling / deleting admin shares.

thanks!

Steve
0
 
QlemoDeveloperCommented:
Confirming. The admin shares are "Everyone, Full" by default on W7, just tested that. It doesn't matter for the local machine, but on remote machines those shares are filtered by default (the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy key is responsible for that), so no harm.
0
 
Steve KnightIT ConsultancyAuthor Commented:
Trouble is it does matter when you are also hiding the C drive!
0
 
QlemoDeveloperCommented:
Ooops. Then you'll have to redefine c$ ...
0
 
Steve KnightIT ConsultancyAuthor Commented:
Stumbled across another issue the same:

http://www.networksteve.com/windows/topic.php/c$_access_to_localhost_as_a_standard_user/?TopicId=52862&Posts=10

So looks like have to live with it.... pointless being able to hide C drive then frankly!

May be able to delete the C$ share and create another one I suppose during startup:

net share c$ /delete
net share c$=c:\ /grant:administrators,FULL /cache:none /remark:"Manually shared"

Any other ideas?

Steve
0
 
Darr247Commented:
Don't recreate the same c$... name it something else besides that administrative share name.

Then, run your net share c$ /delete command at every reboot, because the computer will recreate it.
0
 
Steve KnightIT ConsultancyAuthor Commented:
Works OK actually like that having pushed it to an OU for testing.  Will see how that goes and leave this open for a little while in case anyone else has any bright ideas.

thanks

Steve
0
 
QlemoDeveloperCommented:
Besides switching off AutoAdminShares, and recreate manually as necessary, I don't have any idea.
0
 
McKnifeCommented:
May I ask what you are planning to do? Hiding c: does not prevent them from accessing it. Even the GPO "prevent access to these drives..." does only work in explorer. It does NOT keep them from using any other file-open-dialogue of programs that don't use explorer (like total commander for example) to access c: - So the measure is pointless in the first place.
0
 
Steve KnightIT ConsultancyAuthor Commented:
Not my company or decision and I know there are various ways of getting to see and access the files on c: drive, though being able to connect to c$ is a bit of a gaping flaw.  When users are blocked from command prompt, c drive and the like.

The reasons are mainly to stop people deciding to use the c: drive for storing data which is then subsequently lost when machines fail, get lost or stolen etc. and instead keep to offline files from home drives etc.

There are arguments both ways as always, much like whether to keep mailboxes and home drives with tiny quotas and force people to archive data off all the time, a free-for-all or something inbetween.

In this case I was hoping their was another policy I had missed that stopped this access but since there isn't will have to work around it or leave it as is.

thanks for interest

Steve
0
 
McKnifeCommented:
I see. By default, users may create folders on the root of c: - stop that using adjusted NTFS permissions for "this folder only", this alone helps a little.
0
 
CHI-LTDCommented:
looks like the problem is that everyone group has access to every share (clients and servers!).  Its showing this in our 3rd party management program, but in MMC - computermgt its not showing it..

going to check GPO..
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 3
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now