How to stop network users access my c: drive

I noticed when I turned off my windows firewall, other users can use \\IP address\c$ to access my drives.

Which service is in control of this and can i stop the service to forbid it?

thanks.
Jason YuAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Naranthiran DSystem AdministratorCommented:
Hi,
  Follow the steps in the below link to remove the default sharing option.

http://support.microsoft.com/kb/816524
0
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
First of all only administrators can access c$ shares.  Ensure users are not member of Administrators group on your computer (or for that matter, member of domain admins).
0
Jason YuAuthor Commented:
I have windows 7, does the above article work for me?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Jason YuAuthor Commented:
any help for this question?
0
cantorisCommented:
I've not tried that setting but I would have thought it would work.
You could also use local group policy and under User Rights Assignments, add the undesirable users to "Deny access to this computer from the network".
0
Rich RumbleSecurity SamuraiCommented:
Is this Computer yours to administer? Does it belong to your employer? Perhaps contact your IT department and ask if they can make the permissions stricter or if they can enable the firewall.
-rich
0
kenfcampCommented:
Are they accessing your full C:\ Drive or just your shares on the C:\ Drive?

Are any of these shares work related (Folder for Network Scanner, etc)?

Do you have Administrative access (Admin Login) on this PC, or do you have an IT department that manages PC network configurations?

Ken
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
1.  The administrative shares should NOT be removed.  It could cause problems with managing your computer and doing CRITICAL things like updating your antivirus software and installing important software.
2.  Both YOURSELF and OTHER USERS should not have access to them.  Only Administrators should have access (hence the name - ADMINISTRATIVE SHARES!).  You should not be running as an administrator.  Other users should ABSOLUTELY NOT have access to the shares.
3.  If you are not the network administrator, you need to talk to your network administrator.  He should know better than to grant (what appears to be) Domain Users admin rights to all PCs.  That's a HORRIBLE security issue.  Even if you need admin rights, YOU should have a separate local admin account used with UAC to give access to whatever admin function you need and even if you're company is too lazy to implement proper security that way, ONLY your account should be listed in the regular user of a computer should be in the administrators group.

If you elaborate more on your role, I may be able to help further, but I don't like nor do I think it's appropriate to explain how to do something that's a bad idea to a person who may not be the administrator (or even to the administrator).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jason YuAuthor Commented:
I am the network and system administrator. I noticed I am able to access other user's C: or D: partition and notices other administrator domain account can access my hard disk.

I think there is a service which is in charge of network file sharing, I tried it before but forgot. whenever you stop that service, even user with domain admin's privilege can't access your paritions. Am I right?
0
Jason YuAuthor Commented:
I am the network admin and manager of IT, I want to make sure no other users including staff in IT department can't access my hard drive. How to achieve it?

thanks.
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
The server service controls your computer's ability to accept incoming data on file shares.  Windows also has a built-in firewall that block access to file sharing.

There are also methods of removing the administrative shares only and leaving sharing running.

BUT, anyone experienced in Windows management can tell you, that ADMINISTRATIVE shares are used by various programs to ensure things like Antivirus and other applications are up to do date - You should NOT be disabling them or preventing access to them.

What you should be doing in my opinion is:
1. replacing staff you do not trust.  (Why would you give untrustworthy people admin access to ANYTHING on your network?)
2. Enabling auditing on file access on your computer and use scripts and/or third party utilities to alert you to employees that do access files on your system inappropriately.  Just make sure there isn't a logical explanation for why the employee is accessing the machine (perhaps they are doing a software inventory or updating your antivirus).
3. NO EMPLOYEE - allow me to repeat with emphasis - ABSOLUTELY NO EMPLOYEE should be using a domain admin account - OR EVEN A LOCAL ADMIN ACCOUNT as their regular user account.  Run as an unprivileged user and when a UAC prompt runs, use a specifically created account with appropriate rights to "ok" the administrative request.

You may have reasons to except #3 - but even if you do, you MUST take a close look at what is requiring the exception and look at how to you allow that poorly designed software to operate while granting the end user the minimum of privileges.  This needs to be done on a software case by case basis.

Bottom line - can you do it what you ask?  Yes - I've outlined how above - there are tons of instructions for doing any of the above online - SHOULD YOU?  A smart IT person wouldn't, in my opinion.  (If you have critical data you don't want people accessing, store it offline or encrypt it).
0
Rich RumbleSecurity SamuraiCommented:
Simple, turn on the firewall. Remove domain admins from the list of remote users so they can't RDP into the machine. You do not have to, or want to remove the share, you simply need to block access to it. You do that with permissions and or the firewall. An IT admin should know this at a minimum, already. The service is the "server" service, do not disable that, even though it technically can do what you are asking. Almost everything on your computer relies on that service.
-rich
0
Jason YuAuthor Commented:
Thank you, guys, I appreciate your help. I will follow the suggestions above and make sure my system is secure.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.