- Administrative share
The Administrative Shares are the default network shares created by all Windows NT-based operating systems (NT/2000/XP/2003). These default shares expose every hard drive partition in the system. They allow anyone who can authenticate as a member of the local Administrators group access to the root directory of every hard drive on the system. They are not generally used or useful outside an enterprise environment.
Share names
Administrative shares are the term Microsoft defined for the collection of by-default automatically shared filesystem resources including the following:
* any drive letter + $ (only the local disk volumes, not any removable devices such as CD/DVD drives, USB drives)
* admin$ (which shares access to %SYSTEMROOT%, which is usually C:\WINDOWS or C:\WINNT)
The "$" appended to the end of the share name means that it is a hidden share. Windows will not list such shares among those it returns in typical queries by remote clients to obtain the list of shares. This means that one needs to know the name of an administrative share in order to access it.
It is commonly believed that any share whose name ends in the '$' character is an administrative share. According to Microsoft's use of the term "administrative share", this is false. While any share (even a non-administrative share) can include a '$' character at the end of its name, only the by-default shares created by Windows with the '$' suffix are considered administrative shares.
Generic UNC address for an administrative share:
"\\NetworkComputerName\(Drive letter)$"
For example:
"\\MyComputer\c$"
This represents the administrative share for the "C" drive on the computer "MyComputer". This works just as well for any other local drive on the computer, e.g. "\\MyComputer\d$", "\\MyComputer\e$" (assuming those are local drives and not removable drives).
"\\MyComputer\ADMIN$"
This represents the administrative share for the %SYSTEMROOT% directory on the computer "MyComputer".
How to disable
The administrative shares can be deleted by a user with Administrators membership, but they will be recreated automatically at the next reboot. The easiest way to prevent this is through a Registry configuration change, e.g. using Regedit. If the setting is not present then you must create it. (Be careful editing the Registry: a simple mistake can cause serious malfunctions.)
Servers
Windows NT 4.0 Server, Windows 2000 Server, Windows Server 2003
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0
Clients
Windows NT 4.0 Workstation, Windows 2000 Professional, Windows XP
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0
Security and Prevention
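The following PowerShell script is an added example, not part of the original article: it reads the AutoShareServer/AutoShareWks values described above, classifies the shares currently defined on the host using the article's definition (only the built-in drive-letter$ and ADMIN$ shares are administrative; any other name ending in '$' is merely hidden), and provides a function that applies the documented REG_DWORD = 0 setting. It assumes Windows PowerShell 5.1 or later with the SmbShare module (Windows 8 / Server 2012 and later) and an elevated session; the function names are the author's own.

```powershell
# Added example (not from the article): audit and set administrative-share settings.
# Assumes an elevated Windows PowerShell 5.1+ session with the SmbShare module.
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Read one of the two values named in the article; absent means Windows default
# behaviour, i.e. the shares are recreated at every boot.
function Get-AutoShareSetting {
    param([ValidateSet('AutoShareServer', 'AutoShareWks')][string]$Name)
    $item = Get-ItemProperty -Path $paramsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default: shares recreated at boot)' }
    return $item.$Name
}

# Apply the article's registry change: create or overwrite the value as REG_DWORD 0.
# Takes effect after the next reboot (the article notes deletion alone does not persist).
function Disable-AutoShare {
    param([ValidateSet('AutoShareServer', 'AutoShareWks')][string]$Name)
    New-ItemProperty -Path $paramsKey -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
}

# Classify a share name the way the article does. Default hidden shares the
# article does not list (for example IPC$) will show up as "hidden" here.
function Get-ShareClass {
    param([string]$ShareName)
    if ($ShareName -match '^[A-Za-z]\$$') { return 'administrative (drive root)' }
    if ($ShareName -ieq 'ADMIN$')         { return 'administrative (%SYSTEMROOT%)' }
    if ($ShareName.EndsWith('$'))         { return 'hidden, not administrative' }
    return 'visible'
}

Write-Host "AutoShareServer: $(Get-AutoShareSetting 'AutoShareServer')"
Write-Host "AutoShareWks:    $(Get-AutoShareSetting 'AutoShareWks')"

# List every current share with its class and the local path it exposes, so a
# hidden share that is not one of the defaults stands out for review.
Get-SmbShare | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        Class = Get-ShareClass $_.Name
        Path  = $_.Path
    }
} | Sort-Object Class, Name | Format-Table -AutoSize

# To apply the setting for a workstation edition, uncomment:
# Disable-AutoShare 'AutoShareWks'
```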
Preventing Access
Disabling the Administrative shares does not mitigate any known security risks; it merely prevents users with Administrators membership from easily browsing the shared contents. This is due to the fact that anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (whether hidden using the "$" suffix or not). The act of disabling the administrative shares doesn't make it any harder for a technically astute administrator to gain remote access to the Windows filesystem.
Alternative approaches to prevent remote browsing of the disk contents include:
* disable File and Printer Sharing (or unbind the NetBT protocol)
* Stop and/or Disable the Workstation service
* set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
* remove membership in the Administrators group for those users/groups you wish to block
* encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to the plaintext contents of the file
Security of the Shares
Note: the DACLs on the administrative shares cannot be modified, even by the local Administrator account.
Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token. This is arguably "more" secure against such remote attacks than assigning a weak or easily-guessed password to the local Administrator account.
Wikimedia Foundation. 2010.