|
Home > Archive > 70-210 > January 2004 > Sharing C Drive...
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Sharing C Drive...
|
|
| moreilly 2004-01-29, 1:13 pm |
| Hello:
I've repeatedly turned off sharing on my C: drive. However each time I restart my Windows 2000 computer the C: drive is again set to be shared across the network. Is
this an automatic setting that I can't disable?
I've been using the administrator's account also.
Any advice is much appreciated.
Thanks,
Matthew | |
| aznluvsmc 2004-01-29, 2:29 pm |
| You cannot unshare the default shares. All you can do is restrict access. | |
|
| C$ is shared and used to remotely perform admin tasks. The root of each partition on a HD (C$,D$,E$, etc...)is automatically shared. You can not change/unshare this.
By default, members of the Administrators group have FC permission for adminstrative shared folders. You cannot modify the permissions on administrative shared folders.
As a side note - the $ sign makes the share hidden, but it does not make it a default administrative share. | |
| em_ar_ducks 2004-01-29, 11:29 pm |
| In fact it is a recommended security practice in some cases.
There is a KB article on MSofts site, just do a search and it will tell you which registry keys to modify. | |
| Boulware5 2004-01-30, 12:26 am |
| There's also the Admin$ share which is C:\Winnt and the Print$ share which provides access to printer driver files. Both are hidden. | |
| pcthug 2004-01-30, 4:25 am |
| There is a registry hack that will permenantly remove those $ shares. You won't see them again after reboots. I usually remove them all on a IIS server. In fact, the lockdown utility itself does this for some $ shares.
If your workstation is standalone home PC (not connected to any NT/w2k domains or workgroups, you can remove them without any side effects. | |
|
|
|
| quote:
Originally posted by em_ar_ducks
In fact it is a recommended security practice in some cases.
As a side note, could you point me in the direction of these cases? Because the MS article states differently. In fact, I've never seen a need nor a recomendation from an IIS, SMS, etc... configuration standpoint stating that one should disable these.
This is from the article posted above:
"IMPORTANT: The default IPC$ administrative share is required by the Server service and cannot be deleted. Microsoft recommends that you not delete administrative shares that were created by Windows for root partitions and volumes (such as C$) and the system root folder (ADMIN$). This can cause problems for administrators and programs or services that rely on these shares. example, both Microsoft Systems Management Server (SMS) and Microsoft Operations Manager 2000 require administrative shares for correct installation and operation.
So I guess my comment is, if members are going to state that there are instances that one 'should' do this for security purposes, and or post about a 'lockdown' utility, please post a link supporting this so others (like myself) can read up on these items.
Obviously you can disable the administrative shares. I'm just having difficulty seeing a need as I for one have really never seen nor heard of a lockdown utility to do this or seen any real reason/need to disable these.  | |
| em_ar_ducks 2004-01-30, 3:39 pm |
| I didn't have time to perform the search and add the link. (my apologies again)
The conditions or situations in which disabling the admin shares may be required or recommended are extremely high security environments (Government).
In my limited experience, it typically becomes a battle between what is administratively required vs. the potential security risks/vulnerabilities. In one particular case I have been required to disable the shares to prove that doing so created more work or interfered with network applications more than the potential vulnerability justified. (want to know how long that took, I'm still turning stuff back on because some Government twink wanted it gone, and I couldn't be entirely sure I needed it)
As was stated earlier, it is probably a good practice to disable admin shares on any IIS or other public boxes residing on a DMZ, provided adequate safeguards on the firewalls protect the internal network.
On Government systems, the rule of thumb is that if a service is absolutely not required it must be disabled, deinstalled, never installed, etc. You would not believe what I go through to lock down a system. | |
|
| Good stuff em_ar_ducks. Thanks for the reply. |
|
|
|
|