The next time you plan a security audit on your systems, the plan should include the examination of the file shares on your Windows servers. What I’m getting at is securing the administrative shares, which carry a $ symbol in the share name. The $ symbol means these shares are hidden, most likely for administrative purposes.
Here is a closer look at administrative shares and methods to remove them in an attempt to secure an installation. The procedure is only slightly different on clients than on servers, but we’ll cover both.
Identifying administrative shares
The Windows 2000 generation of operating systems creates a number of hidden admin shares by default when you install the OS, including the following:
- DriveLetter$: Root partitions and volumes are shared as the drive letter name appended with the $ character (e.g., "C$").
- ADMIN$: This is used during remote administration of a computer.
- IPC$: This one shares the named pipes that you must have for communication between programs. Note: This resource cannot be deleted.
- NETLOGON: This one is used on domain controllers.
- SYSVOL: Here's another one used on domain controllers.
- PRINT$: This is used during the remote administration of printers.
- FAX$: This is the shared folder on a server that is used by fax clients during fax transmission.
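As an added example (not code from the article), here is a PowerShell audit that lists the shares a host exposes and flags the administrative ones described in the list above, so a review can decide share by share. It queries the Win32_Share CIM class; the Type threshold it checks comes from the Win32_Share documentation rather than from the article, and the optional ComputerName parameter assumes CIM/WinRM access to that host is already permitted.

```powershell
# Added example, not code from the article: audit the shares a Windows host
# exposes and flag the administrative ones the article lists.
# Assumption from the Win32_Share documentation (not from the article): a Type
# value with bit 31 set (Type >= 2147483648) marks the OS-created admin shares
# (disk admin, print queue admin, device admin, IPC admin).

# Shares the article names. NETLOGON and SYSVOL carry no $ suffix, so a plain
# "ends with $" test would miss them on a domain controller.
$KnownAdminShares = @('ADMIN$', 'IPC$', 'PRINT$', 'FAX$', 'NETLOGON', 'SYSVOL')

function Get-AdminShareReport {
    param(
        # Assumption: when a name is given, remote CIM access to that host is
        # already allowed; with no name the local machine is queried directly.
        [string]$ComputerName
    )

    $cimArgs = @{ ClassName = 'Win32_Share' }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }
    $shares = Get-CimInstance @cimArgs
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    foreach ($s in $shares) {
        $osAdminFlag = $s.Type -ge 2147483648                  # OS-created admin share
        $driveShare  = $s.Name -match '^[A-Za-z]\$$'           # DriveLetter$ case, e.g. C$
        $knownName   = $KnownAdminShares -contains $s.Name     # -contains ignores case

        [pscustomobject]@{
            Computer    = $target
            Name        = $s.Name
            Path        = $s.Path
            Hidden      = $s.Name.EndsWith('$')                # the $ suffix hides the share
            AdminShare  = ($osAdminFlag -or $driveShare -or $knownName)
            Removable   = ($s.Name -ne 'IPC$')                 # article: IPC$ cannot be removed
            Description = $s.Description
        }
    }
}

# Usage: full inventory first, then only the administrative shares the audit
# needs to review and decide about.
$report = Get-AdminShareReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.AdminShare } |
    Select-Object Name, Path, Removable |
    Format-Table -AutoSize
```

The Removable column encodes the article's caveat that IPC$ stays whatever you do; everything else flagged AdminShare is a candidate for the removal procedures that follow, subject to the SMS/MOM and third-party dependency warnings later in the article.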
Removing admin shares on servers
Let’s deal with Windows servers first. This procedure is valid on the following operating systems:
- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server
- Windows NT Server 4.0
- Windows NT Server 4.0 Terminal Server Edition
- Windows NT Server, Enterprise Edition 4.0
Before removing any shares…
- Remember that you cannot remove the IPC$ share because it is fundamental to the proper functioning of the operating system.
- You should also note that if you’re using Microsoft Systems Management Server (SMS) and/or Microsoft Operations Manager (MOM), then you shouldn’t remove any administrative shares because both of these applications rely on the presence of the default administrative shares in order to work properly.
There are two methods to permanently remove administrative shares, namely, by using the Policy Editor (POLEDIT) or by modifying the registry. On the other hand, if you simply want to remove a share for the current session, you can open Computer Management, expand the Shared Folders node, right-click the share you want to disable, and select Stop Sharing. However, when the system is rebooted, the share will be returned to its default state.
The Policy Editor is an NT4 tool used to set policies for clients and servers. It has been largely superseded by Group Policy in Windows 2000 (when running Active Directory). However, Poledit.exe is still valuable for making some system changes and is still part of the Windows 2000 Administration Tools pack, which you install by running Adminpak.msi from the I386 folder on the Windows installation CD.
After you install it, you can open it by clicking Start | Run and then typing poledit and clicking OK. Once inside the program, click on the File menu, select the option to open the registry, and double-click Local Computer. Then expand the Windows NT Network and expand Sharing. Uncheck the Create Hidden Drive Shares (Server) box. Click Save from the File menu. Reboot the machine. Your hidden administrative shares will no longer be active on that system.
OK, you’ve heard it before, but you’re going to hear it again: Before you manually mess with the registry, make sure you have a backup copy. Also, you’ll probably want to do this at the start of the weekend (like Friday night or Saturday morning) so that if there are problems, then at least you have some time to figure it out and fix it.
In the Windows registry, this registry key controls administrative drive shares.
Set the AutoShareServer value to 0 to disable the creation of administrative shares. If the value doesn’t exist, create it by opening the Edit menu and selecting Add Value. Name the value AutoShareServer, make it a REG_DWORD, and set it to 0 to disable the administrative shares. Then reboot the server.
If you want to reverse the situation and resurrect your administrative shares, follow the opposite procedure, whether you’re using the Poledit approach or editing the registry. Note that if you’re editing the registry, you can either set the AutoShareServer back to a value of 1 or delete the value altogether.
Also note that if you’re working with Windows Server 2003, you can apply the same edit to the registry; at the end, instead of a reboot, you can simply run these two commands:
Removing admin shares on clients
Now let's look at what to do if you’re dealing with client workstations. This procedure is good on these operating systems:
- Windows XP Professional
- Windows XP Media Center Edition
- Windows XP Tablet PC Edition
- Windows XP 64-Bit Edition
- Windows 2000 Professional
- Windows NT Workstation 4.0
You’ll be happy to know that the process is essentially the same, except that you wouldn’t use Poledit; you’d just edit the registry. The registry key is the same, but the value is different. Instead of using the "AutoShareServer" value, you use the "AutoShareWks" value. Again, you disable administrative share creation by setting the value to 0.
If you only need to disable the share for the current session, you can open Computer Management, expand the Shared Folders node, right-click the share(s) you want to disable, and select Stop Sharing. Remember that when the system is rebooted, the share will be returned to its default state.
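As an added example that covers both the server registry procedure above and its client variant, here is a PowerShell script that backs up the key first (as the article insists), picks AutoShareServer or AutoShareWks from the OS product type, sets it to 0 or removes it, optionally restarts the Server service instead of rebooting, and reads back what is stored and which administrative shares remain. This is not the article's code: the registry path HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and the ProductType codes are taken from Microsoft documentation rather than from the page, and whether a service restart is enough on your Windows version (rather than the reboot the article prescribes for NT4/2000) is an assumption flagged in the code.

```powershell
# Added example, not code from the article. Assumption taken from Microsoft
# documentation (the article does not print the key): AutoShareServer and
# AutoShareWks live under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
$LanmanKey    = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'   # reg.exe form
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'  # provider form

function Backup-LanmanParameters {
    # Article: back up the registry before you touch it. Exports the key to a
    # .reg file that "reg import" can restore, and returns the file path.
    param([string]$Path = (Join-Path $env:TEMP ('LanmanServer-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))))
    reg.exe export $LanmanKey $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Get-AutoShareValueName {
    # Servers and domain controllers use AutoShareServer, workstations AutoShareWks.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller,
    # 3 = server (codes from Microsoft documentation, not from the article).
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
}

function Set-AutoShares {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Action,

        # Restart the Server service instead of rebooting, the reboot-free route the
        # article describes for Windows Server 2003. Assumption: a service restart is
        # sufficient on your version; if it is not, reboot as the article says.
        [switch]$RestartServerService
    )

    $backup    = Backup-LanmanParameters
    $valueName = Get-AutoShareValueName

    if ($Action -eq 'Disable') {
        # REG_DWORD 0 stops the administrative shares being recreated at startup.
        New-ItemProperty -Path $LanmanParams -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    } else {
        # Article: set the value back to 1 or delete it; deleting restores the default.
        Remove-ItemProperty -Path $LanmanParams -Name $valueName -ErrorAction SilentlyContinue
    }

    if ($RestartServerService) {
        # -Force also restarts services that depend on the Server service.
        # Every SMB session to this host is dropped while it restarts.
        Restart-Service -Name LanmanServer -Force
    }

    # Read back what is stored and which admin shares are still present so the
    # result can be checked. IPC$ is expected to remain in every case.
    $stored  = (Get-ItemProperty -Path $LanmanParams -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $display = if ($null -eq $stored) { '(not set: default, shares enabled)' } else { $stored }
    $adminSharesLeft = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        BackupFile      = $backup
        ValueName       = $valueName
        StoredValue     = $display
        AdminSharesLeft = ($adminSharesLeft -join ', ')
        RestartedServer = [bool]$RestartServerService
    }
}

# Usage (from an elevated prompt):
#   Set-AutoShares -Action Disable -RestartServerService   # remove the admin shares
#   Set-AutoShares -Action Enable  -RestartServerService   # bring them back
```

Run it from an elevated prompt and keep the .reg file it returns until the functionality tests the article recommends have passed; restoring is then either `Set-AutoShares -Action Enable` or a `reg import` of that file. If you skip the service restart, the AdminSharesLeft column will still show the current shares, since the registry change only takes effect when the Server service next starts.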
Remember that these procedures for removing and recreating administrative shares will never remove the IPC$ share because it is needed by the operating system. Also, be sure to test your systems’ functionality once you’ve removed the shares. You may find that some programs and/or services don’t work properly. Also, some third-party applications may not run correctly without access to the default administrative shares.