RE: Any way to remove ADMIN$ only?

From: Jim Harrison (SPG) (jmharr@microsoft.com)
Date: 11/07/02


Date: Thu, 7 Nov 2002 10:32:38 -0800
From: "Jim Harrison (SPG)" <jmharr@microsoft.com>
To: "Dennis Bauer" <dbauer@Mines.EDU>, "Zack Berkovitz" <zberkovitz@pga-inc.com>, "Eric" <ews@tellurian.net>, "Palumbo, Dave (Factiva)" <Dave.Palumbo@factiva.com>, <focus-ms@securityfocus.com>

The ADMIN$ share actually resolves to %WinDir% and allows easy access to that folder without having to connect to C$ and then drilling down to the actual Windows installation folder.
A share name followed by $ is nothing more than a hidden share and doesn't necessarily indicate an "admin" share at all. By default, Windows creates hidden shares for any physically connected drives and the Windows installation folder and limits access to local admins, unless you disable it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318751
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984
 
-----Original Message-----
From: Dennis Bauer [mailto:dbauer@Mines.EDU]
Sent: Tue 11/5/2002 12:58
To: 'Zack Berkovitz'; Jim Harrison (SPG); 'Eric'; 'Palumbo, Dave (Factiva)'; focus-ms@securityfocus.com
Cc:
Subject: RE: Any way to remove ADMIN$ only?



        As I recall if you want to keep the C$ and D$ available without the
        admin$ share you will need to share them again after you have shut off
        the admin$. From my understanding C$ and D$ share are the admin$ share.
        If I am wrong will someone explain to me what exactly the admin$ does
        share. Anyway my suggestion is to leave the admin$ alone if you want to
        share the C$ and D$.
        
        Dennis Bauer
        Colorado School of Mines
        Information Technology Professional II
        
        
        -----Original Message-----
        From: Zack Berkovitz [mailto:zberkovitz@pga-inc.com]
        Sent: Tuesday, November 05, 2002 12:27 PM
        To: Jim Harrison (SPG); Eric; Palumbo, Dave (Factiva);
        focus-ms@securityfocus.com
        Subject: RE: Any way to remove ADMIN$ only?
        
        
        The best practice is in fact to use default (Everyone=Full) share
        permissions and to set NTFS security on all drives (with inheritance for
        2K and newer systems running NTFS 5 or greater). Share permissions
        should really only be used when absolutely necessary, such as on FAT
        volumes where ACE's cannot be applied. Conflicts between share and NTFS
        perms always cause headaches down the road, and NTFS perms secure the
        files and directories for locally logged on users as well.
        
        If you are sharing C and D, of which one is the system drive, how will
        removing the admin$ share (winnt) make the system any more secure, if
        the drive it resides on is shared out? NTFS permissions seem like a
        more comprehensive solution. The presence of any of the administrative
        shares is a security hole, regardless.
        
        - Zack
        
        
        
        -----Original Message-----
        From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
        Sent: Tuesday, November 05, 2002 9:59 AM
        To: Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
        Subject: RE: Any way to remove ADMIN$ only?
        
        
         The only problem with using "net share" to create shares is that it
         applies default permissions to those shares it creates. These include
         "Everyone=Full"; obviously not an ideal scenario, especially given the
         default security of Windows drives (Everyone=Full). I've written a
         script that will create shares that only allow those accounts listed
         in the local server's administrator's group to have access to the
         share you choose to create.
        
        http://isatools.org/createshare.zip
        
        * Jim Harrison
        MCP(NT4/2K), A+, Network+
        Services Platform Division
        
        The burden of proof is not satisfied by a lack of evidence to the
        contrary..
        
        
        
        -----Original Message-----
        From: Eric [mailto:ews@tellurian.net]
        Sent: Monday, November 04, 2002 11:55 AM
        To: Palumbo, Dave (Factiva); 'focus-ms@securityfocus.com'
        Subject: Re: Any way to remove ADMIN$ only?
        
        
        write a script that will launch each time upon machine bootup that
        'unshares' that share.
        
        'net share admin$ /delete'
        
        I don't know of any registry setting that will remove only that share
        and leave the others.
        
        Understand also that anyone with admin privileges to that machine can
        recreate that share at any time.
        
        
        At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:
>Hello,
>
>I have a scenario in which I'd like to remove the ADMIN$ share from a
>Windows 2000 server, but keep the other default shares (c$, d$)
>available for an application...is there any documented/undocumented way
>to accomplish this? If this is documented, please forgive me....but I
>sure can't find it. I am aware of the
>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=0
>registry key...but this disables all the default shares (save IPC$).
>Again, I'm just looking to remove ADMIN$.
>
>Any ideas?
>
>Thanks,
>
>Dave Palumbo
>http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8
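
The following is an added example, not part of the original thread or of any participant's script: a read-only PowerShell audit that lists the default hidden shares, shows which one resolves to %WinDir%, and reads the AutoShareServer value quoted above. It assumes PowerShell 3.0 or later on the machine being checked; the variable names are illustrative.

```powershell
# Added example: read-only audit of the default hidden shares on the local machine.
# Nothing here creates or deletes a share.

# Win32_Share.Type: 2147483648 = disk drive (admin), 2147483651 = IPC (admin)
$adminShares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -in 2147483648, 2147483651 }

$winDir = $env:windir.TrimEnd('\')
$report = foreach ($share in $adminShares) {
    [pscustomobject]@{
        Name             = $share.Name
        Path             = $share.Path
        # True for the share that points at the Windows installation folder
        ResolvesToWinDir = [bool]($share.Path) -and ($share.Path.TrimEnd('\') -ieq $winDir)
    }
}
$report | Sort-Object Name | Format-Table -AutoSize

# AutoShareServer = 0 disables all default shares except IPC$ (per the thread).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = (Get-ItemProperty -Path $key -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
if ($null -eq $auto) {
    $autoState = 'not set (default shares are created)'
} elseif ($auto -eq 0) {
    $autoState = '0 (default shares disabled)'
} else {
    $autoState = "$auto (default shares are created)"
}
Write-Output "AutoShareServer: $autoState"

# The configuration asked about in the thread: ADMIN$ removed, drive shares kept.
$names       = @($report | ForEach-Object { $_.Name })
$driveShares = @($names | Where-Object { $_ -match '^[A-Z]\$$' })
if (($names -notcontains 'ADMIN$') -and ($driveShares.Count -gt 0)) {
    # The system drive share still exposes the Windows folder to the same admins.
    Write-Output "ADMIN`$ is absent but $($driveShares -join ', ') remain shared."
} elseif ($names -contains 'ADMIN$') {
    Write-Output 'ADMIN$ is present.'
} else {
    Write-Output 'No default drive or ADMIN$ shares are present.'
}
```

Running it before and after a change such as 'net share admin$ /delete' shows whether the share is actually gone and which drive shares still reach the same folder.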