RE: Any way to remove ADMIN$ only?

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 11/05/02 

Date: Tue, 05 Nov 2002 10:36:47 -0800
To: "Jim Harrison (SPG)" <jmharr@microsoft.com>, "Eric" <ews@tellurian.net>, "Palumbo, Dave (Factiva)" <Dave.Palumbo@factiva.com>, <focus-ms@securityfocus.com>
From: "Deus, Attonbitus" <Thor@HammerofGod.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 09:59 AM 11/5/2002, Jim Harrison (SPG) wrote:
> The only problem with using "net share" to create shares is that it
> applies default permissions to those shares it creates. These include
> "Everyone=Full"; obviously not an ideal scenario, especially given the
> default security of Windows drives (Everyone=Full). I've written a
> script that will create shares that only allow those accounts listed
> in the local server's administrator's group to have access to the
> share you choose to create.

Hey Jim!

Actually, the permissions for ADMIN$ are pre-set, and cannot be changed
(and are admin only). Even if you delete the ADMIN$ with the net command
and create it back again manually, it will still only have admin
permissions. So in this case, it is not really an issue.

But more importantly, as Eric pointed out, there is really no value in
deleting the admin share at all, as only admins have access to it, which
means they can always add it back with a simple "net share admin$" command.

hth

- --
AD

"Do not lead, for I may not follow. Do not follow, for I may not lead. And
don't stand next to me either. Just leave me the hell alone."

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPcgPv4hsmyD15h5gEQLKsQCfaDNxUEjlhiLAUXjoypY5MTRBOTQAnjIM
xIE6TFZjnbGDJPCCdm61G0o5
=xkGm
-----END PGP SIGNATURE-----

Relevant Pages

  • RE: Any way to remove ADMIN$ only?
    ... The jist is that that share permissions basically still exist to support fat ... Any way to remove ADMIN$ only? ... 2K and newer systems running NTFS 5 or greater). ... applies default permissions to those shares it creates. ...
    (Focus-Microsoft)
  • RE: Any way to remove ADMIN$ only?
    ... method of setting permissions between share level and file level within the ... Any way to remove ADMIN$ only? ... 2K and newer systems running NTFS 5 or greater). ... applies default permissions to those shares it creates. ...
    (Focus-Microsoft)
  • RE: Any way to remove ADMIN$ only?
    ... Mixing the share permissions and the NTFS permissions generally cause ... which means more groups/people access the same shares. ... Along comes another admin that creates a share at a higher level in the ...
    (Focus-Microsoft)
  • Re: Restrict access to administrative shares?
    ... shares with the reg hack, then just share out the drives you need to access ... as an admin and setup the appropriate permissions. ...
    (microsoft.public.win2000.security)
  • Re: More security questions
    ... You shouldn't be logging in as Admin, ... have permissions to do anything. ... Usernames/passwords/group membership are stored in the mdw. ... Microsoft Access MVP ...
    (microsoft.public.access.security)