Re: command needed to disable hidden admin shares
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 05/09/04
- Next message: High Desert: "ARRGH!!!COOLWEBSEARCH"
- Previous message: Shannon: "Re: SpotOn popups"
- In reply to: Bill Sanderson: "Re: command needed to disable hidden admin shares"
- Next in thread: Fraser Mackie \(No Email\): "Re: command needed to disable hidden admin shares"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 09 May 2004 10:03:40 +0200
On Sat, 8 May 2004 16:55:50 -0400, "Bill Sanderson"
>So far, nothing's disabled the firewall, but a trojan in place is a near
>equivalent. OTOH, the trojan doesn't care about the shares--it already owns
>the machine.
False assumption, bad strategy...
1) Depend on one protection method as bulletproof
2) When that fails: Aargh! The sky is falling; all is lost, Format!!
Defence in depth means you always assume whatever defences you put up
will be broken through, and plan what happens *next*. For most of us,
the attacks we see will be fully automated, and if you can trip them
up, they fail to progress further. So it's always worth adding every
defence that doesn't come with negative baggage.
Basic strategy is that if no-one will ever use a risky facility in
your PC's situation, you should rip that facility out. If you can't
see the need to allow other systems to write directly to your system's
startup axis, then don't full-share the whole of C:\ - DUUUH!!!
There is an article that covers how to kill those damnfool c$, d$
auto-shares. It will describe what this .REG file will do...
<paste1>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
</paste1>
...and what this one will undo:
<paste2>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"AutoShareWks"=dword:00000001
</paste2>
However, killing off RPC$ is tougher - there's no way I know of to
keep it dead, the settings they offer only hold until the next reboot
(and we all know how easy it is to force or encourage XP to reboot)
While you're up, you may be interested in these .REG that disable WSH
(Windows Scripting Host)...
<paste3>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"Enabled"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteLaunch"="N"
"EnableRemoteConnect"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"UseWINSAFER"="1"
"Enabled"="0"
"IgnoreUserSettings"="0"
</paste3>
...and re-enable it again...
<paste4>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"Enabled"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteLaunch"="Y"
"EnableRemoteConnect"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"UseWINSAFER"="1"
"Enabled"="1"
"IgnoreUserSettings"="0"
</paste4>
...as well as this that allows Recovery Console to be more useful...
<paste5>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000001
"SecurityLevel"=dword:00000001
</paste5>
...and less so as default:
<paste6>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000000
"SecurityLevel"=dword:00000000
</paste6>
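The .REG fragments above only write values; they do not tell you what a host is currently set to, or whether the change took. The script below is an added example, not code from the original post: it audits every value the six fragments touch, reports which state each is in, and can apply or revert the admin-share change from paste1/paste2 with a Server-service restart so it takes effect without a reboot. It assumes an elevated Windows PowerShell 3.0 or later session; the key paths are the ones in the post, and the "Note" text for each value is this example's own annotation. The AutoShare* values govern the drive-letter and ADMIN$ shares only, so IPC$ remains after the change, which is the share the post says is harder to keep dead.

```powershell
# Added example (not from the original post): audit and apply the registry
# settings the post's .REG fragments set. Assumes an elevated PowerShell 3.0+.

$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
       Name = 'AutoShareWks';        Recommended = 0;   Note = 'workstation OS: auto-create C$/D$/ADMIN$' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
       Name = 'AutoShareServer';     Recommended = 0;   Note = 'server OS: auto-create C$/D$/ADMIN$' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Name = 'Enabled';             Recommended = '0'; Note = 'HKLM value: 0 blocks .vbs/.js for ALL users, logon scripts included' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'
       Name = 'EnableRemoteLaunch';  Recommended = 'N'; Note = 'DCOM activation requests from remote hosts' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'
       Name = 'EnableRemoteConnect'; Recommended = 'N'; Note = 'DCOM connections from remote hosts' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
       Name = 'SetCommand';          Recommended = 1;   Note = 'Recovery Console: allow SET (floppy copy, all drives)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
       Name = 'SecurityLevel';       Recommended = 1;   Note = 'Recovery Console: automatic admin logon, no password prompt (convenience over security)' }
)

function Get-HardeningState {
    # Returns one record per value: what the registry holds now versus the value
    # the post's .REG files write. A missing value means the OS default applies.
    param([array]$Checks = $script:Checks)
    foreach ($c in $Checks) {
        $current = $null
        if (Test-Path -Path $c.Path) {
            # SilentlyContinue: an absent value is a legitimate state here, not an error
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($c.Name) }
        }
        if ($null -eq $current) {
            $state = 'absent (OS default applies)'
        }
        elseif ("$current" -eq "$($c.Recommended)") {
            $state = 'as in the post''s .REG'
        }
        else {
            $state = 'default/open'
        }
        [pscustomobject]@{
            Setting     = $c.Name
            Current     = $current
            Recommended = $c.Recommended
            State       = $state
            Note        = $c.Note
        }
    }
}

function Set-AutoAdminShares {
    # Writes the same two DWORDs as paste1 (Disable) or paste2 (Enable).
    # The Server service re-reads them only when it recreates its shares, so it
    # is restarted here; that drops any open SMB sessions on this host.
    param([Parameter(Mandatory = $true)][ValidateSet('Disable', 'Enable')][string]$Action)
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
    $value = if ($Action -eq 'Disable') { 0 } else { 1 }
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    }
    Restart-Service -Name LanmanServer -Force
    # Verify against what is actually shared now; IPC$ is unaffected by AutoShare*
    net share
}

# Usage: audit first, then apply, then audit again.
Get-HardeningState | Format-Table -AutoSize
# Set-AutoAdminShares -Action Disable
# Set-AutoAdminShares -Action Enable
```

Run the audit before importing any of the .REG files so you have a record of the original state, and re-run it after a reboot: the Server service restart makes the share change visible immediately, but the DCOM and Recovery Console values are only read when those components start.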
>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -