Disable Admin Shares on Windows

How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?

Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. Each share is named with the drive letter followed by the $ sign, and it is shared from the root of the drive. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.

The default-hidden shares are:

  • C$ D$ E$ – Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.
  • ADMIN$ – %SYSTEMROOT%. This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed, usually C:\Winnt; in XP it’s C:\Windows).
  • FAX$ – On W2K Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
  • IPC$ – Temporary connections between servers using named pipes, essential for communication between programs. It is used during remote administration of a computer and when viewing a computer’s shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.
  • NetLogon – This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.
  • PRINT$ – %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS. Used during remote administration of printers.

1. CMD Method

Copy the batch file (add2reg.cmd) and the noshare.reg file to each workstation and run the batch file there to add the Registry entry.
Alternatively, use PSEXEC to execute it remotely. A restart is required for the change to take effect.

The REG File:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000

The CMD file:

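REM Switch to drive C: and import the registry value silently
C:
regedit /s noshare.reg
goto tim
:tim
REM Force a restart so the change takes effect
%Systemroot%\system32\shutdown /r /f
goto end
:end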

2. VBS Method

The VBS File content:

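' "." targets the local computer
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Type 2147483648 selects the administrative disk drive shares
Set colShares = objWMIService.ExecQuery _
    ("Select * from Win32_Share where Type = 2147483648")
' Delete each matching share. Shares removed this way are recreated when
' the Server service restarts unless automatic creation is disabled in
' the registry (method 1).
For Each objShare in colShares
    objShare.Delete
Next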
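
To confirm that either method took effect, the following read-only check reports the registry setting and lists the administrative shares that still exist. It is an added example, not part of the original scripts, and it assumes Windows PowerShell 2.0 to 5.1; AutoShareServer, the server-edition counterpart of AutoShareWks, does not appear on this page and is included on the assumption that servers are in scope.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumes Windows PowerShell 2.0-5.1 (Get-WmiObject is not in PowerShell 7).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# 1. Registry: is automatic creation of the drive shares switched off?
#    AutoShareWks is the value set by noshare.reg; AutoShareServer is the
#    server-edition counterpart (assumption: servers are in scope).
$params = Get-ItemProperty -Path $key
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $value = $params.$name                  # $null when the value is absent
    if ($null -eq $value) { $state = 'not set (default behaviour applies)' }
    elseif ($value -eq 0) { $state = 'automatic creation disabled' }
    else                  { $state = 'automatic creation enabled' }
    Write-Output ("{0,-16} {1}" -f $name, $state)
}

# 2. WMI: which administrative shares exist right now?
#    Admin shares have the high bit set in Win32_Share.Type; 2147483648 is
#    the disk type the VBS method deletes, 2147483651 is IPC$.
$found = @(Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -ge 2147483648 })
foreach ($share in $found) {
    switch ($share.Type) {
        2147483648 { $kind = 'disk drive' }
        2147483649 { $kind = 'print queue' }
        2147483650 { $kind = 'device' }
        2147483651 { $kind = 'IPC' }
        default    { $kind = 'other' }
    }
    Write-Output ("{0,-10} {1,-12} {2}" -f $share.Name, $kind, $share.Path)
}

# 3. Verdict: disk-type admin shares should be gone after the registry
#    change and restart, or right after the VBS script has run.
$disk = @($found | Where-Object { $_.Type -eq 2147483648 })
if ($disk.Count -gt 0) {
    $names = ($disk | ForEach-Object { $_.Name }) -join ', '
    Write-Output "Administrative disk shares still present: $names"
} else {
    Write-Output 'No administrative disk shares present.'
}
```

Run it again after the next reboot: shares deleted through WMI alone reappear at that point if the registry value was not set.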

3. More
