Win XP Hidden Shares

[Methcook]

When Windows XP is installed, hidden administrative shares are created. They can be found by going to Start>>Administrative Tools>>Computer Management. Open the System tools folder, Shared Folders, and finally open up the Shares. Recently my machine was completely compromised because of this crap. I ended up losing everything as someone else gained admin privleges to my entire OS. THese shares ARE a secutiry risk.

http://support.microsoft.com/default...EN-US;q314984&

Microsoft describes the shares:

Windows XP computers create hidden administrative shares that administrators and operating system services can use to manage the computer environment on the network. By default, administrative shares such as ADMIN$ are enabled by the system. Any share that is created by the system (such as C$), can be disabled, but it is then re-enabled by the system after you restart your computer. Shares that are created by users can be disabled, and they are not recreated after you restart your computer. Administrative shares include the following shares:

Root partitions or volumes
The system root folder
The FAX$ share
The IPC$ share
The NETLOGON share
The PRINT$ share

Root partitions and volumes are shared as the drive letter name appended with the $ sign. For example, drive letters C and D are shared as C$ and D$.

The system root folder (%SYSTEMROOT%) is shared as ADMIN$. This administrative share provides administrators with easy access to the system root folder hierarchy over the network.

The FAX$ share is used by fax clients in the process of sending a fax. This shared folder caches files and accesses cover pages that are stored on a file server.

The IPC$ share is used with temporary connections between clients and servers by using named pipes for communications among network programs. It is primarily used for remote administration of network servers.

The NETLOGON share is used by the Netlogon service to process log on requests.

The PRINT$ share is used for the remote administration of printers.

__________________________________________________________________________

Each time you logon you can disable the shares but it's only temporary. To disable the shares for good it has to be done thru the registry.

Windows Tech support emailed this to me:

You want to delete your Admin$ share.

Cause:
Your system is not secure. You'd like to make it more secure.

Resolution/Recommendation:
Edit the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

___________________________________________________________________________

Now what? I dont know much about the registry. I found the Parameters folder now what do I do with it?

I found this on thru a websearch: http://is-it-true.org/nt/atips/atips2.shtml

There's nothing in my Parameters folder Named AutoShareServer or AutoShareWks.


Can anyone give me any help on this?


Thanks

[Matty_Cross]

Your meant to create them.....

Right click on the branch (folder) and choose new -> DWORD.

Set it to a value of 0 or 1... I can't remember which one it is.....

[Methcook]

What do you mean? They are already there. I wanna get rid of them.

I just manually dekleted ADMIN$ and C$ and there seems to be no effect on performance. For some reason the IPC$ share wont delete. As soon as I reboot ADMIN$ and C$ will be there again. I want these off of my msystem.

Edit: There;s 6 DWORDS in that Prameter folder. Which one do I use. I know it should be set to 0.

Edit: Ok, I think I know hwta you mean. I created "New Value #1 Reg_DWORD 00000 (0). But it didnt seem to work. the shares are still there.

[Matty_Cross]

Okay..

If you've done it properly, and edited/created the AutoShareServer/AutoShareWks registry key, when you delete the shares and reboot, they should not come back....

BTW, Windows XP shouldn't have the AutoShareServer key by default.....

[kiddanger]

What M$ says now:

http://support.microsoft.com/default...;en-us;Q314984

What they said then:

http://support.microsoft.com/default...;en-us;Q288164

Notice, the 2nd one does say it works with XP Pro.

[Methcook]

It worked!

I got rid of the ADMIN$ and the C$ share. I guess the ICP$ (or whatever it's called) is impossible to delete. I;m just glad to get rid of that admin share....and edit the registry for the first time.

Thanks!

[slarty]

Do rememeber that removing the admin shares provides no security improvement.

Someone who gets local admin rights remotely can still connect to the server service and create whatever shares they like remotely.

Also the admin shares can only be accessed by users with local admin rights - so there really is no difference if they're present or absent.

If you're not using it, stop the server service. That will keep everybody out.

[Methcook]

Distiguish tween the administrator account that you own and the hidden admin account that you have no real access to, cept for when you go into safe mode. They are two different accounts.

Someone got local admin rights remotely on my pc thru the hidden admin account that MS creates. That admin accont overrides the admin account that we all use. He had the control of the most powerful account on my OS, which happened to be hidden from me. Needless to say, I was at his mercy and eventually ended up being completely locked out of even simple user accounts.

[dionjuan2004]

i'm little confused, we have lan in our hostel and i know my friend's both admin and guest password but still when i go to this- \\his comp's name\C$ it asks for password and none of these password actually works with the option- allow to be used remotely being enabled.
one thing is sure he doesn't have any other account on his comp so can any one help us(yes, this has frustrated both of us) ??
dion

[stanger]

you got rid of that crap...

but..remember : ServicePacks,Updates and patches will bring'em back.
...and (RWMADX)access to C: for ALL.

or am i not right?