why does win 2k insist on sharing C$ and D$?

[st1mpy]

how about $ipcs .... and how do i turn it off ... coz i have the same prob except my pswd is a bit longer etc but hey good info here

[slarty]

Okay, another nice rant-like post from me in this thread:

1. linux_wynter919 said

The C$ and D$ shares is 1 of the biggest security flaws in windows

No they are not. For reasons I mentioned before, they pose no additional security risk whatsoever. Windows may have many security flaws, but that is not one of them.

2. Having a null admin password

This may be convenient, but I'd advise against it.

True, you may feel safe with "Server" disabled, with a null admin password, BUT "Server" is not the only service which uses Windows authentication. Others include IIS (Web/FTP), SQL server and Terminal Server - any of which may grant access to administrator with an empty password.

There is no guarantee that third party apps won't use Windows authentication too (example: 3rd party FTP servers, remote control programs).

In windows 2000 it's possible to enable auto-login - there are numerous tools which will do this. Having auto-login and a strong administrator password should be at least as convenient and much more secure than a null password.

3. Stimpy said

how about $ipcs .... and how do i turn it off ?

Disable the "Server" service. If ipc$ is not enabled, no other shares will be able to be connected to (AFAIK). If you don't want ipc$, you don't want any others, therefore, just disable "Server"

---

Note that in some documents I've read, M$ frequently cite disabling "Server" as a good preventative security measure, although most sysadmins find it terribly inconvenient, as many other things (NT remote admin and a lot of other stuff) rely on it.

Also, AFAIK, domain controllers must have "Server" enabled for their Domain control / Active Directory to work.

But totally stand-alone boxes (e.g. Web servers) don't need Server.

Slarty

[wassup]

the box is facing the external world. and besides rpc (with dcom off) there is nothing else. now i just wanted to ask this C$ question for the sake of asking it. i have turned netbios off on external interfaces. i just asked this because i was wondering why it does it. seeing as there is no remote login to my box through netbios or active directory i dont see this as a security risk.

slart: technically C$ as default share IS a security risk. its a risk that can be secured. Microsoft has a huge problem in the way they do things. they turn too much stuff off by default. if you want this on you should turn it on yourself later. its like leaving finger open. its not needed and can be a security risk (because the daemons have a list of problems with them). your logic is like saying that its okay to have a vulnerable ssh daemon running as long as you firewall it to certain ranges or something of similiar tongue.

IPC$ is the communication share for windows. as slarty stated it will be needed for other shares and a lot of stuff to work.

[linux_wynter919]

sorry slarty, u r 99 % right, what i ment to say was that the shares thing "WAS" 1 of the biggest security risks on windows, untill they realesed a few udates and stuff and reduced the problem.
And if u dont belive me pick up any security books or security web sites and they will hav a ton load on this thing.
I have 2 good books at home on security (very good books) and both have the largest section dedicated to this subject and is very detailed

[pf1359]

I performed an install of SuSE 9 last night, and it auto-magically set up Samba. I was quite suprised to see C$, D$ and E$ from my XP Pro machine on the list of shared directories. Without any problem, I could access the root drive using my user login from SuSE. Thanks Microsoft!

[Timmy77]

Also be aware, some utilitied require the administrative share for remote software. SMS client deployments are one example.

As for the funtionality vs. security, you may want to consider having the workstation log on automatically with the password stored locall in the registry (this can be accomplished using TweakUI). While this does pose a security risk (because anyone with physical access can log in without a password), it should help slow remote exploitation of your workstations by a hacker or a virus.

[extremez]

Originally posted here by pf1359
I performed an install of SuSE 9 last night, and it auto-magically set up Samba. I was quite suprised to see C$, D$ and E$ from my XP Pro machine on the list of shared directories. Without any problem, I could access the root drive using my user login from SuSE. Thanks Microsoft!

Unless you have a blank admin password, I don't believe it. One possibility is you actually shared your c drive.

[pf1359]

No, I have disabled the 'Administrator' account and password-protected the account with admin privileges. I have several other computers in my home workgroup, and have even used several other flavors of Linux, and none have ever displayed the root shares in Samba. The first time I accessed C$, it opened right up. The second time it asked for the admin password.

Obviously, I have edited the registry to close that particular loophole. Wouldn't it make more sense to DISABLE those shares by default, and allow them to be ENABLED by an admin who needs them for remote administration?

[gothic_type]

[SLIGHTLY ANTI-MICROSOFT RANT]

Someone suggested using a restricted user account earlier. I use XP on my laptop (because I need to use some windows tools like word, etc. and IBM won't give me an XP install disk which means I'm screwed if I mess something up). I tried setting up a restricted user account and then found out that I could do basically nothing with it.

The restricted user account did not seem to be customisable, and did not even allow you to install programs (not even in your own share). I now just use the admin account all the time because I can't be bothered logging off then back on every time I want to do something that involves slightly higher priviledges.

On my linux box I can install programs as a normal user assuming they don't need to be put in a "system" directory, and even if that isn't the case I can su. From my use of XP, it almost seems to me as though introducing a multi-user system was pointless because the functionality as an unpriviledged user is so low.

Obviously I'm not really a windows person anymore so I can't be sure if there is actually some way to customise the unpriviledged accounts, but if there isn't, what is the point of having them? Surely it's obvious that not everyone has exactly the same situation, so a case of priviledged and unpriviledged user without being able to customise it more than that is not very good.

[/SLIGHTLY ANTI-MICROSOFT RANT]

Oh, and I will be happy to accept that this could just be to do with the fact that I know relatively little about windows XP despite the fact that I now use it most days :P

ac

[SirDice]

Gothic_type: MS has something similar to su. If you're logged on as a regular user you can start any program as a different user, including administrator (right click on setup.exe i.e. and choose Run As...) This will allow you to run the setup as an administrator.

The reason you cannot install anything as a regular user is actually quite simple. Just as you need to be root on un*x to install something in the "system" directories, you'll need to be an admin on windows because alot of software needs to install something in the "system" directories of windows. But usually it's because the software tries to register itself in the HKEY_LOCAL_MACHINE registry hive and only members of the administrators group are able to write to it.

Also NT/2K/XP/2K3 have a more fine grained accesscontrol system then linux. So your assumption that a regular user account cannot be customised is incorrect.