Win XP Hidden Shares

Printable View

September 22nd, 2002, 09:36 AM
Methcook

Win XP Hidden Shares

When Windows XP is installed, hidden administrative shares are created. They can be found by going to Start>>Administrative Tools>>Computer Management. Open the System tools folder, Shared Folders, and finally open up the Shares. Recently my machine was completely compromised because of this crap. I ended up losing everything as someone else gained admin privleges to my entire OS. THese shares ARE a secutiry risk.

http://support.microsoft.com/default...EN-US;q314984&

Microsoft describes the shares:

Windows XP computers create hidden administrative shares that administrators and operating system services can use to manage the computer environment on the network. By default, administrative shares such as ADMIN$ are enabled by the system. Any share that is created by the system (such as C$), can be disabled, but it is then re-enabled by the system after you restart your computer. Shares that are created by users can be disabled, and they are not recreated after you restart your computer. Administrative shares include the following shares:

Root partitions or volumes
The system root folder
The FAX$ share
The IPC$ share
The NETLOGON share
The PRINT$ share

Root partitions and volumes are shared as the drive letter name appended with the $ sign. For example, drive letters C and D are shared as C$ and D$.

The system root folder (%SYSTEMROOT%) is shared as ADMIN$. This administrative share provides administrators with easy access to the system root folder hierarchy over the network.

The FAX$ share is used by fax clients in the process of sending a fax. This shared folder caches files and accesses cover pages that are stored on a file server.

The IPC$ share is used with temporary connections between clients and servers by using named pipes for communications among network programs. It is primarily used for remote administration of network servers.

The NETLOGON share is used by the Netlogon service to process log on requests.

The PRINT$ share is used for the remote administration of printers.

__________________________________________________________________________

Each time you logon you can disable the shares but it's only temporary. To disable the shares for good it has to be done thru the registry.

Windows Tech support emailed this to me:

You want to delete your Admin$ share.

Cause:
Your system is not secure. You'd like to make it more secure.

Resolution/Recommendation:
Edit the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

___________________________________________________________________________

Now what? I dont know much about the registry. I found the Parameters folder now what do I do with it?

I found this on thru a websearch: http://is-it-true.org/nt/atips/atips2.shtml

There's nothing in my Parameters folder Named AutoShareServer or AutoShareWks.

Can anyone give me any help on this?

Thanks
September 22nd, 2002, 10:05 AM
Matty_Cross

Your meant to create them.....

Right click on the branch (folder) and choose new -> DWORD.

Set it to a value of 0 or 1... I can't remember which one it is.....
September 22nd, 2002, 10:11 AM
Methcook

What do you mean? They are already there. I wanna get rid of them.

I just manually dekleted ADMIN$ and C$ and there seems to be no effect on performance. For some reason the IPC$ share wont delete. As soon as I reboot ADMIN$ and C$ will be there again. I want these off of my msystem.

Edit: There;s 6 DWORDS in that Prameter folder. Which one do I use. I know it should be set to 0.

Edit: Ok, I think I know hwta you mean. I created "New Value #1 Reg_DWORD 00000 (0). But it didnt seem to work. the shares are still there.
September 22nd, 2002, 10:43 AM
Matty_Cross

Okay..

If you've done it properly, and edited/created the AutoShareServer/AutoShareWks registry key, when you delete the shares and reboot, they should not come back....

BTW, Windows XP shouldn't have the AutoShareServer key by default.....
September 22nd, 2002, 11:06 AM
kiddanger

What M$ says now:

http://support.microsoft.com/default...;en-us;Q314984

What they said then:

http://support.microsoft.com/default...;en-us;Q288164

Notice, the 2nd one does say it works with XP Pro.
September 22nd, 2002, 11:45 AM
Methcook

It worked

It worked!

I got rid of the ADMIN$ and the C$ share. I guess the ICP$ (or whatever it's called) is impossible to delete. I;m just glad to get rid of that admin share....and edit the registry for the first time.

Thanks!
September 22nd, 2002, 12:02 PM
slarty

Do rememeber that removing the admin shares provides no security improvement.

Someone who gets local admin rights remotely can still connect to the server service and create whatever shares they like remotely.

Also the admin shares can only be accessed by users with local admin rights - so there really is no difference if they're present or absent.

If you're not using it, stop the server service. That will keep everybody out.
September 22nd, 2002, 01:02 PM
Methcook

Distiguish tween the administrator account that you own and the hidden admin account that you have no real access to, cept for when you go into safe mode. They are two different accounts.

Someone got local admin rights remotely on my pc thru the hidden admin account that MS creates. That admin accont overrides the admin account that we all use. He had the control of the most powerful account on my OS, which happened to be hidden from me. Needless to say, I was at his mercy and eventually ended up being completely locked out of even simple user accounts.
September 13th, 2003, 06:41 AM
dionjuan2004

i'm little confused, we have lan in our hostel and i know my friend's both admin and guest password but still when i go to this- \\his comp's name\C$ it asks for password and none of these password actually works with the option- allow to be used remotely being enabled.
one thing is sure he doesn't have any other account on his comp so can any one help us(yes, this has frustrated both of us) ??
dion
September 13th, 2003, 07:08 AM
stanger

you got rid of that crap...

but..remember : ServicePacks,Updates and patches will bring'em back.
...and (RWMADX)access to C: for ALL.

or am i not right?
September 13th, 2003, 04:38 PM
br_fusion

dionjuan2004 try running "net use X: \\remotepc\c$ <pass> /user:<username>" in the command prompt. This way you specifiy the username. Now the drive "X:" should appear in my computer. Just use that to access his hardrive.
September 15th, 2003, 06:01 PM
mohaughn

Quote:

Distiguish tween the administrator account that you own and the hidden admin account that you have no real access to, cept for when you go into safe mode. They are two different accounts.

I'm really confused here. There is no super administrator account on a Win2k system that is created by MS. Are you smoking what you are cooking?
September 15th, 2003, 06:39 PM
CXGJarrod

Quote:

Originally posted here by mohaughn

I'm really confused here. There is no super administrator account on a Win2k system that is created by MS. Are you smoking what you are cooking?

In a domain enviroment, a domain admin can access other people hard drives using the \\computername\C$
September 15th, 2003, 07:47 PM
mohaughn

CXG- I know that. What I was questioning is what methcook is saying about there being a "hidden" administrator account that only MS has access to. That information is false.

"Someone got local admin rights remotely on my pc thru the hidden admin account that MS creates. That admin accont overrides the admin account that we all use. He had the control of the most powerful account on my OS, which happened to be hidden from me. Needless to say, I was at his mercy and eventually ended up being completely locked out of even simple user accounts."

There is no higher permissions on a system than full administrator and by default there is only one administrator account, which is named, by default, administrator. There are no other "hidden" accounts on an NT system that have admin rights. I also understand that you cannot restrict permissions from a domain administrator as they can always undo whatever things you do to try and restrict them from having rights on your system. However, a domain administrator getting access to a machine is not an issue as they have a legitimate right to have access to the machine. I was reading it that methcook was saying somebody took over his machine meaning that they were an attacker, not somebody who had legitimate access rights to begin with.
September 16th, 2003, 03:30 PM
SirDice

I think Methcook meant the Administrator account, which isn't visible in the default logon screen. If he didn't put a password on it anybody can walk into his pc. Removing admin shares doesn't help here. Setting a proper password on the Administrator account (and all the other accounts) is the only way to keep other people out.

Mohaughn: The only account that has more privileges then (Domain) Administrator is the NT AUTHORITY\SYSTEM account. But you cannot use it like a 'regular' account.
September 16th, 2003, 04:10 PM
mohaughn

SirDice- By default that is true, but given that you can very easily go into the local security policy MMC and give the administrator account, or any other account, all of the same permissions as the localsystem account it does not make it more powerful.
September 16th, 2003, 08:56 PM
SirDice

Quote:

Originally posted here by mohaughn
SirDice- By default that is true, but given that you can very easily go into the local security policy MMC and give the administrator account, or any other account, all of the same permissions as the localsystem account it does not make it more powerful.

True. It only makes it easier if a service running on SYSTEM gets nuked. As SYSTEM you can do almost anything :D If you can you should run any service you need on a normal user account. Unfortunatly this does mean fiddling around alot.