Administrative share

The administrative shares are the default network shares created by most Windows NT-based operating systems (NT/2000/XP/2003/Vista/Windows 7). These default shares expose every hard drive partition in the system. They allow anyone who can authenticate as a member of the local Administrators group to access the root directory of every hard drive on the system. They are not generally used or useful outside an enterprise environment, and are not accessible by default on home editions of XP, Vista or Windows 7.

Share names

"Administrative shares" is the term Microsoft uses for the collection of filesystem resources that Windows shares automatically by default, including the following:

  • any drive letter + $ (only the local disk volumes, not any removable devices such as CD/DVD drives, USB flash drives)
  • admin$ (which shares access to %SYSTEMROOT%, which is usually C:\WINDOWS or C:\WINNT)

The "$" appended to the end of the share name means that it's a hidden share. Windows will not list such shares among those it defines in typical queries by remote clients to obtain the list of shares. This means that one needs to know the name of an administrative share in order to access it.

It is commonly believed that any share whose name ends with the '$' character is an administrative share. According to Microsoft's use of the term "administrative share", this is false. While any share (even a non-administrative one) can have a '$' character at the end of its name, only the by-default shares created by Windows with the '$' suffix are considered administrative shares.
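
The distinction above can be checked on a host, as an added example that is not part of the original page: the Win32_Share WMI class marks shares that Windows created as administrative through its Type property, independently of the '$' suffix. The function name Get-ShareClass and the sample rows are constructed for illustration.

```powershell
# Added example: separate true administrative shares from shares that are merely hidden.
# Win32_Share.Type is 2147483648 (0x80000000) or higher for shares Windows created as
# administrative (2147483648 = disk, 2147483651 = IPC); a user-created disk share is 0.
function Get-ShareClass {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][uint32]$Type
    )
    if ($Type -ge 2147483648) { return 'Administrative' }
    if ($Name.EndsWith('$'))  { return 'Hidden, not administrative' }
    return 'Ordinary'
}

# Constructed sample rows (not taken from a real host).
$sample = @(
    [pscustomobject]@{ Name = 'C$';      Type = [uint32]2147483648 }
    [pscustomobject]@{ Name = 'ADMIN$';  Type = [uint32]2147483648 }
    [pscustomobject]@{ Name = 'Backup$'; Type = [uint32]0 }
    [pscustomobject]@{ Name = 'Public';  Type = [uint32]0 }
)

# On a live Windows host, replace $sample with: Get-CimInstance -ClassName Win32_Share
$sample | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        Type  = $_.Type
        Class = Get-ShareClass -Name $_.Name -Type $_.Type
    }
} | Format-Table -AutoSize
```

Here 'Backup$' is hidden from share listings but is reported as not administrative, because Windows did not create it by default.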

Generic UNC address for an administrative share:

\\NetworkComputerName\(Drive letter)$

For example:

\\MyComputer\c$

This represents the administrative share for the "C" drive on the computer "MyComputer". This works just as well for any other local drive on the computer, e.g. \\MyComputer\d$, \\MyComputer\e$ (assuming those are local drives and not removable drives).

\\MyComputer\ADMIN$

This represents the administrative share for the %SYSTEMROOT% object on the computer "MyComputer".

How to hide

The administrative shares can be deleted by a user with Administrators membership but the administrative shares will be recreated automatically at the next reboot.[1]

The following registry change (made with Regedit, for example) can completely hide all administrative shares. If the value is not present, you must create it.

Servers

Windows NT 4.0 Server, Windows 2000 Server, Windows Server 2003 [2]

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer
Data Type: REG_DWORD
Value: 0

Clients

Windows NT 4.0 Workstation, Windows 2000 Professional, Windows XP, Windows 7

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0

How to disable

Microsoft does not detail any method to disable administrative shares. The command:

NET SHARE C$ /delete

can be executed in order to disable the root share in a networked computer. The problem is that after a reboot, the share will be automatically recreated.

A common workaround is to create a batch file with commands to disable all administrative shares (they can be viewed by running the "NET SHARE" command), and then scheduling the script to run at every system startup by using the Windows Task Scheduler.

Usually, the following commands, placed in a batch file, can successfully disable shares on a Windows XP or Windows Vista system:

NET SHARE C$ /delete
NET SHARE D$ /delete
NET SHARE admin$ /delete
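
The same startup workaround without hard-coded drive letters, as an added example that is not part of the original page: it enumerates the administrative disk shares (drive letter + $ and admin$) through Win32_Share and removes each one with NET SHARE. The function name Remove-AdminDiskShare is hypothetical; it assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: delete every administrative disk share that currently exists.
# Type 2147483648 is "Disk Drive Admin" in Win32_Share; IPC$ has a different
# type (2147483651) and is deliberately left alone.
function Remove-AdminDiskShare {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $adminDisk = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 2147483648 }

    foreach ($share in $adminDisk) {
        # -WhatIf lists what would be removed without changing anything.
        if ($PSCmdlet.ShouldProcess($share.Name, 'NET SHARE /delete')) {
            & net.exe share $share.Name /delete | Out-Null
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Removed = ($LASTEXITCODE -eq 0)
            }
        }
    }
}

# Dry run first; drop -WhatIf in the scheduled startup task.
Remove-AdminDiskShare -WhatIf
```

As with the batch file, the shares come back at the next reboot, so the script has to run at every startup.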

How to enable in Windows Vista, Windows 7, and Windows 8

By default, Windows Vista and newer versions of Windows prevent local accounts from accessing administrative shares through the network.

To enable administrative shares you have to make a registry change. Click the Start menu, type 'regedit' in the search box and press ENTER, then add this registry item:

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Data Type: REG_DWORD
Value: 1

After rebooting, the hidden share is accessible from other computers. Note that this change removes Windows' restrictions on remote User Account Control.

You may be able to use 'net stop server' and then 'net start server' from an administrative command prompt instead of rebooting.
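
The registry values from "How to hide" and from this section can be audited together, as an added example that is not part of the original page. The script only reads the values and reports whether each one differs from the Windows default described above; the variable and property names are constructed for illustration.

```powershell
# Added example: report the three registry values discussed on this page (read-only).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$policy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    @{ Path = $lanman; Name = 'AutoShareServer'; SetTo = 0
       WhenSet   = 'administrative shares hidden (server editions)'
       Otherwise = 'Windows default: administrative shares created automatically' }
    @{ Path = $lanman; Name = 'AutoShareWks'; SetTo = 0
       WhenSet   = 'administrative shares hidden (client editions)'
       Otherwise = 'Windows default: administrative shares created automatically' }
    # Only meaningful on Windows Vista and newer.
    @{ Path = $policy; Name = 'LocalAccountTokenFilterPolicy'; SetTo = 1
       WhenSet   = 'remote UAC restriction removed: local accounts can reach administrative shares'
       Otherwise = 'Windows default: local accounts cannot reach administrative shares over the network' }
)

foreach ($c in $checks) {
    $name = $c.Name
    $item = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue

    # A missing value is reported as such and treated as the Windows default.
    $current = if ($null -ne $item) { $item.$name } else { $null }
    $shown   = if ($null -eq $current) { '(not present)' } else { $current }
    $state   = if ($current -eq $c.SetTo) { $c.WhenSet } else { $c.Otherwise }

    [pscustomobject]@{
        Name    = $name
        Current = $shown
        State   = $state
    }
}
```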

How to enable in Windows XP Service Pack 1, 2, and 3

By default, Windows XP Service Pack 3 prevents access to the administrative shares through the network.

To enable administrative shares you have to:

  • Open Explorer and select Tools -> Folder Options
  • Select the View tab and scroll all the way down to the bottom of Advanced Settings
  • Make sure that "Use simple file sharing (Recommended)" is not selected

This should work instantly without the need for reboot. Note: Windows XP Home editions do not have this option, so cannot show administrative shares.

Security and prevention

Preventing access

Disabling the administrative shares mitigates many known security risks. For example, viruses such as the Conficker worm perform dictionary attacks on administrative shares.

Alternative approaches to prevent remote browsing of the disk contents include:

  • Remove "Administrators" from the Security tab of the drive in question. This will prevent any external local admin from accessing the drive yet still allow the local admin access
  • Disable File and Printer Sharing (or unbind the NetBT protocol)
  • Stop and/or disable the Workstation service
  • Set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
  • Remove membership in the Administrators group for those users/groups you wish to block
  • Encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files

Security of the shares

The DACLs on the administrative shares cannot be modified, even by the local Administrator account.

Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token. This is arguably more secure against such remote attacks than assigning a weak or easily-guessed password to the local Administrator account.

Last modified on 4 May 2013, at 22:04