shared folders

Discussion in 'Computer Security' started by Christo, Nov 13, 2004.

  1. Christo

    Christo Guest

    I have gone through the following process

    control panel > admin tools > computer management

    shared folders > shares

    the list shows this

    ADMIN$ C:\WINDOWS

    it also shows in the comment section "Remote Admin"

    there is also

    C$ C:\

    this shows up as default share

    and finally IPC$ with no location it shows up as remote IPC

    are these security holes, specifically the Remote admin, I have not
    specified this at all, could someone tell me how to remove it please if it
    is a problem?

    there are no options in computer management console to disable or delete
    this share

    any help would be much appreciated!
    --
    --
    MSI KT6V
    AMD Athlon XP2600+
    Christo, Nov 13, 2004
    #1

  2. They are administrative shares created by the OS.

    They can be disabled by editing the Registry but I don't remember the Registry branch and
    key. :-(

    Dave



    "Christo" <> wrote in message news:...
    | I have gone through the following process
    |
    | control panel > admin tools > computer management
    |
    | shared folders > shares
    |
    | the list shows this
    |
    | ADMIN$ C:\WINDOWS
    |
    | it also shows in the comment section "Remote Admin"
    |
    | there is also
    |
    | C$ C:\
    |
    | this shows up as default share
    |
    | and finally IPC$ with no location it shows up as remote IPC
    |
    | are these security holes, specifically the Remote admin, I have not
    | specified this at all, could someone tell me how to remove it please if it
    | is a problem?
    |
    | there are no options in computer management console to disable or delete
    | this share
    |
    | any help would be much appreciated!
    | --
    | --
    | MSI KT6V
    | AMD Athlon XP2600+
    |
    |
    David H. Lipman, Nov 14, 2004
    #2

  3. Christo

    donnie Guest

    On Sat, 13 Nov 2004 22:36:54 -0000, "Christo" <>
    wrote:

    >I have gone through the following process
    >
    >control panel > admin tools > computer management
    >
    >shared folders > shares
    >
    >the list shows this
    >
    >ADMIN$ C:\WINDOWS
    >
    >it also shows in the comment section "Remote Admin"
    >
    >there is also
    >
    >C$ C:\
    >
    >this shows up as default share
    >
    >and finally IPC$ with no location it shows up as remote IPC
    >
    >are these security holes, specifically the Remote admin, I have not
    >specified this at all, could someone tell me how to remove it please if it
    >is a problem?
    >
    >there are no options in computer management console to disable or delete
    >this share
    >
    >any help would be much appreciated!
    >--

    ##########################
    Click start, run, type
    \\IP_address_of_your_machine
    see what opens if anything
    also run
    \\IP_address/C$
    \\IP_address/IPC$
    \\IP_address/admin$
    donnie.
    donnie, Nov 14, 2004
    #3
  4. Christo wrote:

    > are these security holes, specifically the Remote admin


    These are builtin M$ features to help the spread of malware. ;)

    Honestly:

    They are called administrative shares and are meant for the administrators
    of large networks to ease their work. To access them you need the machine's
    admin password, so if you have a good, strong one you aren't in too much
    danger. All those who think that admin passwords are for wimps, however,
    are in for a nasty surprise sooner or later.
    Yes they can be disabled via a certain registry key that, IIRC, you have to
    create yourself (it's not there by default). Unfortunately I can't tell you
    right away what this key is because I largely moved to SuSE Linux months
    ago, only starting M$ for games and some very special multimedia apps.

    Ah, wait, I may still have the batch file here, accessible from Linux...

    (digs through his XP partition)

    ....there it is. On my XP pro system, the following worked:



    in the registry branch

    HKLM\system\currentcontrolset\services\lanmanserver\parameters

    create a new DWORD key named

    autosharewks

    and give it the value 0.



    That should disable those admin shares at next reboot at the latest, though
    I'm not perfectly sure if IPC$ will be affected too - it may be too
    important for the system as a whole to be switched off. But ADMIN$ and the
    drive shares should be gone.

    You need admin privileges for that of course, so either start your regedit
    with "Run as..." or login as admin to do it. And if you haven't already
    done so, PLEASE do yourself the favor and assign a strong password to the
    admin account - one that can't be guessed by a dictionary attack. :)

    Hope to have helped...

    --
    Regards

    Thore "Tocis" Schmechtig
    Thore \Tocis\ Schmechtig, Nov 14, 2004
    #4
  5. Christo

    Christo Guest

    "Thore "Tocis" Schmechtig" <> wrote in message
    news:...
    > Christo wrote:
    >
    >> are these security holes, specifically the Remote admin

    >
    > These are builtin M$ features to help the spread of malware. ;)
    >
    > Honestly:
    >
    > They are called administrative shares and are meant for the administrators
    > of large networks to ease their work. To access them you need the
    > machine's
    > admin password, so if you have a good, strong one you aren't in too much
    > danger. All those who think that admin passwords are for wimps, however,
    > are in for a nasty surprise sooner or later.
    > Yes they can be disabled via a certain registry key that, IIRC, you have
    > to
    > create yourself (it's not there by default). Unfortunately I can't tell
    > you
    > right away what this key is because I largely moved to SuSE Linux months
    > ago, only starting M$ for games and some very special multimedia apps.
    >
    > Ah, wait, I may still have the batch file here, accessible from Linux...
    >
    > (digs through his XP partition)
    >
    > ...there it is. On my XP pro system, the following worked:
    >
    >
    >
    > in the registry branch
    >
    > HKLM\system\currentcontrolset\services\lanmanserver\parameters
    >
    > create a new DWORD key named
    >
    > autosharewks
    >
    > and give it the value 0.
    >
    >
    >
    > That should disable those admin shares at next reboot at the latest,
    > though
    > I'm not perfectly sure if IPC$ will be affected too - it may be too
    > important for the system as a whole to be switched off. But ADMIN$ and the
    > drive shares should be gone.
    >
    > You need admin privileges for that of course, so either start your regedit
    > with "Run as..." or login as admin to do it. And if you haven't already
    > done so, PLEASE do yourself the favor and assign a strong password to the
    > admin account - one that can't be guessed by a dictionary attack. :)
    >
    > Hope to have helped...
    >
    > --
    > Regards
    >
    > Thore "Tocis" Schmechtig


    thanks for the advice, my account is pwd prod thanks

    however after adding the reg value autosharewks as 0 (doesn't matter if it's
    hex or dec does it)

    and checking the shares again they all still appear to be there (this is
    after a reboot)

    the key is in the regedit too so I am not sure why that hasn't worked?
    Christo, Nov 14, 2004
    #5
  6. Christo

    Christo Guest

    "Thore "Tocis" Schmechtig" <> wrote in message
    news:...
    > Christo wrote:
    >
    >> are these security holes, specifically the Remote admin

    >
    > These are builtin M$ features to help the spread of malware. ;)
    >
    > Honestly:
    >
    > They are called administrative shares and are meant for the administrators
    > of large networks to ease their work. To access them you need the
    > machine's
    > admin password, so if you have a good, strong one you aren't in too much
    > danger. All those who think that admin passwords are for wimps, however,
    > are in for a nasty surprise sooner or later.
    > Yes they can be disabled via a certain registry key that, IIRC, you have
    > to
    > create yourself (it's not there by default). Unfortunately I can't tell
    > you
    > right away what this key is because I largely moved to SuSE Linux months
    > ago, only starting M$ for games and some very special multimedia apps.
    >
    > Ah, wait, I may still have the batch file here, accessible from Linux...
    >
    > (digs through his XP partition)
    >
    > ...there it is. On my XP pro system, the following worked:
    >
    >
    >
    > in the registry branch
    >
    > HKLM\system\currentcontrolset\services\lanmanserver\parameters
    >
    > create a new DWORD key named
    >
    > autosharewks
    >
    > and give it the value 0.
    >
    >
    >
    > That should disable those admin shares at next reboot at the latest,
    > though
    > I'm not perfectly sure if IPC$ will be affected too - it may be too
    > important for the system as a whole to be switched off. But ADMIN$ and the
    > drive shares should be gone.
    >
    > You need admin privileges for that of course, so either start your regedit
    > with "Run as..." or login as admin to do it. And if you haven't already
    > done so, PLEASE do yourself the favor and assign a strong password to the
    > admin account - one that can't be guessed by a dictionary attack. :)
    >
    > Hope to have helped...
    >
    > --
    > Regards
    >
    > Thore "Tocis" Schmechtig


    read a bit more and found that AutoShareServer at 0 may also work
    Christo, Nov 14, 2004
    #6
  7. Christo

    Christo Guest

    "Thore "Tocis" Schmechtig" <> wrote in message
    news:...
    > Christo wrote:
    >
    >> are these security holes, specifically the Remote admin

    >
    > These are builtin M$ features to help the spread of malware. ;)
    >
    > Honestly:
    >
    > They are called administrative shares and are meant for the administrators
    > of large networks to ease their work. To access them you need the
    > machine's
    > admin password, so if you have a good, strong one you aren't in too much
    > danger. All those who think that admin passwords are for wimps, however,
    > are in for a nasty surprise sooner or later.
    > Yes they can be disabled via a certain registry key that, IIRC, you have
    > to
    > create yourself (it's not there by default). Unfortunately I can't tell
    > you
    > right away what this key is because I largely moved to SuSE Linux months
    > ago, only starting M$ for games and some very special multimedia apps.
    >
    > Ah, wait, I may still have the batch file here, accessible from Linux...
    >
    > (digs through his XP partition)
    >
    > ...there it is. On my XP pro system, the following worked:
    >
    >
    >
    > in the registry branch
    >
    > HKLM\system\currentcontrolset\services\lanmanserver\parameters
    >
    > create a new DWORD key named
    >
    > autosharewks
    >
    > and give it the value 0.
    >
    >
    >
    > That should disable those admin shares at next reboot at the latest,
    > though
    > I'm not perfectly sure if IPC$ will be affected too - it may be too
    > important for the system as a whole to be switched off. But ADMIN$ and the
    > drive shares should be gone.
    >
    > You need admin privileges for that of course, so either start your regedit
    > with "Run as..." or login as admin to do it. And if you haven't already
    > done so, PLEASE do yourself the favor and assign a strong password to the
    > admin account - one that can't be guessed by a dictionary attack. :)
    >
    > Hope to have helped...
    >
    > --
    > Regards
    >
    > Thore "Tocis" Schmechtig


    AutoShareServer

    hasn't worked

    I have read that these are created automatically, so no one has had access to
    my machine in order to create them, I am running a firewall so it should be
    ok, hopefully, I will keep an eye on it.
    Christo, Nov 14, 2004
    #7
  8. Christo

    Mike Guest

    Christo wrote:

    > "Thore "Tocis" Schmechtig" <> wrote in message
    > news:...
    >
    >>Christo wrote:

    > however after adding the reg value autosharewks as 0 (doesn't matter if it's
    > hex or dec does it)

    ROFL! F**K I've just pissed myself :-(
    Mike, Nov 14, 2004
    #8
  9. Christo

    Mike Guest

    Mike, Nov 14, 2004
    #9
  10. Christo

    Christo Guest

    Christo, Nov 14, 2004
    #10
  11. Christo

    Christo Guest

    "Mike" <> wrote in message
    news:419786ac$0$116$...
    > Christo wrote:
    >
    >> "Thore "Tocis" Schmechtig" <> wrote in message
    >> news:...
    >>
    >>>Christo wrote:

    >> however after adding the reg value autosharewks as 0 (doesn't matter if
    >> it's hex or dec does it)

    > ROFL! F**K I've just pissed myself :-(


    yeah yeah ok they are the same, dumb thing to say
    Christo, Nov 14, 2004
    #11
  12. NOT if you are an administrator of many PCs !
    Albeit, WinXPHE doesn't need these Admin shares.

    Dave




    "Christo" <> wrote in message news:...
    |
    | "Mike" <> wrote in message
    | news:4197871a$0$116$...
    | > Of course what you are actually looking for is this:-
    | >
    | > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech
    |
    | it would be nice if those options were available to me however there is no
    | "stop sharing" action available
    |
    | it seems like yet another fucked up windows feature
    |
    |
    David H. Lipman, Nov 14, 2004
    #12
  13. Christo

    Christo Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:BnMld.1864$qS4.1131@trnddc09...
    > NOT if you are an administrator of many PCs !
    > Albeit, WinXPHE doesn't need these Admin shares.
    >
    > Dave
    >
    >
    >
    >
    > "Christo" <> wrote in message
    > news:...
    > |
    > | "Mike" <> wrote in message
    > | news:4197871a$0$116$...
    > | > Of course what you are actually looking for is this:-
    > | >
    > | >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech
    > |
    > | it would be nice if those options were available to me however there is
    > no
    > | "stop sharing" action available
    > |
    > | it seems like yet another fucked up windows feature
    > |
    > |
    >
    >


    that's true and seeing as how I am running pro they are probably defaulted to
    be set as active with pro being the networking version of XP
    Christo, Nov 14, 2004
    #13
  14. They are both Networkable. The difference is WinXP Pro is designed for NT4 Domains and
    Active Directory. WinXPHE is not. However they both do Workgroups.

    Dave



    "Christo" <> wrote in message news:...
    ||
    | that's true and seeing as how I am running pro they are probably defaulted to
    | be set as active with pro being the networking version of XP
    |
    |
    David H. Lipman, Nov 14, 2004
    #14
  15. Christo

    Mike Guest

    Christo wrote:
    > "Mike" <> wrote in message
    > news:4197871a$0$116$...
    >
    >>Of course what you are actually looking for is this:-
    >>
    >>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech

    >
    >
    > it would be nice if those options were available to me however there is no
    > "stop sharing" action available
    >
    > it seems like yet another fucked up windows feature
    >
    >


    Try reading the article:-

    Firstly only hidden shares created by users can be deleted:-

    "Hidden shares that are created by users can be deleted, and they are
    not re-created after you restart your computer. Microsoft Windows XP
    Home Edition does not create hidden administrative shares."

    To remove the Administrative shares:-

    "Method 2: Deleting default administrative shares for current and later
    sessions
    Warning If you use Registry Editor incorrectly, you may cause serious
    problems that may require you to reinstall your operating system.
    Microsoft cannot guarantee that you can solve problems that result from
    using Registry Editor incorrectly. Use Registry Editor at your own risk.

    To delete the hidden administrative shares for all root partitions and
    volumes (such as C$) and the system root folder (ADMIN$) and to prevent
    Windows from re-creating them, add an AutoShareWks DWORD value to the
    following registry key, and then set its value data to 0:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"



    --

    ------------------------------------

    Real email to mike. The header email is a spam trap and you will be
    blacklisted,
    submitted to anti-spam sites and probably burn in hell.
    Mike, Nov 15, 2004
    #15
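
    The registry change quoted from the KB article above, written out as an added PowerShell example; it is not part of the original thread or of the Microsoft article. The function names are hypothetical, and it assumes a Windows system with PowerShell 3.0 or later and an elevated prompt. It reports the AutoShare values with their registry type, sets AutoShareWks to DWORD 0, and lists the administrative shares so the result can be compared before and after the reboot the thread mentions.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareValue {
    # Report whether each value exists, plus its registry type and data.
    # Registry value names are case-insensitive, so "autosharewks" matches too.
    $key = Get-Item -Path $ParamKey
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $present = $key.GetValueNames() -contains $name
        [pscustomobject]@{
            Name    = $name
            Present = $present
            Kind    = if ($present) { $key.GetValueKind($name) } else { $null }
            Data    = if ($present) { $key.GetValue($name) } else { $null }
        }
    }
}

function Get-AdminShare {
    # Win32_Share.Type is 2147483648 or higher for administrative shares
    # (2147483648 = disk drive admin share, 2147483651 = IPC admin share).
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Description, Type
}

function Set-AutoShareWksOff {
    # Create AutoShareWks as a REG_DWORD with data 0, as the KB text describes.
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $ParamKey -Name 'AutoShareWks' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-AutoShareValue | Format-Table -AutoSize   # state before the change
Get-AdminShare     | Format-Table -AutoSize   # shares currently published

Set-AutoShareWksOff

Get-AutoShareValue | Format-Table -AutoSize   # state after the change
# Reboot, then run Get-AdminShare again and compare the two listings.
```

    The Kind column shows whether an existing value really is a DWORD, and the second listing after the reboot shows which of ADMIN$, C$ and IPC$ are still published.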
  16. Christo

    Christo Guest

    "Mike" <> wrote in message
    news:cna41t$g9f$...
    > Christo wrote:
    >> "Mike" <> wrote in message
    >> news:4197871a$0$116$...
    >>
    >>>Of course what you are actually looking for is this:-
    >>>
    >>>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech

    >>
    >>
    >> it would be nice if those options were available to me however there is
    >> no "stop sharing" action available
    >>
    >> it seems like yet another fucked up windows feature

    >
    > Try reading the article:-
    >
    > Firstly only hidden shares created by users can be deleted:-
    >
    > "Hidden shares that are created by users can be deleted, and they are not
    > re-created after you restart your computer. Microsoft Windows XP Home
    > Edition does not create hidden administrative shares."
    >
    > To remove the Administrative shares:-
    >
    > "Method 2: Deleting default administrative shares for current and later
    > sessions
    > Warning If you use Registry Editor incorrectly, you may cause serious
    > problems that may require you to reinstall your operating system.
    > Microsoft cannot guarantee that you can solve problems that result from
    > using Registry Editor incorrectly. Use Registry Editor at your own risk.
    >
    > To delete the hidden administrative shares for all root partitions and
    > volumes (such as C$) and the system root folder (ADMIN$) and to prevent
    > Windows from re-creating them, add an AutoShareWks DWORD value to the
    > following registry key, and then set its value data to 0:
    > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    >
    >
    >


    done that no luck, something is up, they still appear in comp management
    Christo, Nov 16, 2004
    #16