How can I disable the Administrative Share creation in Windows NT/2000/XP/2003?
Every Windows NT/W2K/XP/2003 machine automatically creates a share for each drive on the system. These shares are hidden, but available with full control to domain administrators. The drive letter, followed by the $ sign is the name, and it is shared from the root. When trying to attain a highly secure network, you may wish to address this potential security issue by disabling these shares, or at least restricting their permissions to specific users or services.
The default-hidden shares are:
C$ D$ E$ – Root of each partition. For a Windows NT workstation/W2K/2003/XP Professional computer only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows NT Server/W2K Server computer, members of the Server Operators group can also connect to these shared folders.
ADMIN$ – %SYSTEMROOT% This share is used by the system during any remote administration of a computer. The path of this resource is always the path to the W2K/NT system root (the directory in which W2K/NT is installed usually C:\Winnt and in XP it’s C:\Windows).
FAX$ – On W2K Server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
IPC$ – Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer’s shared resources. This share can be very dangerous and can be used to extract large amounts of information about your network, even by an anonymous account.
NetLogon – This share is used by the Net Logon service of a W2K, 2003 and NT Server computer while processing domain logon requests, and by Pre-W2K computers when running logon scripts.
PRINT$ – %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.
It is possible to simply remove the share from Server Manager (in NT) or Shared Folders (in W2K/XP/2003) but the problem with this method is that the shares will automatically be recreated when the machine reboots.
You can disable the automatic administrative share creation via Group Policy, but this is a much simpler way:
In order to disable these shares permanently, a registry edit will be necessary.
For NT 4.0/W2K/Windows Server 2003s, the change is:
Hive: HKEY_LOCAL_MACHINE Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareServer Data Type: REG_DWORD Value: 0
Idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.
Note: A reboot is necessary for this to take effect.
For NT 4.0 Workstation/W2K Pro/XP Pro, the change is:
Hive: HKEY_LOCAL_MACHINE Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareWks Data Type: REG_DWORD Value: 0
A double idiot proof note: If you can’t find the value in the registry under the exact location (i.e. it does not exist) – please right click in the right pane of the window and create it.
Note: Again, a reboot is necessary for this to take effect. If you want the administrative shares to be re-created, you can change the value back to 1.
Note: Some applications depend on the presence of these shares. If things stop working you’ll know to re-enable the shares.
Security note: Unfortunately this registry hack does NOT stop the IPC$ share and this is a share that is often used by hackers to enumerate systems before attack since it can yield a wealth of information about your system names, your user names, and more. If your ACL permissions are not correct or you haven’t disabled anonymous user access or you haven’t disabled the guest account then this port can lead to total system compromise within minutes!