-1

It seems that I can access every drive on each computer in my work network by utilizing the $ share? Example:

\\computer_name\C$ 

would give me access to the C drive and each file

Is the AD wrongly configured? How do I disable this on my own machine?

Scott Pack
Bj Blazkowicz
  • 1
    Are you in the domain administrators group? If you are not a domain admin then yes, you probably have something misconfigured. – Zoredache Dec 11 '13 at 20:21

1 Answer

3

This is default behavior. The default hidden shares on a Windows machine are each major drive letter, ADMIN$, IPC$, and some others that are specialized to certain server roles. This behavior is referred to as "Administrative Shares." Only administrators can access these shares so unless you're handing out user accounts that have admin access to each other PC on the network, you're fine. If you're logged in to a PC as a regular user, not a domain admin or a local admin that has the same username and password on the other PCs on the network, and you can still get to the admin shares, then yes, there is a problem.

It is such a base feature of Windows that disabling them can have potential downsides. Be mindful of KB842715. To disable it permanently, you will have to use a registry edit at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. On servers edit / add AutoShareServer and make the REG_DWORD value be 0. On workstations edit / add AutoShareWks and make the REG_DWORD value be 0.

Wesley
  • Of course if he isn't a domain admin this wouldn't be default behavior, and instead it would mean he had something unusual. – Zoredache Dec 11 '13 at 20:22
  • 2
    @Zoredache Edited to make it clearer. And to be annoyingly precise, this same behavior can be had if you are logged in as a local account that has the same username and password as a local account on a remote PC that also has admin privileges. I've been in organizations that had a common local admin account with the same password across them all which acted like a ghetto domain admin. Log in as that account and you can get to all other PCs with a MMC snapin or via the admin shares. – Wesley Dec 11 '13 at 20:29
  • Ok. It seems that I am in the administrator group. It seems that they have put this as standard for every developer at the company... How can I disable access to my computer's hidden shares? – Bj Blazkowicz Dec 11 '13 at 20:31
  • 4
    If they've made it standard for every developer (which is unusual) then asking us how you can prevent it is asking us to circumvent your company policy, control or configuration, which we don't do here. – joeqwerty Dec 11 '13 at 20:33
  • 3
    1. Disabling the Admin shares requires editing the registry 2. Don't do that, just fix your permissions. 3. Why would you want to? *Do you have something to hide?* 4. Any other administrator can remotely re-enable them... so back to #2, fix what's really broken. – Chris S Dec 11 '13 at 20:34
  • @ChrisS have nothing to hide, just paranoid. Fix my own permissions? – Bj Blazkowicz Dec 11 '13 at 20:40
  • @joeqwerty Yes I find it pretty odd too. I will discuss this with our provider. – Bj Blazkowicz Dec 11 '13 at 20:43
  • @BjBlazkowicz Right, the fact that all the devs are administrators over a bunch of computers can be a security "problem" (as you've found). Being an admin over your own computer is fairly normal for a dev, though not everywhere. Only actual Systems Admin people should have administrator accounts in the admin group of every computer. – Chris S Dec 11 '13 at 20:45
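
An added example, not part of the original answer or comments: a read-only PowerShell check of the three things the thread turns on, namely which AutoShare value applies to this machine, which administrative shares currently exist, and who is in the local Administrators group. It assumes an elevated Windows PowerShell 5.1 or later session on the machine being checked; the variable and property names are illustrative.

```powershell
# Added example: read-only audit of administrative shares on the local machine.
# Assumes Windows PowerShell 5.1+ (Get-SmbShare, Get-LocalGroupMember), elevated.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$valueName   = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

# Read the value the answer names; it is usually absent on a default install.
$params    = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
$autoShare = $null
if ($params -and $params.PSObject.Properties[$valueName]) {
    $autoShare = $params.$valueName
}

# Special shares include the drive-letter shares, ADMIN$ and IPC$.
$adminShares = Get-SmbShare -Special $true | Select-Object Name, Path, Description

# Membership of the local Administrators group decides who can reach those shares.
# The well-known SID is used so the lookup also works on non-English systems.
try {
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    $admins = @()
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    RegistryValue    = $valueName
    ValueData        = if ($null -eq $autoShare) { '(not set)' } else { $autoShare }
    AutoShareEnabled = ($null -eq $autoShare) -or ($autoShare -ne 0)
    AdminShares      = $adminShares.Name -join ', '
    LocalAdmins      = $admins.Name -join ', '
} | Format-List
```

A broad domain group appearing under LocalAdmins is the situation described in the comments, where every developer is an administrator on every machine.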