
Disabling Admin Shares x64


11 replies to this topic

#1 Chillum


Posted 17 January 2014 - 07:07 AM

Hi, I found a fix to disable administrative shares in Windows 7 and was wondering if this fix also applies to Windows 7 x64 or is it just for x32?

Thanks for any info or help.

"For Workstations (Vista/Windows7)

Click Start—>Run type regedit click ok

For vista users Enter your UAC credentials to continue.

Open the HKEY_LOCAL_MACHINE branch.

Open the SYSTEM branch.

Open the CurrentControlSet branch.

Open the Services branch.

Open the LanmanServer branch.

Select the Parameters branch.

Select Edit, New, DWORD (32-bit) Value. Vista & Windows 7 adds a new value to the Parameters key (If you have the key just check for correct value).

Type AutoShareWks and press Enter. (You can leave this setting with its default value of 0.)

Restart Windows to put the new setting into effect."

Taken from the comments section here - http://www.sysprobs.com/disable-administrative-shares-windows-7-lets-data-secret





#2 chrisd87


Posted 17 January 2014 - 08:08 AM

This is how you do it if you have a 64 bit machine.

http://smallbusiness.chron.com/disable-default-admin-shares-windows-7-x64-67198.html

Also if you want no sharing, consider disabling the server service.

On a side note, why are you considering disabling Admin shares? Unless you're an admin or know the administrator password you're not going to get into C$, D$ or admin$.


Edited by chrisd87, 17 January 2014 - 08:10 AM.

"Like car accidents, most hardware problems are due to driver ɹoɹɹǝ."


#3 cryptodan


Posted 17 January 2014 - 08:42 AM

Having the admin shares enabled can pose a huge security risk as it can allow remote attackers to install things on your computer remotely.

#4 chrisd87


Posted 17 January 2014 - 09:50 AM

If you're worried about remote attackers, then you don't have your security set up properly in the first place.

My personal opinion is that it is far better to configure administrative accounts securely than to disable admin shares. There is legitimate use for them and if you have admin rights restricted then these are secured shares. If you have out of control admin rights then restricting the admin shares is only one minor part of a greater security problem and people can just create new shares anyway.


#5 Chillum


Posted 17 January 2014 - 10:42 AM

> This is how you do it if you have a 64 bit machine.
>
> http://smallbusiness.chron.com/disable-default-admin-shares-windows-7-x64-67198.html
>
> Also if you want no sharing, consider disabling the server service.
>
> On a side note, why are you considering disabling Admin shares? Unless you're an admin or know the administrator password you're not going to get into C$, D$ or admin$.

Thanks for the replies. I am trying to do it because of the same reason that cryptodan gave.

Anyway the "LocalAccountTokenFilterPolicy" isn't listed, unless the name had been changed to "FilterAdministratorToken" because that is the only other one with "Token" in the name?

http://imgur.com/tsNLL4o



#6 chrisd87


Posted 17 January 2014 - 10:56 AM

Well it may be worth taking a look at this if you're going to do it.

Something that may be easier is to just right click the C$ share and choose stop sharing. Then restart the PC or just restart the lanmanserver service using the NET START/STOP command.

As far as the DWORD value not being present on your system just create the DWORD yourself.

Edited by chrisd87, 17 January 2014 - 10:58 AM.
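The registry procedure quoted in post #1 and the lanmanserver restart mentioned in post #6, as one added PowerShell example that is not from the thread or from either linked site. It assumes an elevated prompt on the PowerShell 2.0 that ships with Windows 7 (so it uses WMI rather than Get-SmbShare), and it uses the AutoShareWks value the quote names, or AutoShareServer on server editions. The SYSTEM hive is not subject to WOW64 registry redirection, so the same path applies on x64.

```powershell
# Added example (not code from the thread). Audits the automatically created
# administrative shares, writes the AutoShareWks/AutoShareServer DWORD from the
# quoted procedure, and restarts the Server service so the change takes effect.
# Run from an elevated PowerShell prompt.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$valueName = if ((Get-WmiObject Win32_OperatingSystem).ProductType -eq 1) {
    'AutoShareWks'
} else {
    'AutoShareServer'
}

function Get-AdminShares {
    # Win32_Share.Type values at or above 0x80000000 mark the admin shares
    # (C$, D$, ADMIN$ and IPC$); ordinary user-created shares have small values.
    Get-WmiObject Win32_Share |
        Where-Object { $_.Type -ge 2147483648 } |
        Select-Object Name, Path, Type
}

function Get-AutoShareSetting {
    # Reports the current DWORD, or notes that it is absent (shares are created by default).
    $prop = Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { "$valueName not set (admin shares created by default)" }
    else { "$valueName = $($prop.$valueName)" }
}

function Disable-AdminShares {
    # Create the DWORD if it is missing (as post #6 says), otherwise set it to 0.
    $existing = Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $paramKey -Name $valueName -PropertyType DWord -Value 0 | Out-Null
    } else {
        Set-ItemProperty -Path $paramKey -Name $valueName -Value 0
    }
    # Restarting the Server service (lanmanserver) re-reads the value; a reboot does too.
    Restart-Service -Name LanmanServer -Force
}

Write-Host 'Before:'
Get-AutoShareSetting
Get-AdminShares | Format-Table -AutoSize

Disable-AdminShares

Write-Host 'After:'
Get-AutoShareSetting
Get-AdminShares | Format-Table -AutoSize
# C$, D$ and ADMIN$ should now be gone. IPC$ (Type 2147483651) remains; this
# value does not control it, so a "net share" listing will still show it.
```

Keep a note of what was changed: as the thread says, this breaks remote administration that relies on C$ and ADMIN$ (remote profile copies, remote event log and registry tools), and the change survives reboots until the DWORD is set back to 1 or deleted.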

 


#7 cryptodan


Posted 17 January 2014 - 07:49 PM

The admin shares are automatically set up by Windows, and the only way to prevent them from showing up via net use is to disable them, which is what is done in Corporate America, so that if there is a breach then there is no worry that malware can be installed.

[image: admin_share.png]

As you can see the drive is not shared, yet it is via admin. That is what he is talking about. With that shared and remote registry service running an attacker can easily install malware on your system.

Edited by cryptodan, 17 January 2014 - 08:13 PM.
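Whether you keep the admin shares or not, the defender's side of cryptodan's point is knowing who actually connects to them. This added PowerShell example is not part of the thread; it reads Security event 5140 ("A network share object was accessed") and keeps only hits on shares whose name ends in $. It assumes the "Audit File Share" subcategory under Object Access is enabled (via auditpol or Group Policy), an elevated prompt to read the Security log, and the standard 5140 fields SubjectUserName, SubjectDomainName, IpAddress and ShareName.

```powershell
# Added example (not code from the thread): list recent accesses to the
# administrative shares recorded in the Security log. Without "Audit File Share"
# auditing turned on there are no 5140 events and this returns nothing.

function Get-AdminShareAccess {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 5140
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML so fields are read by name rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # ShareName looks like \\*\C$ or \\*\ADMIN$; IPC$ matches as well, which is
        # useful because remote service and registry tools connect through it.
        if ($data.ShareName -match '\$$') {
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Source = $data.IpAddress
                Share  = $data.ShareName
            }
        }
    }
}

# Example run: everything from the last day, oldest first.
Get-AdminShareAccess -Hours 24 |
    Sort-Object Time |
    Format-Table Time, User, Source, Share -AutoSize
```

On a workstation that nobody administers remotely, any row whose Source is not a known management host is worth a look; on a managed network, the same query shows whether the accounts using C$ and ADMIN$ are the ones that are supposed to.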


#8 chrisd87


Posted 18 January 2014 - 12:42 AM

It's not done in Corporate America as it makes the job of IT so much easier. Windows puts the shares there for a reason...

Good example would be:

\\computer1\c$\documents and settings\jane.doe\

to

\\computer2\c$\documents and settings\jane.doe\

done.

They're called "admin shares" because only admins have rights to them... if they are worried about someone getting admin rights and using them, then there's a problem long before the admin shares...

I'm not going to get into the debate as to why it's best to keep them enabled, but make sure your security is set up properly to begin with...

Do you ever use the Previous Version for local files in Windows 7, or how about ADUC or ADSS? If so, good luck without Admin Shares.

They want them to be disabled, so they received the help they needed...

Edited by chrisd87, 18 January 2014 - 01:16 AM.

 


#9 technonymous


Posted 18 January 2014 - 03:45 AM

> The admin shares are automatically set up by Windows, and the only way to prevent them from showing up via net use is to disable them, which is what is done in Corporate America, so that if there is a breach then there is no worry that malware can be installed.
>
> [image: admin_share.png]
>
> As you can see the drive is not shared, yet it is via admin. That is what he is talking about. With that shared and remote registry service running an attacker can easily install malware on your system.

Just because net view shows it's shared doesn't mean everyone has access. Users shows as a share because it is shared with the Administrator group, User admin, Everyone. The Public folder inside the Users folder has the same settings as the Users folder. The username profile should still only be administrators without the Everyone group access. If it does, simply remove Everyone from its settings, or select share with no one. I guess you could untick sharing altogether and not even the administrator group will be able to access each other's profiles. That's not good really because profiles should be backed up and doing it across the network makes it a whole lot easier on the network administrator so he doesn't have to physically go fix 2000 computers on the network. As Chris said, C$ root shares have always been only for admins with accounts on the machine and if you get people gaining access to those then you've got far worse problems.



#10 cryptodan


Posted 18 January 2014 - 06:34 AM

Ever hear of privilege escalation tools? Get a simple user with that and an attacker will have free rein over your entire network. I have done this before in real time under authority. It works quite well and gained access to the domain controller with a token of an account that had administrative rights, such as a service running.

Edited by cryptodan, 18 January 2014 - 06:36 AM.


#11 chrisd87


Posted 18 January 2014 - 12:57 PM

Yes, have you ever heard of runas /user: .... what's the difference... A good firewall and antivirus in place will prevent any disaster from happening. If you can't trust your users, then that's where the problem arises..

Edited by chrisd87, 18 January 2014 - 05:36 PM.

 


#12 technonymous


Posted 19 January 2014 - 12:21 PM

> Ever hear of privilege escalation tools? Get a simple user with that and an attacker will have free rein over your entire network. I have done this before in real time under authority. It works quite well and gained access to the domain controller with a token of an account that had administrative rights, such as a service running.

Yep, I am aware of lots of hacks out there and have used many in some cases with a customer forgetting their password. An admin accessing a domain controller in that manner is asking for trouble without being behind a VPN or some other kind of secured tunnel to protect the session both locally and remotely. Also keeping public networks segmented away from the internal network, or in a DMZ behind a double NAT if you will.

Then you've got Metasploit, other tools like Kon-Boot and other startup tricks to get an elevated command prompt to change passwords. Then there is brute forcing SAM files with weak passwords. Then you have other things like USB sticks that emulate keyboard input for running nefarious scripts that create accounts with a reverse shell. This is why administrative servers are behind lock and key. Linux isn't impervious to hacking either. Linux root can be hacked just as easily as Windows can. Again, if you've got physical access there isn't much you can do; if someone wants in they will get in. About 90% of the time a machine has zero encryption or full disk encryption. You can boot off a live Linux CD and gain access to any file you want, it's as simple as that. Not saying that the fix used was good or bad, just that it can break things and later on you might forget exactly what you changed. Gotta do what you gotta do. :P


Edited by technonymous, 19 January 2014 - 12:24 PM.




