From: www.itworld.com

Disabling the Hidden Administrative Shares

July 2, 2008 —

 

I mentioned in my previous post that you can add $ to a share name to hide the share, and that it was a good idea to also modify the share name to something not easily guessable by some snoop. Note, however, that Windows Vista sets up certain hidden shares for administrative purposes, including one for drive C: (C$) and any other hard disk partitions you have on your system. Windows Vista also sets up the following hidden shares:

Share Shared Path Purpose
ADMIN$ %SystemRoot% Remote administration
IPC$ N/A Remote interprocess communication
print$ %SystemRoot%\System32\spool\drivers Access to printer drivers

To see these shares, select Start, All Programs, Accessories, Command Prompt to open a command prompt session, type net share, and press Enter. You see a listing similar to this:

Share name   Resource                        Remark
-----------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public

So although the C$, D$, and ADMIN$ shares are otherwise hidden, they're well known, and they represent a small security risk should an intruder get access to your network.

To close this hole, you can force Windows Vista to disable these shares. Here are the steps to follow:

  1. Click Start, type regedit in the Search box, and then click regedit.exe in the search results. The User Account Control dialog box appears.
  2. Enter your UAC credentials to continue. Windows Vista opens the Registry Editor.

    3. CAUTION
    Remember that the Registry contains many important settings that are crucial for the proper functioning of Vista and your programs. Therefore, when you are working with the Registry Editor, don't make changes to any settings other than the ones I describe in this post.

  3. Open the HKEY_LOCAL_MACHINE branch.

  4. Open the SYSTEM branch.

  5. Open the CurrentControlSet branch.

  6. Open the Services branch.

  7. Open the LanmanServer branch.

  8. Select the Parameters branch.

  9. Select Edit, New, DWORD (32-bit) Value. Vista adds a new value to the Parameters key.

  10. Type AutoShareWks and press Enter. (You can leave this setting with its default value of 0.)

  11. Restart Windows Vista to put the new setting into effect.

Once again, select Start, All Programs, Accessories, Command Prompt to open a command prompt session, type net share, and press Enter. The output now looks like this:

Share name   Resource                        Remark
-----------------------------------------------------------
IPC$                                         Remote IPC
print$       C:\System32\spool\drivers       Printer Drivers
Public       C:\Users\Public

Bear in mind that some programs expect the administrative shares to be present, so disabling those shares may cause those programs to fail or generate error messages. If that happens, enable the shares by opening the Registry Editor and either deleting the AutoShareWks setting or changing its value to 1.