Permissions on default shares (C$ etc.)

[wiser]

Does anyone know if it's possible to set or override the permissions on the default shares C$, D$ etc. which Windows XP automatically creates for each hard drive/partition?

I have a security problem with them because some users on our network know the password for the local administrator account on their own workstation, and Windows XP is allowing these local administrator accounts to access the C$ share on any other computer on the network. I can't rely on NTFS security either as some of the machines have FAT32 partitions.

Normally if you try to set permissions on these shares, a message box pops up telling you "This has been shared for administrative purposes. The permissions cannot be set.". However, I have found out that I can remove the C$ share then re-create it and apparently set permissions on it as with any other share... but it turns out that Windows then seems to recognise it as a default share, ignores the permissions I set and reverts back to the default behaviour anyway. I have also managed to stop Windows automatically re-creating these after a reboot (by setting registry key [blue]HKLM\ SYSTEM\ CurrentControlSet\ Services\ lanmanserver\ parameters\ AutoShareWks[/blue] to 0), but this isn't quite what I want either because I still get the same problem if I try to re-create the C$ share.

Is my only option to use a hidden share with a different name? I know it would get around the problem... but somehow this way just doesn't seem as nice!

 

[MrTBC]

Hi Wiser.

Can you change the local admin passwords? Or do the users need to know them for some reason?

 

[wiser]

Hi

Yes, you're right - I can change the passwords and probably will. That would be the better solution and is probably as easy from an admin point of view, but I was hoping (naively?) that there might be a simple way to set up the shares the way I want and also to satisfy my curiosity!

One thing I've noticed since my initial post to this thread which I find a bit worrying is that if you give the local administrator on a machine full access to a share on that machine, local administrators on other machines in the domain also seem to get the same level of access. All the local admin accounts are called "Administrator". In the past I've always used (for example) the account "jsmithxp\Administrator" to access shares on a machine named "jsmithxp", but it seems I can use "<anymachine>\Administrator" even if "jsmithxp\Administrator" is the only account with permission to access that share. Is this a flaw (or should I say "feature") of Windows networking?

 

[MrTBC]

Is that because Local Administrators are members of the Domain Administrators group and it is this group that actually has the permission?

 

[wiser]

No, I've double-checked this and the local administrator account is the only one that's listed in the permissions for the shares I'm using. A "Domain Administrators" group does exist, as does an "Administrators" group on the local machine, but neither are listed in the share permissions.