From: Palumbo, Dave (Factiva) (Dave.Palumbo_at_factiva.com)
Date: Mon Nov 04 2002 - 15:50:57 CST


    Thanks Eric, this is a good suggestion. Haven't tried it, but I suspect it
    will work. Colin Owens (COwensuvcs.uvic.ca) also had a similar
    suggestion. He mentioned setting the AutoShareServer key (below) to 0 and
    then having a script run at startup that shares each of the desired hidden
    shares except for ADMIN$.

    His note below:

    >I haven't tried this specifically but it should work. Use the registry
    >key you mention below to disable all admin shares but then create a
    >batch file that shares each drive except admin$ and set it to run on
    >startup.
    >Example
    >echo off
    >net share c$=c:
    >net share d$=d:

    Just trying to guard against various attack scenarios.... was playing
    around with pwdump3e in a lab environment and noticed that it used the
    ADMIN$ share to authenticate (this is what prompted the original question).
    The thinking is that if this share isn't available, this tool will fail (see
    output below). This *may* be true (if it is, it's a limitation of the
    tool), but as Eric has correctly pointed out to me in an e-mail, it doesn't
    much matter which share is used to authenticate...administrator access is
    administrator access. In fact, Eric reminded me that original versions of
    the tool (Jeremy Allison, Todd Sabin) even use other shares to
    authenticate...I forgot about that..

    Haven't confirmed via the code, but a surface-level look at pwdump3e
    indicates that it specifically tries ADMIN$:

    C:\tools\pwdump3e>pwdump3e ip.add.re.ss

    pwdump3e (rev 1) by Phil Staubs, e-business technology, 23 Feb 2001
    Copyright 2001 e-business technology, Inc.

    This program is free software based on pwpump2 by Todd Sabin under the GNU
    General Public License Version 2 (GNU GPL), you can redistribute it and/or
    modify it under the terms of the GNU GPL, as published by the Free Software
    Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS
    PROGRAM. Please see the COPYING file included with this program (also
    available at www.ebiz-tech.com/pwdump3) and the GNU GPL for further details.

    Logon to \\ip.add.re.ss\ADMIN$ failed: code 51
    --------------------------------

    At any rate, thanks for the responses, much appreciated...

    - Dave

    -----Original Message-----
    From: Eric [mailto:ewstellurian.net]
    Sent: Monday, November 04, 2002 2:55 PM
    To: Palumbo, Dave; 'focus-mssecurityfocus.com'
    Subject: Re: Any way to remove ADMIN$ only?

    write a script that will launch each time upon machine bootup that
    'unshares' that share.

    'net share admin$ /delete'

    I don't know of any registry setting that will remove only that share and
    leave the others.

    Understand also that anyone with admin privileges to that machine can
    recreate that share at any time.

    At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:
    >Hello,
    >
    >I have a scenario in which I'd like to remove the ADMIN$ share from a
    >Windows 2000 server, but keep the other default shares (c$, d$) available
    >for an application...is there any documented/undocumented way to accomplish
    >this? If this is documented, please forgive me....but I sure can't find it.
    >I am aware of the
    >HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=0
    >registry key...but this disables all the default shares (save IPC$).
    >Again, I'm just looking to remove ADMIN$.
    >
    >Any ideas?
    >
    >Thanks,
    >
    >Dave Palumbo
    >http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8
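An added example, not part of the original thread: a small audit that parses `net share` output and checks it against the state discussed above (C$ and D$ present, ADMIN$ absent). The function names, the fixed column widths (English-locale output) and the sample table are assumptions constructed for illustration.

```python
# Column widths of English-locale `net share` output (assumed fixed-width).
NAME_W, RES_W = 13, 32

def _row(name, resource, remark):
    return name.ljust(NAME_W) + resource.ljust(RES_W) + remark

# Constructed sample: C$ and D$ re-created by the startup script,
# but ADMIN$ has been shared again by someone with admin rights.
SAMPLE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("C$", "C:\\", "Default share"),
    _row("D$", "D:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("ADMIN$", "C:\\WINNT", "Remote Admin"),
    "The command completed successfully.",
])

def parse_net_share(text):
    """Return {share name (upper-cased): resource path} from the table."""
    shares, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True            # rows begin after the dashed rule
        elif in_table and line.startswith("The command"):
            break                      # trailer line ends the table
        elif in_table and line.strip():
            name = line[:NAME_W].strip().upper()
            shares[name] = line[NAME_W:NAME_W + RES_W].strip()
    return shares

def audit(shares, required, forbidden=("ADMIN$",)):
    """Compare the live share table with the intended state."""
    findings = []
    for name, path in required.items():
        if name not in shares:
            findings.append(f"missing {name}")
        elif shares[name].upper() != path.upper():
            findings.append(f"{name} points to {shares[name]}, expected {path}")
    findings += [f"unexpected {n}" for n in forbidden if n in shares]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_net_share(SAMPLE), {"C$": "C:\\", "D$": "D:\\"}):
        print(finding)
```

Because anyone with admin privileges can recreate the share at any time, a check like this is only useful when run on a schedule against fresh `net share` output, not once at startup.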