
RE: Any way to remove ADMIN$ only?

From: Roger Seielstad <roger(at)wiredeuclid.COM>
Date: Wed Nov 06 2002 - 21:01:34 EST


The general best practice design, since as far back as I go ('95-ish) is based on the fact that when applying both share and file level permissions, most restrictive permissions apply.

Add to that the fact that share permissions only apply when accessed *through that specific share*, but not through other shares that might be higher in the file system hierarchy. Therefore, to ensure that consistent permissions are applied to the users no matter how the data is accessed, you must use file level (NTFS) permissions.

Since file level permissions are in effect and remembering that the most restrictive permissions apply (when combined with share level), there is no significant reason to burden the administrative staff with restrictive share level permissions. These permissions only serve to frustrate troubleshooting of access issues, and effectively double the workload of administrators.

Personally, I like to set all public shares to Authenticated Users|Full Control, and NTFS permission the heck out of things.



Roger D. Seielstad
Email Geek

-----Original Message-----

From: Evan Mann [mailto:emann@questinc.org]
Sent: Wednesday, November 06, 2002 8:09 AM
To: focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

Could this be elaborated more on the list by others? I do not recall any conversations about the practice of which is the "best practice" or "ideal" method of setting permissions between share level and file level within the past year and a half or so that I've begun monitoring the list. Perhaps it's a good time to bring the subject up?

-----Original Message-----

From: Zack Berkovitz [mailto:zberkovitz@pga-inc.com]
Sent: Tuesday, November 05, 2002 2:27 PM
To: Jim Harrison (SPG); Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

The best practice is in fact to use default (Everyone=Full) share permissions and to set NTFS security on all drives (with inheritance for 2K and newer systems running NTFS 5 or greater). Share permissions should really only be used when absolutely necessary, such as on FAT volumes where ACE's cannot be applied. Conflicts between share and NTFS perms always cause headaches down the road, and NTFS perms secure the files and directories for locally logged on users as well.

If you are sharing C and D, of which one is the system drive, how will removing the admin$ share (winnt) make the system any more secure, if the drive it resides on is shared out? NTFS permissions seem like a more comprehensive solution. The presence of any of the administrative shares is a security hole, regardless.

  • Zack

-----Original Message-----

From: Jim Harrison (SPG) [mailto:jmharr@microsoft.com]
Sent: Tuesday, November 05, 2002 9:59 AM
To: Eric; Palumbo, Dave (Factiva); focus-ms@securityfocus.com
Subject: RE: Any way to remove ADMIN$ only?

The only problem with using "net share" to create shares is that it applies default permissions to those shares it creates. These include "Everyone=Full"; obviously not an ideal scenario, especially given the default security of Windows drives (Everyone=Full). I've written a script that will create shares that only allow those accounts listed in the local server's administrator's group to have access to the share you choose to create.

http://isatools.org/createshare.zip

  • Jim Harrison MCP(NT4/2K), A+, Network+ Services Platform Division

The burden of proof is not satisfied by a lack of evidence to the contrary..

-----Original Message-----

From: Eric [mailto:ews@tellurian.net]
Sent: Monday, November 04, 2002 11:55 AM
To: Palumbo, Dave (Factiva); 'focus-ms@securityfocus.com'
Subject: Re: Any way to remove ADMIN$ only?

write a script that will launch each time upon machine bootup that 'unshares' that share.

'net share admin$ /delete'

I don't know of any registry setting that will remove only that share and leave the others.

Understand also that anyone with admin privileges to that machine can recreate that share at any time.

At 01:11 PM 11/4/2002 -0500, Palumbo, Dave (Factiva) wrote:

>Hello,
>
>I have a scenario in which I'd like to remove the ADMIN$ share from a
>Windows 2000 server, but keep the other default shares (c$, d$)
>available for an application...is there any documented/undocumented way
>to accomplish this?  If this is documented, please forgive me....but I
>sure can't find it. I am aware of the
>HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=0
>registry key...but this disables all the default shares (save IPC$).
>Again, I'm just looking to remove ADMIN$.
>
>Any ideas?
>
>Thanks,
>
>Dave Palumbo 
>
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x41F746F8
Received on Thu Nov 7 15:23:36 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:24 EDT
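
An added illustration of the point argued in this thread, not code from any of the posters: a simplified, allow-only model of how share and NTFS permissions combine per access route. The share names, paths, user and ACLs are constructed, and deny ACEs and real inheritance rules are not modelled.

```python
from pathlib import PureWindowsPath

# Simplified model (assumption): allow-only ACLs, no deny ACEs.
READ = frozenset({"read"})
WRITE = frozenset({"read", "write"})

def granted(acl, principals):
    """Union of the rights an ACL grants to any of the caller's principals."""
    rights = set()
    for principal, allowed in acl.items():
        if principal in principals:
            rights |= allowed
    return rights

def ntfs_rights(ntfs_acls, path, principals):
    """Use the nearest ancestor that carries an ACL (stand-in for inheritance)."""
    p = PureWindowsPath(path)
    for folder in [p, *p.parents]:
        if str(folder) in ntfs_acls:
            return granted(ntfs_acls[str(folder)], principals)
    return set()

def effective_by_route(shares, ntfs_acls, path, principals):
    """Rights per access route: every share containing the path, plus local logon."""
    target = PureWindowsPath(path)
    file_rights = ntfs_rights(ntfs_acls, path, principals)
    routes = {"(local)": file_rights}  # share ACLs never apply to local access
    for name, (root, share_acl) in shares.items():
        root = PureWindowsPath(root)
        if root == target or root in target.parents:
            # Most restrictive wins: intersect share rights with NTFS rights.
            routes[name] = granted(share_acl, principals) & file_rights
    return routes

# Constructed sample data: a read-only child share under a permissive parent share.
USER = {"alice", "Authenticated Users"}
SHARES = {
    "Reports": (r"D:\Data\Reports", {"Authenticated Users": READ}),
    "Data": (r"D:\Data", {"Authenticated Users": WRITE}),
}
FILE = r"D:\Data\Reports\q3.xls"
LOOSE_NTFS = {r"D:\Data": {"Authenticated Users": WRITE}}
TIGHT_NTFS = {r"D:\Data": {"Authenticated Users": WRITE},
              r"D:\Data\Reports": {"Authenticated Users": READ}}

if __name__ == "__main__":
    for label, acls in (("share-only restriction", LOOSE_NTFS), ("NTFS restriction", TIGHT_NTFS)):
        print(label, effective_by_route(SHARES, acls, FILE, USER))
```

With only the share ACL restricting Reports, the file is still writable through the parent Data share and at the console; with the restriction placed in NTFS, every route yields read-only.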

