Take Care When Disabling Windows' Default Shares

Recently, I received a phone call from a former coworker who left a small Independent Software Vendor (ISV) to take a job in a large corporate IT department. He had some questions about Microsoft Systems Management Server (SMS) that he hoped I could answer. We chatted about the product and his computing environment, then he signed off to install SMS on his test network.

Twenty-four hours later, I received a somewhat panicky phone call: SMS wouldn't install on some of the computers on his test network, and my friend couldn't figure out why. Coincidentally, I had just answered a reader question that indirectly provided me with the solution to the SMS problem: My friend needed to reinstate Windows' default shares on the computers in his network.

Many users, very reasonably, are concerned about the overall security of networked computers. To provide what they feel is the highest possible level of security against outside attacks, they disable some (or all) of the default shares that Windows creates on server and client computers. Some third-party security software products even automate disabling default administrative shares as part of their security solution. This automation is necessary because the Server service that runs on Windows computers recreates the default administrative shares every time the computer is restarted.

However, disabling default shares has a major downside. Products such as SMS, Microsoft Operations Manager (MOM), and many third-party systems management tools depend on the existence of the default shares for proper operation. A little knowledge about these default shares and how to properly manage them can help you avoid problems such as the one my friend experienced with SMS.

Managing administrative shares is simple. Launch the Control Panel Administrative Tools applet, open Computer Management, and double-click the Shared Folders tree to expand it. Click Shares to display the list of administrative shares, and right-click any listed share to stop or start sharing it. Depending on which Windows OS you're using, you'll have at least three of the following default shares enabled: ADMIN$, Netlogon, IPC$, PRINT$, FAX$, and one share for the root of each disk partition or volume (DriveLetter$).

ADMIN$ is the system root folder (%systemroot%—e.g., C:winnt). Most administrative functions require access to this share. Netlogon is necessary to process logon requests. IPC$ is the interprocess communications share that named pipes use for interserver communication. PRINT$ is required for remote printer administration, and client fax services use FAX$.

Administrative shares also have one unique property: When created, their default access permission is that all Administrators have full control and all other users have no access (unlike the Everyone permissions granted to other shares). Because of this access permission, you can create administrative shares only through the Computer Management console, not through the individual share's Properties tab.

Managing shares is crucial to keeping your computing environment safe and secure. Just as important is knowing what you're doing before you restrict share access or disable system shares completely because, as my friend found out, you might not be able to foresee the effects these shares have on other programs and tools. If you plan to start disabling default configurations, make sure that you experiment on test or noncritical equipment before you apply these policies networkwide.