NT Gatekeeper: Disable Administrative Shares

To facilitate administration, Windows NT 4.0 automatically creates hidden administrative shares for your system's logical drives. However, because the system creates the shares by default, everyone knows the share names, which makes these names an easy target for attackers. Knowing that you can't lock out an Administrator account, attackers have unlimited time to try Administrator account and password combinations to access the administrative shares. How can I prevent NT from automatically creating these administrative shares?

The problem with administrative shares is that you can't remove them by simply deleting the shares. Deleting an administrative share removes it only temporarily; the share reappears after the next system reboot. Further, you can't set custom share permissions on administrative shares. If you try to do so, you'll receive the error message This has been shared for administrative purposes. The permissions cannot be set.

To permanently remove administrative shares, you can use the registry settings that Table 1 shows. (You must reboot your machine to apply these settings.) You can also use the System Policy Editor (SPE) or the Security Configuration Tool Set (SCTS) to change the settings. (The SCTS is an add-on utility that you can install on systems running Service Pack 4—SP4—or later.) Figure 4 shows how to use the SPE to change the settings. To get to the SPE, type

poledit

at a command prompt, then open a new or existing policy file (i.e., *.pol). Next, clear the Create hidden drive shares (workstation) and the Create hidden drive shares (server) check boxes in default computerwindows nt networksharing. To use the SCTS to change the registry settings, you must create custom entries in the SCTS local policiessecurity options folder, which I explained how to do in the question "Use the SCTS to control application-specific registry settings," June 2001. Disabling the automatic administrative shares won't affect an administrator's ability to manually create custom shares for a system's logical drives.

Another way to protect your systems is to harden the Administrator account. For example, you can rename the account or use the Passprop utility (available in the Microsoft Windows NT Server 4.0 Resource Kit) to apply account lockout rules to the account. See the question "How can I protect the Administrator account from unauthorized use?" March 2001 for information about protecting the Administrator account.