  1. #1
    mrstrong's Avatar
    Join Date
    Nov 2010
    Location
    England
    Posts
    62
    Thank Post
    23
    Thanked 4 Times in 4 Posts
    Rep Power
    9

    Administrative share security issues

    Hi,

    I was at a teacher PC the other day and needed to get some software off my main PC (running XP SP3) so I browsed to
    \\MyPcName\E$ and all was good.

    Later, out of interest, I tried this from a non-admin pupil account and it worked and even allowed me to create/delete files !!!

    Obviously this is a bit of a security hole but I'm not sure of best technique to plug it.

    I read that you can disable sharing administrative shares but it will be re-enabled on reboot by windows.

    Also read I could have a startup/login/scheduled batch file to do e.g. NET SHARE E$ /delete

    Or is there a group policy fix ? (We are running server 2008 R2 Standard)

    Or maybe better to change security permissions locally for E: etc ?

    But what about all the other laptops / PCs used in office and by teachers as they will have the same issue.
    Don't want to have to manually set permissions on all computers individually ?!!

    Not sure why these admin shares exist anyway, should I blame Microsoft or the people who originally set up
    our network ?

    Thanks for any advice

  2. #2
    zag
    zag is offline
    zag's Avatar
    Join Date
    Mar 2007
    Posts
    4,002
    Thank Post
    983
    Thanked 477 Times in 398 Posts
    Blog Entries
    12
    Rep Power
    98
    The root E: drive should not have permissions for anyone other than admins.

  3. #3
    mrstrong's Avatar
    E has permission entries for "Administrators", "Authenticated users", "users" and "SYSTEM"
    Of course I could tweak these for my PC but how do I fix similar issues system wide in one fell swoop ?

  4. #4
    mrstrong's Avatar
    Bump,
    no one got any ideas ?

  5. #5

    Garacesh's Avatar
    Join Date
    Jan 2012
    Posts
    3,428
    Thank Post
    1,310
    Thanked 503 Times in 369 Posts
    Rep Power
    240
    Not sure if this is correct - yay for being an apprentice - but wouldn't a combo of permissions on the share and permissions on the actual folder limit this?
    Making it so the folder has 'list folder contents' unchecked and the share has no read permission for the student group/s?

  6. #6


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,715
    Thank Post
    288
    Thanked 789 Times in 616 Posts
    Rep Power
    226
    Your network is incorrectly configured. The default administrative shares do not allow normal users to browse them.

    At a guess, I suspect someone has added a domain group to a local computer group or domain users to a domain group that allows them local administrative access.

    So check the membership of your domain and local groups.

  7. #7
    MacGeek's Avatar
    Join Date
    May 2011
    Location
    Yorkshire
    Posts
    52
    Thank Post
    1
    Thanked 9 Times in 7 Posts
    Rep Power
    11
    The "Authenticated Users" group needs removing. You need to assess what impact this would have on any other files, folders and shares stored on the E: partition before you do though!

  8. #8
    mrstrong's Avatar
    Ok thanks for the info I'll investigate manually for my PC.

    But what about all the other staff PCs on site, is there any way to automate the investigation and a subsequent fix (like removing authenticated users) ?

    Also I've got a USB drive plugged in and it is being shared as I$, but I can't set any security permissions on it.
    Maybe as it's formatted as FAT32?
    So anyone can browse it, Ouch !!!
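
One way to automate the checks suggested in posts #6 and #7 across several PCs, as an added example that is not part of the original thread: it lists unexpected members of each machine's local Administrators group and any allow entries for broad groups on each drive root. The host names, drive letters and the list of expected administrators are placeholders to replace with your own, and the script only reports, it changes nothing.

```powershell
# Added example. Run as a domain admin from a management PC.
# Host names, drive letters and the allow-list are constructed placeholders.
$Computers      = 'STAFF-PC01', 'STAFF-PC02'
$Drives         = 'C', 'E'
$ExpectedAdmins = 'Administrator', 'Domain Admins'
$BroadGroups    = 'Authenticated Users', 'Users', 'Domain Users', 'Everyone'

function New-Finding($Computer, $Check, $Principal, $Detail) {
    New-Object PSObject -Property @{
        Computer = $Computer; Check = $Check; Principal = $Principal; Detail = $Detail
    }
}

$findings = foreach ($pc in $Computers) {
    # 1. Local Administrators membership (the cause suspected in post #6).
    try {
        $group = [ADSI]"WinNT://$pc/Administrators,group"
        foreach ($m in @($group.Invoke('Members'))) {
            $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $name = ($path -split '/')[-1]
            if ($ExpectedAdmins -notcontains $name) {
                New-Finding $pc 'LocalAdmins' $name $path
            }
        }
    } catch {
        New-Finding $pc 'LocalAdmins' '-' "query failed: $($_.Exception.Message)"
    }

    # 2. Allow entries for broad groups on each drive root (posts #3 and #7).
    foreach ($d in $Drives) {
        $root = "\\$pc\$d`$"                 # e.g. \\STAFF-PC01\E$
        if (-not (Test-Path $root)) { continue }   # drive absent or PC unreachable
        try {
            foreach ($ace in (Get-Acl -Path $root -ErrorAction Stop).Access) {
                $who = ($ace.IdentityReference.Value -split '\\')[-1]
                if ($ace.AccessControlType -eq 'Allow' -and $BroadGroups -contains $who) {
                    # Detail carries the rights so read-only entries can be told apart.
                    New-Finding $pc "RootAcl ${d}:" $who $ace.FileSystemRights
                }
            }
        } catch {
            New-Finding $pc "RootAcl ${d}:" '-' "query failed: $($_.Exception.Message)"
        }
    }
}

$findings | Select-Object Computer, Check, Principal, Detail | Format-Table -AutoSize
```

A domain group such as Domain Users showing up under `LocalAdmins` matches the misconfiguration described in post #6; entries under `RootAcl` show where the drive-root permissions from post #7 would need reviewing.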


