Windows XP Security

Microsoft has been in the habit of creating applications with security vulnerabilities for years. Windows XP is no exception. Even more disturbing are the default settings that come with a typical installation of Windows XP SP2 for example.

Hidden Administrative Shares

By default, Windows creates hidden administrative shares of all drives attached to the computer. Their purpose is to allow remote administration in a Windows network environment. This means that an uninformed user who creates multiple accounts on his Windows machine may be at risk of intrusion by hackers, depending on his network environment. The hidden administrative shares are typically displayed as:

IPC$ - Used for named pipes and required for communication between programs. It cannot be disabled by default as far as the author knows. It is used during remote administration and when viewing a computer's shared resources.
ADMIN$ - Shares the Windows system directory (where Windows is installed) and all of its subfolders with Administrators. This is used during remote administration.
C$, D$, etc. - Shares the root of every drive and every partition, including all subfolders thereof, with Administrators and Backup Operators over the Microsoft Windows Network.

These hidden shares can be viewed in the Computer Management console via Start -> Control Panel -> Administrative Tools -> Computer Management. An example of the console with the hidden administrative shares is shown below in Figure 1.



Figure 1. Windows XP Hidden Administrative Shares

An alternative method of verifying the existence of the shares on your PC is to attempt to access the share from your PC directly. The test can be performed via Start -> Run and then typing in \\ComputerName\C$\ where ComputerName is the name of your computer on the Microsoft Windows Network. If you do not know the name of your computer, it can be found via Start -> Control Panel -> System under the tab entitled "Computer Name". If a folder opens up showing the contents of your C: drive, then the hidden administrative share is enabled on your computer.

Disabling the Hidden Administrative Shares

The hidden administrative shares can be disabled temporarily via the Computer Management console (right-click the share and select "Stop Sharing"). However, upon reboot of your computer, the hidden administrative shares will reappear!

In order to permanently disable the hidden administrative shares, two entries must be added to the registry. Open the Registry Editor via Start -> Run and type in regedit. The Windows Registry Editor application will appear as shown below in Figure 2.



Figure 2. Registry Entries to Disable Windows XP Hidden Administrative Shares

Navigate through the folders in the left pane to:
MY COMPUTER\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
and right-click in the right pane to select New -> DWORD Value. In this manner, create the two values:

Name               Type         Data
AutoShareServer    REG_DWORD    0
AutoShareWks       REG_DWORD    0

An alternative method to using regedit as described above is to create a text file in Notepad via Start -> Programs -> Accessories -> Notepad. Copy the following text and paste it into Notepad:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

Save the file as DisableHiddenShares.reg. Then double-click the file to import the information into the registry. Upon reboot of your computer, the hidden administrative shares will no longer exist by default.
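As an added example (not part of the original article), the following PowerShell script performs the checks described above: it lists the administrative shares through WMI, reports whether the two registry values are set, and, when run with -Fix, writes them. PowerShell is an assumption here, since it is an add-on on Windows XP (version 2.0 was released for XP SP3), and the script must run in an administrator session.

```powershell
# Added example, not the article's own code. Assumes PowerShell 2.0 or later
# and an administrator session (required for -Fix).
param([switch]$Fix)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$names   = 'AutoShareServer', 'AutoShareWks'

# 1. List the shares WMI flags as administrative: their Type has the high bit
#    (0x80000000, written as 2147483648 to avoid 32-bit literal wrap) set.
$adminShares = Get-WmiObject -Class Win32_Share |
    Where-Object { ($_.Type -band 2147483648) -ne 0 }
"Administrative shares currently present:"
$adminShares | Format-Table Name, Path, Type -AutoSize

# 2. Report the two registry values. A value that is not set means the
#    Windows default applies, i.e. the shares are recreated at every boot.
$props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
foreach ($n in $names) {
    $v = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { '<not set>' }
    "{0,-16} = {1}" -f $n, $v
}

# 3. Optionally apply the article's fix: both values as REG_DWORD 0.
#    Set-ItemProperty creates the value if it does not exist yet.
if ($Fix) {
    foreach ($n in $names) {
        Set-ItemProperty -Path $keyPath -Name $n -Value 0 -Type DWord
    }
    "Values written. The shares will no longer be created after the next reboot."
}
```

Run it once without -Fix to audit the current state, and again after the reboot to confirm that only IPC$ remains in the share list.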

  Registry editing is dangerous to your computer if not performed correctly. Author assumes no responsibility for any damage or problems that may occur due to registry editing.
Copyright © 2008 Pierre Dufilie IV. All Rights Reserved.