2

I have an XP Pro computer acting as a Quickbooks server. I've noticed that any user on the domain can access the computer via \\quickbooks\c$. I've looked in the local Administrators group on the quickbooks server and there is no group that any domain user would be a part of. I've checked the access on all of my Windows Server 2008 machines and they work as expected (Domain Users cannot access c$ share). It's just this one computer that is allowing them.

I can't find any hint as to why it's allowing access for everyone. Any ideas on where else I can check?

JohnThePro
  • 2,595
  • 14
  • 23
Safado
  • 4,786
  • 7
  • 37
  • 54
  • Look at the NTFS permissions on the C drive. – joeqwerty Feb 08 '12 at 17:52
  • 1
    Check the domain groups "Domain Users" and "Users", are either of them members of a group which would elevate access? – jscott Feb 08 '12 at 18:26
  • They're part of Domain Users, yes, but no groups with elevated access. I created a vanilla test user and was still able to get in. joeqwerty -- I looked at the NTFS permissions and have removed as much as I could and they still had access. If I explicitly denied Domain Users, though, it blocked me. This is a less than ideal solution.... – Safado Feb 08 '12 at 19:43

2 Answers2

3

Probably has nothing to do with domain permissions. You should just disable the c$ administrative share and set appropriate permissions on any other shares you do have.

Link to disabling administrative shares.

I haven't tried it but I generally find decent info there.

ErnieTheGeek
  • 2,037
  • 16
  • 22
  • From what I've found, the share just recreates itself whenever the file share service is restarted or when the computer is rebooted. Is there a built-in way to disable it permanently? – Safado Feb 08 '12 at 19:22
  • Added in a link to a technote on it. – ErnieTheGeek Feb 08 '12 at 21:55
0

What version of XP are you running? SP3 disables Administrative Share access over the network.

You can enable it by following the very simple steps listed here:

http://en.wikipedia.org/wiki/Administrative_share#How_to_enable_in_Windows_XP_Service_Pack_1.2C_2.2C_and_3

But in short, if you're looking to disable this behavior by default (XP SP2 and prior allow this kind of access) you should upgrade that XP machine to SP3.

EDIT: Given the uproar about this particular solution, I should make it clear that IF DOMAIN USERS CAN ACCESS ADMINISTRATIVE SHARES OVER THE NETWORK, it is because they have permission to do so. Somewhere along the way, one or all users were given the permissions to access this. Administrative shares ($) are only supposed to be accessible by Administrator level accounts. Period.

JohnThePro
  • 2,595
  • 14
  • 23
  • This will only work for non-domain computers. Toggling the "Simple Sharing" option will have no effect -- it will be disabled for domain members. – jscott Feb 08 '12 at 18:24
  • I was just saying that it seems as though he wants to disable access to the C$ share. Installing SP3 disables access to this share from over the network, even in domain environments (best as I've been told). – JohnThePro Feb 08 '12 at 18:36
  • 2
    @JohnThePro it doesn't - at least not for me – the-wabbit Feb 08 '12 at 18:40
  • 1
    As best you've been told? Gotta link? Preferably something from MS? I'm not seeing the behavior you describe. I just imaged an XPSP3 machine, enabled Simple Sharing, joined the machine to a test domain (no additional GP) and the `C$` became available to domain administrators. – jscott Feb 08 '12 at 18:45
  • No link. Previous team member. Why would you enable Simple Sharing? That's the opposite of the behavior he wants. In any case, original answer has been edited. – JohnThePro Feb 08 '12 at 18:58
  • I am indeed on SP2. I have to put in a request for downtime before I can test this out, but I've seen other people say the same thing, that SP3 disables the Administrative shares via "Simple Sharing". However, I've also read that having this enabled disregards security on any normal share you have on the computer. Can anyone with xp pro SP3 confirm that for me? – Safado Feb 09 '12 at 17:06
  • http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/615c63c7-4082-4ef6-bd90-9287d57f9242/ - 4th post down. – JohnThePro Feb 09 '12 at 19:00
  • "When Simple File Sharing is turned on, remote administration and remote registry editing does not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work because all remote users authenticate as Guest. Guest accounts do not have administrative rights. When Simple File Sharing is turned on, if you configure specific user ACEs, remote users are not affected when Simple File Sharing is turned on because all remote users authenticate as Guest when Simple File Sharing is turned on." - Taken from http://support.microsoft.com/kb/304040 – JohnThePro Feb 09 '12 at 19:04