Administrative access to local disks. Disabling administrative shares


It's nice to feel that in a world where you constantly have to worry about spyware, phishing and attempts to hack wireless networks, there is something constant: as before, Windows itself opens the door to all these threats in a friendly manner. It is so pleasant that you lose your temper at the mere thought of it.

It turns out that every Windows 7 installation has a secret passage through which anyone can get to any file on your computer; the same vulnerability exists in Windows 2000, XP and Vista.

By default, the hard drives on your computer are shared. You read that correctly: every hard drive can be accessed from outside.

What's worse is that these connections are hidden, meaning the drives don't show up in the Network folder in Windows Explorer, so most users have no idea how their data is at risk.

To hide any shared folder, add a $ symbol to its name when creating the share, for example Desktop$. To access this folder afterwards, enter its UNC path in the Windows Explorer address bar (for example, \\Xander\Desktop$) and press Enter.

You can check your computer: open Windows Explorer (better yet, open Windows Explorer on another computer on the network) and enter the name of your computer in the address bar, followed by the name of the administrative share for the C: drive, for example:

\\your_computer\c$

and press Enter. If the contents of the hard drive open, administrative access to shared resources is enabled on your computer. (You can view a list of all shared folders, hidden and visible, using the Computer Management utility, which is discussed later.)

Supposedly, the default settings of Windows 7 prohibit network access to administrative shares. If you can view the contents of the C$ share from your own computer but not from others, then your computer is not in danger in this respect. But do not be surprised if you can see the contents of your C: drive from another computer on the network. Microsoft assures us that this hole has been fixed, but practice proves otherwise. The next subsection describes how to keep administrative access to shared resources while hiding them from remote computers.

Unfortunately, to disable administrative shares it is not enough to simply disable remote access to the drives. You also need to disable the mechanism that automatically re-creates them every time the computer starts. Do the following:

1. Open Registry Editor (see Chapter 3).

2. Expand the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.

3. Double-click the AutoShareServer parameter in the right pane, enter 0 in the Value data field and click OK. (If there is no such parameter, create it with Edit > New > DWORD (32-bit) Value.)

4. Now double-click the AutoShareWks parameter, enter 0 in the Value data field and click OK. (Again, if there is no such parameter, create it with the same command.)

5. Close Registry Editor.

6. Open the Start menu, type compmgmt.msc in the search field and press Enter. The Computer Management utility will open. It can also be opened by right-clicking Computer in the Start menu and selecting Manage.

7. In the left pane, expand System Tools, then Shared Folders, and click the Shares folder.

This displays a list of all shared folders on your computer, hidden or not. Even if you don't care about administrative shares, this tool is useful for tracking existing connections. The list of shared resources can also be viewed at the command line by running net view /all \\localhost. To delete a shared resource, use the command net use /delete resource, where resource is the name of the shared resource.

8. To delete administrative shares manually, right-click each of them (C$, D$, E$, etc.) and select Stop Sharing from the context menu. Answer Yes to both prompts.

Here you can remove any hidden shares (that is, anything with a name ending in a dollar sign), except for the following three:

  • IPC$, which stands for Inter-Process Communication. This share is used for remote control of the computer (something few people need). It has been proven that a computer can be attacked through the IPC$ share, but the only way to disable it is to permanently deny shared access to any files. You can temporarily stop sharing IPC$, but Windows will recreate it the next time you start;

  • print$. This share holds printer driver files in an environment with a shared printer. Although it could theoretically also be used for malicious purposes, it is better not to disable it if a shared printer is connected to your computer;

  • wwwroot$. This share appears when Microsoft Internet Information Server is installed on your computer. Do not remove it if your computer is used as a web server or a network software development platform.

9. When finished, restart Windows. Open Computer Management again to ensure that administrative shares have not risen from the ashes.
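The procedure above (registry steps 2 to 4, share removal in step 8 and the check in step 9) as a PowerShell script, added here as an example and not part of the original text. It assumes an elevated PowerShell session on the computer in question and uses net.exe so that it also works on Windows 7; note that net share X /delete removes a share, whereas net use /delete only disconnects a client-side connection.

```powershell
# Added example (not from the article). Assumes an elevated PowerShell on the
# computer whose administrative shares you want to disable.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-HiddenShares {
    # Parse 'net share' output: the share name is the first token of each
    # line, and hidden shares end with '$'.
    net share | ForEach-Object {
        if ($_ -match '^(\S+\$)\s') { $Matches[1] }
    }
}

function Disable-AdminShares {
    # Steps 3 and 4: stop the Server service recreating C$, D$, ADMIN$ at the
    # next boot. -Force creates the DWORD values if they do not exist yet.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        New-ItemProperty -Path $Params -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Step 8: remove the current drive and ADMIN$ shares. IPC$ and print$ are
    # deliberately left alone, as the article advises.
    foreach ($share in Get-HiddenShares) {
        if ($share -match '^([A-Z]\$|ADMIN\$)$') {
            net share $share /delete | Out-Null
        }
    }
}

function Test-AdminSharesDisabled {
    # Step 9 check, to run after the reboot: $true if no drive or ADMIN$ share
    # exists and both registry values are 0.
    $p = Get-ItemProperty -Path $Params
    $regOk = ($p.AutoShareServer -eq 0) -and ($p.AutoShareWks -eq 0)
    $left = Get-HiddenShares | Where-Object { $_ -match '^([A-Z]\$|ADMIN\$)$' }
    if ($left) { Write-Warning "Administrative shares still present: $($left -join ', ')" }
    $regOk -and -not $left
}

Disable-AdminShares
Get-HiddenShares          # what is still shared right now (IPC$, print$ expected)
```

Run Test-AdminSharesDisabled after restarting Windows; it returns $false and warns if the shares have come back.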

Some administrators do not approve of this approach. After all, hidden administrative shares are invented for a reason. They allow network administrators to install programs, defragment disks, access the registry, and perform other computer maintenance tasks remotely. However, ask yourself, how often do you do this?

Administrative shares are also required by the Previous Versions feature (discussed in the section “Back to the past - using restore points and shadow copies”). Disable administrative shares, and the Previous Versions tab in the Properties window of any file will be empty. Next, I will tell you how to plug the security hole while keeping the ability to access previous versions.

I ran into a problem where I cannot connect remotely to the default administrative shares (the ones with the dollar sign) on a Windows 10 computer under a user who is a member of the local Administrators group. At the same time, this access works under the built-in local Administrator account.

A little more detail about what the problem looks like. From a remote computer I am trying to access the built-in administrative shares of a Windows 10 computer that is a member of a workgroup (with the firewall disabled) like this:

  • \\win10_pc\C$
  • \\win10_pc\D$
  • \\win10_pc\IPC$
  • \\win10_pc\Admin$

In the authentication window I enter the name and password of an account that is a member of the Windows 10 local Administrators group, after which an access error appears (Access is denied). However, access to shared network folders and printers on the Windows 10 computer works fine. Access to the administrative shares under the built-in Administrator account also works. If the computer is joined to an Active Directory domain, access to the admin shares under domain accounts with administrator rights is not blocked either.

The cause is another aspect of the security policy introduced with UAC, the so-called Remote UAC (User Account Control for remote connections), which filters the access tokens of local accounts and Microsoft accounts, blocking remote administrative access under such accounts. When connecting under a domain account, this restriction does not apply.

You can disable Remote UAC by creating the LocalAccountTokenFilterPolicy parameter (type REG_DWORD, value 1) in the system registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

Tip. This operation slightly lowers the security level of the system.


Note. You can create the specified key with just one command

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

After rebooting, try to open the C$ administrative share on your Windows 10 computer remotely, logging in with an account that is a member of the local Administrators group. An Explorer window should open with the contents of the C:\ drive.

Note. Other remote management functionality of Windows 10 also becomes available; for example, you can now connect to the computer remotely with the Computer Management snap-in.

So, we have seen how to use the LocalAccountTokenFilterPolicy parameter to allow remote access to the hidden administrative shares for all local administrators of a Windows computer. These instructions also apply to Windows 8.x, 7 and Vista.

One of the tasks of system administration in a corporate network is access control. In particular, access to computers with administrator rights should be strictly regulated.

Since Windows 2000 and Windows XP there has been a built-in local Administrator account, which creates a lot of problems for access control: one password for hundreds or thousands of computers, known to many people and not changed for years - trouble! It has long been recommended to rename or disable this account and create your own. This makes attacks that use local administrative accounts harder, but does not eliminate the threat.

Not long ago a tool appeared for periodically changing the password of the local Administrator account - . It solves many problems, but not all of them. For example, what if there are several groups of service staff and enterprise policy requires each group to have its own local administrative account?

But back to the threats. Clearly, an attacker with local access to a computer can defeat Windows security, obtain the cached password of the local Administrator (or another administrative account) and use it to connect to other computers over the network.

The only way to forbid remote connection to a computer under a local administrative account is to specify the account's SID in the “Deny access to this computer from the network” policy (and possibly “Deny log on through Remote Desktop Services”). If there are many such accounts, you have to list them all in Group Policy. This is manual work, so configuration errors are likely.

The good news is that starting with Windows 8.1 / Server 2012 R2 a new capability was implemented: instead of listing local accounts individually, you can specify a SID common to all of them. There are two such SIDs, “all local accounts” and “all local administrative accounts”:

S-1-5-113: NT AUTHORITY\Local account

S-1-5-114: NT AUTHORITY\Local account and member of Administrators group

Better still, this feature has been backported to Windows 7/8 and Server 2008 R2/2012 (KB 2871997).
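An audit script for the two settings discussed above, the LocalAccountTokenFilterPolicy value from the Remote UAC section and the S-1-5-113 / S-1-5-114 entries in the “Deny access to this computer from the network” right, added here as an example and not taken from the original articles. It assumes an elevated PowerShell session on the computer being checked and that secedit.exe is available.

```powershell
# Added audit example (not from the articles). Run elevated on the machine to check.
$DenyNetworkSids = @('S-1-5-113', 'S-1-5-114')   # Local account / Local account & admin

function Get-RemoteUacState {
    # LocalAccountTokenFilterPolicy = 1 disables Remote UAC token filtering,
    # i.e. every local admin gets a full token over the network (less safe).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
          -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        Value    = if ($null -eq $v) { 'absent (default)' } else { $v }
        Filtered = ($v -ne 1)   # $true: remote UAC filtering still applies
    }
}

function Get-DenyNetworkLogonSids {
    # Export the User Rights Assignment area and read SeDenyNetworkLogonRight.
    $cfg = Join-Path $env:TEMP 'urights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Unresolved entries look like *S-1-5-113,*S-1-5-114; strip the asterisks.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$uac  = Get-RemoteUacState
$deny = Get-DenyNetworkLogonSids
"LocalAccountTokenFilterPolicy: $($uac.Value) (remote UAC filtering active: $($uac.Filtered))"
foreach ($sid in $DenyNetworkSids) {
    $present = $deny -contains $sid
    "Deny network logon for $sid`: $(if ($present) { 'yes' } else { 'NO' })"
}
if (-not $uac.Filtered -and -not ($deny -contains 'S-1-5-114')) {
    'WARNING: local admins get full tokens remotely and are not denied network logon.'
}
```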

It should be noted that there is another simple method of partial protection against the threat in question - a firewall. There are two points.

  1. Using Group Policy, you can specify from which addresses or networks remote connections to the computer's management interfaces are allowed. As a rule, an enterprise security policy requires that administrators' computers be located at least on a dedicated management network, or even at fixed addresses.
  2. Separately, pay attention to permission to connect to shares on personal computers. There is no general solution, but usually company policy here is strict: no user shares. If they are allowed, then only administrative shares, and only for administrators as described in point 1. But if shared printers are used on personal computers, the only simple way to allow this without wrecking the security model is to add a firewall rule permitting the local network (otherwise users will not be able to connect to shared printers on a neighbouring computer).

And one last addition. Don't forget about

If you are still hesitating, remember that Windows passwords can be broken in many ways. Is the problem obvious now? If your computer is not part of a corporate network and you never use remote control, then by leaving the loophole open, you gain nothing - but you can lose everything.
