
Securing Windows Against Stupid Simple Attacks: Pt 3 Auto Share Server aka Administrative Shares

Most users and admins of Windows machines don't know that the Server service automatically creates an administrative share for every logical volume (partition), plus ADMIN$ (the Windows directory) and IPC$. These shares are hidden from browsing by putting a '$' at the end of the share name, i.e. 'C$', 'D$', etc. They are not a hole on their own: connecting requires an account in the local Administrators group (and, on non-domain machines, UAC's remote token filtering blocks most local admin accounts by default). The risk is what they give an attacker who already holds or has reused admin credentials: read access to the whole drive (information disclosure) and a convenient place to drop a malicious file or service binary, which is exactly how PsExec-style lateral movement works over ADMIN$.

Below is what it looks like when GFI alerts on an administrative share misconfiguration, which is the default on a Windows machine.

AutoShareServer
The administrative shares (C$,D$,ADMIN$,etc) are available on this machine. For Internal networks these are normally turned on for administrative purposes. For Web server(s) these are normally turned off in order to solidify the possible entry points (since it is more exposed to attacks.). If you don't use them set HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer to 0 to prevent creation of these shares. For more information, visit: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

AutoShareWKS
The administrative shares (C$,D$,ADMIN$,etc) are available on this machine. For Internal networks these are normally turned on for administrative purposes. For Web server(s) these are normally turned off in order to solidify the possible entry points (since it is more exposed to attacks.). If you don't use them set HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks to 0 to prevent creation of these shares. For more information, visit: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

Running the following from an elevated shell should do the trick. The values are only read when the Server service starts, so the shares stay up until you restart the service (or reboot); `/f` just overwrites a value that already exists without prompting. Only the value matching the SKU is consulted (AutoShareServer on server editions, AutoShareWks on workstations), so setting both is harmless. IPC$ is not controlled by these values and remains, which is what you want. Before rolling this out, check what depends on ADMIN$ and C$ in your environment: PsExec, remote software installs and some patch-management and inventory tools will stop working against a host with the shares disabled.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
net stop server /y
net start server
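The same change as a PowerShell script that first shows what is exposed, applies the setting, restarts the Server service and then verifies that the drive shares and ADMIN$ are gone while IPC$ survives. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (where the SmbShare module exists) and that a brief drop of every SMB session to the host during the service restart is acceptable.

```powershell
# Added example: audit, disable and verify the administrative shares on the local host.
# Assumes an elevated prompt and the SmbShare module (Windows 8 / Server 2012 and later).

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShareValues = 'AutoShareServer', 'AutoShareWks'

# 1. What is exposed right now? Administrative shares are flagged as 'Special'.
Write-Host "Special shares before the change:"
Get-SmbShare | Where-Object { $_.Special } | Select-Object Name, Path | Format-Table -AutoSize

# 2. Current settings. A missing value means the default, i.e. the shares are created.
foreach ($name in $autoShareValues) {
    $current = (Get-ItemProperty -Path $paramsKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { Write-Host "$name not set (default: shares created)" }
    else                    { Write-Host "$name = $current" }
}

# 3. Set both values to 0. Only the one matching the SKU (server vs. workstation) is
#    consulted, so writing both keeps the script SKU-independent.
foreach ($name in $autoShareValues) {
    New-ItemProperty -Path $paramsKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# 4. The value is only read at service start, so restart the Server service.
#    -Force also restarts services that depend on it.
Restart-Service -Name LanmanServer -Force

# 5. Verify: every single-letter drive share (C$, D$, ...) and ADMIN$ should be gone.
#    IPC$ is not governed by AutoShare* and must remain for normal SMB operation.
$remaining = @(Get-SmbShare | Where-Object { $_.Special } | Select-Object -ExpandProperty Name)
$driveOrAdmin = @($remaining | Where-Object { $_ -match '^[A-Z]\$$' -or $_ -eq 'ADMIN$' })

if ($driveOrAdmin.Count -gt 0) {
    Write-Warning "Administrative shares still present: $($driveOrAdmin -join ', ')"
} else {
    Write-Host "Administrative drive shares removed. Remaining special shares: $($remaining -join ', ')"
}
```

To confirm from another machine, `net view \\host` is useless because hidden shares are never listed; instead run `dir \\host\C$` with an admin account, which should now fail with "The network name cannot be found" rather than listing the drive. If it still lists the drive, the Server service has not been restarted, or a GPO is re-creating the value with 1.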

This simple issue falls under the idea of this thread because normally you would push a registry change like this one with a Domain GPO (there is no dedicated policy setting for it, so it goes in as a Group Policy Preferences registry item) or set it by hand on each machine, the way the earlier parts used gpedit.msc. That is perfectly fine for an experienced Domain Administrator, but out of the question for most Windows users and decidedly inconvenient for other administrators who would have to perform the task manually on a large number of machines. The two reg commands above can be dropped into a script or a login task and pushed out with whatever you already use.

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.
