Hidden Shares?


boe

Does Vista still have hidden shares - e.g. c$?

I can't seem to get there using my Windows XP Pro SP2 machine but I can get
to the other shares on my Vista PC
 
Works OK for me. On Windows Server 2003 R2 in Start, Run, key

\\VistaComputerName\c$

press Enter

Windows Explorer opens with content of the C partition on the Vista computer
showing.

What symptom do you get exactly?
 
I keep getting the logon ID and password prompt over and over again. Have
you tried it from an XP machine?

If I create a share, I can get on but the hidden shares from an XP Pro SP2 to
Vista does not work for me.
 
Works for me. Be aware that in Vista, the built-in user account called
Administrator is disabled by default and can't be used locally or remotely.

In Vista, look in Control Panel, User Accounts, Manage User Accounts for the
username that is a member of the "Administrators" group - that should
work.

Also, be aware that both XP and Vista, by default, will only allow
connection to shares with a user account that has a password (one that is
not blank).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
So you are able to attach to the hidden shares (not shares you created) from
an XP machine to a Vista machine?
 
Yes.

However, your post prompted me to do some more tests. The computers I
usually use are all members of a Windows Domain (Windows 2003 R2) that I
have here at home, or in a Domain at work.

Here's what I found:
1. if the target Vista computer is a Domain member, I can connect to the
hidden, administrative shares (e.g. c$) using a Domain user account that is
a member of the local Administrators group on the Vista computer. This
works from an XP or Vista computer regardless of whether the XP computer is
a domain member or not.
2. if the target Vista computer is a Domain member, I can NOT connect to the
hidden, administrative shares using a local user account that is a member of
the local Administrators group from either XP or Vista
3. if the target Vista computer is NOT a Domain member, I can NOT connect to
the hidden, administrative shares using any account from XP or Vista

4. from any computer (XP or Vista), I can connect to "normal" shares on a
Vista computer using any account that has the appropriate permissions

From this I conclude that the hidden, administrative shares are only useful
for Vista computers in domains.


--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Excellent detail - very helpful - thanks!

 
I found this in another posting, hope this helps:

By default, Windows Vista prevents local administrators from using their
administrator powers over the network. This results in the inability to
remotely administer a computer using filesharing and tools that use
similar technology (such as the computer manager MMC snap-in and the
administrative shares, such as C$). However, this DOES NOT affect Remote
Desktop in any way. Also, domain-level admins are not affected.

For example: you have an admin account set up on VISTAMACHINE, and log
in to VISTAMACHINE from your other computer XPMACHINE via the network
(net use or whatnot), and try to access VISTAMACHINE's administrative
share C$. Technically you have access to that share; however, due to the
token filtering, you are returned access denied, since the system is
ignoring the fact that you are an administrator.

To allow administrators local to a computer to use their administrator
powers when accessing the Vista computer remotely, you can follow these
steps:

- Click start
- Type: regedit
- Press enter
- In the left, browse to the following folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
- Right-click a blank area in the right pane
- Click New
- Click DWORD Value
- Type: LocalAccountTokenFilterPolicy
- Double-click the item you just created
- Type 1 into the box
- Click OK
- Restart your computer

Best Regards,

Dave
 
AH! Thank you Dave! Seems to work on my in office Vista computer - I'll
try at home later.

Note: had to key targetcomputername\ in front of the local administrative
user account in the credentials box.

Be aware that setting LocalAccountTokenFilterPolicy to 1 means that many
"administration" functions will be enabled for remote use of the local
administrative user accounts, which could significantly reduce the security
of the Vista computer because the administrative user accounts will
automatically get "elevated" when used remotely.

For those interested, here are a few references about the
LocalAccountTokenFilterPolicy setting. Unfortunately, there does not appear
to be a way to set this using the Local Security Policy administrative tool
or gpedit.

http://blogs.msdn.com/vistacompatteam/archive/2006/09/22/766945.aspx
http://msdn2.microsoft.com/en-gb/library/aa826699.aspx
http://support.microsoft.com/kb/927832
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=1086227&SiteID=1
 
Works at home with Vista computers that are NOT in a domain.

It is not necessary to restart the computer after changing the registry
entry, the change takes effect immediately.

So, one can create two files for toggling this setting on or off:
AllowConnectToAdminShares.reg which contains:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000001

and
PreventConnectToAdminShares.reg which contains:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"LocalAccountTokenFilterPolicy"=dword:00000000

If you are logged on with an administrative user account:
To allow connection to the administrative shares, double click on
AllowConnectToAdminShares.reg.

To prevent connection to the administrative shares, double click on
PreventConnectToAdminShares.reg

As I said in my earlier post, setting LocalAccountTokenFilterPolicy to 1
also allows other remote management tasks such as:
1. using Computer Management to manage users and groups
2. using Computer Management to manage Shares
3. manage printers (add, delete, change driver, change Properties)

which will, generally speaking, reduce or bypass some of the inherent
security in Vista, so you need to evaluate the benefit against the risk.


--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
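
Added example, not part of the original thread: a PowerShell check that reports whether LocalAccountTokenFilterPolicy is weakening remote token filtering on the local machine, plus a function to put the value back to 0. The function names Get-TokenFilterState and Restore-TokenFilterDefault are hypothetical; the registry key and value name are the ones given in the posts above.

```powershell
# Added example (not from the thread). Reading works for any user;
# Restore-TokenFilterDefault must be run from an elevated prompt.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterState {
    # Hypothetical helper: returns one object describing the current setting.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { $null } else { $item.$PolicyName }

    # A missing value behaves like 0: local administrator accounts that
    # connect over the network receive a filtered (non-elevated) token.
    $filtered = ($null -eq $raw) -or ($raw -eq 0)

    if ($filtered) {
        $finding = 'OK: remote use of local admin accounts is filtered (C$ etc. denied)'
    } else {
        $finding = 'REVIEW: local admin accounts are fully elevated when used remotely'
    }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        ValuePresent   = ($null -ne $raw)
        RawValue       = $raw
        RemoteFiltered = $filtered
        Finding        = $finding
    }
}

function Restore-TokenFilterDefault {
    # Hypothetical helper: same effect as PreventConnectToAdminShares.reg.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyName", 'Set to 0')) {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord
    }
}

# Report the current state; call Restore-TokenFilterDefault -WhatIf to preview a reset.
Get-TokenFilterState | Format-List
```

Because the change takes effect without a restart, a machine where the value was set to 1 for a one-off task stays exposed until it is set back, so this check is worth running after any remote maintenance session.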
 