Windows security - hidden shares

[jbrots04]

Thanks in advance for any assistance.

Is there a way to log connections to a hidden share on a Windows 2000 professional workstation?

I believe that a malicious user has the administrator password to a pc and is connecting to the hidden share \\pcname\C$.

I would like to log these occurrences if possible and also prevent this from happening in the future.

Any feedback is greatly appreciated.

Thanks,
Jeff

 

[wolluf]

Think you can set up auditing to monitor access - but why not just change the Administrator password?

 

[bcastner]

Or remove the hidden Administrative shares?

By default the drive letters are shared (C$, D$, etc.) as hidden shares for Administrator access. Even if you delete the shares manually they will be recreated at next bootup.

To remove these shares for good add the following DWORD registry values :

NT Server :

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters]
AutoShareServer=0

NT Workstation :

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Parameters]
AutoShareWks=0

Note that the IPC$ share will not be removed by setting these registry values.

Note that it will only stop Windows from creating the shares at startup, one have to delete the admin shares one self, but only once after changing the above registry keys. Besides using the standard interface for removing the shares, one can also find and delete the shares by editing the registry database at this location:
[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanmanServer \Shares]

http://snakefoot.fateback.com/tweak/winnt/sharing.html#ADMIN_SHARE