A question about the default C$ share

  • Question

  • Hello everyone,

    Is it possible to use a GPO to restrict the default C$ share??

    Thanks!!

    July 9, 2010, 8:10 AM

Answer

  • By the way, you can also try to create a logon script and run via GPO to do that:

    In a batch file you can delete the admin shares individually like this:

    net share c$ /delete
    net share admin$ /delete
    net share IPC$ /delete
    etc

    also using a VB script such as:

    http://www.freevbcode.com/ShowCode.asp?ID=4514

    thx!


    Microsoft MVP for Windows Server-Networking, MCT, http://msmvps.com/blogs/richardwu
    • Proposed as answer by Vincent Lin, July 12, 2010, 2:12 AM
    • Marked as answer by Vincent Lin, July 16, 2010, 9:44 AM
    July 9, 2010, 8:49 AM

All replies

  • Hi,

    You could on one machine disable them as stated below, export the key and then in a GPO import it.

    Disable the default shares
    Windows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted.

    The other way is via the Registry by editing

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters.

    For servers, edit AutoShareServer with a REG_DWORD value of 0. For workstations, edit AutoShareWks. Keep in mind that disabling these shares provides an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:

    Share: Path and function
    C$, D$, E$: Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.
    ADMIN$: %SYSTEMROOT%. This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
    FAX$: On Windows 2000 Server, this is used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
    IPC$: Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources.
    NetLogon: This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
    PRINT$: %SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS. Used during remote administration of printers.

    You can reference this link for importing registry setting to the GPO:

    http://www.windowsitpro.com/article/registry2/q-how-can-i-use-group-policy-to-control-whether-the-default-administrative-shares-are-created-.aspx

    thx!


    Microsoft MVP for Windows Server-Networking, MCT, http://msmvps.com/blogs/richardwu
    July 9, 2010, 8:47 AM
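
The registry setting described in the reply above, as an added PowerShell example that is not part of the original thread: it reports whether the AutoShare value for this machine's role is set to 0, lists the administrative shares currently present, and sets the value only when asked. It assumes an elevated PowerShell 3.0 or later session; the `-Enforce` switch and the function name are chosen for this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell 3.0+ session.
# -Enforce is a switch name chosen for this example.
[CmdletBinding()]
param([switch]$Enforce)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$valueName   = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

function Get-AutoShareValue {
    # Returns $null when the value does not exist (default: shares are created).
    (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

$current = Get-AutoShareValue
if ($Enforce -and $current -ne 0) {
    # Creates the REG_DWORD or overwrites an existing non-zero value.
    New-ItemProperty -Path $key -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
    $current = Get-AutoShareValue
    Write-Warning "$valueName set to 0. Restart the Server service or reboot to apply."
}

if ($null -eq $current) { $state = 'not set (default: shares are created)' }
elseif ($current -eq 0) { $state = 'disabled' }
else                    { $state = "enabled (value $current)" }

# Administrative shares have the high bit set in Win32_Share.Type (values >= 2147483648).
# Shares removed with "net share x$ /delete" come back when the Server service next
# starts unless the value above is 0. IPC$ is not governed by these values.
$adminShares = @(Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -ge 2147483648 })

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    ValueName   = $valueName
    State       = $state
    AdminShares = ($adminShares.Name -join ', ')
}
```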