Security Concern with my Windows 7 Box at Work

security windows network-shares windows-domain

This question may be weird and misworded but I'm not a Windows expert by any means so feel free to correct me.

The group I'm in recently got new computers at work. They gave me a new computer and hooked up my old computer to the network for a week so I could take my time transferring necessary files/configs etc. The Support Guy said, "Just go to 'run' and type in \\PCNAME\c$. So I did and, low and behold, there's my old C: drive. I thought to myself, "What a huge security issue. I'll just transfer everything quickly and then 'un-share' it."

The end of the day came and I logged in through remote desktop and right clicked on the C drive. But it was not shared. I called The Support Guy and explained to him that I didn't want my C drive available to everyone on the network all weekend. He seemed confused. He said, "It's not really 'shared'. If you go to the command prompt and type in \\ANYPCNAME\c$ you get their C drive. That's just how it is."

I hung up the phone and walked over to a coworker's desk and looked at his PC name (there's a sticker on every computer) and then walked back to my desk and put a hello file on his desktop.

I don't keep anything personal on my work computer but there are definite security concerns. Not really from within the group I'm in but from the hundreds of other employees on the network (and domain) that I don't know. I'm fine with practical jokes but what if someone has an unknown grudge against me (or someone with a similar name or computer name) and adds nasty language against my boss to documents which are part of a project?

Is this an inherit part of how Windows domains work? Are there any steps I can take to make my box a little more secure? Bear in mind that I do have admin rights to the box but I can't change anything as far as the network or domain goes. Even just an explanation of what's going on would be a big help as this goes against everything that I know to be 'pretty basic' about computer systems in general. I'm more familiar with Linux so Windows World is a little foreign to me.

Follow Up

Voiced my concerns about this at work. I was told, "Nobody knows about the drive$ thing so there's nothing to worry about." Followed Darth's solution and added that registry key. Now I'll wait and see if anyone gets alerted.


Solution 1:

What you're seeing is one of the Administrative Shares which is enabled on every Windows machine for all non-removable drives as \\computername\driveletter$. However, it should only be accessible to someone who is in the local Administrators group (it sounds like the Domain Administrators or Domain Users group has been added to the local Administrators group).

The sad fact of life is you can't really disable them completely without losing something else in turn (You can disable filesharing, for example, but then you can't share files...). Since they are hidden shares (as denoted by the $ at the end), you can't view them when broswing \\computername, but they will show if you type net share in a command prompt.

Disabling them shouldn't be your first course of action if Support Guy is willing to listen to a bit of reason-- Ask him to restrict the permissions that regular users have on computers over the network so that they cannot mess with each other's files, or see if he will move user profiles and documents to a server fileshare (the better, but much more involved solution).

If he can't or won't fix this, you can disable them temporarily by typing net share c$ /delete, but Windows will recreate them every time the computer is rebooted. You might be able to stick these commands into a batch file that's run on startup.

If you really wish to secure your computer, there's also hidden shares called admin$ and IPC$ which could both reveal lots of information about your computer and it's files to someone on the network which you can disable.

As pointed out in other answers, there may be programs that depend upon these shares being available, and this might get Support Guy's attention if he's trying to use one of the administrative shares to help maintain your system and can't access it.

Edit:

It seems you can disable the root partition shares (c$, d$, etc.) with the following registry key (create it if it doesn't exist):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareWks
Data Type: REG_DWORD
Value: 0

This will not disable the IPC$ share, however.

Solution 2:

Your user account is probably set as Administrator on all the PCs on the network. There can be various reasons for this, most of them not the best.

Every computer on a domain has each drive shared with what is called and Administrative Share. This share is always the drive letter followed by $. As you saw it: C$. This is always available to all users whose accounts are administrators on that computer.There are good reasons for it. Most patching programs use this, as do many security programs. Also, SupportGuys like me use it for getting files to and from the computers for repair, diagnosis, troubleshooting, and user assistance, just to name a few.

You generally do not want to delete an adminstrative share unless you are sure there are no necessary programs on your network that require it. For instance: SupportGuy may need to use this share to deploy critical updates to your computer.

The problem occurs when all regular user accounts on the network as administrators. This is the problem and this is what ought to be addressed in your office. You should be users or power users, depending on the necessary permissions. With special cases given for people who actually need administrator rights.

UPDATE Addressing other answers: I would highly recommend against disabling the administrative share unless you really know there are no systems requiring it. The first course of action should be finding out why your account has domain administrator permissions and if that is really necessary. Doing this will fix security problems in the whole network, not just one little symptom problem you've discovered here. If there is no legitimate reason for you to have domain administrator rights and the SupportGuy is unwilling to remove said rights should you consider actually removing the administrative share.

Solution 3:

The C$ is the administrative share. You probably should not disable it, as it may break things.

The real security issue here is that it sounds like they made everyone administrators on every machine (maybe through domain users being added to the local administrators group).

In some ways that should not be an issue since, personally, I don't believe anything should be stored locally in the first place, and that "My Documents" should be redirected to your personal mapped drive on the server, which they would not have access to unless there were an even greater security lapse.

Solution 4:

As everyone has said driveletter$ is a fact of windows life.

But why are you an administrator on you co-workers desktop? And.. I would confirm is he an administrator on your desktop? THIS is the real issue here.

Even if you were to remove the admin share.. there is nothing preventing people from logging onto your desktop and accessing your files because they are an administrator on your machine. The share, is just a handy way to bypass logging on.

Since you're an admin on your machine, I would take a look at the admin group, add yourself explicitly and then remove the domain users group that is probably there.

Related

How to run programs from a linux terminal without blocking the terminal?
How to delete a file that contains a backslash in the name under Windows 7? [duplicate]
Install FFmpeg on OS X
Windows 10 notification center hotkey
Create a new file in Total Commander
How can I pass an alias to sudo?
"watch" the output of a command until a particular string is observed and then exit
Did Debian lenny repositories vanish?
When does Excel decide to overflow text into adjacent cells, or cut them at the boundary?
List of all available man pages
Creating a symbolic link to mapped network drive in Windows
The @ symbol and systemctl and vsftpd