| VID |
28344 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
Automatic hidden shares has been detected as being enabled on the target Windows host.
By default, Windows NT and Windows 2000 creates the administrative shares (C$, D$, ADMIN$) for all physical drives. Although you delete these shares, they will be recreated when you reboot. If a remote attacker could log in to the affected host with administrator account, then this setting would allow the attacker to access arbitrary files by mapping the network drive.
* Platforms Affected:
Microsoft Windows NT Any version
Microsoft Windows 2000 Any version
Microsoft Windows XP Any version
Microsoft Windows Server 2003
Microsoft Windows 7, 8
Microsoft Windows Server 2008, 2012 |
| Recommendation |
If security is a concern the administrative share can be disabled. This will prevent users in the administrators group from accessing your drives. If an application depends on this server this feature must not be disabled.
To disable this feature, using regedit, edit the following Registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On Windows NT/2000/2003 Server, double click on AutoShareServer and set it to 0.
On Windows NT/2000/XP Workstation, double click on AutoShareWks and set it to 0.
If the entry is not present, Create the registry entry above and add value of type REG_DWORD.
Restart Windows and the automatic shares should not be created. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
2580,2581,4603 (ISS) |
|
