Windows Vista, And Administrative Shares

Under Windows XP and earlier versions of Windows, any administrator of a server could gain access to any portion of any drive on the server, through the network. Even if no share was defined, any drive was always available, in its entirety, to anybody with administrative access.

This ability was known as an administrative share. Besides any explicitly defined shares, every server would have a "C$" share (and a "D$", etc, for additional drives). The shares weren't browsable - they wouldn't show up in Network Neighbourhood, and a server with no explicitly defined shares would even show up, at all, under Windows XP. But anybody with administrative access could map a share to "C$" and have access to the entire C drive, instantly.

Windows Vista has removed the administrative share from the default server configuration. Fortunately for many, this ability can be restored, with a simple registry entry.

For registry key [HKLM\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ system], add a DWord value LocalAccountTokenFilterPolicy of "1". Then restart the computer.

>> Top