
Administrative access to local disks. Remote administrative access to Windows

I ran into a problem: it is not possible to connect remotely to the default administrative shares (the ones whose names end with a dollar sign) on a Windows 10 computer as a user who belongs to the local Administrators group. At the same time, under the built-in local administrator account such access works.

A little more about what the problem looks like. From a remote computer, I try to open the built-in administrative shares of a Windows 10 computer that is a member of a workgroup (with the firewall disabled), like this:

  • \\win10_pc\C$
  • \\win10_pc\D$
  • \\win10_pc\IPC$
  • \\win10_pc\ADMIN$

In the authorization window, I enter the name and password of an account that is a member of the local Administrators group on Windows 10, and an access error appears (Access is denied). At the same time, access to shared network folders and printers on the Windows 10 computer works normally. Access to the administrative shares under the built-in Administrator account also works. If the computer is joined to an Active Directory domain, access to the admin shares under domain accounts with administrator rights is not blocked either.

The cause is another aspect of the security policy that appeared with UAC: the so-called Remote UAC (User Account Control for remote connections), which filters the access tokens of local accounts and Microsoft accounts, blocking remote administrative access under such accounts. When a domain account is used, this restriction is not applied.

Remote UAC can be disabled by creating the LocalAccountTokenFilterPolicy parameter in the system registry.

Tip. This operation slightly reduces the system security level.

Note. The specified key can be created with a single command:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d 1 /f

After the system restarts, try to open the C$ administrative share on the Windows 10 computer remotely. Log in with an account that is a member of the local Administrators group. An Explorer window should open with the contents of the C:\ drive.

Note. Other remote management functionality of Windows 10 becomes available as well; for example, you can now connect to the computer remotely with the Computer Management snap-in.

So, we have looked at how to use the LocalAccountTokenFilterPolicy parameter to allow remote access to the hidden admin shares for all local administrators of a Windows computer. This instruction also applies to Windows 8.x, 7 and Vista.

It is nice to feel that in a world where you constantly have to worry about spyware, phishing and attempts to hack wireless networks, there is something constant: as before, Windows itself kindly opens the door to all these threats. It is so nice that the mere thought of it makes you lose your temper.
It turns out that every Windows 7 installation has a secret passage through which anyone can get to any file on your computer; this vulnerability also exists in Windows 2000, XP and Vista.
By default, the hard disks on the computer are shared. You understood correctly: all hard disks can be reached from outside. Worse still, these connections are hidden, that is, the disks are not displayed in the Network folder of Windows Explorer, and therefore most users do not even suspect what threat their data is exposed to.
To hide any shared folder, add a $ character to its name when creating the share, for example, Desktop$. To open this folder, enter its UNC path in the Windows Explorer address bar and press ENTER.
You can check your computer: open Windows Explorer and enter in the address bar the name of your computer followed by the name of the administrative share for drive C:, for example:
\\Your_computer\C$ and press ENTER. If the contents of the hard disk open, administrative access to shared resources is allowed on your computer.
Unfortunately, disabling remote access to the disks is not enough to disable the administrative shares. You need to disable the mechanism that automatically enables them every time the computer is turned on. Do the following:
1. Open the registry editor.
2. Expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters branch.
3. Double-click the AutoShareServer parameter, enter 0 in the value field and click OK. (If the parameter does not exist, create it as a DWORD parameter.)
4. Now double-click the AutoShareWks parameter, enter 0 in the value field and click OK.
5. Close the registry editor.
6. Open the Start menu, enter compmgmt.msc in the search field and press ENTER. The Computer Management utility opens. It can also be opened by right-clicking the Computer item in the Start menu and selecting Manage.
7. In the left pane, expand System Tools, then Shared Folders, and click the Shares folder.
All shared folders on the computer are listed here, whether they are hidden or not. Even if the problem of administrative shares does not worry you, this tool is convenient for tracking existing connections. To delete a share, use the net share resource /delete command, where resource is the name of the share.
8. To delete the administrative shares manually, right-click each of them and select Stop Sharing in the context menu. Answer Yes in both confirmation windows.
Here you can delete any hidden shares, with the exception of the following three:
IPC$, which stands for Inter-Process Communication. This share is used for remote management of the computer. It has been shown that a computer can be compromised through the IPC$ share; however, the only way to disable it for good is to prohibit sharing of any files altogether. You can temporarily stop sharing IPC$, but Windows will recreate it at the next start;
print$. This share is used to exchange printer driver files in an environment where there is a shared printer. Although in theory this shared folder can also be used for malicious purposes, it is better not to turn it off if a shared printer is connected to your computer;
wwwroot$. This share is present in the list when Microsoft Internet Information Server software is installed on the computer. Do not change it if your computer is used as a web server or a network software development platform.
9. When finished, restart Windows. Open the Computer Management utility again to make sure that the administrative shares have not risen from the ashes.
Some administrators do not approve of this approach. After all, hidden administrative shares were not invented for nothing. They allow network administrators to install programs, defragment disks, access the registry and carry out other computer maintenance remotely. However, ask yourself: how often do you do that?
Administrative shares are also needed by the Previous Versions feature. Disable administrative sharing, and the Previous Versions tab in the Properties window of any file will be empty. Later I will explain how to close the security hole while keeping access to previous versions.
If you still hesitate, remember that Windows passwords can be cracked in a variety of ways. Is the problem obvious now? If your computer is not part of a corporate network and you never use remote management, then by leaving the loophole open you gain nothing, and you can lose everything.

It is nice to feel that in a world where you constantly have to worry about spyware, phishing and attempts to hack wireless networks, there is something constant: as before, Windows itself kindly opens the door to all these threats. It is so nice that the mere thought of it makes you lose your temper.

It turns out that every Windows 7 installation has a secret passage through which anyone can get to any file on your computer; this vulnerability also exists in Windows 2000, XP and Vista.

By default, shared access to the hard disks is open. You understood correctly: all hard disks can be reached from outside.

Worse still, these connections are hidden, that is, the disks are not displayed in the Network folder of Windows Explorer, and therefore most users do not even suspect what threat their data is exposed to.

To hide any shared folder, add a $ character to its name when creating the share, for example, Desktop$. To open this folder, enter its UNC path (for example, \\Xander\Desktop$) in the address bar and press ENTER.

You can check your computer: open Windows Explorer (even better, open Windows Explorer on another computer on the network) and enter in the address bar the name of your computer followed by the name of the administrative share for drive C:, for example:

\\your_computer\C$

and press ENTER. If the contents of the hard disk open, administrative access to shared resources is allowed on your computer. (The list of all shared folders, hidden and visible, can be viewed with the Computer Management utility, which is discussed below.)

Presumably, the default settings of Windows 7 prohibit network access to the administrative shares. If you can view the contents of a $ share from your own computer but not from others, your computer is not at risk from this point of view. But do not be surprised if you see the contents of your C: drive from another computer on the network. Microsoft assures us that it has closed this hole, but practice proves otherwise. How to keep administrative access to the shares but hide them from remote computers is covered in the next subsection.

Unfortunately, disabling remote access to the disks is not enough to disable the administrative shares. You need to disable the mechanism that automatically enables them every time the computer is turned on. Do the following:

1. Open the registry editor (see Chapter 3).

2. Expand the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters branch.

4. Now double-click the AutoShareWks parameter, enter 0 in the Value Data field and click OK. (And again, if there is no such parameter, create it in the same way.)

5. Close the registry editor.

6. Open the Start menu, enter compmgmt.msc in the search field and press ENTER. The Computer Management utility opens. It can also be opened by right-clicking Computer in the Start menu and selecting Manage.

7. In the left pane, expand System Tools, then Shared Folders, and click the Shares folder.

All shared folders on the computer are listed here, whether they are hidden or not. Even if the problem of administrative shares does not worry you, this tool is convenient for tracking existing connections. By the way, the list of shares can also be viewed at the command line by running the net view /all \\localhost command. To delete a share, use the net share resource /delete command, where resource is the name of the share.

8. To delete the administrative shares manually, right-click each of them (C$, D$, E$, etc.) and select Stop Sharing in the context menu. Answer Yes in both confirmation windows.

Here you can delete any hidden shares (that is, everything whose name ends with a dollar sign), except for the following three:

tive environment is few people need). It has been shown that a computer can be compromised through the IPC$ share; however, the only way to disable it for good is to prohibit sharing of any files altogether. You can temporarily stop sharing IPC$, but Windows will recreate it anyway at the next start;

flaw in malicious purposes, it is better not to disconnect it if a common printer is connected to your computer;

p is used as a web server or network software development platform.

9. When finished, restart Windows. Open the Computer Management utility again to make sure that the administrative shares have not risen from the ashes.

Some administrators do not approve of this approach. After all, hidden administrative shares were not invented for nothing. They allow network administrators to install programs, defragment disks, access the registry and carry out other computer maintenance remotely. However, ask yourself: how often do you do that?

Administrative shares are also needed by the Previous Versions feature (this was mentioned in the section "Back to the Past - use the recovery points and shadow copies"). Disable administrative sharing, and the Previous Versions tab in the Properties window of any file will be empty. Later I will explain how to close the security hole while keeping access to previous versions.
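
The following audit sketch is an example added here, not code from the original articles. It reads the text output of reg query for the three registry values named above (LocalAccountTokenFilterPolicy, AutoShareServer, AutoShareWks) and reports the resulting posture; the function names and the sample output are constructed for illustration.

```python
import re

# One value line of `reg query` output, e.g. "    AutoShareWks    REG_DWORD    0x0"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {lower-cased value name: int} for each REG_DWORD line."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values

def assess(reg_query_text):
    """Hypothetical helper: summarise the admin-share settings of one host."""
    values = parse_reg_query(reg_query_text)
    # Absent or 0: Remote UAC filters the tokens of local accounts (default).
    filtering = values.get("localaccounttokenfilterpolicy", 0) != 1
    # Absent or non-zero: Windows recreates C$, ADMIN$ etc. at startup (default).
    # Following the procedure above, both values must be 0 to count as disabled.
    auto_shares = any(values.get(name, 1) != 0
                      for name in ("autoshareserver", "autosharewks"))
    return {
        "remote_uac_filtering": filtering,
        "auto_admin_shares": auto_shares,
        # With these settings, members of the local Administrators group
        # can open C$/ADMIN$ over the network.
        "local_admins_reach_admin_shares": auto_shares and not filtering,
    }

# Constructed sample output (not captured from a real machine).
HOST_A = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    LocalAccountTokenFilterPolicy    REG_DWORD    0x1
"""
HOST_B = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    AutoShareServer    REG_DWORD    0x0
    AutoShareWks    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for name, text in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        print(name, assess(text))
```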

One of the tasks of system administration in a corporate network is access control. In particular, access to computers with administrator rights must be strictly regulated.

Since the days of Windows 2000 and Windows XP there has been a built-in local administrator account, which creates many problems for access control: one password for hundreds or thousands of computers, known to many people, with no possibility of changing it for years. Trouble! It has long been recommended to rename or disable this account and create your own. This makes attacks that use local administrative accounts more difficult, but does not rule out such threats.

Not so long ago, a tool for periodically changing the password of the local administrator account became available. It solves many problems, but not all. For example, what if there are several groups of service personnel and company policy requires each of them to have its own local administrative account?

But let's return to the threats. It is clear that, having local access to a computer, an attacker can break Windows security, obtain the cached password of the local administrator (or another administrative account) and use it to connect to other computers over the network.

The only way to prohibit remote connections to a computer under a local administrative account is to list that account in the "Deny access to this computer from the network" policy (and possibly "Deny log on through Remote Desktop Services"). If there are many such accounts, you will have to list them all in Group Policy. That brings in the human factor, and with it the chance of configuration errors.

The good news is that, starting with Windows 8.1 / 2012 R2, a new capability has been implemented: instead of listing local accounts, you can specify a common SID for all of them. There are two such SIDs, "all local accounts" and "all local administrative accounts":

S-1-5-113: NT AUTHORITY\Local account

S-1-5-114: NT AUTHORITY\Local account and member of Administrators group

The good news is also that this feature has been ported to Windows 7/8/2008 R2/2012 (KB 2871997).
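
To verify that the deny policies described above actually reference one of these SIDs, the security policy can be exported with secedit /export /cfg and checked. The sketch below is an example added here, not code from the original article; the function names and the sample INF text are constructed for illustration.

```python
LOCAL_ACCOUNT = "S-1-5-113"   # NT AUTHORITY\Local account
LOCAL_ADMIN = "S-1-5-114"     # ... and member of Administrators group

# User-right constants behind the two policies named in the text.
RIGHTS = {
    "SeDenyNetworkLogonRight":
        "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight":
        "Deny log on through Remote Desktop Services",
}

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section into {right: [members]}."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, members = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [m.strip().lstrip("*")
                                    for m in members.split(",") if m.strip()]
    return rights

def local_accounts_denied(inf_text):
    """Return {right: True if S-1-5-113 or S-1-5-114 is denied}."""
    rights = privilege_rights(inf_text)
    return {right: any(sid in rights.get(right, [])
                       for sid in (LOCAL_ACCOUNT, LOCAL_ADMIN))
            for right in RIGHTS}

# Constructed sample of an exported policy (not from a real machine).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-114,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, denied in local_accounts_denied(SAMPLE_INF).items():
        print(f"{RIGHTS[right]}: {'set' if denied else 'MISSING'}")
```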

Another simple way of partially protecting against the threat under consideration should also be noted: the firewall. There are two points.

  1. Through Group Policy you can specify from which addresses or networks remote connections to the computer's management interfaces are allowed. As a rule, company security policy requires that administrators' computers be at least in a dedicated management network, or even at strictly defined addresses.
  2. Separately, attention must be paid to permission to connect to shares located on personal computers. There is no general solution here. Usually, though, company policy in this respect is strict: no user shares. If anything is permitted, it is only access to the administrative shares, and only for administrators as specified in point 1. But if there are shared printers on personal computers, the only simple way to allow this without destroying the protection system is to add a permission (rule) for the local network (otherwise users will not be able to connect shared printers from a neighboring computer).

And the last addition. Do not forget pro