
Admin shares available to non-administrative users over loopback address

Scenario

A non-administrative user starts Excel on a RemoteApp host. They open the "file open" window and type \\127.0.0.1\c$ in the file name field. They are presented with the C:\ drive of the system. The same is true of c$, d$, admin$, etc.

The same user typing \\127.0.0.1\c$ in the address/location bar of the open file window is told that this has been restricted by their system administrator.

The same user attempting to access the admin shares from another machine is prompted for credentials.

"This behavior occurs because the administrative share's default share permission was changed in Windows Server 2008, which allows the active logon account to access the administrative shares.

Resolution:

The administrative share's default share permission is controlled by the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcShareAdminConnect.

To configure Windows Server 2008 to behave the same as Windows Server 2003, we can export the registry value above from Windows Server 2003, and import it to Windows Server 2008. Please Note: We need to restart the server for the change to take effect."

I have tested this fix on my W2K8 R2 SP1 machine and I can confirm that non-administrative users started getting the prompt for user name & password.

For those wanting to achieve the same behavior, you can find the registry binary data you need to import below.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity]
"SrvsvcShareAdminConnect"=hex:01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,27,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,\
  00,00,00,05,12,00,00,00
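
Before importing an opaque binary value like this, it is worth decoding it to see who it actually grants access to. The following is an added example, not part of the original post or of any Microsoft tooling: a small Python parser for the self-relative security descriptor in the value above (the function names and the NAMES lookup table are this example's own).

```python
import struct
# SrvsvcShareAdminConnect value data, copied from the .reg fragment above.
REG_HEX = """
01,00,04,80,64,00,00,00,70,00,00,00,00,00,00,00,
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,
00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,
00,05,20,00,00,00,25,02,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,
05,20,00,00,00,27,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,
00,00,00,05,12,00,00,00
"""
DATA = bytes.fromhex("".join(REG_HEX.replace(",", "").split()))

# Well-known SIDs, for display only.
NAMES = {"S-1-5-18": "NT AUTHORITY\\SYSTEM",
         "S-1-5-32-544": "BUILTIN\\Administrators",
         "S-1-5-32-549": "BUILTIN\\Server Operators",
         "S-1-5-32-551": "BUILTIN\\Backup Operators"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into its S-R-A-S... string form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR: owner, group and DACL ACEs."""
    revision, _, control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & 0x8000:      # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    out = {"owner": parse_sid(buf, owner) if owner else None,
           "group": parse_sid(buf, group) if group else None,
           "aces": None}                           # None = no DACL (unrestricted)
    if not (control & 0x0004 and dacl):            # SE_DACL_PRESENT
        return out
    _rev, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", buf, dacl)
    out["aces"], pos = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_type not in (0, 1) or size < 16 or pos + size > dacl + acl_size:
            raise ValueError("unsupported or malformed ACE at offset %d" % pos)
        out["aces"].append(("allow" if ace_type == 0 else "deny",
                            parse_sid(buf, pos + 8), mask))
        pos += size
    return out

if __name__ == "__main__":
    for kind, sid, mask in parse_descriptor(DATA)["aces"] or []:
        print("%-5s 0x%08X %s" % (kind, mask, NAMES.get(sid, sid)))
```

For the data above this lists three allow ACEs with mask 0x000F0003, for BUILTIN\Administrators, BUILTIN\Server Operators and BUILTIN\Backup Operators, with SYSTEM as owner and group.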
