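The Admin$ Share Explained
I have received many emails over the past few years asking what the admin$ share is for, and what the security implications are of using it.
This share exists on all "NT" versions of Windows. That means Windows NT 3.1, 3.5, 4.0, 2000, XP, 2003, and Vista.
The share is one of a few that Windows creates automatically. Another is c$. Why do they end with a $? This tells Windows to hide the share. For example, if I browse to my desktop from my laptop on the network…this is what I see: (I clicked Start, then Run, and typed \\laptopsw - the name of the laptop)
Looking at that, you would think the only share available on that system is "Users".
Not true. We can browse to our hidden shares by typing the full path into Explorer: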

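If you look closely, you will notice that the admin$ share simply points to the C:\Windows folder.
So what is this for? And why did Microsoft put this into Windows?
It is specifically used for deploying software remotely. If you have ever 'pushed' software to a computer across your network, then you have used the admin$ share.
When software is pushed, it uses this share to upload the files.
This is how it works.
1. You connect to the admin$ share of the remote machine. If you have local administrator rights, you connect immediately - otherwise you are prompted for a username and password.
2. You copy the file or files to the remote machine. To execute remotely, one of those files must be a service.
3. The service copied in step 2 is installed and started.
4. Now your software has been pushed.
The admin$ share can obviously be used for many other things. Anything in Windows that can be set by changing a file in c:\windows can be updated this way. Or, more maliciously, a virus can use this share to propagate across your network.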
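The four-step push above leaves a recognizable trail on the target: a connection to admin$, then a new service whose binary sits under the Windows folder. The following is an added example, not part of the original article, showing one way to correlate the two. It assumes records exported from Windows events 5140 (share accessed) and 7045 (service installed) on systems that log them; the simplified field names, hosts, accounts and the 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, simplified from Windows events 5140 (Security log,
# "A network share object was accessed") and 7045 (System log, "A service was
# installed in the system"). Host names, accounts and paths are made up.
EVENTS = [
    {"time": "2024-05-01T10:00:05", "host": "LAPTOPSW", "id": 5140,
     "user": "CORP\\deploy", "src": "10.0.0.20", "share": r"\\*\ADMIN$"},
    {"time": "2024-05-01T10:00:09", "host": "LAPTOPSW", "id": 7045,
     "service": "ExampleAgent", "image": r"%SystemRoot%\exampleagent.exe"},
    {"time": "2024-05-01T11:30:00", "host": "LAPTOPSW", "id": 5140,
     "user": "CORP\\alice", "src": "10.0.0.31", "share": r"\\*\Users"},
    {"time": "2024-05-01T11:30:02", "host": "LAPTOPSW", "id": 7045,
     "service": "PrinterHelper", "image": r"C:\Program Files\Vendor\helper.exe"},
    {"time": "2024-05-01T14:00:00", "host": "DESKTOP2", "id": 5140,
     "user": "CORP\\deploy", "src": "10.0.0.20", "share": r"\\*\ADMIN$"},
]

WINDOWS_DIRS = ("%systemroot%\\", "c:\\windows\\", "\\systemroot\\")


def image_under_windows_dir(image):
    """True when the service binary lives where admin$ points (C:\\Windows)."""
    path = image.strip('"').lower()
    return path.startswith(WINDOWS_DIRS)


def find_pushes(events, window=timedelta(seconds=60)):
    """Pair each admin$ connection with a service installed on the same host
    shortly afterwards from a binary under the Windows folder."""
    recent = {}   # host -> list of (time, admin$ access event)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5140 and ev["share"].upper().endswith("\\ADMIN$"):
            recent.setdefault(ev["host"], []).append((when, ev))
        elif ev["id"] == 7045 and image_under_windows_dir(ev["image"]):
            for seen, access in recent.get(ev["host"], []):
                if timedelta(0) <= when - seen <= window:
                    hits.append({"host": ev["host"], "user": access["user"],
                                 "src": access["src"], "service": ev["service"],
                                 "image": ev["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_pushes(EVENTS):
        print(hit)
```

Legitimate deployment tools produce the same pattern, so each hit is something to reconcile against known deployment accounts and source machines rather than an alert on its own.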
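In earlier versions of Windows, the admin$ share was wide open. There were many vulnerabilities in NT 4 and 2000 that gave it a bad name. Mostly it was not an implementation problem, but a problem with the local administrator password. Many administrators simply left it blank!
Fast forward to today, and we are in a completely different environment. Microsoft has locked down file sharing significantly. A few rules are now in place that can keep the admin share, and all file sharing, from working properly.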
Here are some of the new restrictions (Mostly on XP SP2 and higher) on file sharing:
1. Windows will not allow connections using accounts that have no password. It simply will keep asking you for the password as if you entered it incorrectly.
2. The hostname must be correct. For example, the hostname of the machine is LAPTOPSW, and you create a host entry called MYLAPTOP pointing to the same IP. Now if I attempt to browse to the machine using that new hostname…I will be denied access.
3. In a similar situation to number 2, if I try to use the IP address, I will be denied access. It will simply keep asking for the username and password as if I typed it wrong.
In addition to those new rules, Microsoft ships Windows XP with a feature called “Simple File Sharing” (turned on by default).
Simple file sharing should be called “Broken insecure file sharing”. When this feature is turned on you have no admin share - and that is a good thing. Why? Because all other shares have no security and no passwords. No choice.
This is burned into XP Home, no way to turn it off.
So step 1 to getting the admin share working properly under XP SP2, is to disable simple file sharing. I have an article on the subject if you are interested.
An additional roadblock is the firewall built into XP. By default it disables all access to file and printer sharing. This needs to be turned back on if you want to access the admin share. The article I linked above shows you how to do that too.
Still, I can feel your concern. Why turn all this stuff back on when MS thinks it is a big security hole?
To give you a choice. If you are not aware of it, then the default is to lock down. This is a good thing. The risks are:
1. Blank passwords, or simple passwords. Any password that could be easily guessed by a virus roaming your network would be bad. Pick hard to guess passwords for your administrator accounts. I have seen viruses that have 10,000 of the most common passwords built into them so they can try to get in that way.
2. Direct internet access. If your computers are safe behind a firewall, then you can feel safe in the fact that only other local computers can access your share. If your computer is going to be directly connected to the internet I would never allow traffic for file and printer sharing.
3. Make sure you have adequate anti-virus installed. Since your attack surface has been reduced (you only need to worry about machines you know on your network, and not the entire net), a good anti-virus on every machine is the best defense against viruses propagating using the admin share.
4. Limits on the administrator account. Very few people should have a domain administrator account, or log in as one. The fewer that do, the smaller the chance that the admin share can be used for bad purposes.
So if you know the risks, properly secure your computers, and use some common sense - you can enable the admin share, and enjoy the benefits of using it.
Written by Steve Wiseman.














