admin$份額解釋了
我在過去幾年接受了許多電子郵件要求什麼admin$份額為,并且什麼使用是安全涵義,當使用它時。
這個份額是存在窗口的所有「NT」版本。 這意味著視窗NT 3.1, 3.5, 4.0, 2000年, XP, 2003年和景色。
份額是在窗口自動地被創造一些的一部分。 另是c$。 為什麼他們以一$結束? 這用於告訴窗口掩藏份額。 例如,如果我瀏覽到我的桌面從我的膝上計算機在網絡…這是什麼我看見: (我點擊開始,然後跑的和被鍵入的\ \ laptopsw -膝上計算機的名字)
現在看那您認為唯一的份額可利用在那個系統是「用戶」。
不真實。 我們可以瀏覽到我們暗藏的份額通過鍵入全路徑入探險家:
如果您仔細地看您注意admin$份額簡單地指向C:\Windows文件夾。
如此什麼是這為? 并且為什麼微軟放此入窗口?
它具體地用於遙遠地部署軟件。 如果您有`被推擠的』軟件到一臺計算機橫跨您的網絡,則您使用了admin$份額。
當軟件被推擠時,它使用這個份額上裝文件。
這怎麼它運作。
1. 您連接到遙控器的admin$份額。 如果您有地方掌官權利,則您立即連接-否則您提示對於用戶名和密碼。
2. 您複製在文件或者文件到遙控器。 要執行遙遠地,那些文件之一必須是服務。
3. 在第2步被複製安裝的服務,并且開始。
4. 現在您的軟件被推擠了。
admin$份額能為許多其他事明顯地使用。 在窗口可以被設置通過改變在c:\windows的一個文件的任何可以更新這樣。 或病毒能更加惡毒地使用這個份額橫跨您的網絡繁殖。
在窗口的更早的版本, admin$份額是大開。 有許多給它壞名聲的弱點在NT 4和2000年。 主要它是沒有實施問題,而是一個問題以地方掌官密碼。 許多管理員簡單地任它空白!
迅速移動回到今天,并且我們是在一個完全不同的環境裡。 微軟鎖了在重大文件分享下。 A few rules are now in place that can keep the admin share, and all file sharing from working properly.
Here are some of the new restrictions (Mostly on XP SP2 and higher) on file sharing:
1. Windows will not allow connections using accounts that have no password. It simply will keep asking you for the password as if you entered it incorrectly.
2. The hostname must be correct. For example, the hostname of the machine is LAPTOPSW, and you create a host entry pointing to the same ip called MYLAPTOP. Now if I attempt to browse to the machine using that new hostname…I will be denied access.
3. In a similar situation to number 2, if I try to use the IP address, I will be denied access. It will simply keep asking for the username and password as if I typed it wrong.
In addition to those new rules, Microsoft ships Windows XP with a feature called “Simple File Sharing” (Turned on by default)
Simple file sharing should be called “Broken insecure file sharing”. When this feature is turned on you have no admin share - and that is a good thing. Why? Because all other shares have no security and no passwords. No choice.
This is burned into XP Home, no way to turn it off.
So step 1 to getting the admin share working properly under XP SP2, is to disable simple file sharing. I have an article on the subject if you are interested.
An additional roadblock is the firewall built into XP. By default it disables all access to file and printer sharing. This needs to be turned back on if you want to access the admin share. The article I linked above shows you how to do that too.
Still, I can feel your concern. Why turn all this stuff back on when MS thinks it is a big security hole?
To give you a choice. If you are not aware of it, then the default is to lock down. This is a good thing. The risks are:
1. Blank passwords, or simple passwords. Any password that could be easily guessed by a virus roaming your network would be bad. Pick hard to guess passwords for your administrator accounts. I have seen viruses that have 10,000 of the most common passwords built into them so they can try to get in that way.
2. Direct internet access. If your computers are safe behind a firewall, then you can feel safe in the fact that only other local computers can access your share. If your computer is going to be directly connected to the internet I would never allow traffic for file and printer sharing.
3. Make sure you have adequate anti-virus installed. Since your attack surface has been reduced (You only need to worry about machines you know on your network, and not the entire net)…A good anti-virus on every machines is the best defense against viruses propagating using the admin share.
4. Limits on the administrator account. Very few people should have, and should login as a domain administrator. The less that do, the smaller the chance that the admin share can be used for bad purposes.
So if you know the risks, properly secure your computers, and use some common sense - you can enable the admin share, and enjoy the benefits of using it.
Written by Steve Wiseman. Read more great feeds at is source WEBSITE
no comments.
Read more articles on software.
- [+] Digg: Feature this article
- [+] Del.icio.us: Bookmark this article
- [+] Furl: Bookmark this article
