Jon, > I have two [NT and 2K] servers that have an > administrative share named > SPM2000$. > This share has full access rights to drive C for the > Everyone group. > I can deactivate it, but since it's an > administrative share it's going to > come back at reboot. Can you please elaborate on this last statement? Just b/c a share is a "hidden" share by virtue of the "$" appended to the end of the name, that doesn't mean that it's an administrative share that's going to return on reboot. Even so, the administrative shares are rather trivially disabled w/ a simple Registry edit...one can disable the appearance of C$, D$, etc, quite easily. Let me ask you this...is this a statement you've made based on assumption or experience? By experience, I mean have you deleted the share, rebooted, and found it there again? > After "Googling" the string, I found something > called Service Pack Manager > 2000, but I don't think that's what created this as > this software uses the > default ADMIN$ share. > Have any of you seen this share anywhere before? That's a good question. And I think it's equally important to ask how it got there? If you cannot attribute the share to an authorized installed application, then perhaps a compromise should be considered. Harlan __________________________________________________ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:00:22 PST