How does a network administrator share the system by default? (1)

I don't know when to turn off C $, D $, IPC $ and Other Default sharing in Windows systems, which has become the most basic security precaution. The stunned birds have responded to the call, declare war on default share. However, there is a reason, and the default share exists. Do you know that blindly Disabling these default shares will bring some very serious harm? It seems that you still don't know. It doesn't matter. This article will introduce you to the typical problems that may occur after you disable default sharing and how to solve these problems. Now, let's move closer to default sharing.

By default, sharing is automatically enabled after Windows 2000 and later operating systems are installed. As long as you know the Administrator account of a computer on the network, you can access resources on the computer by default.

Microsoft released default sharing to facilitate administrator management of computers in the network. In particular, the network in the established domain has several default sharing functions used to store user configuration files. However, there are advantages and disadvantages in everything. Enabling default sharing and convenient management brings security risks to computers. If you know the Administrator account and password, anyone can access others' computers. This is also the reason why some people with common security knowledge will share and disable it by default.

Shared items cannot be disabled by default.

Since Microsoft provides us with the default share function, it naturally plays a role, just like we have installed a lock for the room, and only has a valid key (administrator privilege) to open the room door. If we unmount the lock, people who can normally access the lock will not be able to access it. Therefore, the harm of disabling default sharing is the same as in the example above. Access by legal users is also blocked while preventing illegal users from entering the system.

In practice, we may often use the "net share default share name/delete" command to disable the corresponding default share, or edit HKEY_LOCAL_MACHINESy in the registry.

StemCurrentControlSetServicesLanmanServerParameters: Set the AutoShareServer and AutoShareWks values in the LanmanServerParameters subitem to 1. After the system is started, the default share originally opened will be disabled. Later, when we run the net share command, we cannot find any shared resources when viewing the sharing information of the Local Computer (figure 1 ).

Figure 1 run the net share command

Some readers may have disabled the default share, and there is no fault in actual use. In fact, default sharing is only used in some cases. Disabling default sharing does not affect common operations such as online chat and sending and receiving emails, however, for environments where the C/S type of software is used in the domain controller or network, blind deletion of default share brings great harm. Below, I will select several representative readers from the numerous faults for analysis, hoping to attract everyone's attention to default sharing.

Symptom 1

Hazard index:★★★★

Hazard object: client for accessing the domain environment

Environment: domain environment

When I disable all the default shares on the domain controller, a problem occurs when a client computer in the network wants to join the domain. When the client computer of Windows 98 or Microsoft Windows Millennium Edition logs on to the domain, a message such as "Incorrect domain logon password" or "no permission to renew domain" appears. Some Windows 2000 or Windows XP computers may also see "Domain Server unavailable" and other information when logging on to the network. If we manually add the computer to the domain, the message "Domain Controller name not found" appears.

After the above information is displayed, our client cannot join the established domain, and can only log on to the local machine. The security and management aspects cannot be unified, so that enterprise network management cannot proceed normally, the specified domain cannot run.

Why can't the client be added to the domain normally? The reason is that the client searches for the default share of NETLOGON $ through broadcast when searching for the domain controller. If the share is disabled, a fault may occur.

Symptom 2

Hazard index:★★★

Hazard object: Network Sharing Service

Environment: workgroup environment and domain environment

After all default sharing is disabled on any computer in the network, use the UNC path, mapped drive, net use command, net view command on other computers in the network, or browse the network in "Network neighbors, when you access or view a computer that is disabled by default, you will receive information such as "remote server access not allowed", "system 53 error, and network path inaccessible.

After the preceding information is displayed, other computers in the network cannot access and disable the computers shared by default.