Author: Fengfeng
On a Windows Server system, the C and D drives are automatically set up as hidden shares every time the server starts. These default shares make server management and maintenance more convenient, but they are also often exploited by attackers, which can easily create a security threat to the server. If you do not want the server to be exposed to such attacks, you should cut off these default share "channels" promptly. This article recommends the following methods for disabling the server's default shares.
Function configuration method
This method uses the msconfig command in Windows XP or Windows 2003 to cut off the server's default share "channel". To use this method, follow these steps:
Click "Start" / "Run", enter the command "msconfig" in the Run dialog box that appears, and click "OK" to open a window titled System Configuration Utility;
Click the "Services" tab in the window. On the settings page shown in Figure 1, find the "Server" item and check whether it has a check mark in front of it. If it does, clear the check mark, click OK, and restart the server system. The C and D drives of the server will then no longer be automatically set as default shares.
Figure 1
TIPS: Although the Windows 2000 Server system does not include the System Configuration Utility, its kernel is similar to that of Windows 2003, so you can copy the msconfig.exe and msconfig.chm files from the Windows 2003 system directly into the Windows 2000 system directory. You can then start the System Configuration Utility from the Run dialog box. If an error prompt window pops up while the utility is starting, you can ignore it and click "Cancel" to reach the System Configuration Utility settings window.
"Force" Stop Method
The so-called "forced" stop method uses the Computer Management function of the Windows server to run the stop-sharing command on each existing default shared folder. This cancels the folder's shared status and also makes sure these folders are not automatically shared again next time. To forcibly stop the sharing of default shared folders, follow these steps:
Click "Start" / "Run", enter the command "compmgmt.msc", and click OK to open the "Computer Management" interface of the Windows server system;
In the list on the left side of the interface, expand "System Tools", "Shared Folders", and "Shares" in turn. The pane to the right of the "Shares" folder lists all folders that are shared on the server system; those whose share name ends with the "$" symbol are the default shared folders automatically generated by the server;
To cancel the sharing of these folders, select them one by one, right-click, and choose "Stop Sharing" from the shortcut menu. A dialog box like the one shown in Figure 2 appears, asking you to confirm that you really want to stop the selected share. Click "Yes", and the sharing icons of all selected default shared folders disappear, indicating that their sharing has been forcibly stopped. From then on, even if the server system is restarted, the C and D drives of the server will not be automatically shared by default.
Figure 2
Delete one by one
The so-called one-by-one deletion method uses the built-in "net share" command on the Windows server to delete the default shares one at a time (deletion here means removing the shared status of the default shared folder, not deleting the contents of the folder). This method has a fatal defect: it cannot achieve a "once and for all" deletion. As soon as the server system restarts, the default shared folders are generated again. To delete the shared status of the default shared folders with this method, follow these steps:
First, choose "Run" from the Start menu, enter the command "cmd" in the Run dialog box, and click "OK". The Windows server switches to the DOS command line;
Then, at the DOS command line, enter the command "net share c$ /del" and press Enter. The shared status of the C drive partition on the server is deleted. If the server also has D and E partitions, run the commands "net share d$ /del" and "net share e$ /del" in the same way to delete their shared status;
In addition, for default shares such as IPC$ and Admin$, you can run the commands "net share ipc$ /del" and "net share admin$ /del", so that attackers cannot use these hidden share channels to attack the Windows server at will.
Automatic deletion method
If the server contains many hidden shared folders, deleting them one by one with the "net share" command is very tedious. Instead, you can create a batch file that lets the server delete the shared status of all default shared folders in one go. To create the batch file, open a text editor such as Notepad and enter the following commands in the editing window:
@echo off
rem Remove the shared status of each default share (folder contents are not deleted)
net share C$ /del
net share D$ /del
net share ipc$ /del
net share admin$ /del
......
After entering the code above, choose "File" / "Save" in the text editor, enter "delshare.bat" as the file name, set the save path, and click "Save" to finish creating the batch file that automatically deletes the default shares. Whenever you need to delete the shared status of these default shared folders in future, just double-click the "delshare.bat" batch file, and all default share "channels" on the server system are cut off automatically.
After the server is restarted, all the default shared folders are "re-launched". You can therefore use the following method to make the server run the "delshare.bat" batch file automatically and delete the default shared folders:
First, open the Run dialog box, enter the command "gpedit.msc", and click OK to open the Group Policy editing window of the server system. In that window, expand the "Computer Configuration" folder, the "Windows Settings" folder, and the "Scripts (Startup/Shutdown)" folder;
In the pane to the right of the "Scripts (Startup/Shutdown)" folder, double-click the "Startup" option and click the "Add" button in the "Startup Properties" dialog box that appears. In the dialog box shown in Figure 3, click the Browse button next to "Script Name", select the "delshare.bat" batch file created above in the file selection dialog box, and click "OK". Then restart the server system. The default shares on the server system will now be cancelled automatically.
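To confirm after a reboot that the startup script really removed the default shares, the output of "net share" can be checked for any that remain. The following is an added example, not part of the original article; it assumes English-locale "net share" output, and the sample text and function names are constructed for illustration.

```python
import re
import subprocess

# Constructed sample of English-locale `net share` output (not from a real server).
SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
D$           D:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
Backup$      D:\Backup                       Nightly dumps
Public       D:\Public
The command completed successfully.
"""

# Default shares named in the article: drive letters (C$, D$, ...), ADMIN$ and IPC$.
DEFAULT_SHARE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)

def share_names(net_share_output):
    """Return the share names from the table printed by `net share`."""
    names, in_table = [], False
    for line in net_share_output.splitlines():
        if line.startswith("-----"):        # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith("The command"):  # trailing status line ends the table
            break
        if line[0].isspace():               # wrapped row belonging to a long name
            continue
        names.append(line.split()[0])       # default share names contain no spaces
    return names

def remaining_default_shares(net_share_output):
    """Default shares still present, i.e. ones delshare.bat did not remove."""
    return [n for n in share_names(net_share_output) if DEFAULT_SHARE.match(n)]

def audit_local_server():
    """Run `net share` on this Windows host and report leftover default shares."""
    result = subprocess.run(["net", "share"], capture_output=True, text=True)
    return remaining_default_shares(result.stdout)

if __name__ == "__main__":
    for name in remaining_default_shares(SAMPLE):
        print("default share still present:", name)
```

An empty list from audit_local_server() means none of the default shares came back; user-created hidden shares such as the constructed "Backup$" are deliberately not reported.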
Figure 3
Permission Allocation Method
The so-called "permission allocation method" uses the server's Group Policy to assign user rights so that illegal users cannot access any content on the server over the network; the default shared folders then cannot become a channel for illegal users to intrude into the server. To deny unauthorized access to the server over the network, follow these steps:
First, choose "Run" from the "Start" menu of the server system, enter the command "gpedit.msc" in the Run dialog box that appears, and click OK. In the Group Policy editing window that opens, expand the "Computer Configuration" folder, the "Windows Settings" folder, the "Security Settings" folder, the "Local Policies" folder, and the "User Rights Assignment" folder in turn;
In the pane to the right of the "User Rights Assignment" folder (Figure 4), select the "Deny access to this computer from the network" item and double-click it. In the "Deny access to this computer from the network" properties window that appears, click "Add", then, in the account selection window that is displayed, select and import the logon accounts of valid users and exclude all untrusted user accounts. Then click OK. As a result, untrusted users will no longer be able to access any content on the server over the network, while the imported user accounts can still efficiently manage and maintain the server through the default shared folders.
Figure 4
System Policy Method
If your server system is Windows 2000 Ser