The Administrative Shares are the default network shares created by all Windows NT-based operating systems (NT/2000/XP/2003). These default shares share every hard drive partition in the system. These shares will allow anyone who can authenticate as any member of the local Administrators group access to the root directory of every hard drive on the system. They are not typically used or useful outside an enterprise environment.

Share names

Administrative shares are the term Microsoft defined for the collection of by-default automatically shared filesystem resources including the following:

any drive letter + $ (only the local disk volumes, not any removable devices such as CD/DVD drives, USB drives)

admin$ (which shares access to %SYSTEMROOT%, which is typically C:\WINDOWS or C:\WINNT)

The "$" appended to the end of the share name means that it's a hidden share. Windows will not list such shares among those it defines in typical queries by remote clients to obtain the list of shares. This means that one needs to know the name of an administrative share in order to access it.

It is frequently believed that any share that includes the final '$' character defines it as an administrative share. According to Microsoft's use of the term "administrative share", this is false. While any share (even non-administrative shares) can include a '$' character at the end of its name, only those by-default shares created by Windows containing the '$' suffix are considered administrative share.

Generic UNC Address for an Administrative Share:

\\NetworkComputerName\(Drive letter)$

For Example:

\\MyComputer\c$

This represents the administrative share for the "C" drive on the computer "MyComputer". This works just as well for any other local drive on the computer, e.g. \\MyComputer\d$, \\MyComputer\e$ (assuming those are local drives and not removable drives).

\\MyComputer\ADMIN$

This represents the administrative share for the %SYSTEMROOT% object on the computer "MyComputer".

How to disable

The shares can be deleted by a user with Administrators membership but they will be recreated at the next reboot. The easiest way to correct this is by editing the Windows Registry e.g. using Regedit. If the setting is not present then you must create it. (Be careful editing the Registry: A simple mistake can cause serious malfunctions.)

Servers

Windows NT 4.0 Server, Windows 2000 Server, Windows Server 2003

Regular workstation

Windows NT 4.0 Workstation, Windows 2000 Professional, Windows XP

Security and Prevention

Preventing Access

However, disabling the Administrative shares doesn't mitigate any real significant security risks, but only keeps administrators from casually browsing the shared contents. This is because anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (hidden using the "$" suffix or not). Merely disabling the administrative shares doesn't make it any harder for a technically astute user to gain access to the disk contents.

Better ways to prevent remote browsing of the disk contents is to:

disable File and Printer Sharing (or unbind the NetBT protocol)

Stop and/or Disable the Workstation service

set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp

remove membership in the Administrators group for those users/groups you wish to block

encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files

Security of the Shares

Note: the DACLs on the administrative shares can't be modified, even by the local .\Administrator account.