The Windows operating system is designed by Microsoft to run on IBM-type microcomputers with Intel microprocessors. It is an operating environment with a graphical interface shell that runs on top of the MS-DOS or PC-DOS operating system. The first user-friendly version, Windows 3.0, was introduced by Microsoft in 1990 and did not do as well as the Macintosh. Windows 3.0 had many limitations, and users had to go back and forth between Windows and DOS to use the operating system. However, five years later, in 1995, Microsoft presented Windows 95, which had many new features compared with Windows 3.0. These features topped the Macintosh operating system software. Among these features are programmability, networking, and the setup utility. In 1998 Microsoft updated Windows 95 and released Windows 98. Windows 98 is now being replaced by Windows 2000. It will not be long before we see a new version of Windows. It has been only ten years since the introduction of Windows 3.0, and Windows has changed since then; hopefully it will continue to update itself.
Securing shared drives
In Windows 2000, all drives on your computer, such as drive C or D, are
automatically shared using the name drive letter$, such as C$ or D$. These drives
are not shown with the hand icon that indicates sharing in My Computer or Windows
Explorer, and they are also hidden when users connect to your computer remotely.
However, any user can gain access to your computer over a network or the Internet if
the user knows your computer name, and the user name and password of a user who is a
member of the Administrators, Backup Operators, or Server Operators group. A user who
gains access to your drive over the network or Internet can view all folders and files on
that drive, even those that are protected using NTFS permissions, provided the NTFS
permissions allow access to members of the Administrators, Backup Operators, or Server
Operators group.
To keep your drives secure, you should:
- Create a difficult password for the Administrator account. Many people leave this
password blank, which leaves the computer vulnerable to security breaches because any user
can log on as the Administrator using a blank password. It is also a good idea to rename
the Administrator account using the Local Users and Groups snap-in.
If for some reason you must leave your Administrator password blank, you can disable
sharing by doing one of the following:
- Disable the Server service. Disabling this service removes the ability to share
folders on your computer. No user will be able to connect to any drive or folder on your
computer. However, you can still access shared folders on other computers. When you
disable the Server service, under Startup, be sure to click Manual or Disabled
or else the service will start the next time the computer is restarted.
- Uninstall File and Printer Sharing for Microsoft Networks. This option appears
when you view the properties of any connection in Network and Dial-up Connections. Click
the Uninstall button to remove this component; clearing the File and Printer
Sharing for Microsoft Networks check box will not work.
Note: To stop sharing a drive temporarily, right-click it, click Sharing, and then click Do not share this folder. However, keep in mind that Windows 2000 will share the drive again once the computer is restarted.
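The following batch script is an added example, not part of the Windows 2000 help text, showing the same checks from an administrator command prompt: which shares the computer publishes (the names ending in $ are the automatic administrative shares), whether the Server service that serves them is running, and, when run with the argument harden, the two-step disable the text above insists on (stop the service, then change its startup type so it stays stopped after a restart). net.exe and findstr.exe ship with Windows 2000; sc.exe is assumed to be available (it is built into Windows XP and later and was a separate Resource Kit tool on Windows 2000).

```batch
@echo off
rem Added example (not from the Windows 2000 help text): audit the automatic
rem administrative shares and the Server service that publishes them.
rem Run from an administrator command prompt. Read-only unless "harden" is passed.
rem Assumes net.exe and findstr.exe (both present on Windows 2000).
setlocal

echo === Shares published by this computer ===
net share

echo.
echo === Administrative shares (names ending in $) ===
rem Hidden shares such as C$, ADMIN$ and IPC$ are the ones reachable by
rem Administrators, Backup Operators and Server Operators over the network.
rem In "net share" output every share name is padded with spaces, so a
rem literal "$ " picks out the names that end in a dollar sign.
net share | findstr /C:"$ "
if errorlevel 1 echo No administrative shares found.

echo.
echo === Server service state ===
rem "net start" lists running services by display name, one per indented
rem line; "Server" is the display name of the LanmanServer service that
rem serves file and printer shares.
net start | findstr /R /C:"^ *Server$"
if errorlevel 1 (
    echo Server service is NOT running: nothing on this computer is shared.
) else (
    echo Server service is running: the shares above are reachable remotely.
)

if /I not "%~1"=="harden" goto :eof

echo.
echo === Hardening: stopping the Server service and setting Startup to Disabled ===
rem Stopping alone is not enough; the service starts again at the next boot
rem unless its startup type is changed, exactly as the help text warns.
rem /y answers the prompt about dependent services (such as Computer Browser).
net stop server /y
rem sc.exe is assumed available (Windows XP and later; Resource Kit on
rem Windows 2000). The space after "start=" is required by sc's syntax.
sc config lanmanserver start= disabled
endlocal
```

Run it with no argument first; that path only reads. The hardening path removes the computer's ability to share anything, which matches the help text's description of disabling the Server service: you can still connect to other computers' shares, but nobody can connect to yours.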
Depending on the configuration of your computer, some or all of the following special
shared folders are automatically created by Windows 2000 for administrative and
system use. These shared folders are not visible from My Computer, but can be viewed using
the Shared Folders snap-in. In most cases, special shared folders should not be deleted or
modified.
drive letter$: A shared folder that allows administrative personnel to connect to the root directory of a drive. Shown as A$, B$, C$, D$, and so on. For example, D$ is a shared folder name by which drive D might be accessed by an administrator over the network.
For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.
ADMIN$: A resource used by the system during remote administration of a
computer. The path of this resource is always the path to the Windows 2000 system
root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
IPC$: A resource sharing the named pipes that are essential for
communication between programs. It is used during remote administration of a computer and
when viewing a computer's shared resources.
PRINT$: A resource used during remote administration of printers.
NETLOGON: A resource used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests. This resource is provided only for Windows 2000 Server computers. It is not provided for Windows 2000 Professional computers.
FAX$: A shared folder on a server used by fax clients in the process of
sending a fax. The shared folder is used to temporarily cache files and access cover pages
stored on the server.
To configure how a service is started
- Open Services.
- Right-click the service you want to configure, and then click Properties.
- On the General tab, under Startup, click Automatic, Manual,
or Disabled.
- To specify the user account the service can use to log on, click the Log On tab,
and then click System account or This account.
If you click This
account, click Choose User, specify a user account, and then type the password
for the user account in Password and Confirm password.
- To provide a user interface on the desktop that can be used by anyone who is logged on
when the service is started, select the Allow service to interact with desktop
check box.
Notes:
- To configure service startup, you must be logged on as an administrator or as a member
of the Administrators group.
- To open Services, click Start, point to Settings, and then click Control
Panel. Double-click Administrative Tools, and then double-click Services.
- The Allow service to interact with desktop check box is available only if the
service is running as a LocalSystem account, as specified in This account.
- If you enable or disable a service and encounter a problem starting the computer, you
may be able to start the computer in safe mode. Then you can change the service
configuration or restore the default configuration. For more information, see Related
Topics.
To enable or disable a service for a hardware profile
- Open Services.
- Right-click the service you want, and then click Properties.
- On the Log On tab, click the hardware profile you want to configure.
- Click Enable or Disable.
Notes:
- To open Services, click Start, point to Settings, and then click Control
Panel. Double-click Administrative Tools, and then double-click Services.
- Use System in Control Panel to create hardware profiles and set their order of
preference.
If your computer will not start, you may be able to start it in safe mode. In safe
mode, Windows 2000 uses default settings (VGA monitor, Microsoft mouse driver, no
network connections, and the minimum device drivers required to start Windows).
For example, if your computer will not start after you install new software, you may be
able to start it with minimal services in safe mode and then change your computer settings
or remove the newly installed software that is causing the problem. You can reinstall the
service pack or the entire operating system, if necessary.
If a symptom does not reappear when you start in safe mode, you can eliminate the
default settings and minimum device drivers as possible causes.
The safe mode options are:
Safe Mode: Starts Windows 2000 using only basic files and drivers
(mouse, except serial mice; monitor; keyboard; mass storage; base video; default system
services; and no network connections). If your computer does not start successfully using
safe mode, you may need to use the Emergency Repair Disk (ERD) feature to repair
your system.
Safe Mode with Networking: Starts Windows 2000 using only basic
files and drivers, plus network connections.
Safe Mode with Command Prompt: Starts Windows 2000 using only
basic files and drivers. After logging on, the command prompt is displayed instead of the
Windows desktop, Start menu, and Taskbar.
Enable Boot Logging: Starts Windows 2000 while logging all the
drivers and services that were loaded (or not loaded) by the system to a file. This file
is called ntbtlog.txt and it is located in the %windir% directory. Safe Mode,
Safe Mode with Networking, and Safe Mode with Command Prompt add to the boot log a list of
all the drivers and services that are loaded. The boot log is useful in determining the
exact cause of system startup problems.
Enable VGA Mode: Starts Windows 2000 using the basic VGA driver.
This mode is useful when you have installed a new driver for your video card that is
causing Windows 2000 not to start properly. The basic video driver is always used
when you start Windows 2000 in Safe Mode (either Safe Mode, Safe Mode with
Networking, or Safe Mode with Command Prompt).
Last Known Good Configuration: Starts Windows 2000 using the
register information that Windows saved at the last shutdown. Use only in cases of
incorrect configuration. Last known good configuration does not solve problems caused by
corrupted or missing drivers or files. Also, any changes made since the last successful
startup will be lost.
Directory Service Restore Mode: Not applicable for Windows 2000
Professional. This is for the Windows 2000 Server operating system and is only used
in restoring the SYSVOL directory and the Active Directory directory service on a
domain controller.
Debugging Mode: Starts Windows 2000 while sending debug
information through a serial cable to another computer.
If you are using, or have used, Remote Install Services to install Windows 2000 on
your computer, you may see additional options related to restoring or recovering your
system using Remote Install Services.
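As an added example (not from the help text), the batch script below reads the %windir%\ntbtlog.txt file that Enable Boot Logging and the Safe Mode options write, and separates the drivers that loaded from those that did not. It assumes the two line prefixes the file uses, "Loaded driver" and "Did not load driver", each followed by the driver path; an optional first argument names a different log file.

```batch
@echo off
rem Added example (not from the Windows 2000 help text): summarize the boot log
rem that "Enable Boot Logging" (and the Safe Mode options) write to
rem %windir%\ntbtlog.txt. Lines in that file begin with "Loaded driver" or
rem "Did not load driver" followed by the driver path, which is what this
rem script counts and filters. Read-only. Optional first argument: another log path.
setlocal
set "LOG=%windir%\ntbtlog.txt"
if not "%~1"=="" set "LOG=%~1"
if not exist "%LOG%" (
    echo No boot log at "%LOG%". Boot with "Enable Boot Logging" or a Safe Mode option first.
    exit /b 1
)
rem Boot logging appends a new section on every logged boot, so report the
rem file's timestamp and size to make clear which boot the tail belongs to.
for %%F in ("%LOG%") do echo Boot log: %%~fF (last written %%~tF, %%~zF bytes)

rem Count loaded versus skipped drivers across the whole file.
for /F %%N in ('findstr /B /C:"Loaded driver" "%LOG%" ^| find /C /V ""') do set LOADED=%%N
for /F %%N in ('findstr /B /C:"Did not load driver" "%LOG%" ^| find /C /V ""') do set SKIPPED=%%N
echo Loaded driver entries: %LOADED%
echo Did-not-load entries:  %SKIPPED%

rem The lines that matter when diagnosing a startup failure: drivers the
rem system tried to load but could not. After a Safe Mode boot this list is
rem long by design, because Safe Mode deliberately skips every non-essential
rem driver; compare it with a log written by "Enable Boot Logging" on a
rem normal startup to find the one that is actually failing.
echo.
echo === Drivers that did not load ===
findstr /B /C:"Did not load driver" "%LOG%" | sort
endlocal
```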
To set up recovery actions to take place when a service fails
- Open Services.
- Right-click the service for which you want to set recovery actions, and then click Properties.
- On the Recovery tab, click the actions you want in First attempt, Second
attempt, and Subsequent attempts.
Notes:
- To open Services, click Start, point to Settings, and then click Control
Panel. Double-click Administrative Tools, and then double-click Services.
- Recovery actions are available only on computers running Windows 2000.
- If you select Run a File, do not specify programs or scripts that require user
input.
- If you select Reboot the Computer, you can specify how long to wait before
restarting the computer by clicking Reboot Computer Information. You can also
create a message to display to remote users before the computer restarts.
To start the RunAs service
- Open Services.
- Click RunAs, click Action, and then click Properties.
- Under Service status, click Start.
Notes:
- To open Services, click Start, point to Settings, and then click Control
Panel. Double-click Administrative Tools, and then double-click Services.
- If you want to use Run as or the runas command frequently, you can
configure the RunAs service to start automatically when the system starts. On the General
tab in the RunAs Properties dialog box, change Startup type to Automatic.
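Added example, not from the help text: the settings the three procedures above change through the Services snap-in (startup type, starting the RunAs service, and recovery actions), applied instead with sc.exe, which is assumed to be available (built into Windows XP and later; a Resource Kit tool on Windows 2000). The short service names used are seclogon for the RunAs service and lanmanserver for the Server service; the General tab of each service's Properties dialog box shows its service name.

```batch
@echo off
rem Added example (not from the Windows 2000 help text): the Services snap-in
rem settings driven from the command line with sc.exe (assumed available:
rem Windows XP and later, Resource Kit on Windows 2000). Run as an administrator.
rem Short names: seclogon = RunAs service, lanmanserver = Server service.
setlocal

rem General tab, Startup type: auto = Automatic, demand = Manual, disabled.
rem The space after each "keyword=" is part of sc's syntax.
rem This is the "start RunAs automatically" configuration from the note above.
sc config seclogon start= auto
rem Service status, Start: start it now rather than waiting for a reboot.
sc start seclogon

rem Recovery tab: First attempt, Second attempt, Subsequent attempts.
rem actions= lists action/delay-in-milliseconds pairs ("" = take no action);
rem reset= is how many seconds of clean running clear the failure count
rem (86400 = one day). Restart twice, then stop trying. Never hand a service a
rem recovery script that waits for user input, as the note above says.
sc failure lanmanserver reset= 86400 actions= restart/60000/restart/60000/""/0

rem Read the settings back to confirm what the snap-in would now display.
sc qc seclogon
sc qfailure lanmanserver
endlocal
```

The Log On tab has a command-line counterpart too (sc config with obj= and password=), but that embeds a password in the script, so for that setting the snap-in is the better tool.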
To add yourself to a group
- Open Computer Management (Local).
- In the console tree, click Groups.
Where?
- Computer Management
- System Tools
- Local Users and Groups
- Groups
- Double-click the group you want to join, and then click Add.
- In Name, type your user name, click Add, and then click OK.
If your computer is part of a network, type your complete user name as follows: domainname\username.
Notes:
- Only a member of the Administrators group can add a user to the Administrators, Backup
Operators, or Replicators group.
- To open Computer Management, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Computer Management.
Default security settings
The default security settings for Windows 2000 can be described by summarizing the
permissions granted to four default groups (Administrators, Power Users, Users, and Backup
Operators) and three special groups.
Administrators: Members of the Administrators group can perform all
functions supported by the operating system. The default security settings do not restrict
administrative access to any registry or file system object. Administrators can grant
themselves any rights that they do not have by default.
Ideally, administrative access should only be used to:
- Install the operating system and components (such as hardware drivers, system services,
and so on).
- Install Service Packs and Windows Packs.
- Upgrade the operating system.
- Repair the operating system.
- Configure critical operating system parameters (such as password policy, access control,
audit policy, kernel mode driver configuration, and so on).
- Take ownership of files that have become inaccessible.
- Manage the security and auditing logs.
- Back up and restore the system.
In practice, Administrator accounts often must be used to install and run programs
written for previous versions of Windows.
Users: The Users group provides the most secure environment in which to
run programs. On a volume formatted with NTFS, the default security settings on a newly
installed system (but not on an upgraded system) are designed to prevent members of this
group from compromising the integrity of the operating system and installed programs.
Users cannot modify system-wide registry settings, operating system files, or program
files. Users can shut down workstations, but not servers. Users can create local groups,
but can manage only the local groups that they created. They can run certified
Windows 2000 programs that have been installed or deployed by administrators. Users
have full control over all of their own data files (%userprofile%) and their
own portion of the registry (HKEY_CURRENT_USER).
Users cannot install programs that can be run by other Users (this prevents Trojan horse programs). They also cannot access other Users' private data or desktop settings.
To secure a Windows 2000 system, an administrator should:
- Make sure that end users are members of the Users group only.
- Deploy programs, such as certified Windows 2000 programs, that members of the Users
group can run successfully.
Users will not be able to run most programs written for previous versions of Windows
because previous versions of Windows either did not support file system and registry
security (Windows 95 and Windows 98) or shipped with lax default security
settings (Windows NT). If Users have problems running legacy applications on newly
installed NTFS systems, then do one of the following:
- Install new versions of the applications that are certified for Windows 2000.
- Move end users from the Users group into the Power Users group.
- Decrease the default security permissions for the Users group. This can be accomplished
by using the compatible security template. For more information, see "Predefined
security templates" in Related Topics.
Power Users: Members of the Power Users group have more
permissions than members of the Users group and fewer than members of the Administrators
group. Power Users can perform any operating system task except tasks reserved for the
Administrators group. The default Windows 2000 security settings for Power Users are
very similar to the default security settings for Users in Windows NT 4.0. Any
program that a User can run in Windows NT 4.0, a Power User can run in
Windows 2000.
Power Users can:
- Run legacy applications in addition to Windows 2000 certified applications.
- Install programs that do not modify operating system files or install system services.
- Customize system-wide resources including Printers, Date/Time, Power Options, and other
Control Panel resources.
- Create and manage local user accounts and groups.
- Stop and start system services which are not started by default.
Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.
Warning:
- Running legacy programs on Windows 2000 often requires modify access to certain
system settings. The same default permissions that allow Power Users to run legacy
programs also make it possible for a Power User to gain additional privileges on the
system, even complete administrative control. Therefore, it is important to deploy
certified Windows 2000 programs in order to achieve maximal security without
sacrificing program functionality. Programs that are certified for Windows 2000 can
run successfully under the secure configuration provided by the Users group. For more
information, see Securing Windows 2000 Installations at the Microsoft Security
Advisor Web site.
- Since Power Users can install or modify programs, running as a Power User when connected
to the Internet could make the system vulnerable to Trojan horse programs and other
security risks. For more information, see "Why you should not run your computer as an
administrator" in Related Topics.
Backup Operators:
Members of the Backup Operators group can back up and restore files on the computer,
regardless of any permissions that protect those files. They can also log on to the
computer and shut it down, but they cannot change security settings.
Warning:
- Backing up and restoring data files and system files requires permissions to read and
write those files. The same default permissions granted to Backup Operators that allow
them to back up and restore files also make it possible for them to use the group's
permissions for other purposes, such as reading another user's files or installing Trojan
horse programs. Group Policy settings can be used to create an environment in which Backup
Operators only can run a backup program. For more information, see Securing
Windows 2000 Installations at the Microsoft Security Advisor Web site.
Special Groups:
Several additional groups are automatically created by Windows 2000.
- Interactive. This group contains the user who is currently logged on to the
computer. During an upgrade to Windows 2000, members of the Interactive group will
also be added to the Power Users group, so that legacy applications will continue to
function as they did before the upgrade.
- Network. This group contains all users who are currently accessing the system
over the network.
- Terminal Server User. When Terminal Servers are installed in application serving
mode, this group contains any users who are currently logged on to the system using
Terminal Server. Any program that a user can run in Windows NT 4.0 will run for
a Terminal Server User in Windows 2000. The default permissions assigned to the group
were chosen to enable a Terminal Server User to run most legacy programs.
Warning:
- Running legacy programs in Windows 2000 requires permission to modify certain
system settings. The same default permissions that allow a Terminal Server User to run
legacy programs also make it possible for a Terminal Server User to gain additional
privileges on the system, even complete administrative control. Applications that are
certified for Windows 2000 can run successfully under the secure configuration
provided by the Users group. For more information, see Securing Windows 2000
Installations at the Microsoft Security Advisor Web site.
Note:
- When Terminal Server is installed in remote administration mode, users logged on using
Terminal Server will not be members of this group.
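The audit below is an added example (not part of the help text) for the recommendation above that end users belong to the Users group only: it prints the members of the default groups and, given a user name as its first argument, warns if that user also sits in Administrators, Power Users or Backup Operators, the three groups whose default permissions the warnings above describe as a path to additional privileges. It uses only net.exe and findstr.exe, both present on Windows 2000, and makes no changes.

```batch
@echo off
rem Added example (not from the Windows 2000 help text): list who holds the
rem privileged default groups so that ordinary end users can be confirmed to
rem be in Users only. Uses net.exe and findstr.exe (present on Windows 2000).
rem Read-only. Optional first argument: a user name to check specifically.
setlocal

for %%G in (Administrators "Power Users" "Backup Operators" Users) do (
    echo === Members of %%~G ===
    rem "net localgroup" prints a header, a rule of dashes and a trailing
    rem status line; drop those so only member names remain.
    net localgroup %%G | findstr /V /B /C:"Alias name" /C:"Comment" /C:"Members" /C:"----" /C:"The command"
    echo.
)

if "%~1"=="" goto :eof

rem An end user should appear in Users and nowhere else. Match the whole
rem line (/X), case-insensitively (/I), against each member list.
set FOUND=0
for %%G in (Administrators "Power Users" "Backup Operators") do (
    net localgroup %%G | findstr /I /X /C:"%~1" >nul && (
        echo WARNING: %~1 is a member of %%~G
        set FOUND=1
    )
)
if "%FOUND%"=="0" echo OK: %~1 is not in Administrators, Power Users or Backup Operators.
endlocal
```

On a domain member, names that come from the domain are listed as DOMAIN\user, so pass the name in that form when checking a domain account.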
Shared Folders shows you three lists:
- Shares: Lists all the shared files and folders on your computer.
- Sessions: Lists all the users connected to your computer.
- Open Files: Lists all the files on your computer currently opened by other users.
Using Shared Folders, you can create, view, and set permissions for shared files and
folders.
- Open Computer Management (Local).
- In the console tree, click Shared Folders.
Notes:
- To open
Computer Management, click Start, point to Settings, and then click Control
Panel. Double-click Administrative Tools, and then double-click Computer
Management.
- For information about using Shared Folders, click the Action menu in Computer
Management, and then click Help.
Conditional processing symbols
Conditional processing symbols give you control over the execution of commands.
Processing Commands Conditionally
You use conditional processing symbols to issue multiple commands from the same prompt
and to act based on the results of a command.
- The ampersand (&) separates multiple commands on one command line.
- Parentheses group multiple commands.
- The semicolon or comma (; ,) separate command parameters.
- The caret (^) cancels a subsequent command symbol's special meaning so you can use a
command symbol as text.
- The double ampersand (&&) causes the command following this symbol to run only
if the command preceding the symbol is successful.
- The double pipe (||) causes the command following this symbol to run only if the command
preceding the symbol fails.
To disable automatic address configuration
- Open Registry Editor.
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes
to the registry, you should back up any valued data on the computer. You can also use the Last
Known Good Configuration startup option if problems are encountered after manual
changes have been applied.
- In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\adapter_name
- Create the following entry:
IPAutoconfigurationEnabled: REG_DWORD
- Assign a value of 0 to disable Automatic Private IP Addressing (APIPA) support
for the selected network adapter.
- Close Registry Editor.
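The batch script below is an added example, not from the help text, that joins the two sections above: it performs the APIPA registry change from the command line and uses the conditional processing symbols (&, &&, ||, parentheses and ^) to make each step depend on the one before it. It assumes reg.exe is available (built into Windows XP and later; on Windows 2000 it came separately), and it takes the adapter's key name as its first argument, because that name (the adapter_name placeholder in the key path above) differs on every computer. The backup file path under %TEMP% is the script's own choice.

```batch
@echo off
rem Added example (not from the Windows 2000 help text): disable APIPA on one
rem adapter from the command line, gating each step on the previous one with
rem the conditional processing symbols. Assumes reg.exe is available (built
rem into Windows XP and later; a separate download on Windows 2000). The
rem adapter key name is the first argument and must be supplied by the caller,
rem because the interface name under Interfaces differs on every computer.
setlocal
if "%~1"=="" (
    rem The caret keeps < and > from being read as redirection.
    echo Usage: %~nx0 ^<adapter_key_name^>
    echo Find the name under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
    exit /b 1
)
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%~1"
set "BACKUP=%TEMP%\tcpip-%~1-%RANDOM%.reg"

rem "&" runs the second command unconditionally; "&&" runs it only if the
rem first succeeded; "||" only if it failed. Here the caret escapes "&" so
rem that echo prints the symbol instead of the line being split in two.
echo Step 1: verify the key exists ^& back it up to %BACKUP%
reg query "%KEY%" >nul 2>&1 || (echo Key not found: %KEY% & exit /b 1)
reg export "%KEY%" "%BACKUP%" >nul && echo Backup written || (echo Backup failed & exit /b 1)

rem Step 2 is grouped in parentheses: the group succeeds only if the write
rem and the read-back both succeed, and "||" reports any failure once.
echo Step 2: set IPAutoconfigurationEnabled = 0 (REG_DWORD)
(
    reg add "%KEY%" /v IPAutoconfigurationEnabled /t REG_DWORD /d 0 /f >nul && reg query "%KEY%" /v IPAutoconfigurationEnabled
) && echo APIPA disabled for adapter %~1 || echo Write failed; restore with: reg import "%BACKUP%"
endlocal
```

The backup step is the command-line equivalent of the Caution above: a .reg file exported before the change can be imported back with reg import if the new setting causes a problem.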
To disable a network component
- Open Network and Dial-up Connections.
- Right-click the connection on which you want to disable a network component, and then
click Properties.
- Do one of the following:
- If this is a local area connection, in Components checked are used by this connection,
clear the check box next to the client, service, or protocol you want to disable.
- If this is a dial-up, VPN, or incoming connection, on the Networking tab, in Components
checked are used by this connection, clear the check box next to the client, service,
or protocol you want to disable.
Note:
- To open
Network and Dial-up Connections, click Start, point to Settings, and then
click Network and Dial-up Connections.
To enable a network component
- Open Network and Dial-up Connections.
- Right-click a connection, and then click Properties.
- Do one of the following:
- If this is a local area connection, in Components checked are used by this connection,
select the check box next to the client, service, or protocol you want to enable.
- If this is a dial-up, VPN, or incoming connection, on the Networking tab, in Components
checked are used by this connection, select the check box next to the client, service,
or protocol you want to enable.
Notes:
- To open
Network and Dial-up Connections, click Start, point to Settings, and then
click Network and Dial-up Connections.
- You should only enable the network components that you need, for the following reasons:
- Network performance is enhanced and network traffic is reduced when only the required
protocols and clients are enabled.
- If Windows 2000 encounters a problem with a network or dial-up connection, it attempts to establish connectivity by using every network protocol that is installed and enabled. By enabling only the protocols that your system can use, Windows 2000 does not attempt to connect with protocols it cannot use, and returns status information to you more efficiently.
- Excessive services can hinder performance on your local computer.
Device Manager provides you with information about how the hardware on your computer is
installed and configured, and how the hardware interacts with your computer's programs.
You can also use Device Manager to check the status of your hardware and update device
drivers for the hardware installed on your computer.
Open Device Manager.
Notes:
- You must be
logged on as an administrator or a member of the Administrators group in order to complete
this procedure. If your computer is connected to a network, network policy settings may
also prevent you from completing this procedure.
- To open Device Manager, click Start, point to Settings, and then click Control
Panel. Double-click System, click the Hardware tab, and then click Device
Manager.
- For information about using Device Manager, click the Action menu in Device
Manager, and then click Help.
When you install a Plug and Play device, Windows 2000 automatically configures the
device so it will work properly with the other devices that are installed on your
computer. As part of that configuration process, Windows 2000 assigns a unique set of
system resources to the device you are installing. These resources can include one
or more of the following:
- Interrupt request (IRQ) line numbers.
- Direct memory access (DMA) channels.
- Input/output (I/O) port addresses.
- Memory address ranges.
Each resource that is assigned to your device must be unique or the device does not
function properly. For Plug and Play devices, Windows 2000 automatically ensures that
these resources are configured properly.
Occasionally, two devices require the same resources, resulting in a device conflict. If this occurs, you can manually change the resource settings to be sure that each setting is unique. However, sometimes two devices can share a resource, such as interrupts on PCI devices, depending on the drivers and computer.
When you install a non-Plug and Play device, the resource settings for the device are
not automatically configured. Depending on the type of device you are installing, you may
have to manually configure these settings, which should be supplied in the instruction
manual that came with your device.
Generally, you should not change resource settings manually, because when you do so,
the settings become fixed, and Windows 2000 will then have less flexibility when
allocating resources to other devices. If too many resources become fixed,
Windows 2000 may not be able to install new Plug and Play devices.
You can configure devices using the Add/Remove Hardware wizard in Control Panel or the
Device Manager.
Important
- Changing resource settings improperly can disable your hardware and cause your computer
to malfunction or be inoperable. Resource settings should only be changed if you are
certain the new settings do not conflict with other hardware, or if a hardware
manufacturer has provided you with specific resource settings for a device.
Using MMC snap-ins
Microsoft Management Console (MMC) hosts administrative tools that you can use to
administer computers, services, other system components, and networks. You can add one or
more of these administrative tools, called snap-ins, to the console by following the
procedure below.
- Open MMC.
- On the Console menu, click Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Add Standalone Snap-in dialog box, click the snap-in you want to add to
the console and then click Add.
- You can add additional snap-ins by repeating steps 2 through 4.
Notes:
- To open MMC, click Start, click Run, and then type mmc.
- For information about using a snap-in, click the Action menu in MMC, and then
click Help.