What do those dollar signs on shares do?

Most Windows administrators have used “hidden shares” from time to time.

“net use * \\computer\c$” gives you a share, if you have access, to the C: drive on the named computer.

Occasionally, someone will suggest that hidden shares are a great security measure, allowing you to create shares that are inaccessible to anyone who doesn’t know the mystic magic incantation. Okay, so C$ and D$ are obvious, but ABRACADABRA$, who’s going to know that exists?

For a while, it’s been demonstrated by a number of my favourite security tools – Jesper Johansson, Mark Russinovich (or rather, the tools these security tool gurus wrote) – that these hidden shares are really hidden by the client.

Yes, hidden by the client. That means that when your program enumerates the shares on a remote server, all the shares, including the hidden ones, come back in the list of shares, and the clients choose whether to display them all or hide the ones with a dollar sign at the end.

I am reminded of the Ravenous Bugblatter Beast of Traal.

Clearly, someone at Microsoft got as sick as I do of having to face people who say “ah, but only the really clever hackers will have access to those tools” (forgetting, conveniently, that I have access to the tools, so it’s really not that special).

In Windows Vista, you can now see all the hidden shares by running the single command “net view \\computer /all”.

Doubtless someone will say what a horrible stupid and generally bad-for-security thing this is that Microsoft has done, because it now means that everyone can see all your hidden shares.

Me? I think it’s about time that people stopped hiding stuff in ways that require the client to be well behaved in order for them to stay hidden. I plan to include “net view \\computer /all” in my toolkit for scaring the unwary and the unwise into taking real security measures rather than covering everything in their security blanket.
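As an added example (not part of the original post), this PowerShell audit lists the non-default dollar-suffixed shares on a server you administer and shows who the share permissions actually admit, which is the control that counts once the name is no secret. It assumes the SmbShare module's Get-SmbShare and Get-SmbShareAccess cmdlets (Windows 8 / Server 2012 and later); the $ComputerName parameter and the $broad list are illustrative choices.

```powershell
# Added example: audit "hidden" (dollar-suffixed) shares on a server you administer.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later) and admin rights.
param(
    [string]$ComputerName   # illustrative parameter; omit to audit the local machine
)

# Illustrative list of broad principals (English names). A hidden share that
# admits any of these is protected by nothing except its name.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
         'NT AUTHORITY\ANONYMOUS LOGON'

$session = $null
$target  = @{}
if ($ComputerName) {
    $session = New-CimSession -ComputerName $ComputerName
    $target.CimSession = $session
}

try {
    # The server hands back every share; hiding "$" names is left to the client.
    $report = foreach ($share in Get-SmbShare @target) {
        if (-not $share.Name.EndsWith('$')) { continue }   # visible shares: not our subject
        if ($share.Special) { continue }                   # built-in C$, ADMIN$, IPC$

        # Share-level grants: this, not the name, decides who gets in.
        $grants = Get-SmbShareAccess @target -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' }

        foreach ($g in $grants) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $g.AccountName
                Right   = $g.AccessRight
                Broad   = $broad -contains $g.AccountName
            }
        }
    }
    $report | Sort-Object Share, Account | Format-Table -AutoSize
}
finally {
    if ($session) { Remove-CimSession $session }
}
```

Rows with Broad set to True are shares relying on the dollar sign alone. Share permissions combine with the NTFS ACL on the path, so review that ACL as well before calling a share locked down.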
