How to disable administrative shares on workstations through Group Policy and avoid spending time on pesky virus infections
Large companies sometimes have problems with a virus that really loves administrative shares on other workstations (i.e. c$ and admin$); it will try to break into these to spread itself directly. The easy option, of course, is to kill the virus or, even better, harden administrative users and not use administrator rights for normal users! But until that is an easy, non-political and not so time-consuming task, why not disable the administrative shares on the workstations altogether?
Seems like a perfect thing to do with Group Policy. Unfortunately the setting does not exist in Group Policy by default, so once we find the registry key we need to change, a small custom administrative template will do the trick. The same approach can be used for other registry changes needed with Group Policy.
We might also want the option to easily enable the administrative shares again later, as they might be used by applications, services, automated installations, etc. Here is how to do it quickly and easily.
Create a file named adminshares.adm with the content below, under C:\windows\inf on the server you edit your GPOs with.
CLASS MACHINE
CATEGORY !!category1
  CATEGORY !!category2
    POLICY !!policyname
      EXPLAIN !!DefaultSharesExplain
      KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\"
      VALUENAME "AutoShareWks"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category1="Network"
category2="Sharing"
policyname="AdministrativeShares"
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled"
Create a new GPO, right-click Administrative Templates, and add the administrative template you just created.
Click the machine Administrative Templates, go into View, Filtering, and uncheck “Only show policy settings that can be fully managed”; the setting is shown in the top picture. Basically this allows the GPO Editor to show settings that are not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.
Open Administrative templates – Network – Sharing
Enable or disable administrative shares.
Done. Might be possible to do this easier, but my Google results haven't found it. Feel free to add information.
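To confirm on a workstation that the policy has applied, the following added example (not part of the original post) reads the same AutoShareWks value and lists the administrative disk shares that still exist. The function name Get-AdminShareState and its State labels are made up for illustration; it assumes PowerShell 3.0 or later and that existing shares only disappear once the Server service restarts or the machine reboots.

```powershell
# Added example: report whether the AutoShareWks setting has taken effect locally.
function Get-AdminShareState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # AutoShareWks is absent by default; absent or 1 means the shares are auto-created.
    $prop  = Get-ItemProperty -Path $key -Name 'AutoShareWks' -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.AutoShareWks } else { $null }

    # Win32_Share type 2147483648 (0x80000000) marks administrative disk shares
    # such as C$ and ADMIN$. IPC$ has a different type and is not controlled
    # by AutoShareWks.
    $shares = @(Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object -ExpandProperty Name)

    $state = if ($value -eq 0 -and $shares.Count -eq 0) {
        'Disabled'
    } elseif ($value -eq 0) {
        # Value is written, but the Server service has not restarted since.
        'DisabledPendingRestart'
    } elseif ($shares.Count -eq 0) {
        # Shares were removed by hand; they come back at the next restart.
        'EnabledSharesMissing'
    } else {
        'Enabled'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        AutoShareWks = if ($null -eq $value) { 'not set' } else { $value }
        AdminShares  = $shares -join ','
        State        = $state
    }
}

Get-AdminShareState
```

A State of DisabledPendingRestart means the GPO has written the value but C$ or ADMIN$ are still reachable until the next restart.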
Actually, this is perfectly do-able in GP Preferences–there is an option to remove all administrative or non-admin shares from target systems.
[...] to blog about some useful features in GP Preferences that often slip through the cracks. I saw a blog post today about how you could use a custom ADM file to remove administrative shares on Windows systems. [...]
Hi Darren,
Excellent information, Group Policy Preferences definitely is nice when it is possible to use it.
Unfortunately it is not always possible to update old clients to work with Group Policy Preferences, however if you are looking at this post and have access to GP Preferences I would recommend taking a look at Darren's blog post about how to use that here http://sdmsoftware.com/blog/2010/06/22/controlling-shares-on-windows-systems/
For the customer I used this specific example, they have some 25.000 workstations controlled by multiple sub-organizations who all independently decide when and how to upgrade their machines.