Do You Still Hide Your Share$?

Security
Published Mar 1, 2009 Updated Jun 22, 2021

Fighting Another Legacy of the NT Era

Hiding network shares by appending a dollar sign is a common practice among administrators. While by itself that is neither good nor bad, it is a perfect example of how customs establish themselves in the IT industry in exactly the same way they do in other subcultures. Putting it differently, another fine specimen of an IT legend.

Although I would very much like to, I cannot provide a history of how and when the dollar share custom got established. What I can say is that when I started my IT career in the late 90s, the custom was already prevalent. “Good” administrators hid their shares, whilst “bad” or careless admins did not. It has been a source of pride for many an administrator (including myself for a long time) to have an “invisible” network. The benefits? Apart from feeling good about running a tight ship, security (apparently) is guaranteed and end-users do not get confused by the myriad of shares.

Security…

Do you still think dollar shares are hidden? I myself did until recently when a colleague mentioned that I was very much mistaken, indeed. At first, I would not believe him, but I soon realized that filtering of shares is not done at the (file) server, but at the client.

What? The client?!!

If there is one golden rule in security, it is this: “Never trust the client”. Sending information to the client it is not supposed to see is a no-go.

But then, not everybody adheres to this simple principle. Or knows about it. The dollar share issue probably dates back to the LAN Manager days, when security was associated with bodyguards, not IT systems.

…by Obscurity

One way or another, the problem with dollar shares is this: the server always sends a full list of its shares to any client asking for them. It lies in the “responsibility” of the client to filter out the dollar shares. Such a methodology obviously cannot last forever: There are tools out there in the wild, wild net that disrespectfully ignore the etiquette and display all shares returned by the server. One of the more respectable of such tools is by now owned by Microsoft itself, Sysinternals ShareEnum. Another one is even built into the operating system starting with Vista: net view \\computername /all.

Moving on

Using dollar shares obviously is superfluous. It adds a layer of security that is only felt by the administrator but really does not exist.

One open question remains: How to hide unnecessary folders from end users. The answer is simple: Use DFS in conjunction with access-based enumeration (ABE).

References:

“Tales from the Crypto” on dollar shares

DFS IT Legend Security

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users

This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.

Blocking Office Macros, Managing Windows & macOS via Intune

Blocking Office Macros, Managing Windows & macOS via Intune

How to centrally manage essential security settings of self-managed devices This is a guest post by Martin Kretzschmar, customer success engineer at vast limits, the uberAgent company. One thing I especially like about my everyday working life is the flexibility it offers. I appreciate the freedom of choice in terms of location, time and device. We want to avoid getting into micro-management but, being an IT company, we also need to provide the necessary security where needed.

WLAN Security - Beware of (Unknown) Wi-Fi Hotspots

WLAN Security - Beware of (Unknown) Wi-Fi Hotspots

In its issue 1/2012 German c’t magazine published an article about security in Wi-Fi networks. The authors describe how very easy it is to gain access to other people’s accounts and passwords in a world where travelers happily connect to any wireless network they can get hold of. This is a short summary of the original article, intended to highlight the dangers.

How to Check the TPM Status & Enable the CPU's fTPM/PTT

How to Check the TPM Status & Enable the CPU's fTPM/PTT

The recent Windows 11 announcement has created a lot of confusion due to the requirement for a trusted platform module (TPM). This article explains why your machine almost certainly has a TPM, how to check the TPM status and how to enable the TPM that comes with your CPU.

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.