Disabling Admin Shares

[remko.de.koning]

Our HeadOffice is currently implementing a plan to increase cyber security throughout the company.
In my opinion a good thing and this should always be on top of our to-do list.

They have created a list of items we should be working on.
Most of the items are simply best practices but one of the items caught my attention.

• Disable the default (hidden) Admin Shares c$, d$, etc.

By disabling the default admin shares they believe that automated malicious software has less change to success.
Also the comment is that the names of the hidden admin shares are well known by hackers so by renaming the default shares to something like c-drive$ it is less of a risk.

I tried to debunk this false sense of security by mentioning the with a simple command (non-admin) you can query all hidden shares of a particular machine.

net view \\servername /all

But still they want the shares to be disabled.
I also know that these shares are here for a reason. They are used by many software applications and I assume Veeam is also one of these.

So my question is: Let's say we would disable these default admin shares. What would break in Veeam Agent and HyperV backups?

Has anyone even considered doing this or is it a VERY BAD idea?
I have my doubts on this but perhaps my knowledge is outdated and can this be done without any issues ?!?!

Like to hear your thoughts.

Remko

[Mildur]

Application aware processing with veeam will stop working and will only be possible with the persistent guest Agent for AAP (VBR V11). The Veeam Installer Service needs to be installed manually before you can use persistent guest agent.

Automatic Veeam Agent installation and upgrade will not work, you need to do it manually.

Updating Veeam components on The HyperV Host itself and other managed servers like backup repo or off host proxy server will also stop working. If you update your veeam server, the admin share is necessary for this components to be automatically updated.

[nikolaj]

Hi Remko,

Yes, Mildur is right. If network shares are disabled on the proxy or on VMs, VBR won't be able to upload their components and that might cause an issue.
However, on the VBR server itself, there's no functionality that would break if you disable admin shares.
But if I'm not mistaken, those shares are only accessible to local administrators of the server. So if those accounts get compromised, there's little one could do to prevent the intrusion.

Thanks.

[remko.de.koning]

Thanks for the feedback and the confirmation of my thoughts.
Much appreciated.

Most probably it will break other applications as well. Software deployment software, antivirus, etc.
Perhaps the same goal can be reached by different means but disabling these shares (although possible) does not sound like the best approach.