Removing Administrative Shares from Windows Servers

On Windows servers, hidden administrative shares are created automatically so that administrators, programs, and services can use these shares to access and manage these resources. Administrative shares pose a security vulnerability and must be disabled on the Servers/MediaAgents hosting the shares. These shares should not be used in Commvault software and should be removed immediately if they are used in existing configurations. Administrative shares can be used to setup the following features in Commvault software:

• As a mount path in a Disk library
• As the export location for Disaster Recovery (DR) backups

Typically, a dollar ($) is used to denote the shared partition or volume. For example: \\MyServer\E$\. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as described in the following sections.

For Commvault Platform Release 2022E (11.28) and Earlier Releases

In Commvault Platform Release 2022E (11.28) and earlier releases, administrative shares are permitted. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as follows:

1. Create the share as a dedicated share using specific user credentials with read/write access to the share. For more information, see File sharing over a network in Windows on the Microsoft support site.
2. Modify the existing configuration and reconfigure the path with the dedicated share. For more information, see the following topics:
   1. Reconfiguring Mount Paths that Use Administrative Share
   2. Configuring a Local Drive or Network Share as the Export Destination for Disaster Recovery (DR) Backups
3. Disable administrative shares on the server as described Microsoft article on How to remove administrative shares on the Microsoft documentation site.
4. Restart the MediaAgent for the configuration to take effect.

****IMPORTANT: ****Do not use Administrative shares for subsequent configurations in your environment.

For Commvault Platform Release 2023 (11.30) and Subsequent Releases

Commvault Platform Release 2023 (11.30) and more recent releases do not allow administrative shares.

New MediaAgent Installations or Existing MediaAgents That DO NOT Have Administrative Shares

When you install a MediaAgent or upgrade an existing MediaAgent, you will see the following critical event in the Event Viewer:

Administrative shares are enabled on the MediaAgent [ ] which could lead to potential security exploits, please review and take necessary steps.

Remove administrative shares in Windows Server. For more information, see How to remove administrative shares in Windows Server on the Microsoft troubleshooting documentation site.

Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, you will receive the following error message:

Configuring mount path using administrative shares is not allowed.

Existing MediaAgents That Have Administrative Shares

For existing paths that point to an administrative share, administrative users will receive the following security alert once every 24 hours:

Administrative shares configured.

Perform the following steps to reconfigure the administrative shares and stop receiving the security alerts:

1. Create the share as a dedicated share using specific user credentials with read/write access to the share. For more information, see File sharing over a network in Windows on the Microsoft support site.
2. Modify the existing configuration and reconfigure the path with the dedicated share. For more information, see the following topics:
   1. Reconfiguring Mount Paths that Use Administrative Share
   2. Configuring a Local Drive or Network Share as the Export Destination for Disaster Recovery (DR) Backups
3. Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, the following error message will be displayed:

Configuring mount path using administrative shares is not allowed.