Article ID: 72274
Article Type: Best Practices
Last Modified:
On Windows servers, hidden administrative shares are created automatically so that administrators, programs, and services can use these shares to access and manage these resources. Administrative shares pose a security vulnerability and must be disabled on the Servers/MediaAgents hosting the shares. These shares should not be used in Commvault software and should be removed immediately if they are used in existing configurations. Administrative shares can be used to setup the following features in Commvault software:
Typically, a dollar ($) is used to denote the shared partition or volume. For example: \\MyServer\E$\. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as described in the following sections.
In Commvault Platform Release 2022E (11.28) and earlier releases, administrative shares are permitted. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as follows:
****IMPORTANT: ****Do not use Administrative shares for subsequent configurations in your environment.
Commvault Platform Release 2023 (11.30) and more recent releases do not allow administrative shares.
When you install a MediaAgent, you will see the following critical event in the Event Viewer:
Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect,
****IMPORTANT: **** The MediaAgent must be restarted for the configuration to take effect.
Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, you will receive the following error message:
Configuring mount path using administrative shares is not allowed.
When you upgrade a MediaAgent, you will see the following critical event in the Event Viewer: ** Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect.** ****IMPORTANT: **** The MediaAgent must be restarted for the configuration to take effect.
For existing paths that point to an administrative share, administrative users will receive the Security Alert: Administrative shares configured alert, once every 24 hours. Perform the following steps to reconfigure the administrative shares. This will also turnoff the alert:
When you upgrade the MediaAgent, you will see the following critical event in the Event Viewer: ** Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect.** ****IMPORTANT:**** The MediaAgent must be restarted for the configuration to take effect.
Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, the following error message will be displayed: ** Configuring mount path using administrative shares is not allowed.**