Removing Administrative Shares from Windows Servers

Article ID: 72274

Article Type: Best Practices

Last Modified:

On Windows servers, hidden administrative shares are created automatically so that administrators, programs, and services can use these shares to access and manage these resources. Administrative shares pose a security vulnerability and must be disabled on the Servers/MediaAgents hosting the shares. These shares should not be used in Commvault software and should be removed immediately if they are used in existing configurations. Administrative shares can be used to setup the following features in Commvault software:

Typically, a dollar ($) is used to denote the shared partition or volume. For example: \\MyServer\E$\. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as described in the following sections.

For Commvault Platform Release 2022E (11.28) and Earlier Releases

In Commvault Platform Release 2022E (11.28) and earlier releases, administrative shares are permitted. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as follows:

  1. Create the share as a dedicated share using specific user credentials with read/write access to the share. For more information, see File sharing over a network in Windows on the Microsoft support site.
  2. Modify the existing configuration and reconfigure the path with the dedicated share. For more information, see the following topics:
    1. Reconfiguring Mount Paths that Use Administrative Share
    2. Configuring a Local Drive or Network Share as the Export Destination for Disaster Recovery (DR) Backups
  3. Disable administrative shares on the server as described Microsoft article on How to remove administrative shares on the Microsoft documentation site.
  4. Restart the MediaAgent for the configuration to take effect.

****IMPORTANT: ****Do not use Administrative shares for subsequent configurations in your environment.

For Commvault Platform Release 2023 (11.30) and Subsequent Releases

Commvault Platform Release 2023 (11.30) and more recent releases do not allow administrative shares.

New MediaAgent Installations

When you install a MediaAgent, you will see the following critical event in the Event Viewer:

Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect,

****IMPORTANT: **** The MediaAgent must be restarted for the configuration to take effect.

Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, you will receive the following error message:

Configuring mount path using administrative shares is not allowed.

Existing MediaAgents That Have Administrative Shares

When you upgrade a MediaAgent, you will see the following critical event in the Event Viewer: ** Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect.** ****IMPORTANT: **** The MediaAgent must be restarted for the configuration to take effect.

For existing paths that point to an administrative share, administrative users will receive the Security Alert: Administrative shares configured alert, once every 24 hours. Perform the following steps to reconfigure the administrative shares. This will also turnoff the alert:

  1. Create the share as a dedicated share using specific user credentials with read/write access to the share. For more information, see File sharing over a network in Windows on the Microsoft support site.
  2. Modify the existing configuration and reconfigure the path with the dedicated share. For more information, see the following topics:
    1. Reconfiguring Mount Paths that Use Administrative Share
    2. Configuring a Local Drive or Network Share as the Export Destination for Disaster Recovery (DR) Backups
  3. Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, the following error message will be displayed: **  Configuring mount path using administrative shares is not allowed.**
Existing MediaAgents That DO NOT Have Administrative Shares

When you upgrade the MediaAgent, you will see the following critical event in the Event Viewer: **    Administrative shares on MediaAgent [ ] is disabled to prevent security exploits. Please restart the MediaAgent for the config to take effect.** ****IMPORTANT:**** The MediaAgent must be restarted for the configuration to take effect.

Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, the following error message will be displayed: **  Configuring mount path using administrative shares is not allowed.**

1 Commvault Way, Tinton Falls, NJ 07724 Sitemap | Legal Notices | Trademarks | Privacy Policy
Copyright © 2022 Commvault | All Rights Reserved.