Article ID: 72274
Article Type: Best Practices
Last Modified:
On Windows servers, hidden administrative shares are created automatically so that administrators, programs, and services can use these shares to access and manage these resources. Administrative shares pose a security vulnerability and must be disabled on the Servers/MediaAgents hosting the shares. These shares should not be used in Commvault software and should be removed immediately if they are used in existing configurations. Administrative shares can be used to setup the following features in Commvault software:
Typically, a dollar ($) is used to denote the shared partition or volume. For example: \\MyServer\E$\. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as described in the following sections.
In Commvault Platform Release 2022E (11.28) and earlier releases, administrative shares are permitted. If your existing setup is configured to use an administrative share, remove the share, and reconfigure the path as follows:
****IMPORTANT: ****Do not use Administrative shares for subsequent configurations in your environment.
Commvault Platform Release 2023 (11.30) and more recent releases do not allow administrative shares.
When you install a MediaAgent or upgrade an existing MediaAgent, you will see the following critical event in the Event Viewer:
Administrative shares are enabled on the MediaAgent [ ] which could lead to potential security exploits, please review and take necessary steps.
Remove administrative shares in Windows Server. For more information, see How to remove administrative shares in Windows Server on the Microsoft troubleshooting documentation site.
Subsequently, when you try to configure a mount path in a disk library, or an export location for disaster recovery (DR) backups using an administrative share, you will receive the following error message:
Configuring mount path using administrative shares is not allowed.
For existing paths that point to an administrative share, administrative users will receive the following security alert once every 24 hours:
Administrative shares configured.
Perform the following steps to reconfigure the administrative shares and stop receiving the security alerts:
Configuring mount path using administrative shares is not allowed.