Several workstation has C:\Users folder being shared
Posted by No-Return-2260@reddit | sysadmin | View on Reddit | 24 comments
During my recent testing of scanning workstations for open shared folders in our network, I noticed that some workstations in our bank are showing the C:\Users folder, but without any files inside. My colleague mentioned that this might be a default setting in Microsoft Windows.
Is there any way we can determine why some workstations are sharing the Users folder in C:\Users?
Any recommendations on how to remove C:\Users from all workstations would be highly appreciated. By the way, we successfully ran a script in BigFix to remove C:\Users from selected computers. However, we’d like to understand why it’s being shared before rolling it out to all workstations.
SmallBusinessITGuru@reddit
Likely related to network discovery/home user settings that may also exist in the Pro/Enterprise version of Windows.
Check Public Sharing setting?
Broad_Canary4796@reddit
One easy answer could just be something dumb someone did years ago, might have been troubleshooting something and did the easy fix instead of the correct one. Do you know how long these machines have been in circulation and do you know if it does it on brand new machines joined to the domain? You said some workstations so maybe they have something in common like in the same OU or have a specific software installed or maybe they are old and just have the remnants of one of those 2 things that didn’t get removed somehow.
If it doesn’t do it on new machines with all of your software installed I wouldn’t worry. If you notice it after joining to the domain or after any particular software is installed then you probably found the answer (or at least can narrow it down).
No-Return-2260@reddit (OP)
Personally, I have also encountered the C:\Users folder being shared, even though I had no intention of sharing it with everyone. My laptop was freshly deployed from a golden image before being delivered to my office. In contrast, some older computers, which have been in use for over a year, do not have their network folder shares accessible, while others are sharing the C:\Users folder.
Are you suggesting that there could be specific software with the capability to share the C:\Users folder with everyone?
Also, is there any specific Event ID we can check to detect if someone is sharing their folder with "Everyone," which we could log in our SIEM?
Broad_Canary4796@reddit
It’s entirely possible, especially if you have software that requires admin credentials to install (aka most). Why they would do that is another question all together. Also what kind of file and sharing permissions are on the folder?
Is it possible it’s the image that has the folder shared for some reason? If older computers don’t have it, but then someone updated the image you use and shared that folder for some reason it will be copied to every computer you deploy using that image.
I’m not sure about event logs for when permissions change. I forget which sysinternals program it is but you can run a program while you install something and see everything it does, all the files created/deleted, registry changes, folder changes. I’m heading to bed or I would look but it’s one of them. Very useful for tracking down what happens when you make changes to something in order to figure out how to push a setting across to multiple computers without doing it manually.
That’s what I would do if you wanted to narrow it down to anything that is being manually installed if it’s not the image itself.
No-Return-2260@reddit (OP)
This is the example of the users folder was being shared in the network.
No-Return-2260@reddit (OP)
this is the content inside the users folder
miharixIT@reddit
I think some could made this (probably GPO +script) for another script to somehow central manage what users see on their desktops. Or also maybe also copy some other files on their desktops (and forgot to hide from everyone)
Stonewalled9999@reddit
crappy copier vendor likely did the "scan to PC" so it can land in users Docs folder.
You will not want to remove C:\Users you'd want to unshare it.
Ihadanapostrophe@reddit
I think it might be this.
The C:\Users folder is shared when any sub folders from C:\Users\\ is shared
It was expected behavior in Vista and 7. It doesn't mention later OS versions, but it doesn't explicitly state that the behavior has changed either.
This post led me to the top link.
The main suggestion is to go to "File" > "Properties" > "Sharing" > "Advanced Sharing" and uncheck the Share button.
BlackV@reddit
it is Not a default settings in windows to share
c:\userswhat do you mean
do you actually mean
cause those are 2 wildly different things
No-Return-2260@reddit (OP)
This is what we observed when checking each IP with the Users folder being shared on the network. We want to understand if this is a default setting in Windows or if there’s a specific cause for it being shared.
We are in the process of rolling out the removal of the Users folder from being shared across the network, and any insights into the reason for this sharing would be helpful.
ConfectionCommon3518@reddit
Generally drag the person in to a meeting and ask them as it's the easiest answer, there's got to be a reason be it sharing pr0n or some application deployed didn't work and the support team were as useless as a chocolate teapot so things had to be done.
BlackV@reddit
thanks for the clarification, no deffo not a default setting
so something like
or
to get the removal done ?
No-Return-2260@reddit (OP)
thank for the clarification too. but we have script to remove c:\users across bank network thru bigfix and we will coordinate your command if its applicable to run in powershell.
we just want to know or Is there any way we can determine why some workstations are sharing the Users folder in C:\Users (aside from the users being intended to share to everyone).
Personally, I have also encountered the C:\Users folder being shared, even though I had no intention of sharing it with everyone. My laptop was freshly deployed from a golden image before being delivered to my office. In contrast, some older computers, which have been in use for over a year, do not have their network folder shares accessible, while others are sharing the C:\Users folder.
New-Pop1502@reddit
You might have Windows audit logs stored locally on the computer if they have been previously enabled. You're looking for the "Audit File Share" log or "Audit Detailed File Share".
BlackV@reddit
you keep saying that it does not get less scary when you mean
that aside
unless you have audit logs enabled, I highly doubt it, and unless you send your logs off to a SIEM system (you are a bank so it is possible), I'd doubt it too cause you have no idea when these shares were created, could have been last week, could have been last year
that does not clarify anything, you follow up with
how do you know its not something your deployment is doing (and intermittently failing to undo)?
to me sounds like someone creating the share for ease of access (helpdesk member/admin/etc) then not turning it off
so have you ever seen this outside of your bank system ? I can say I ever have (er.. without someone turning it on that is)
disclosure5@reddit
Look at what apps are installed. A certain fundraising app shares C:\Users to all users by default when installed for example.
No-Return-2260@reddit (OP)
All installed applications are provided by the bank, and users are not permitted to install third-party applications. computers are based on the golden image
disclosure5@reddit
And what apps are in the golden image?
To be clear, what you're running into is not a Windows setting, something is doing it when installed.
No-Return-2260@reddit (OP)
microsoft office, vmware, inhouse application, antivirus, winrar, chrome
disclosure5@reddit
I guess it's time to grab a machine without that in house application and see if it has that problem.
IdiosyncraticBond@reddit
And then install one package at a time to find the culprit
Megafiend@reddit
I assume a user has done something stupid, and it's not been undone.
as others have said, you should be clearer: when you say "remove C:\Users" do you mean remove the share?
Removing C:\Users is a good way to cause a bunch of incidents.
Nicholas_____@reddit
Windows file sharing will automatically create the share when you share a file or folder in your user directory.