COMMAND

    Incorrect Permissions for CD-ROM Administrative Shares

SYSTEMS AFFECTED

    Windows 2000

PROBLEM

    Shelton Kwan found the following. His policy is to rename CD-ROM
    drives from the default letter assigned by Windows 2000 to H:\,
    because this causes less confusion when extra drives are added.

    The problem is this. If you rename the drive from, say, the
    default of D:\ to H:\, the next reboot (or a restart of the Server
    service) will create an H$ administrative share. As with a regular
    admin share, you cannot view the permissions on this share. But
    simple testing (enabling Guest and having an outside machine
    connect to \\x.x.x.x\h$) suggests that "Everyone" has either
    read-only or full access to the drive.

    From this point on, even if you rename the drive back to the
    default of E:\, Windows 2000 will still create an admin share for
    this drive and will not restrict it to Administrators and Backup
    Operators. Most people do not rename their drives, so they did
    not see the problem.

SOLUTION

    http://support.microsoft.com/support/kb/articles/Q172/5/20.ASP
    describes the AllocateCDRoms registry key, which prevents CD-ROM
    drives from being made available to anyone other than the user
    currently logged on at the console.
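
    An audit for the condition described above, added here as an example
    (not part of the original advisory): it lists every CD-ROM drive,
    reports whether a matching <letter>$ share exists, and shows the
    current AllocateCDRoms setting. Assumptions: PowerShell 3.0 or later
    on the host being checked, the standard Win32_LogicalDisk and
    Win32_Share WMI classes, and the standard Winlogon location of
    AllocateCDRoms (a REG_SZ value), none of which the advisory spells out.

```powershell
# Added example: audit the local host for administrative shares on CD-ROM drives.
# Run from an elevated prompt. The NeedsAttention rule is this example's own heuristic.

# DriveType 5 is "Compact Disc" in Win32_LogicalDisk.
$cdDrives = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 5')

# Index all shares by name so a share such as "H$" can be looked up directly.
$shares = @{}
Get-CimInstance -ClassName Win32_Share | ForEach-Object { $shares[$_.Name] = $_ }

# AllocateCDRoms lives under Winlogon; "1" limits CD-ROM access to the
# user logged on at the console. A missing value yields $null here.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$allocate = (Get-ItemProperty -Path $winlogon -Name AllocateCDRoms `
                 -ErrorAction SilentlyContinue).AllocateCDRoms

$findings = foreach ($drive in $cdDrives) {
    $letter    = $drive.DeviceID.TrimEnd(':')   # "H:" -> "H"
    $shareName = $letter + '$'                  # "H$"
    $share     = $shares[$shareName]

    [pscustomobject]@{
        Drive          = $drive.DeviceID
        AdminShare     = if ($share) { $share.Name } else { $null }
        SharePath      = if ($share) { $share.Path } else { $null }
        AllocateCDRoms = $allocate
        # Flag a CD-ROM drive that is shared while AllocateCDRoms is not "1".
        NeedsAttention = ([bool]$share) -and ($allocate -ne '1')
    }
}

$findings | Format-Table Drive, AdminShare, SharePath, AllocateCDRoms, NeedsAttention -AutoSize
```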