
MediaAgent - Windows Administrative Shares

  • 6 March 2024
  • 6 replies
  • 1578 views


Hi all,

After installing the MediaAgent Package on some Windows Servers (these just require the component and do not act as a Data Mover or host a DR Share) I get the once a day 64:1142 Critical Code Event logged:  Administrative share are enabled on the MediaAgent XXX which could lead to potential security exploits, please review and take necessary steps.

Having reviewed https://kb.commvault.com/article/72274 this article only really seems concerned with disk libraries and DR Shares that use an Admin share in its path.

 

I have 2 servers that this is being logged in event viewer for, yet they only have the default C$, Admin$ and IPC$.  Should Commvault be flagging the C$ as something that should be removed?  Indeed if I apply a reg key (AutoShareServer = 0) the alert is suppressed, but this also removes the Admin$ Share.  

 

Are these alerts in the Event Viewer supposed to be triggered for these default Shares by design or is it being overzealous and picking up these in error?  The Critical Warnings seem to indicate a misconfiguration, but as they are not being used for Mount Paths or DR Shares I wouldn’t think this is the case.  

 

For context this is related to an 11.32 install.

Any input on this would be appreciated.

 

Thanks,

G

6 replies

Chris Hollis
Vaulter

@G.lee 

This is expected behaviour and is part of our ransomware protection feature as far as I’m aware:

https://documentation.commvault.com/2024/essential/enabling_ransomware_protection_on_mediaagent.html

https://documentation.commvault.com/2024/expert/ransomware_protection_for_disk_libraries_on_windows_mediaagent_02.html

“Administrative shares pose a security vulnerability on disk library mount paths and must be disabled on the MediaAgents hosting the shares.”
 

The software isn’t checking to see how the shares are configured, it’s just alerting you that the administrative shares are enabled on the server that has the media agent package, therefore we recommend you disable it otherwise it could be used to exploit your environment. 

If the server isn’t being used as an actual media agent, then feel free to disable the ransomware option on it. 

Here are the MSFT steps to disable the feature if you wanted: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares


HTH

Regards,

Chris


Hello Chris,

Removing ransomware protection from the media agent didn’t solve it.

Is there any other way to stop the critical event on those media agent servers?

Thanks,

Bassam 


  • Byte
  • 5 replies
  • June 28, 2024

Chris, Bassam

This mirrors a problem that we are seeing. We have a number of Exchange servers which have the media agent installed for no other reason than that we are using application-aware VM snapshots - no disk libraries or anything else that the admin shares may pose a risk to.

The owner of the Exchange server is aware of the potential risks that the admin shares pose and has evaluated the risk as negligible and so is not prepared to disable them. As they are not hosting any disk libraries, I am unable to articulate to him why the presence of the admin shares poses any risks on the Commvault side in order to persuade him otherwise.

We therefore now have to put up with all these critical 64:1142 errors being generated since updating to 11.32.

It seems most unsatisfactory.

Regards

Neil

 



Hello,

I contacted the support and they confirmed that we can’t get rid of critical events triggered from those media agent servers.

It is by design. Not sure if they can it!

My customer watches the critical events on a daily basis and is kind of not happy about it.

I even tried to modify the Alert Rule from “Critical” to “Information” but it didn’t work.

Regards, 


  • Byte
  • 77 replies
  • November 18, 2024

Hello ​@Bassam2014  

Was wondering if you figured anything else out with the alerts. We recently upgraded to 11.32.79 and now are experiencing the Critical Alert as well.

Many Thanks in advance.

 

BC


  • Byte
  • 5 replies
  • November 18, 2024

From our perspective, this all seems a bit of a mess. We recently built some new media agents from scratch and disabled the admin shares as part of the build to avoid the events. The problem with this is that the mechanism for pushing the Commvault software from the commserve to the client relies on the admin shares being present or else the install fails. So we had to re-enable the admin shares to deploy the software and then disable them afterwards to stop the events!
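
An added example, not part of the thread and not Commvault code: a PowerShell audit that reports the `AutoShareServer` setting discussed above and checks whether any administrative share actually covers a disk library or DR share path. The `$MountPaths` parameter is an assumption supplied by the operator, and the registry location is the one given in the Microsoft article linked earlier.

```powershell
# Added example: audit administrative shares on a server that has the
# MediaAgent package. $MountPaths is operator-supplied (an assumption here);
# leave it empty on servers that host no disk library or DR share.
param(
    [string[]]$MountPaths = @()   # e.g. 'D:\DiskLib01' (constructed sample)
)

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareServer applies to server editions, AutoShareWks to workstations.
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $value = (Get-ItemProperty -Path $paramKey -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $value) {
        'not set (shares are auto-created)'
    } elseif ($value -eq 0) {
        '0 (auto-creation disabled)'
    } else {
        "$value (auto-creation enabled)"
    }
    '{0,-16} {1}' -f $name, $state
}

# Special shares are the system-created ones: drive shares (C$), ADMIN$, IPC$.
# IPC$ has no file system path, so it is skipped for the path comparison.
$special = Get-SmbShare -Special $true | Where-Object { $_.Path }

foreach ($share in $special) {
    $root = $share.Path.TrimEnd('\') + '\'
    # A mount path is reachable through the share if it sits under the share root.
    $exposed = $MountPaths | Where-Object {
        ($_.TrimEnd('\') + '\').StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        ExposesPaths = if ($exposed) { $exposed -join '; ' } else { '(none)' }
    }
}
```

The script only reads state; it does not change the registry or remove shares, and it says nothing about whether the 64:1142 event will be raised.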

