Device sharing allows folders or administrative shares (like C$, IPC$, ADMIN$) to be accessed remotely over a network. While useful for system administration, in enterprise environments it may:
Expose sensitive resources to unauthorized access if not properly controlled.
Increase the attack surface for malware or lateral movement.
Conflict with security and compliance requirements if left unrestricted.
The Saner CVEM platform helps administrators detect, analyze, and control device shares across managed systems.
1. Detecting Device Share Status
Saner CVEM continuously scans endpoints and generates Posture Anomalies when device sharing is enabled.
Steps to Detect:
Navigate to the Posture Anomaly (PA) Dashboard.
Locate the anomaly PA-2022-1075 – Device Share is enabled.
This triggers when administrative or default shares are active.
Review the Summary Section:
OS family with the most anomalies (e.g., Windows).
Group with the most anomalies (e.g., New Custom Group).
Operating System version with the highest anomalies (e.g., Microsoft Windows 11).
Check Posture Anomaly by Device:
Lists hostnames and number of anomalies detected.
Example:
node-1(Windows family) – 3 anomalies.
Review Posture Anomaly by Incidence:
Displays active network shares.
Example:
ADMIN$– 1 deviceC$– 1 deviceIPC$– 1 device
Use Group, Family, OS dashboards for a clear visualization of affected devices.
2. Investigating the Risk
Once anomalies are detected:
Check if the shares are intentionally enabled (for IT/admin use) or left open unnecessarily.
Assess whether the shares are restricted by permissions or broadly exposed.
Cross-check against compliance/security guidelines to decide if remediation is required.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article