- This topic has 7 replies, 3 voices, and was last updated 9 years, 8 months ago by
.
-
Posts
-
-
our helpdesk team have local admin permision on workstations, but our manager want to restrict them to access users local drives. it is possible to restrict local admin to access admin shares c$ d$ etc. i disabled admin shares by a domain policy but it is possible to share local drives with remote computer management!
how can i restrict local admin user to access admin share remotely?
or how can I log admin share access, is there a tool for that?
thanks,
-
It is difficult to restrict users with administrator privileges. Whatever you do to prevent admins from accessing user files, they can always find ways to remove this restriction. The other question is if all help desk personnel requires admin rights.
Anyway, what you can try is to delete all shares with Group Policy Preferences: Computer > Preferences > Windows Settings > Network Shares. Right click Network Shares then navigate to New > Network Share. Chose “Delete” as Action.
This will remove all shares on the computer including those created by admins.
-
-
ok, deleting admin shares creates problem. our desktop/laptop users have standart user rights on their computers. and they cannot change their ip settings or install/uninstall program etc. it is easy to control client computers and keep them safe and clean that way. our helpdesk team help them for that kind of tasks and that’s why they have local admin rights on client computers. it is ok except one situation, our manager doesn’t want our helpdesk team to access client computers local drives from admin shares. so what can I do? give users admin/power user/customized rights or change helpdesk local admin rights to what?
thanks
-
-
i think microsoft gives as a good dilemma. ok i will test deleting admin share and see the effects. regards
Question
Is there an “official” stance on removing built-in admin shares (C$, ADMIN$, etc.) in Windows? I’m not sure this would make things more secure or not. Larry Osterman wrote a nice article on its origins but doesn’t give any advice.
Answer
The official stance is from the KB that states how to do it:
Generally, Microsoft recommends that you do not modify these special shared resources.
Even better, here are many things that will break if you do this:
Overview of problems that may occur when administrative shares are missing
http://support.microsoft.com/default.aspx?scid=kb;EN-US;842715
That’s not a complete list; it wasn’t updated for Vista/2008 and later. It’s so bad though that there’s no point, frankly. Removing these shares does not increase security, as only administrators can use those shares and you cannot prevent administrators from putting them back or creating equivalent custom shares.
This is one of those “don’t do it just because you can” customizations. -
If your company has reached the point in size that you don’t want to give your Help Desk employees full Admin on end user computers, it may be time to start looking into some kind of Privilege Management software. There are several vendors that make software that let you delegate out pieces of Admin rights rather than making someone a full Administrator on the box. This also has the added bonus of letting you delegate out certain Administrative tasks to end users for Self Service.
-
Es, if I understand your problem correctly, you want to restrict access of local admins to all kinds of shares. This can always cause problems no matter how you do it. Some third party tools like backup programs rely on admin shares You could test it with one or two machines for a while to see if it works in your environment.
The other option is to create a special security group for the help desk personnel and then only assign the necessary rights to this group.
The privilege management tools Kyle mentioned can also help. It is good way to find out how serious your boss is about this. If he doesn’t want to invest some money, it is probably not as important as it first seemed. 😉
-
- You must be logged in to reply to this topic.
