    • #14354
      es mert
      Participant
      Member Points: 0
      Rank:

      Our helpdesk team have local admin permission on workstations, but our manager wants to restrict them from accessing users' local drives. It is possible to restrict local admin to access admin shares c$, d$, etc. I disabled admin shares by a domain policy, but it is possible to share local drives with remote computer management!

      How can I restrict a local admin user from accessing admin shares remotely?

      Or how can I log admin share access? Is there a tool for that?

      Thanks,

    • #14387
      Michael Pietroforte
      Keymaster
      Member Points: 31,761
      Author of the year 2018
      Rank: 4

      It is difficult to restrict users with administrator privileges. Whatever you do to prevent admins from accessing user files, they can always find ways to remove this restriction. The other question is if all help desk personnel require admin rights.

      Anyway, what you can try is to delete all shares with Group Policy Preferences: Computer > Preferences > Windows Settings > Network Shares. Right-click Network Shares, then navigate to New > Network Share. Choose “Delete” as Action.

      Delete Shares

      This will remove all shares on the computer including those created by admins.

    • #14394
      Kyle Beckman
      Moderator
      Member Points: 352
      Rank: 2

      Just be aware that deleting the Admin shares can have adverse effects on your network.  A number of products (like System Center) use those shares to copy files to the local system for administrative purposes.

    • #14711
      es mert
      Participant
      Member Points: 0
      Rank:

      OK, deleting admin shares creates problems. Our desktop/laptop users have standard user rights on their computers, and they cannot change their IP settings or install/uninstall programs, etc. It is easy to control client computers and keep them safe and clean that way. Our helpdesk team helps them with those kinds of tasks, and that’s why they have local admin rights on client computers. It is OK except for one situation: our manager doesn’t want our helpdesk team to access client computers' local drives from admin shares. So what can I do? Give users admin/power user/customized rights, or change helpdesk local admin rights to what?

      Thanks

    • #14712
      Michael Pietroforte
      Keymaster
      Member Points: 31,761
      Author of the year 2018
      Rank: 4

      Es, why can’t you delete admin shares? You can do this through Group Policy Preferences, so it is fine that your users have standard rights.

    • #14716
      es mert
      Participant
      Member Points: 0
      Rank:

      I think Microsoft gives us a good dilemma. OK, I will test deleting admin shares and see the effects. Regards

      http://blogs.technet.com/b/askds/archive/2012/01/06/friday-mail-sack-best-post-this-year-edition.aspx#share

      Question
      Is there an “official” stance on removing built-in admin shares (C$, ADMIN$, etc.) in Windows? I’m not sure this would make things more secure or not. Larry Osterman wrote a nice article on its origins but doesn’t give any advice.
      Answer
      The official stance is from the KB that states how to do it:
      Generally, Microsoft recommends that you do not modify these special shared resources.
      Even better, here are many things that will break if you do this:
      Overview of problems that may occur when administrative shares are missing
      http://support.microsoft.com/default.aspx?scid=kb;EN-US;842715
      That’s not a complete list; it wasn’t updated for Vista/2008 and later. It’s so bad though that there’s no point, frankly. Removing these shares does not increase security, as only administrators can use those shares and you cannot prevent administrators from putting them back or creating equivalent custom shares.
      This is one of those “don’t do it just because you can” customizations.

    • #14719
      Kyle Beckman
      Moderator
      Member Points: 352
      Rank: 2

      If your company has reached the point in size that you don’t want to give your Help Desk employees full Admin on end user computers, it may be time to start looking into some kind of Privilege Management software.  There are several vendors that make software that let you delegate out pieces of Admin rights rather than making someone a full Administrator on the box.  This also has the added bonus of letting you delegate out certain Administrative tasks to end users for Self Service.

    • #14721
      Michael Pietroforte
      Keymaster
      Member Points: 31,761
      Author of the year 2018
      Rank: 4

      Es, if I understand your problem correctly, you want to restrict access of local admins to all kinds of shares. This can always cause problems no matter how you do it. Some third-party tools like backup programs rely on admin shares. You could test it with one or two machines for a while to see if it works in your environment.

      The other option is to create a special security group for the help desk personnel and then only assign the necessary rights to this group.

      The privilege management tools Kyle mentioned can also help. It is a good way to find out how serious your boss is about this. If he doesn’t want to invest some money, it is probably not as important as it first seemed. 😉
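
On the opening post's second question (logging admin share access), Windows can record this itself: with the "File Share" audit subcategory enabled, each remote connection to a share writes Security event 5140. The following is an added example, not code from any poster in this thread; the function name, the `-WatchAccounts` parameter and the account names are made up for illustration, and it must run elevated to read the Security log.

```powershell
# Added example (not from the thread). Assumes the "File Share" audit
# subcategory is enabled on the workstation, e.g.:
#   auditpol /set /subcategory:"File Share" /success:enable
function Get-AdminShareAccess {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Hypothetical account names to flag in the report
        [string[]]$WatchAccounts = @()
    )

    # Event 5140 records ShareName as \\*\C$, \\*\D$, \\*\ADMIN$, ...
    # (IPC$ is deliberately not matched; it exposes no drive contents.)
    $adminShare = '^\\\\\*\\([A-Z]|ADMIN)\$$'

    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten the <EventData><Data Name="..."> pairs into a hashtable
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # Keep only connections to drive-letter shares and ADMIN$
            if ($data['ShareName'] -match $adminShare) {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Computer  = $evt.MachineName
                    Account   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    SourceIp  = $data['IpAddress']
                    Share     = $data['ShareName']
                    LocalPath = $data['ShareLocalPath']
                    Watched   = $WatchAccounts -contains $data['SubjectUserName']
                }
            }
        }
}

# Last 24 hours, flagging two constructed help desk account names
Get-AdminShareAccess -WatchAccounts 'hd-user1', 'hd-user2' |
    Format-Table -AutoSize
```

Because a local administrator can clear the local Security log, forwarding these events to a central collector keeps the record out of reach of the accounts being audited.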

© 4sysops 2006 - 2021