Tagged: group policy, security
- This topic has 7 replies, 3 voices, and was last updated 9 years, 8 months ago by Michael Pietroforte.
Thu, Jun 27 2013 at 1:11 am #14354
Our helpdesk team has local admin permission on workstations, but our manager wants to restrict them from accessing users' local drives. Is it possible to restrict local admins from accessing the admin shares (C$, D$, etc.)? I disabled the admin shares by a domain policy, but it is still possible to share local drives with remote Computer Management!
How can I restrict a local admin user from accessing admin shares remotely?
Or how can I log admin share access? Is there a tool for that?
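The logging question above is not answered anywhere in the thread. The following is an added example, not part of the original post, of how a practitioner would log admin share access with what Windows already ships: enable the "File Share" audit subcategory (via auditpol here, or via GPO under Advanced Audit Policy Configuration > Object Access > Audit File Share) and then filter Security event 5140 ("A network share object was accessed") for the hidden shares. The function name `ConvertFrom-ShareAccessEvent` and the regular expression are this example's own choices.

```powershell
# Added example; not from the thread. Turn on share-access auditing and pull the
# connections to the hidden administrative shares out of the Security log.
# Run from an elevated prompt on the workstation (or push the audit setting by GPO:
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Advanced Audit Policy Configuration > Object Access > Audit File Share).

# 1. Enable the "File Share" subcategory. Each connection to a share then writes
#    Security event 5140 ("A network share object was accessed").
auditpol.exe /set /subcategory:"File Share" /success:enable /failure:enable

# 2. Parse a 5140 event. The event XML carries SubjectUserName/SubjectDomainName,
#    ShareName (e.g. \\*\C$) and the client IpAddress.
function ConvertFrom-ShareAccessEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Keep only the hidden admin shares: \\*\C$, \\*\D$, ..., \\*\ADMIN$
        # (-match is case-insensitive; IPC$ is deliberately left out).
        if ($data.ShareName -match '^\\\\\*\\([A-Z]|ADMIN)\$$') {
            [pscustomobject]@{
                Time   = $Event.TimeCreated
                User   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Share  = $data.ShareName
                Client = $data.IpAddress
            }
        }
    }
}

# 3. Report every admin-share connection recorded so far on this machine.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } -ErrorAction SilentlyContinue |
    ConvertFrom-ShareAccessEvent |
    Sort-Object Time |
    Format-Table -AutoSize
```

Event 5140 is written once per share connection, not per file; the "Detailed File Share" subcategory (event 5145) gives per-object detail but is far noisier. Because the people being audited are local admins, the Security log on the workstation is under their control (clearing it leaves event 1102, but nothing more), so forward the 5140 events to a collector with Windows Event Forwarding or your SIEM rather than reading them locally.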
Fri, Jun 28 2013 at 4:46 am #14387
It is difficult to restrict users with administrator privileges. Whatever you do to prevent admins from accessing user files, they can always find ways to remove this restriction. The other question is whether all help desk personnel require admin rights.
Anyway, what you can try is to delete all shares with Group Policy Preferences: Computer > Preferences > Windows Settings > Network Shares. Right-click Network Shares, then navigate to New > Network Share. Choose “Delete” as Action.
This will remove all shares on the computer including those created by admins.
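For reference, here is the scripted equivalent of the Group Policy Preferences "Delete" action described above, as an added example that is not part of the original reply. It deletes the hidden administrative shares on a workstation and sets the documented `AutoShareWks` value so the Server service does not recreate them; the share list in `$adminShares` is this example's assumption about the machine's drive letters.

```powershell
# Added example; not from the thread. Removes the hidden administrative shares on
# a workstation and stops the Server service from recreating them at start-up.
# Run from an elevated prompt; test on one or two machines first.

$adminShares = 'ADMIN$', 'C$', 'D$'   # add further drive letters if the PC has them

# Without this value the Server service recreates C$/D$/ADMIN$ the next time the
# service or the machine restarts. Use AutoShareServer on server SKUs.
# IPC$ is not affected by this value and stays in place.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $key -Name 'AutoShareWks' -PropertyType DWord -Value 0 -Force | Out-Null

# Delete the shares that exist right now. net.exe works on every Windows version;
# on Windows 8 / Server 2012 and later Remove-SmbShare does the same.
foreach ($share in $adminShares) {
    net.exe share $share /delete 2>$null | Out-Null
}

# Verify: the admin shares should be gone, IPC$ should remain.
net.exe share
```

Both steps can be reversed by anyone who is a local administrator, which is the point made later in the thread. The GPP approach has one practical advantage over a one-off script: the "Delete" action is reapplied on every policy refresh, so a share an admin recreates by hand disappears again.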
Fri, Jun 28 2013 at 8:24 am #14394 Kyle Beckman (Moderator)
Just be aware that deleting the Admin shares can have adverse effects on your network. A number of products (like System Center) use those shares to copy files to the local system for administrative purposes.
Mon, Jul 15 2013 at 11:04 pm #14711
OK, deleting admin shares creates problems. Our desktop/laptop users have standard user rights on their computers, and they cannot change their IP settings or install/uninstall programs, etc. It is easy to control client computers and keep them safe and clean that way. Our helpdesk team helps them with that kind of task, and that’s why they have local admin rights on client computers. It is OK except for one situation: our manager doesn’t want our helpdesk team to access client computers' local drives through the admin shares. So what can I do? Give users admin/power user/customized rights, or change the helpdesk's local admin rights to what?
Tue, Jul 16 2013 at 1:07 am #14712
Es, why can’t you delete admin shares? You can do this through Group Policy Preferences, so it is fine that your users have standard rights.
Tue, Jul 16 2013 at 4:40 am #14716
I think Microsoft gives us a good dilemma. OK, I will test deleting the admin shares and see the effects. Regards
Is there an “official” stance on removing built-in admin shares (C$, ADMIN$, etc.) in Windows? I’m not sure this would make things more secure or not. Larry Osterman wrote a nice article on its origins but doesn’t give any advice.
The official stance is from the KB that states how to do it:
Generally, Microsoft recommends that you do not modify these special shared resources.
Even better, here are many things that will break if you do this:
Overview of problems that may occur when administrative shares are missing
That’s not a complete list; it wasn’t updated for Vista/2008 and later. It’s so bad, though, that there’s no point, frankly. Removing these shares does not increase security, as only administrators can use those shares and you cannot prevent administrators from putting them back or creating equivalent custom shares.
This is one of those “don’t do it just because you can” customizations.
Tue, Jul 16 2013 at 6:20 am #14719 Kyle Beckman (Moderator)
If your company has reached the point in size that you don’t want to give your Help Desk employees full Admin on end user computers, it may be time to start looking into some kind of Privilege Management software. There are several vendors that make software that let you delegate out pieces of Admin rights rather than making someone a full Administrator on the box. This also has the added bonus of letting you delegate out certain Administrative tasks to end users for Self Service.
Tue, Jul 16 2013 at 7:17 am #14721
Es, if I understand your problem correctly, you want to restrict access of local admins to all kinds of shares. This can always cause problems no matter how you do it. Some third-party tools like backup programs rely on admin shares. You could test it with one or two machines for a while to see if it works in your environment.
The other option is to create a special security group for the help desk personnel and then only assign the necessary rights to this group.
The privilege management tools Kyle mentioned can also help. It is a good way to find out how serious your boss is about this. If he doesn’t want to invest some money, it is probably not as important as it first seemed. 😉