Re: Local Administrators and Admin Shares - C$

[Wesley Hayato Tomatsu <tomatsu () OXY EDU>]

The way we've worked around this is to add NT AUTHORITY\INTERACTIVE to the
local admin group, and then use the "Allow log on locally" to control who
gets to log in.

The main downside to this is that you can no longer have a non admin log in
to the station since NT AUTHORITY\INTERACTIVE will apply to any interactive
session.

Wesley H Tomatsu '01
Director of Infrastructure & Information Security
Information Technology Services
Occidental College
Work: 323.259.1428
Fax: 323.341.4895

On Fri, Feb 26, 2016 at 1:25 PM, John LaPrad <jrl () svsu edu> wrote:

> Hello all, I apologize if this is an old / resolved / basic question. I
> did search the archives and didn't find a good answer.
>
>
> Does you institution let some, or all of, their users be local
> administrators?
>
> If you do, how do you secure the admin shares like C$ from abuse? My
> understanding is that anyone with local admin rights can connect to any
> other computer via this share, and this ability can not be controlled with
> GPOs.
>
> I've seen mention of deleting the admin shares, but this sometimes seems
> to create other problems.
>
> I've also seen the windows 'server' service disabled as a way to secure
> the desktop. Seems like a good thing to do in any case when the users don't
> need to share out resources. Anyone doing this? Any repercussions?
>
>
> Thank you for your time, I appreciate all feedback.
>
>
> John LaPrad
>
> Saginaw Valley State University