Educause Security Discussion mailing list archives
Re: Local Administrators and Admin Shares - C$
From: Wesley Hayato Tomatsu <tomatsu () OXY EDU>
Date: Fri, 26 Feb 2016 14:57:19 -0800
The way we've worked around this is to add NT AUTHORITY\INTERACTIVE to the local admin group, and then use the "Allow log on locally" to control who gets to log in. The main downside to this is that you can no longer have a non admin log in to the station since NT AUTHORITY\INTERACTIVE will apply to any interactive session. Wesley H Tomatsu '01 Director of Infrastructure & Information Security Information Technology Services Occidental College Work: 323.259.1428 Fax: 323.341.4895 On Fri, Feb 26, 2016 at 1:25 PM, John LaPrad <jrl () svsu edu> wrote:
Hello all, I apologize if this is an old / resolved / basic question. I did search the archives and didn't find a good answer. Does you institution let some, or all of, their users be local administrators? If you do, how do you secure the admin shares like C$ from abuse? My understanding is that anyone with local admin rights can connect to any other computer via this share, and this ability can not be controlled with GPOs. I've seen mention of deleting the admin shares, but this sometimes seems to create other problems. I've also seen the windows 'server' service disabled as a way to secure the desktop. Seems like a good thing to do in any case when the users don't need to share out resources. Anyone doing this? Any repercussions? Thank you for your time, I appreciate all feedback. John LaPrad Saginaw Valley State University
Current thread:
- Local Administrators and Admin Shares - C$ John LaPrad (Feb 26)
- Re: Local Administrators and Admin Shares - C$ Rich Graves (Feb 26)
- Re: Local Administrators and Admin Shares - C$ Wesley Hayato Tomatsu (Feb 26)
- Re: Local Administrators and Admin Shares - C$ Wesley Hayato Tomatsu (Feb 26)
- Re: Local Administrators and Admin Shares - C$ Ronald King (Mar 01)
- Re: Local Administrators and Admin Shares - C$ Wesley Hayato Tomatsu (Feb 26)