Re: Local Administrators and Admin Shares - C$

[Ronald King <ronald.king () MORGAN EDU>]

In a previous institution, we restricted who had administrator rights.  In
cases where a user needed an admin account, such as supporting lab systems,
a request was sent from the user with their department head's signature.
The request included their name, primary account and list of computers
needing access. We created a separate admin account, used powershell to add
the account to the local Administrators group, and set AD to only allow the
account to login to the listed PCs.  When I left we had completed
automating the account creation based on criteria from their primary
account.  We also set the admin account to expire after a year and required
a renewal form to maintain access.

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Fri, Feb 26, 2016 at 6:01 PM, Wesley Hayato Tomatsu <tomatsu () oxy edu>
wrote:

> Forgot to mention, you can also use the "Deny access to the computer from
> the network" policy to prevent access to C$.
>
> Both of these polices are in Computer\Policies\Windows Settings\Security
> Settings\Local Policies\User Rights Assignments
>
> Wesley H Tomatsu '01
> Director of Infrastructure & Information Security
> Information Technology Services
> Occidental College
> Work: 323.259.1428
> Fax: 323.341.4895
>
> On Fri, Feb 26, 2016 at 2:57 PM, Wesley Hayato Tomatsu <tomatsu () oxy edu>
> wrote:
>
> > The way we've worked around this is to add NT AUTHORITY\INTERACTIVE to
> > the local admin group, and then use the "Allow log on locally" to control
> > who gets to log in.
> >
> > The main downside to this is that you can no longer have a non admin log
> > in to the station since NT AUTHORITY\INTERACTIVE will apply to any
> > interactive session.
> >
> > Wesley H Tomatsu '01
> > Director of Infrastructure & Information Security
> > Information Technology Services
> > Occidental College
> > Work: 323.259.1428
> > Fax: 323.341.4895
> >
> > On Fri, Feb 26, 2016 at 1:25 PM, John LaPrad <jrl () svsu edu> wrote:
> >
> > > Hello all, I apologize if this is an old / resolved / basic question. I
> > > did search the archives and didn't find a good answer.
> > >
> > >
> > > Does you institution let some, or all of, their users be local
> > > administrators?
> > >
> > > If you do, how do you secure the admin shares like C$ from abuse? My
> > > understanding is that anyone with local admin rights can connect to any
> > > other computer via this share, and this ability can not be controlled with
> > > GPOs.
> > >
> > > I've seen mention of deleting the admin shares, but this sometimes seems
> > > to create other problems.
> > >
> > > I've also seen the windows 'server' service disabled as a way to secure
> > > the desktop. Seems like a good thing to do in any case when the users don't
> > > need to share out resources. Anyone doing this? Any repercussions?
> > >
> > >
> > > Thank you for your time, I appreciate all feedback.
> > >
> > >
> > > John LaPrad
> > >
> > > Saginaw Valley State University