Educause Security Discussion mailing list archives
Re: Local Administrators and Admin Shares - C$
From: Ronald King <ronald.king () MORGAN EDU>
Date: Tue, 1 Mar 2016 15:31:29 -0500
In a previous institution, we restricted who had administrator rights. In cases where a user needed an admin account, such as supporting lab systems, a request was sent from the user with their department head's signature. The request included their name, primary account and list of computers needing access. We created a separate admin account, used PowerShell to add the account to the local Administrators group, and set AD to only allow the account to log in to the listed PCs. When I left we had completed automating the account creation based on criteria from their primary account. We also set the admin account to expire after a year and required a renewal form to maintain access.

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu
*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>

On Fri, Feb 26, 2016 at 6:01 PM, Wesley Hayato Tomatsu <tomatsu () oxy edu> wrote:
Forgot to mention, you can also use the "Deny access to the computer from the network" policy to prevent access to C$. Both of these policies are in Computer\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignments

Wesley H Tomatsu '01
Director of Infrastructure & Information Security
Information Technology Services
Occidental College
Work: 323.259.1428
Fax: 323.341.4895

On Fri, Feb 26, 2016 at 2:57 PM, Wesley Hayato Tomatsu <tomatsu () oxy edu> wrote:

The way we've worked around this is to add NT AUTHORITY\INTERACTIVE to the local admin group, and then use the "Allow log on locally" to control who gets to log in. The main downside to this is that you can no longer have a non-admin log in to the station since NT AUTHORITY\INTERACTIVE will apply to any interactive session.

Wesley H Tomatsu '01
Director of Infrastructure & Information Security
Information Technology Services
Occidental College
Work: 323.259.1428
Fax: 323.341.4895

On Fri, Feb 26, 2016 at 1:25 PM, John LaPrad <jrl () svsu edu> wrote:

Hello all,

I apologize if this is an old / resolved / basic question. I did search the archives and didn't find a good answer.

Does your institution let some, or all of, their users be local administrators? If you do, how do you secure the admin shares like C$ from abuse? My understanding is that anyone with local admin rights can connect to any other computer via this share, and this ability cannot be controlled with GPOs.

I've seen mention of deleting the admin shares, but this sometimes seems to create other problems.

I've also seen the Windows 'server' service disabled as a way to secure the desktop. Seems like a good thing to do in any case when the users don't need to share out resources. Anyone doing this? Any repercussions?

Thank you for your time, I appreciate all feedback.

John LaPrad
Saginaw Valley State University
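
The provisioning steps described in Ronald King's message at the top of this thread (separate admin account, local Administrators membership, logon restricted to the listed PCs, one-year expiry with renewal), as an added PowerShell example that is not code from the thread or from either institution. It assumes the ActiveDirectory module, PowerShell remoting to the target PCs and Windows PowerShell 5.1 on them; the OU, the `-adm` suffix, the function names and the host names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OU path, naming convention and host names are placeholders.

function New-ScopedAdminAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $PrimaryAccount,  # requester's normal account
        [Parameter(Mandatory)] [string[]]     $Computers,       # PCs listed on the signed request
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [string] $OU = 'OU=Scoped Admins,DC=example,DC=edu',    # placeholder OU
        [int]    $ValidDays = 365                               # expire after a year
    )
    $primary  = Get-ADUser -Identity $PrimaryAccount            # fails if requester is unknown
    $adminSam = "$($primary.SamAccountName)-adm"                # hypothetical naming convention
    if ($adminSam.Length -gt 20) { throw "sAMAccountName '$adminSam' exceeds 20 characters" }
    $expires  = (Get-Date).Date.AddDays($ValidDays)

    if ($PSCmdlet.ShouldProcess($adminSam, 'Create scoped admin account')) {
        # LogonWorkstations takes one comma-separated list of computer names
        New-ADUser -Name $adminSam -SamAccountName $adminSam -Path $OU `
            -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true `
            -AccountExpirationDate $expires `
            -LogonWorkstations ($Computers -join ',') `
            -Description "Admin for $($primary.SamAccountName); renew by $($expires.ToString('yyyy-MM-dd'))"
    }
    $member = "$((Get-ADDomain).NetBIOSName)\$adminSam"
    foreach ($pc in $Computers) {
        if ($PSCmdlet.ShouldProcess($pc, "Add $member to local Administrators")) {
            try {
                Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
                    Add-LocalGroupMember -Group 'Administrators' -Member $using:member -ErrorAction Stop
                }
            } catch {
                # An offline or unreachable PC should not abort the rest of the request
                Write-Warning "$pc : $($_.Exception.Message)"
            }
        }
    }
}

# Accounts in the placeholder OU that expire within $Days, for sending renewal forms
function Get-ScopedAdminRenewals {
    param([int] $Days = 30, [string] $OU = 'OU=Scoped Admins,DC=example,DC=edu')
    Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly -SearchBase $OU |
        Select-Object SamAccountName, AccountExpirationDate
}

# Constructed usage: preview the changes for a two-PC lab request without applying them
# New-ScopedAdminAccount -PrimaryAccount jdoe -Computers LAB-PC01,LAB-PC02 `
#     -InitialPassword (Read-Host -AsSecureString 'Initial password') -WhatIf
```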