Q&A: How to Modify Permissions on Administrative Shares
Question by reader Kendra:
I stumbled upon your blog/profile while I was looking for options to lock down my administrative shares. Maybe you can help me. I’m a Network Administrator for an aerospace / engineering firm where users need administrative access to their PCs. The engineers work on very high-level OS and hardware development and need complete control of their systems. As you can imagine this poses a huge security problem for me at the network level. Currently my users are granted local administrator rights via an AD group (Local Admins) which is added to the local Administrators group on their local PCs. This makes it convenient for my engineers to log in to any PC in the company and have local admin rights to do whatever they need to do. This also gives all of my users access to each other’s administrative shares across the network. For example, anyone in this AD group can run \\computername\c$ and access any PC on my domain. I do NOT want to disable administrative shares as I am using them to automatically deploy desktop configuration settings (email, mapped network drives, printers, etc). Do you know of a way that I can give my engineers local admin rights without giving them rights to each other’s administrative shares? Any help would be greatly appreciated.
My answer:
The only way I can think of that your requirements can be met is by changing the permissions on the administrative shares of your PCs. If those permissions were changed from granting full access to any local administrator to granting full access to Domain Admins or some other domain group, then your users would not be able to access their colleagues’ PCs via admin shares like C$, Admin$, and so on.
One problem remains: how to modify the permissions of administrative shares? I have touched on the subject in the recent article How to Modify Default Share Permissions and Other Tweaks, where I described how to modify the permissions set by default on new file shares. That article contains a list of registry values storing security descriptors. Some of these values’ names look promising (SrvsvcShareAdminConnect and maybe also SrvsvcShareAdminInfo), so I conducted an experiment. As described in my other article mentioned earlier, I replaced each of the security descriptors with an SD granting full access to a file share to everyone. Then I restarted the server service and tried to connect with a non-admin user to C$. Unfortunately it did not work: access was never granted, not even after having replaced all 13 SDs with my own SD.
Bottom line – I do not know how to change permissions on administrative shares and neither does Google, if I am not mistaken. My approach looked promising, initially, but seems to have been a dead end.
Coming back to your problem, you have two options left: either you disable roaming by giving each engineer administrative rights on one machine only, or you disable the administrative shares. Both of those options are far from perfect, though. If your users are only half as clever as users elsewhere, they do what they want anyway – because, being local administrators, they can.
3 Comments
Consider adding the INTERACTIVE account to the local ADMINISTRATORS group. INTERACTIVE means whoever is logged on. This will give any logged on user admin rights only to the local PC. Remove user accounts and groups from local admins, except local ADMINISTRATOR and DOMAIN ADMINS.
A logged on user would only have access to admin shares on other PCs if his account is in the remote PC’s admin group.
This may be the easiest solution to your problem.
Good idea!
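One way to apply the INTERACTIVE approach from the comment above on a single PC, as an added PowerShell example that is not part of the original post or its comments; it assumes the roaming AD group is named CONTOSO\Local Admins (a placeholder, adjust to your own group) and uses the LocalAccounts cmdlets of Windows PowerShell 5.1.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or its comments.
# Implements the comment's suggestion: make whoever is logged on an administrator of
# THIS PC only, and drop the roaming AD group that also grants C$/ADMIN$ access everywhere.
# Assumption (placeholder): the roaming group is 'CONTOSO\Local Admins'.
param(
    [string]$RoamingAdminGroup = 'CONTOSO\Local Admins',
    [switch]$WhatIf
)

$group       = 'Administrators'
$interactive = 'NT AUTHORITY\INTERACTIVE'   # well-known SID S-1-5-4, present in console and RDP logon tokens

$members = Get-LocalGroupMember -Group $group

# 1. Add INTERACTIVE. Network logons (admin shares, RPC) never carry this SID, so a user
#    who is an administrator here does not become one on a colleague's PC over the network.
if (-not ($members | Where-Object { $_.SID.Value -eq 'S-1-5-4' })) {
    Add-LocalGroupMember -Group $group -Member $interactive -WhatIf:$WhatIf
}

# 2. Remove the roaming group; its members currently get admin-share access on every PC.
if ($members | Where-Object { $_.Name -eq $RoamingAdminGroup }) {
    Remove-LocalGroupMember -Group $group -Member $RoamingAdminGroup -WhatIf:$WhatIf
}

# 3. Audit what is left. Expected: built-in Administrator (RID 500), Domain Admins (RID 512)
#    and INTERACTIVE. Anything else is a principal that still roams with admin rights.
$unexpected = Get-LocalGroupMember -Group $group | Where-Object {
    $_.SID.Value -notmatch '-(500|512)$' -and $_.SID.Value -ne 'S-1-5-4'
}
if ($unexpected) {
    Write-Warning "Members of $group that still grant remote admin-share access:"
    $unexpected | Format-Table Name, SID, PrincipalSource -AutoSize
}
```

Run it with -WhatIf first to see what would change; the audit in step 3 is what you would run periodically (for example via Invoke-Command across the fleet) to catch PCs where the roaming group has crept back in.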
Dragging this one up from the dead, I know, but why not just deny DOMAIN\ access to those machines from the network via the “Deny access to this computer from the network” User Right?
As long as the aforementioned custom group only contains users whom you wish to deny access to the admin shares.