Solved

Prompting for login when trying to connect to C$

Posted on 2003-10-28
Last Modified: 2013-12-04
How do you make it so that when a domain admin tries to connect to C$ on a PC, it prompts for a login and password that they cannot log in to?
Question by:RowdyOne078
8 Comments
 
LVL 10

Expert Comment

by:KingHollis
I don't think this is possible in a domain environment as it defeats the purpose of the single sign-on feature of Kerberos. What is the net effect of what you are trying to achieve? Are you trying to monitor who accesses the default share? Or, are you trying to restrict them?

You could remove the default shares altogether:
Load this into your registry (save between the lines as a .reg file and "run" it)

-------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000
---------------------------------------------------------------
Then, recreate the shares however you want e.g. CEE$ then set the desired share permissions.

Again, without knowing what your expected net result is to be, this is an awkward workaround.
 

Author Comment

by:RowdyOne078
Someone has done this on my network... I'm trying to figure out what they did... I go to \\ComputerName\C$ and it prompts me. I'm the Domain Admin so I can't figure out how they locked me out.
 
LVL 12

Accepted Solution

by:
trywaredk earned 500 total points
They have removed you from the local admin group on the workstation. Not you, but the domain admins group of your domain.

Walk to the workstation, log on as local administrator, and add the domain admins group again, and remove the user doing this to you.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
 

Author Comment

by:RowdyOne078
How can I make it so that users CANNOT ever remove domain admins from the administrator group?

Thanks!

 
LVL 10

Expert Comment

by:KingHollis
Good call, trywaredk!
In a domain environment, you would be able to use Restricted Groups configuration in Group Policies, but Local Policies don't have that as a configuration option. Some time ago, I wrote an ADSI script in VB that allowed me to remotely reset the Administrator's password on all local machines. You could do that and ensure that no one had the local Admin's password and make sure no one has administrative rights on the local workstations.
 
LVL 8

Expert Comment

by:mhambridge
>>>>>>How can I make it so that users CANNOT ever remove domain admins from the administrator group?

As KingHollis has touched on above, make sure the local user is not a member of the local administrators group and make sure you are the only one who knows the local administrator's password to all local machines. If they are not in the local administrators group they cannot remove you, and if they don't know the password they can't access it either. Create one which can be set on all local PCs in your network and that way you will be able to control who does what and when.

I hope this helps
 

Author Comment

by:RowdyOne078
Thanks Guys
 
LVL 12

Expert Comment

by:trywaredk
:o) Glad I could help you - thank you for the points

About removing domain admins from the local administrators group, it has already been answered, but remember the following:

1. Anybody who is a member of the local administrators group on a specific workstation can remove anybody else (including the domain admins) from the local admin group, and he/she doesn't even have to walk to the workstation, but can do it remotely from his/her own workstation.

2. If the local administrator's password is the same on all your workstations, anybody breaking the password on one of the workstations has broken all of them. Maybe consider making a different password for the local administrator on your workstations.

You can read more about this issue in my thread here:
http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

AND ALWAYS REMEMBER: You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation.

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because in W2k they are given at the second when You press ENTER after the password when logging on.
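
Added example, not part of the original thread: a PowerShell check for the three conditions discussed above (Domain Admins missing from the local Administrators group, a Domain Users group present in it, and one domain user being local admin on more than one workstation). The function name `Get-LocalAdminFindings`, the host names, account names and SIDs are constructed placeholders; live data is assumed to come from `Get-LocalGroupMember`.

```powershell
# Constructed inventory: host names, accounts and SIDs are placeholders. On a real PC
# the same fields come from:  Get-LocalGroupMember -SID 'S-1-5-32-544'
# (S-1-5-32-544 is the well-known SID of the built-in Administrators group.)
$inventory = @'
Computer,Name,SID,ObjectClass,PrincipalSource
WS01,WS01\Administrator,S-1-5-21-1000000001-1000000002-1000000003-500,User,Local
WS01,EXAMPLE\Domain Admins,S-1-5-21-3000000001-3000000002-3000000003-512,Group,ActiveDirectory
WS01,EXAMPLE\jdoe,S-1-5-21-3000000001-3000000002-3000000003-1105,User,ActiveDirectory
WS02,WS02\Administrator,S-1-5-21-2000000001-2000000002-2000000003-500,User,Local
WS02,EXAMPLE\Domain Users,S-1-5-21-3000000001-3000000002-3000000003-513,Group,ActiveDirectory
WS02,EXAMPLE\jdoe,S-1-5-21-3000000001-3000000002-3000000003-1105,User,ActiveDirectory
'@ | ConvertFrom-Csv

function Get-LocalAdminFindings {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Inventory)

    # Local accounts also carry S-1-5-21-... SIDs, so filter on PrincipalSource first.
    $domain = @($Inventory | Where-Object { "$($_.PrincipalSource)" -eq 'ActiveDirectory' })

    foreach ($pc in ($Inventory | Group-Object Computer)) {
        $sids = @($domain | Where-Object Computer -eq $pc.Name | ForEach-Object { "$($_.SID)" })
        # RID 512 = Domain Admins. Its absence is what caused the C$ prompt in this thread.
        if (-not ($sids -match '-512$')) {
            [pscustomobject]@{ Target = $pc.Name; Finding = 'DomainAdminsMissing' }
        }
        # RID 513 = Domain Users. Every domain user would be a remote admin of this PC.
        if ($sids -match '-513$') {
            [pscustomobject]@{ Target = $pc.Name; Finding = 'DomainUsersIsAdmin' }
        }
    }

    # The same domain user in the local admin group of more than one workstation.
    $domain | Where-Object ObjectClass -eq 'User' | Group-Object { "$($_.SID)" } |
        Where-Object { @($_.Group.Computer | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Target = $_.Group[0].Name; Finding = 'UserIsAdminOnMultiplePCs' }
        }
}

Get-LocalAdminFindings -Inventory $inventory | Format-Table -AutoSize
```

To run it against live machines, replace the constructed inventory with the output of `Get-LocalGroupMember` collected per workstation, adding a `Computer` column for the host each row came from.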


