Default Admin Shares...

I know you can change the reg. values for default admin shares to disable C$ D$ ADMIN$ IPC$ ETC.  I also know that it will affect things such as SMS.  I figure that it will also kill patch management systems such as Shavliks, HFNETCHKPRO.  However it seems as if every security guide recommends this and all external auditors recommend this as well.  I need to know what others think.  Disable, or leave enabled, and why?  The answer here will come in the form of the why.  Thank you.
chrisandersoon Asked:
 
masterbaker Commented:
It depends on what problem you are trying to address.  If your Administrator accounts have "tough" passwords and you have strict policies against running password cracking tools (maybe even using monitoring software to catch people doing this) then leaving the default admin shares is fine and you have no reason to endure the pain of removing them.

You can very easily go off the deep end with regards to security.  An auditor should point out areas of concern or specific problems, but they should not be dictating how to address them.  That's your job.  If you can come up with other ways to address their concerns then that should do just fine.  If that means selecting tough passwords and rotating them on a regular basis, fine.  Whatever meets both of your needs!

I do believe auditors have their place.  I just don't believe it is their place to tell you what to do.  They sound more like consultants than auditors.

Jeff
0
 
nihlcat Commented:
There's a slew of reasons NOT to do this.  Here's a few of them from Microsoft for the Admin$ share:
http://support.microsoft.com/?kbid=842715

I had to lock down some of our DCs and ended up making our SYSVOL folder a hidden share...then Active Directory collapsed like a house of cards.
0
 
Gargantubrain Commented:
The administrative shares are by default restricted to Administrator-only access. That is the first place you should be looking if you are trying to tighten security. Given the impact of spyware in recent months, it is increasingly dangerous to allow users (not even the administrators!) to be in any administrative groups. Your admins should use an administrative account only when doing administrative tasks, and use a normal user-level account for other activities.

I think you would be much more satisfied with the results of a well-designed security policy and structure than what you can accomplish by just disabling a few admin shares. If you read the Microsoft KB article that nihlcat mentioned, and understand all of the ramifications of disabling each share, and you incorporate some of those changes as part of your total security policy, then great. Not everyone uses SMS, SQL, etc, so some of the bad effects of disabling some of the shares may not even apply to your situation.
0
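A read-only audit of the two things this thread weighs against each other, the automatic admin shares and who is in the local Administrators group, added here as an example that is not part of any poster's comment. It assumes Windows PowerShell 5.1 or later; the registry value names `AutoShareServer` and `AutoShareWks` are not named in the thread.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareSetting {
    param([string]$Name)
    # A missing value means the default applies: the shares are created at startup.
    $prop = Get-ItemProperty -Path $paramKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop)     { return 'not set (shares created by default)' }
    if ($prop.$Name -eq 0)   { return '0 (automatic creation disabled)' }
    return "$($prop.$Name) (shares created)"
}

# Registry switches for server and workstation editions.
[pscustomobject]@{
    AutoShareServer = Get-AutoShareSetting -Name 'AutoShareServer'
    AutoShareWks    = Get-AutoShareSetting -Name 'AutoShareWks'
} | Format-List

# Win32_Share flags administrative shares with the high bit of Type
# (2147483648 = disk admin share, 2147483651 = IPC admin share).
Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -ge 2147483648 } |
    Select-Object Name, Path, Type |
    Format-Table -AutoSize

# Members of the built-in Administrators group (well-known SID S-1-5-32-544),
# the group membership the comment above says to review first.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```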
 
chrisandersoon (Author) Commented:
Thanks for the responses.  Like I said I will give the points after I get a couple of replies.  

I think both of your answers are correct so you will be getting points.

But to keep this question open and see what others think will be a big help.  

The problem I am facing is that we have things implemented such as SQL, and Shavlik etc.  I also see that tightening up security elsewhere is probably just as important if not more important.  

I have a good grasp on the default admin share things, and personally I don't see the benefit from disabling it.  Especially since I use them.  However, we had the external auditors come in and recommend removing it. And therefore I am left in a situation that I have to defend my answers.  And this is where the pros and cons come in.   I am just trying to weigh the pros and cons.  

I don't know if y'all have time, but would appreciate it if you could list what you feel are the pros and cons.  

Thanks.
0
 
nihlcat Commented:
WELL SPOKEN Jeff.  I have traveled down that road already this year.  I work for a company that employs external security auditors and as I have alluded, their recommendations destroyed our AD.  Luckily enough backups were in place.  What came out about a month later is that they applied their security settings to a test environment that was much less sophisticated than our production environment.  

Translation:  They had no idea what their recommendations would do to us.

That's really the trick, these hardening recommendations are just not site-centric to everyone.  That's not really possible given all the different types of network configurations.
0
 
masterbaker Commented:
Thanks nihlcat.  I used to work at a fairly good sized business (~1000 employees) and had to participate in yearly external audits a few times.  The worst audits were when the techies would come out and make all sorts of suggestions to our managers and cause us trouble.  I do believe there was value in having a fresh set of eyes view our environment, but I don't believe they know the environment well enough at that point to make key decisions.  

Just as you said, no one solution will work for every company.

Jeff
0
Question has a verified solution.