Solved

Default Admin Shares...

Posted on 2004-10-19
Last Modified: 2013-12-04
I know you can change the reg. values for default admin shares to disable C$ D$ ADMIN$ IPC$ ETC.  I also know that it will affect things such as SMS.  I figure that it will also kill patch management systems such as Shavliks, HFNETCHKPRO.  However it seems as if every security guide recommends this and all external auditors recommend this as well.  I need to know what others think.  Disable, or leave enabled, and why?  The answer here will come in the form of the why.  Thank you.
Question by:chrisandersoon
6 Comments
 
LVL 6

Assisted Solution

by:nihlcat
nihlcat earned 170 total points
ID: 12348167
There's a slew of reasons NOT to do this.  Here are a few of them from Microsoft for the Admin$ share:
http://support.microsoft.com/?kbid=842715

I had to lock down some of our DCs and ended up making our SYSVOL folder a hidden share...then Active Directory collapsed like a house of cards.
0
 
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 165 total points
ID: 12348770
The administrative shares are by default restricted to Administrator-only access. That is the first place you should be looking if you are trying to tighten security. Given the impact of spyware in recent months, it is increasingly dangerous to allow users (not even the administrators!) to be in any administrative groups. Your admins should use an administrative account only when doing administrative tasks, and use a normal user-level account for other activities.

I think you would be much more satisfied with the results of a well-designed security policy and structure than what you can accomplish by just disabling a few admin shares. If you read the Microsoft KB article that nihlcat mentioned, and understand all of the ramifications of disabling each share, and you incorporate some of those changes as part of your total security policy, then great. Not everyone uses SMS, SQL, etc, so some of the bad effects of disabling some of the shares may not even apply to your situation.
0
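A read-only check of the points raised so far, added here as an example and not part of the original thread: it reports whether the registry values that suppress the automatic admin shares are set, which special shares the server currently publishes, and who is in the local Administrators group that can reach them. It assumes a Windows version with the `SmbShare` and `LocalAccounts` PowerShell modules and the standard `AutoShareServer` / `AutoShareWks` values under the LanmanServer parameters key.

```powershell
# Added example: read-only audit, changes nothing on the system.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareSetting {
    param([Parameter(Mandatory)][string]$Name)
    # A missing value means the default applies: the shares are created at startup.
    $item = Get-ItemProperty -Path $paramKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'not set (default: shares created)' }
    if ($item.$Name -eq 0) { return '0 (automatic creation disabled)' }
    return "$($item.$Name) (shares created)"
}

# 1. Registry values that control automatic creation of C$, D$, ADMIN$.
[pscustomobject]@{
    AutoShareServer = Get-AutoShareSetting -Name 'AutoShareServer'   # server SKUs
    AutoShareWks    = Get-AutoShareSetting -Name 'AutoShareWks'      # workstation SKUs
} | Format-List

# 2. Special (administrative) shares the Server service publishes right now.
Get-SmbShare -Special $true |
    Select-Object Name, Path, Description |
    Format-Table -AutoSize

# 3. Members of the local Administrators group (well-known SID S-1-5-32-544,
#    used instead of the name so the check works on localized systems).
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$members  = Get-LocalGroupMember -SID $adminSid

$members |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Nested groups widen access to the admin shares beyond the names listed above,
# so call them out for a follow-up membership review.
$nested = $members | Where-Object { $_.ObjectClass -eq 'Group' }
if ($nested) {
    Write-Warning ("Groups nested in Administrators: " + ($nested.Name -join ', '))
}
```

Run it from an elevated prompt on the server being reviewed; the output gives an auditor the current share state and the list of accounts that actually have access.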
 
LVL 4

Author Comment

by:chrisandersoon
ID: 12352754
Thanks for the responses.  Like I said I will give the points after I get a couple of replies.  

I think both of your answers are correct so you will be getting points.

But keeping this question open and seeing what others think will be a big help.  

The problem I am facing is that we have things implemented such as SQL, and Shavlik etc.  I also see that tightening up security elsewhere is probably just as important if not more important.  

I have a good grasp on the default admin share things, and personally I don't see the benefit from disabling it.  Especially since I use them.  However, we had the external auditors come in and recommend removing it. And therefore I am left in a situation that I have to defend my answers.  And this is where the pros and cons come in.   I am just trying to weigh the pros and cons.  

I don't know if y'all have time, but would appreciate it if you could list what you feel are the pros and cons.  

Thanks.
0
 
LVL 13

Accepted Solution

by:masterbaker
masterbaker earned 165 total points
ID: 12353003
It depends on what problem you are trying to address.  If your Administrator accounts have "tough" passwords and you have strict policies against running password cracking tools (maybe even using monitoring software to catch people doing this) then leaving the default admin shares is fine and you have no reason to endure the pain of removing them.

You can very easily go off the deep end with regards to security.  An auditor should point out areas of concern or specific problems, but they should not be dictating how to address them.  That's your job.  If you can come up with other ways to address their concerns then that should do just fine.  If that means selecting tough passwords and rotating them on a regular basis, fine.  Whatever meets both of your needs!

I do believe auditors have their place.  I just don't believe it is their place to tell you what to do.  They sound more like consultants than auditors.

Jeff
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12353290
WELL SPOKEN Jeff.  I have traveled down that road already this year.  I work for a company that employs external security auditors and as I have alluded, their recommendations destroyed our AD.  Luckily enough backups were in place.  What came out about a month later is that they applied their security settings to a test environment that was much less sophisticated than our production environment.  

Translation:  They had no idea what their recommendations would do to us.

That's really the trick, these hardening recommendations are just not site-centric to everyone.  That's not really possible given all the different types of network configurations.
0
 
LVL 13

Expert Comment

by:masterbaker
ID: 12361101
Thanks nihlcat.  I used to work at a fairly good sized business (~1000 employees) and had to participate in yearly external audits a few times.  The worst audits were when the techies would come out and make all sorts of suggestions to our managers and cause us trouble.  I do believe there was value in having a fresh set of eyes view our environment, but I don't believe they know the environment well enough at that point to make key decisions.  

Just as you said, no one solution will work for every company.

Jeff
0
