Solved

Default Admin Shares...

Posted on 2004-10-19
6
339 Views
Last Modified: 2013-12-04
I know you can change the reg. values for default admin shares to disable C$, D$, ADMIN$, IPC$, etc.  I also know that it will affect things such as SMS.  I figure that it will also kill patch management systems such as Shavlik's HFNETCHKPRO.  However, it seems as if every security guide recommends this and all external auditors recommend this as well.  I need to know what others think.  Disable, or leave enabled, and why?  The answer here will come in the form of the why.  Thank you.
0
Question by:chrisandersoon
6 Comments
 
LVL 6

Assisted Solution

by:nihlcat
nihlcat earned 170 total points
ID: 12348167
There's a slew of reasons NOT to do this.  Here are a few of them from Microsoft for the Admin$ share:
http://support.microsoft.com/?kbid=842715

I had to lock down some of our DCs and ended up making our SYSVOL folder a hidden share...then Active Directory collapsed like a house of cards.
0
 
LVL 3

Assisted Solution

by:Gargantubrain
Gargantubrain earned 165 total points
ID: 12348770
The administrative shares are by default restricted to Administrator-only access. That is the first place you should be looking if you are trying to tighten security. Given the impact of spyware in recent months, it is increasingly dangerous to allow users (not even the administrators!) to be in any administrative groups. Your admins should use an administrative account only when doing administrative tasks, and use a normal user-level account for other activities.

I think you would be much more satisfied with the results of a well-designed security policy and structure than what you can accomplish by just disabling a few admin shares. If you read the Microsoft KB article that nihlcat mentioned, and understand all of the ramifications of disabling each share, and you incorporate some of those changes as part of your total security policy, then great. Not everyone uses SMS, SQL, etc, so some of the bad effects of disabling some of the shares may not even apply to your situation.
0
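An added example, not part of the original posts: a read-only PowerShell audit that gathers the facts this answer points at, namely whether the administrative shares are auto-created, which special shares exist, and who is in the local Administrators group and can therefore reach them. The registry value names `AutoShareServer` and `AutoShareWks` are not named in the thread (they are the LanmanServer parameters that control automatic creation of the drive and ADMIN$ shares), and the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumes Windows PowerShell 5.1+ (Get-SmbShare, Get-LocalGroupMember), run elevated.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareSetting {
    # AutoShareServer (servers) / AutoShareWks (workstations):
    # absent or non-zero = drive$ and ADMIN$ are recreated when the Server service starts,
    # 0 = automatic creation is suppressed.
    $props = Get-ItemProperty -Path $paramKey -ErrorAction Stop
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $prop  = $props.PSObject.Properties[$name]
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting     = $name
            Value       = if ($null -eq $value) { '(not set)' } else { $value }
            AutoCreated = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

function Get-AdminShare {
    # "Special" shares are the system-created ones (drive roots, ADMIN$, IPC$).
    Get-SmbShare -Special $true | Select-Object Name, Path, Description
}

function Get-LocalAdminMember {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
    # so the lookup works regardless of the OS display language.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

'--- Auto-share registry settings ---'
Get-AutoShareSetting | Format-Table -AutoSize

'--- Administrative (special) shares present ---'
Get-AdminShare | Format-Table -AutoSize

'--- Accounts that can use them (local Administrators) ---'
Get-LocalAdminMember | Format-Table -AutoSize
```

Every entry in the last table is an account whose compromise exposes the shares listed in the second, which is the membership review the answer recommends doing first.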
 
LVL 4

Author Comment

by:chrisandersoon
ID: 12352754
Thanks for the responses.  Like I said I will give the points after I get a couple of replies.  

I think both of your answers are correct so you will be getting points.

But keeping this question open to see what others think will be a big help.  

The problem I am facing is that we have things implemented such as SQL, and Shavlik etc.  I also see that tightening up security elsewhere is probably just as important if not more important.  

I have a good grasp on the default admin share things, and personally I don't see the benefit from disabling it.  Especially since I use them.  However, we had the external auditors come in and recommend removing it. And therefore I am left in a situation that I have to defend my answers.  And this is where the pros and cons come in.   I am just trying to weigh the pros and cons.  

I don't know if y'all have time, but would appreciate it if you could list what you feel are the pros and cons.  

Thanks.
0

 
LVL 13

Accepted Solution

by:
masterbaker earned 165 total points
ID: 12353003
It depends on what problem you are trying to address.  If your Administrator accounts have "tough" passwords and you have strict policies against running password cracking tools (maybe even using monitoring software to catch people doing this) then leaving the default admin shares is fine and you have no reason to endure the pain of removing them.

You can very easily go off the deep end with regards to security.  An auditor should point out areas of concern or specific problems, but they should not be dictating how to address them.  That's your job.  If you can come up with other ways to address their concerns then that should do just fine.  If that means selecting tough passwords and rotating them on a regular basis, fine.  Whatever meets both of your needs!

I do believe auditors have their place.  I just don't believe it is their place to tell you what to do.  They sound more like consultants than auditors.

Jeff
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12353290
WELL SPOKEN Jeff.  I have traveled down that road already this year.  I work for a company that employs external security auditors and as I have alluded, their recommendations destroyed our AD.  Luckily enough backups were in place.  What came out about a month later is that they applied their security settings to a test environment that was much less sophisticated than our production environment.  

Translation:  They had no idea what their recommendations would do to us.

That's really the trick, these hardening recommendations are just not site-centric to everyone.  That's not really possible given all the different types of network configurations.
0
 
LVL 13

Expert Comment

by:masterbaker
ID: 12361101
Thanks nihlcat.  I used to work at a fairly good sized business (~1000 employees) and had to participate in yearly external audits a few times.  The worst audits were when the techies would come out and make all sorts of suggestions to our managers and cause us trouble.  I do believe there was value in having a fresh set of eyes view our environment, but I don't believe they know the environment well enough at that point to make key decisions.  

Just as you said, no one solution will work for every company.

Jeff
0
