Domain Users have access to some Server ADMIN Shares (C$)

Running a Windows Server 2003 environment.
For some strange reason, some servers allow ADMIN Share access to the Domain Users group.

I've confirmed the NTFS permissions and Local Administrator groups match the secure servers.
Looked through the Local Security Policy a bit, but couldn't find anything that stood out.

Local Policies\User Rights Assignment - Access this computer from the network & Deny access to this computer from the network are both setup exactly the same as the secure servers.

Any suggestions on where this setting is coming from?  My goal is to lock down the ADMIN share on the open servers.

Who is Participating?
ChiefITConnect With a Mentor Commented:

I am sorry for not replying sooner.

Not to insult your intelligence, but are you sure these users are not authenticating using domain admin username and password?

I was certain ShareEnum looked at admin shares if you log on to that PC as domain administrator. Nevertheless, that was a part of discovery and I think we can move on.

Instead of share enumeration, go to the server in question and  use the share snaping by going to: Start>>Select "Run">>type in "mmc">>go to the "console" menu>>Select "add/remove snapin".  This is a good place to organize your administrative tasks. Add the Shares Snapin to the console and any other snapins you wish to use. Save the console to the desktop. Then go into the console. By default it is a icon called "Console1". If you have network share, they should be seen in the share snapin. You may be able to control access there, I am not currently setting at one of my server. So, this is all off memory. I will be at one of my servers on 8/15. Then I will be more productive.

The following are recommendations Wikipedia had for securing shares. Waring, some recomendations are used to disable the shares from all, including administrators.

Preventing Access
However, disabling the Administrative shares doesn't mitigate any real significant security risks, but only keeps nuisance administrators from casually browsing the shared contents. This is because anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (hidden using the "$" suffix or not). Merely disabling the administrative shares doesn't make it any harder for a technically astute user to gain access to the disk contents.

Better ways to prevent remote browsing of the disk contents is to:

disable File and Printer Sharing (or unbind the NetBT protocol)
Stop and/or Disable the Workstation service
set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
remove membership in the Administrators group for those users/groups you wish to block
encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files

May I draw your attention to a program called "ShareEnum" found on the microsoft sysinternals website. Let me give you the link.

This program will go over the share permissions. I believe that includes administrative shares.

You looked at the NTFS permissions, but have you looked at who is in the administrative groups under active directory.

ShareEnum will quicken the process of discovery.
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

cmandervilleAuthor Commented:
Unfortunately, ShareEnum didn't include the ADMIN share.
Also I confirmed the Adminitrators group in AD didn't include the Domain User group or anybody who shouldn't be there.

Any other suggestions?
cmandervilleAuthor Commented:
I'm sure of the authentication method because I'm testing with both a Domain User and Domain Admin account.  The Domain Admin account works for all servers.  The Domain User account only works for those few unsecured servers.  My goal is to get all servers denying Domain Users.  This is for Admin share access only (\\<server name>\c$ (or d$, e$, etc)

Checking both the Local groups (such as Administrators) and the NTFS permissions have yeilded no results, as the secure and unsecure match perfectly.  That's why I thought this could be on the Group Policy level, but unable to find any significant differences in there.

Tried the Shared Folders view in MMC and am able to view both secure and unsecured servers from here.  All show ADMIN shares.  Of course there's no way to view Security infomation on ADMIN shares through here.

Man, Wikipedia has everything.  However, I'm not looking to cut off access from the Domain Admins.

I really apprciate your help.
In windows NT and 2000, a member of the Server Operator's Group has access to these files. Maybe 2003 is the same way.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.