Solved

Domain Users have access to some Server ADMIN Shares (C$)

Posted on 2007-08-10
Last Modified: 2013-11-05
Running a Windows Server 2003 environment.
For some strange reason, some servers allow ADMIN Share access to the Domain Users group.

I've confirmed the NTFS permissions and Local Administrator groups match the secure servers.
Looked through the Local Security Policy a bit, but couldn't find anything that stood out.

Local Policies\User Rights Assignment - "Access this computer from the network" and "Deny access to this computer from the network" are both set up exactly the same as on the secure servers.

Any suggestions on where this setting is coming from?  My goal is to lock down the ADMIN share on the open servers.

Thanks.
0
Question by:cmanderville
6 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19672850
May I draw your attention to a program called "ShareEnum" found on the Microsoft Sysinternals website. Let me give you the link.

http://www.microsoft.com/technet/sysinternals/Networking/ShareEnum.mspx

This program will go over the share permissions. I believe that includes administrative shares.

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19672866
You looked at the NTFS permissions, but have you looked at who is in the administrative groups under Active Directory?

ShareEnum will quicken the process of discovery.
0
 

Author Comment

by:cmanderville
ID: 19683265
Unfortunately, ShareEnum didn't include the ADMIN share.
Also, I confirmed the Administrators group in AD didn't include the Domain Users group or anybody who shouldn't be there.

Any other suggestions?
Thanks!
0

 
LVL 39

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 19686170
CM

I am sorry for not replying sooner.

Not to insult your intelligence, but are you sure these users are not authenticating using domain admin username and password?

I was certain ShareEnum looked at admin shares if you log on to that PC as domain administrator. Nevertheless, that was a part of discovery and I think we can move on.

Instead of share enumeration, go to the server in question and use the Shares snap-in by going to: Start >> select "Run" >> type in "mmc" >> go to the "console" menu >> select "add/remove snap-in". This is a good place to organize your administrative tasks. Add the Shares snap-in to the console and any other snap-ins you wish to use. Save the console to the desktop. Then go into the console. By default it is an icon called "Console1". If you have network shares, they should be seen in the Shares snap-in. You may be able to control access there. I am not currently sitting at one of my servers, so this is all from memory. I will be at one of my servers on 8/15. Then I will be more productive.

The following are recommendations Wikipedia had for securing shares. Warning: some recommendations are used to disable the shares for all, including administrators.

Preventing Access
However, disabling the Administrative shares doesn't mitigate any real significant security risks, but only keeps nuisance administrators from casually browsing the shared contents. This is because anyone who has membership in the local Administrators group can either (a) re-enable the administrative shares or (b) create new shares (hidden using the "$" suffix or not). Merely disabling the administrative shares doesn't make it any harder for a technically astute user to gain access to the disk contents.

Better ways to prevent remote browsing of the disk contents are to:

disable File and Printer Sharing (or unbind the NetBT protocol)
Stop and/or Disable the Workstation service
set IPSec block rules that prevent inbound connections on 445/tcp and 445/udp
remove membership in the Administrators group for those users/groups you wish to block
encrypt the files that must remain confidential using a file-based encryption technology (such as EFS or RMS) that requires access to per-user decryption keys to gain access to plaintext contents of the files

0
 

Author Comment

by:cmanderville
ID: 19686580
I'm sure of the authentication method because I'm testing with both a Domain User and Domain Admin account.  The Domain Admin account works for all servers.  The Domain User account only works for those few unsecured servers.  My goal is to get all servers denying Domain Users.  This is for Admin share access only (\\<server name>\c$ (or d$, e$, etc.)).

Checking both the Local groups (such as Administrators) and the NTFS permissions has yielded no results, as the secure and unsecure match perfectly.  That's why I thought this could be on the Group Policy level, but I've been unable to find any significant differences in there.

Tried the Shared Folders view in MMC and am able to view both secure and unsecured servers from here.  All show ADMIN shares.  Of course there's no way to view Security information on ADMIN shares through here.

Man, Wikipedia has everything.  However, I'm not looking to cut off access from the Domain Admins.

I really appreciate your help.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19767558
In Windows NT and 2000, a member of the Server Operators group has access to these files. Maybe 2003 is the same way.
0
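
The comparison this thread keeps returning to (which groups differ between a secure and an open server) can be scripted, nested groups included. The following is an added example, not code from any poster in the thread: it assumes PowerShell 2.0 or later on an admin workstation, and the server names `SRV-GOOD` and `SRV-OPEN` and the function names are placeholders.

```powershell
# Added example: diff the effective (nested) membership of privileged local
# groups between a server that denies Domain Users on C$ and one that allows it.
$Baseline = 'SRV-GOOD'   # placeholder: server that refuses Domain Users
$Suspect  = 'SRV-OPEN'   # placeholder: server that lets Domain Users in
# Administrators and Server Operators come from the thread; Backup Operators
# is an added assumption about which other group is worth checking.
$Groups   = 'Administrators', 'Server Operators', 'Backup Operators'
$Broad    = 'Domain Users', 'Authenticated Users', 'Everyone'

function Get-EffectiveMember {
    param([string]$AdsPath, [hashtable]$Seen)
    $out = @()
    try   { $members = @(([ADSI]$AdsPath).psbase.Invoke('Members')) }
    catch { return $out }   # group absent on this machine, or not expandable
    foreach ($m in $members) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
        if ($Seen.ContainsKey($path)) { continue }   # guard against group loops
        $Seen[$path] = $true
        $out += $path
        if ($class -eq 'Group') {
            # Expand nested groups so an indirect Domain Users entry shows up.
            $out += @(Get-EffectiveMember "$path,group" $Seen)
        }
    }
    return $out
}

function Get-ServerGroupMember {
    param([string]$Server, [string]$Group)
    $raw = @(Get-EffectiveMember "WinNT://$Server/$Group,group" @{})
    # Replace the machine name so local accounts compare equal across servers.
    $raw | ForEach-Object { $_ -replace "/$([regex]::Escape($Server))/", '/<local>/' }
}

foreach ($g in $Groups) {
    $good  = @(Get-ServerGroupMember $Baseline $g)
    $open  = @(Get-ServerGroupMember $Suspect  $g)
    $extra = @($open | Where-Object { $good -notcontains $_ })
    foreach ($e in $extra) {
        $name = ($e -split '/')[-1]
        $flag = if ($Broad -contains $name) { '  <-- broad principal' } else { '' }
        "{0}: only on {1}: {2}{3}" -f $g, $Suspect, $e, $flag
    }
}
```

No output means the effective membership of the checked groups is identical on both servers, which points the investigation away from group membership.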
