• Status: Solved

Securing C$ Share

Currently I have a Windows 2003 site that has set up every PC with the domain users group as local administrators. This gives all users access to the C$ and could cause problems.

Group policy cannot be implemented because a central "group" controls all policies, but local changes can be implemented.

I don't want to stop sharing it, which would be bad, so I accessed the C drive and clicked on security.  I removed the everyone group, administrators group, and the users group.  Added the correct domain admins and it works like a charm...except the local users can no longer double click on their C drive and access their files.  

Is there any way around this situation?
Asked by: dgore1
1 Solution
 
RubenvdLinden Commented:
On a normal share, you would be able to right-click, select Properties, click the Sharing tab and click the Permissions button to set specific share permissions. This way, you can e.g. only give administrators access to the share, without restricting the local users from accessing files.

I would recommend disabling the administrative shares in the registry and manually creating shares on the root directory to allow admins to access the disk.

To disable the administrative shares, start regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
Create two new REG_DWORD values: "AutoShareServer" and "AutoShareWks" and set both values to "0".
Finally, restart your computer to enable this new setting and manually create new shares.

I hope this helps!
0
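
The registry change and replacement share described in the answer above, as an added PowerShell example that is not part of the original post. It assumes a Windows version that ships the SmbShare module (Windows 8 / Server 2012 or later; the Windows 2003-era machines in this thread would need the WMI script or RMTSHARE route instead). The share name `AdminC$` and the group `CONTOSO\Domain Admins` are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: disable the automatic administrative shares and publish an
# admins-only replacement. Share name and group are placeholders (assumptions).
$ParamKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ShareName  = 'AdminC$'                  # hypothetical hidden share name
$AdminGroup = 'CONTOSO\Domain Admins'    # placeholder domain group

# 1. Set both values to 0 so the automatic shares (C$, ADMIN$) are not
#    recreated. Takes effect after the restart the answer mentions.
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    New-ItemProperty -Path $ParamKey -Name $name -PropertyType DWord -Value 0 -Force |
        Out-Null
}

# 2. Create the replacement share on the root of C: and grant share-level
#    access to the admin group only. NTFS permissions are left untouched,
#    so local users keep access to their own files.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path 'C:\' -FullAccess $AdminGroup | Out-Null
}

# 3. Report what was configured so the result can be checked or logged.
Get-ItemProperty -Path $ParamKey -Name AutoShareServer, AutoShareWks |
    Select-Object AutoShareServer, AutoShareWks
Get-SmbShareAccess -Name $ShareName |
    Select-Object Name, AccountName, AccessControlType, AccessRight
```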
 
KCTS Commented:
Where did you remove the groups - remove them from the SHARE not the NTFS permissions.

RubenvdLinden Commented:
KCTS,

That's not an option. If you click the Permissions button on the Sharing tab of an administrative share, Windows will present a message box saying that you cannot change the permissions of an administrative share.
 
KCTS Commented:
Sorry - You are quite right  - I wasn't thinking

dgore1 Author Commented:
So, there is no way to allow access to the C drive once you remove the Users or Everyone groups? The only way other than a registry hack and group policy I could see was to add the local users to the Users group on the local machine....they can still access their C drive but no one else could...that sound like a plan?

RubenvdLinden Commented:
Yes; if you remove the domain users from the local administrators group and add them to either the local user or local power user groups then you should be fine.
The administrative share only allows access to members of the local administrator group.

dgore1 Author Commented:
Well therein lies the problem...I can't remove them from the local administrators group...that's a company policy...so when I access the C drive I removed everything except owner creator, system, local administrator....I then added the domain admins....but when I logon to the machine as a domain user and try to install software or access the C drive, I get an error....if I put back the users group, power users group or everyone, they can access the C drive and all is well except they can get back to the admin share of any remote machine by using the \\computername\c$...so, is there a way to allow the users to see their own C drive and not access the c$ of any remote machine...

RubenvdLinden Commented:
If you can't remove them from the local administrators group, then you have no other option than to remove the administrative share and create a custom share for the domain admins, as posted in my first reply.
Members of the local administrator group will always have full access to administrative shares.

dgore1 Author Commented:
Yup...I got that...but if I leave them in the local administrators group and remove the others, it blocks access to the admin share except for the people that need it...they just can't access the C drive....maybe what we do is create a share on the c drive that the domain users can access, but not the c$ share...

Gonna try that and see if it works.

RubenvdLinden Commented:
That was my first suggestion (create a custom share for domain admins); if you then remove the administrative shares, the domain admins have access and your normal users have not.

I hope this works for you.

dgore1 Author Commented:
I saw that one, but trying to remove is easier...we have to do this on 1500 workstations...probably through a script...maybe a script would make the custom share easier...

RubenvdLinden Commented:
You're right about that ...
This is a WMI script to create a new share on a specified computer: http://www.microsoft.com/technet/scriptcenter/resources/qanda/jan05/hey0107.mspx

You can either modify it to perform the action remotely for all computers in your network, or simply replace
strComputer = "atl-ws-01"
with
strComputer = "."
and run the script on each computer.


You can set the permissions with a tool called RMTSHARE.EXE, which can be downloaded here: http://tech.cuip.net/logins/programs/nt4/expanded-copy-to-winntsys32/

A nice VBS script to use this tool can be found here: http://groups.google.co.uk/group/microsoft.public.windowsxp.security_admin/browse_frm/thread/4b7c9f16e86893f6/5de02451dfdd11b6#5de02451dfdd11b6

dgore1 Author Commented:
Well I found another solution that works in all situations...but I like all your suggestions cause if this one fails, then I fall back to your ideas!!

Here's what I did:

Removed the domain users from the local administrators group (this is going to be a hard sell since it's our development group that's pushing this one). Added domain users to the power users group. Accessed the C drive, removed the everyone group and local administrators from the share...leaving only the local administrator, domain admins, and domain users....also removed all domain groups from the users group.

Now the local people can add printers, see the hard drive, add applications etc with no problems (as of yet)...but if they try to access the C$ they get a logon that will not let them past unless you are a domain admin!!

This will be pushed out via a script upon logon to do the group moves and removals..

Thanks for all the ideas!!
dale
0
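
A check for the end state described in this last post, as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later run locally on the workstation and English group names; the function name and the list of broad group names are illustrative assumptions.

```powershell
# Added example: report whether this workstation matches the group layout
# described above. Function name and $BroadGroups are assumptions.
$BroadGroups = 'Domain Users', 'Everyone', 'Authenticated Users'

function Get-LocalGroupMemberName {
    param([Parameter(Mandatory)][string]$Group)
    # ADSI WinNT provider; works without the LocalAccounts module.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

$admins = @(Get-LocalGroupMemberName -Group 'Administrators')
$power  = @(Get-LocalGroupMemberName -Group 'Power Users')
$cShare = Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Name -eq 'C$' }

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    # Should be empty; the original problem was Domain Users appearing here.
    BroadGroupsInAdmins  = @($admins | Where-Object { $BroadGroups -contains $_ }) -join ', '
    DomainAdminsInAdmins = $admins -contains 'Domain Admins'
    DomainUsersInPower   = $power -contains 'Domain Users'
    # Informational: the administrative share stays in place in this solution.
    CDollarSharePresent  = [bool]$cShare
}
```

Collecting this object from each workstation, for example from the same logon script that performs the group moves, shows which machines still have a broad group in local Administrators.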
