• Status: Solved
  • Priority: Medium
  • Security: Public

Administrative Shares and Management tools

Hello, I'm trying to write a 'How to' and I'm not sure which 'way' is the best way for a larger company. So I need some advice from you IT gurus out there.

A company with about 2,000 workstations would like to block administrative shares from being used by remote users but can't disable the shares completely since they use products that rely on them (SMS, virus scanners, etc.).

Our file security product can do this, but I'm having trouble deciding what would be the best way to configure it.

So, here are what I think the options are:

Option 1: block all remote file accesses except for user accounts used by the management services like SMS.
Pro: easy to understand and covers all the files regardless of the workstation drive configuration.
Con: Someone could access the protected shares using an allowed service user account.
Con: All the service user accounts would have to be excluded, which means they would have to know them all. It could be a mess, unless they use an AD group, but then you have to monitor the group membership.

Option 2: block all remote access except allow access to folders that management services need to work.
Pro:  easy to understand and doesn't have a hole.
Con: It could be difficult to define what is needed since I have no idea what folders management services need.
Con: This will require a somewhat standard workstation configuration, but that's probably ok.

Option 3: only block remote access to protect folders like C:\Users\*
Pro: It should be the safest choice
Con: Doesn't really work in the real world since people put data all over their hard drive.
Con: Also would require a somewhat standard configuration.

Option 4: block all remote access based on time of day
Pro: this is a nice choice since most management services do their work in the middle of the night when no one is in the office.
Pro: easy to set up
Con: Doesn't work at all if the management services need to work while users are in the office.

That's all the options I can think of, and I believe that the best option will be #1 or #4.

Any advice?
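To make the pros and cons of the four options concrete, here is an added example (not from the original post or from any file security product) that models each option as a rule over a remote file access and runs them against a handful of constructed scenarios. The service accounts, folders and maintenance window are hypothetical placeholders; the real values come from the deployment.

```python
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RemoteAccess:
    """One remote file access as a file security product would see it (constructed model)."""
    account: str   # account the remote session was authenticated as, DOMAIN\name
    path: str      # local path on the workstation being accessed
    at: time       # local time of day on the workstation


# Constructed policy data (hypothetical names); real deployments supply their own.
SERVICE_ACCOUNTS = {r"corp\svc_sms", r"corp\svc_av"}                   # option 1 allow-list
SERVICE_PATHS = [r"c:\windows\ccmsetup\*", r"c:\program files\av\*"]    # option 2 allow-list
PROTECTED_PATHS = [r"c:\users\*"]                                       # option 3 block-list
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))                           # option 4 allowed hours


def _matches(path: str, patterns) -> bool:
    p = path.lower()
    return any(fnmatchcase(p, pat) for pat in patterns)


def option1_allows(a: RemoteAccess) -> bool:
    """Block all remote access except for the management service accounts."""
    return a.account.lower() in SERVICE_ACCOUNTS


def option2_allows(a: RemoteAccess) -> bool:
    """Block all remote access except to the folders the management services need."""
    return _matches(a.path, SERVICE_PATHS)


def option3_allows(a: RemoteAccess) -> bool:
    """Only block remote access to the protected user-profile folders."""
    return not _matches(a.path, PROTECTED_PATHS)


def option4_allows(a: RemoteAccess) -> bool:
    """Block all remote access outside the nightly maintenance window."""
    start, end = MAINTENANCE_WINDOW
    return start <= a.at < end


POLICIES = {
    "option1": option1_allows,
    "option2": option2_allows,
    "option3": option3_allows,
    "option4": option4_allows,
}


def evaluate(a: RemoteAccess) -> dict:
    """Return {option: True/False}; True means that option lets the access through."""
    return {name: rule(a) for name, rule in POLICIES.items()}


# Constructed scenarios covering the pros and cons listed in the question.
SCENARIOS = {
    "sms_at_night": RemoteAccess(r"CORP\svc_sms", r"C:\Windows\ccmsetup\ccmsetup.log", time(2, 0)),
    "sms_at_noon": RemoteAccess(r"CORP\svc_sms", r"C:\Windows\ccmsetup\ccmsetup.log", time(12, 0)),
    "admin_in_profile": RemoteAccess(r"CORP\jdoe", r"C:\Users\alice\Documents\payroll.xlsx", time(10, 0)),
    # option 1's hole: a person authenticating with an allowed service account
    "person_as_service": RemoteAccess(r"CORP\svc_sms", r"C:\Users\alice\Documents\payroll.xlsx", time(10, 0)),
    # option 3's con: sensitive data stored outside the protected folders
    "data_outside_users": RemoteAccess(r"CORP\jdoe", r"C:\Data\payroll.xlsx", time(10, 0)),
}


def report() -> dict:
    """Evaluate every scenario under every option."""
    return {name: evaluate(a) for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:20s}", {k: ("allow" if v else "block") for k, v in result.items()})
```

Running it shows the two weaknesses from the list side by side: `person_as_service` is allowed only by option 1, and `data_outside_users` is allowed only by option 3, while `sms_at_noon` is the case that breaks option 4.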
1 Solution
My 2 cents....

Depending on the company of course, I always opt to disable the hidden admin shares whenever possible.    

On the Domain I would create a group called Company-Services and drop that domain group into the local Admin Group on the workstation.  The AD group membership will control service account access to the workstation.   I always try to opt for a central point of management, especially for that number of machines.    

iunknown21 (Author) commented:
Thanks Mike,

I'm assuming that the goal is prevent IT administrators from gaining access to sensitive data via these shares.  If that is true, the administrator could just add his account to the Company-Services group and gain access.  

Do you audit group membership changes to catch this?
Mike commented:
Ah, now I think I understand the issue.... The Admin himself is suspected of poking around in files where he shouldn't be... That one is tricky.

Depending on the size of the company, you might want to look at a segregation of duties where the auditor and the admin are in 2 different departments, and any changes to account rights or groups are included in a report that is audited for proper authorization to make that change.... The company must also have the will to enforce this type of segregation since it is an onerous task and no one likes to do it.

There are products that would report changes to the AD that a 2nd department could follow up on.  

However this would have to be included along with a separation of the account creation, service/app installation, general admin roles for it to be effective.  

Consider: it would probably be the admin who set up the service accounts in the 1st place, or who would need the password to install the services, so there would be no need to add an account to the service group since he/she would already have the service password for access.

Next up, you must use NTFS permissions to lock down certain sensitive data.   Remove the admin from being able to access these groups whenever possible, include auditing to check for file access by accounts that shouldn't be in there (i.e. other service accounts, accounts for data backup for example).   Consider, if your data backup service account is poking around random files outside the backup window, then you know something is up.  

It is usually understood that there must be a certain amount of trust set up between the company and the department that controls access to the information. But when that trust comes into doubt, an experienced tech would know how to do this without getting caught. Right off the top of my head I can think of 3 different ways to look at documents without leaving a trace.....all of which could be done by someone with admin rights to the servers.

I hope something within all that rambling would be valuable to you.
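Mike's reply suggests two detective controls: report every membership change to the service group so a second department can check it against an approved request, and watch for the backup service account (or anyone else) touching sensitive files outside its window. As an added example, not from the original thread or any product, the following runs both checks over a few constructed security events. The line format is invented for the example; the event IDs are the Windows Security log's own (4728/4732 for a member added to a global/local security group, 4663 for object access). The account names, group name, paths and backup window are hypothetical.

```python
from datetime import datetime, time
from fnmatch import fnmatchcase

# Constructed, simplified security events: timestamp|event_id|subject|target|detail.
# A real pipeline would read these from the Security log or an AD change-reporting tool.
SAMPLE_LOG = """\
2024-03-04T02:10:05|4663|CORP\\svc_backup|C:\\Users\\alice\\Documents\\payroll.xlsx|ReadData
2024-03-04T03:00:00|4663|CORP\\svc_sms|C:\\Windows\\ccmsetup\\ccmsetup.log|WriteData
2024-03-04T14:22:41|4663|CORP\\svc_backup|C:\\Users\\alice\\Documents\\payroll.xlsx|ReadData
2024-03-04T14:30:12|4728|CORP\\jdoe|CORP\\Company-Services|member=CORP\\jdoe
2024-03-04T14:31:07|4663|CORP\\jdoe|C:\\Users\\alice\\Documents\\payroll.xlsx|ReadData
2024-03-04T15:00:00|4728|CORP\\svc_provisioning|CORP\\Company-Services|member=CORP\\svc_newscanner
"""

WATCHED_GROUPS = {r"corp\company-services"}   # the group whose membership grants workstation admin
GROUP_CHANGE_EVENTS = {"4728", "4732"}        # member added to a global / local security group
BACKUP_ACCOUNT = r"corp\svc_backup"           # hypothetical backup service account
BACKUP_WINDOW = (time(1, 0), time(5, 0))      # hypothetical nightly backup window
SENSITIVE_PATHS = [r"c:\users\*"]             # folders only the backup account should read remotely
SENSITIVE_ALLOWED = {BACKUP_ACCOUNT}


def parse(log_text: str):
    """Yield one dict per non-empty log line; subject and target are lower-cased for matching."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, detail = line.split("|", 4)
        yield {
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "subject": subject.lower(),
            "target": target.lower(),
            "detail": detail,
        }


def _in_window(t: time, window) -> bool:
    start, end = window
    return start <= t < end


def _sensitive(path: str) -> bool:
    return any(fnmatchcase(path, pat) for pat in SENSITIVE_PATHS)


def detect(log_text: str) -> list:
    """Return (rule, timestamp, subject, detail) findings for a second department to review."""
    findings = []
    for ev in parse(log_text):
        ts = ev["time"].isoformat()
        if ev["event_id"] in GROUP_CHANGE_EVENTS and ev["target"] in WATCHED_GROUPS:
            # Every change to the service group is reported, whoever made it, so the
            # reviewer can match it against an authorized change request.
            findings.append(("group_change", ts, ev["subject"], ev["detail"]))
        elif ev["event_id"] == "4663":
            if ev["subject"] == BACKUP_ACCOUNT and not _in_window(ev["time"].time(), BACKUP_WINDOW):
                findings.append(("backup_out_of_window", ts, ev["subject"], ev["target"]))
            if _sensitive(ev["target"]) and ev["subject"] not in SENSITIVE_ALLOWED:
                findings.append(("unexpected_sensitive_access", ts, ev["subject"], ev["target"]))
    return findings


def summary(log_text: str) -> dict:
    """Count findings per rule."""
    counts = {}
    for rule, *_ in detect(log_text):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding, sep="  ")
    print(summary(SAMPLE_LOG))
```

On the sample data the backup account's 02:10 read is silent, its 14:22 read is flagged as out of window, both additions to Company-Services are reported (including an admin adding himself), and the admin's direct read of the profile folder is flagged as an unexpected sensitive access. The group-change rule deliberately reports every addition rather than trying to guess which ones are legitimate; that judgement is the second department's job.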

iunknown21 (Author) commented:
Thanks again Mike,

I think I've confused things a bit. We (my company) sell a file auditing and security product that operates outside the Windows security model.

We can block file access by all sorts of methods to anyone, even Administrators, but the problem I'm having is trying to figure what would be the 'best' way to stop remote accesses made by people but allow them by these management tools.

Right now, the client has configured the product to block ALL remote access for everyone, including SMS, which isn't good.

Do you know if the 'Logon as a service privilege' can allow an interactive logon account?  

If it can't, I could punt on all the configuration guessing and just modify the product to check for the privilege and block remote access if it's not set.   But I'm pretty sure that Windows doesn't have such a restriction.
Mike commented:
Depends on the account. By default, the answer is yes.

See here:

You may need to use that in combination with the Deny local logon....

If the service account has admin rights, it might be possible to circumvent that though...  

iunknown21 (Author) commented:
I was hoping for general advice on which method would be the most 'attractive' solution to an administrator.