Administrative Shares and Management tools
Posted on 2010-01-05
Hello, I'm trying to write a 'How to' and I'm not sure which 'way' is the best way for a larger company. So I need some advice from you IT gurus out there.
A company with about 2,000 workstations would like to block administrative shares from being used by remote users but can't disable the shares completely since they use products that rely on them (SMS, virus scanners, etc.).
Our file security product can do this, but I'm having trouble deciding what would be the best way to configure it.
So, here are what I think the options are:
Option 1: block all remote file accesses except for user accounts used by the management services like SMS.
Pro: easy to understand and covers all the files regardless of the workstation drive configuration.
Con: Someone could access the protected shares using an allowed service user account.
Con: All the service user accounts would have to be excluded, which means they would have to know them all. It could be a mess, unless they use an AD group, but then you have to monitor the group membership.
Option 2: block all remote access except allow access to folders that management services need to work.
Pro: easy to understand and doesn't have a hole.
Con: It could be difficult to define what is needed since I have no idea what folders management services need.
Con: This will require a somewhat standard workstation configuration, but that's probably ok.
Option 3: only block remote access to protect folders like C:\Users\*
Pro: It should be the safest choice
Con: Doesn't really work in the real world since people put data all over their hard drive.
Con: Also would require a somewhat standard configuration.
Option 4: block all remote access based on time of day
Pro: this is a nice choice since most management services do their work in the middle of the night when no one is in the office.
Pro: easy to set up
Con: Doesn't work at all if the management services need to work while users are in the office.
That's all the options I can think of, and I believe that the best option will be #1 or #4.