Administrative Shares and Management tools

Posted on 2010-01-05
Last Modified: 2013-12-04
Hello, I'm trying to write a 'How to' and I'm not sure which 'way' is the best way for a larger company. So I need some advice from you IT gurus out there.

A company with about 2,000 workstations would like to block administrative shares from being used by remote users but can't disable the shares completely since they use products that rely on them (SMS, virus scanners, etc.).

Our file security product can do this, but I'm having trouble deciding what would be the best way to configure it.

So, here are what I think the options are:

Option 1: block all remote file accesses except for user accounts used by the management services like SMS.
Pro: easy to understand and covers all the files regardless of the workstation drive configuration.
Con: Someone could access the protected shares using an allowed service user account.
Con: All the service user accounts would have to be excluded, which means they would have to know them all.  It could be a mess, unless they use an AD group, but then you have to monitor the group membership.

Option 2: block all remote access except allow access to folders that management services need to work.
Pro:  easy to understand and doesn't have a hole.
Con: It could be difficult to define what is needed since I have no idea what folders management services need.
Con: This will require a somewhat standard workstation configuration, but that's probably ok.

Option 3: only block remote access to protect folders like C:\Users\*
Pro: It should be the safest choice
Con: Doesn't really work in the real world since people put data all over their hard drive.
Con: Also would require a somewhat standard configuration.

Option 4: block all remote access based on time of day
Pro: this is a nice choice since most management services do their work in the middle of the night when no one is in the office.
Pro: easy to set up
Con: Doesn't work at all if the management services need to work while users are in the office.

That's all the options I can think of, and I believe that the best option will be #1 or #4.

Any advice?
Question by: iunknown21
    LVL 33

    Expert Comment

    My 2 cents....

    Depending on the company of course, I always opt to disable the hidden admin shares whenever possible.    

    On the Domain I would create a group called Company-Services and drop that domain group into the local Admin Group on the workstation.  The AD group membership will control service account access to the workstation.   I always try to opt for a central point of management, especially for that number of machines.    
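    The domain-group approach described above, as an added PowerShell example (not from the original thread). It assumes the RSAT ActiveDirectory module, a domain called CONTOSO, service accounts svc_sms and svc_av, an OU path, and PowerShell remoting to the workstations; every one of those names is an assumption.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory module,
# a CONTOSO domain and WinRM access to the workstations. All names below are assumptions.
Import-Module ActiveDirectory

$GroupName    = 'Company-Services'
$GroupOU      = 'OU=Service Groups,DC=contoso,DC=com'   # assumed OU
$ServiceUsers = 'svc_sms', 'svc_av'                     # assumed service accounts
$Workstations = 'WS-0001', 'WS-0002'                    # assumed; in practice pull from AD
$DomainGroup  = "CONTOSO\$GroupName"

# 1. One domain security group is the single point of management for service access.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $GroupOU -Description 'Service accounts allowed to use workstation admin shares'
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceUsers

# 2. Put the domain group into local Administrators on each workstation and report
#    anything else that is sitting in local Administrators (membership drift).
#    A Restricted Groups GPO does the same thing declaratively for 2,000 machines;
#    this loop is the ad-hoc equivalent and doubles as a check.
$Expected = 'Administrator', 'CONTOSO\Domain Admins', $DomainGroup   # assumed baseline

Invoke-Command -ComputerName $Workstations -ArgumentList $DomainGroup, $Expected -ScriptBlock {
    param($DomainGroup, $Expected)

    # net localgroup works on every Windows version; Add-LocalGroupMember needs Win10/2016+.
    $lines = net localgroup Administrators
    if ($lines -notcontains $DomainGroup) {
        net localgroup Administrators $DomainGroup /add | Out-Null
        $lines = net localgroup Administrators
    }

    # Members are the lines after the dashed separator, up to the trailing status line.
    $sep     = $lines | Where-Object { $_ -match '^-+$' } | Select-Object -First 1
    $start   = [array]::IndexOf($lines, $sep) + 1
    $members = $lines[$start..($lines.Count - 1)] | Where-Object { $_ -and $_ -notmatch '^The command' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = @($members | Where-Object { $Expected -notcontains $_ })
    }
} | Where-Object { $_.Unexpected.Count -gt 0 } | Format-Table -AutoSize
```

    Only workstations whose local Administrators group contains a member outside the assumed baseline are listed, which is the review list the group-based model needs in order to stay meaningful.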

    LVL 1

    Author Comment

    Thanks Mike,

    I'm assuming that the goal is to prevent IT administrators from gaining access to sensitive data via these shares.  If that is true, the administrator could just add his account to the Company-Services group and gain access.  

    Do you audit group membership changes to catch this?
    LVL 33

    Expert Comment

    Ah, now I think I understand the issue....    The Admin himself is suspect of poking around in files where he should be...      That one is tricky.  

    Depending on the size of the company, you might want to look at a segregation of duties where the auditor and the admin are 2 different departments where any changes to the account rights or groups are included in a report that is audited for proper authorization to make that change....   The company must also have the will to enforce this type of segregation since it is an onerous task and no one likes to do it.  

    There are products that would report changes to the AD that a 2nd department could follow up on.  

    However this would have to be included along with a separation of the account creation, service/app installation, general admin roles for it to be effective.  

    Consider: it would probably be the admin who set up the service accounts in the first place, or who would need the password to install the services, so there would be no need to add an account to the service group since he/she would already have the service password for access.      

    Next up, you must use NTFS permissions to lock down certain sensitive data.   Remove the admin from being able to access these groups whenever possible, include auditing to check for file access by accounts that shouldn't be in there (i.e. other service accounts, accounts for data backup for example).   Consider, if your data backup service account is poking around random files outside the backup window, then you know something is up.  

    It is usually understood that there must be a certain amount of trust setup between the company and the department that controls access to the information.    But when that trust comes into doubt, an experienced tech would know how to do this without getting caught.      Right off the top of my head I can think of 3 different ways to look at documents without leaving a trace.....all of which could be done by someone with admin rights to the servers.  

    I hope something within all that rambling would be valuable to you.
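    The two checks suggested in this comment (report AD group changes for a second department to review, and flag the backup account touching files outside its window), as an added PowerShell example that is not from the original thread. It assumes Security auditing for account management and object access is already enabled, a domain controller DC01, a file server FS01, a backup account svc_backup and a 22:00 to 05:00 backup window; all of those are assumptions.

```powershell
# Added example, not from the original thread. Assumes audit policy for Account Management
# and Object Access is on, and that DC01 / FS01 are reachable. All names are assumptions.
$DomainController = 'DC01'                      # assumed
$FileServer       = 'FS01'                      # assumed
$WatchedGroups    = 'Company-Services', 'Domain Admins'
$BackupAccount    = 'svc_backup'                # assumed
$BackupWindow     = @{ Start = 22; End = 5 }    # 22:00 to 05:00, assumed

# Pull the named EventData fields out of an event rather than relying on property order.
function Get-EventData($Event) {
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 1. Group membership changes on the DC. 4728/4756 = member added to a global/universal
#    security group, 4729/4757 = member removed. Who changed which group is the report
#    the second (auditing) department signs off on.
$filter  = @{ LogName = 'Security'; Id = 4728, 4729, 4756, 4757; StartTime = (Get-Date).AddDays(-1) }
$changes = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($WatchedGroups -contains $d.TargetUserName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -in 4728, 4756) { 'ADDED' } else { 'REMOVED' }
                Group  = $d.TargetUserName
                Member = $d.MemberName
                By     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
$changes | Format-Table -AutoSize

# 2. File access (4663) by the backup account outside the backup window on the file server.
function Test-InBackupWindow([datetime]$t) {
    if ($BackupWindow.Start -gt $BackupWindow.End) {   # window spans midnight
        return ($t.Hour -ge $BackupWindow.Start -or $t.Hour -lt $BackupWindow.End)
    }
    return ($t.Hour -ge $BackupWindow.Start -and $t.Hour -lt $BackupWindow.End)
}

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $FileServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.SubjectUserName -eq $BackupAccount -and -not (Test-InBackupWindow $_.TimeCreated)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $d.SubjectUserName
                Object  = $d.ObjectName
                Process = $d.ProcessName
            }
        }
    } | Format-Table -AutoSize
```

    Both reports are only as good as the audit policy behind them: without "Audit Security Group Management" on the DC and a SACL plus "Audit File System" on the protected folders, the event IDs above are never written.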
    LVL 1

    Author Comment

    Thanks again Mike,

    I think I've confused things a bit.  We (my company) sell a file auditing and security product that operates outside the Windows security model.  

    We can block file access by all sorts of methods to anyone, even Administrators, but the problem I'm having is trying to figure out what would be the 'best' way to stop remote accesses made by people but allow them by these management tools.

    Right now, the client has configured the product to block ALL remote access for everyone, including SMS, which isn't good.

    Do you know if the 'Logon as a service privilege' can allow an interactive logon account?  

    If it can't, I could punt on all the configuration guessing and just modify the product to check for the privilege and block remote access if it's not set.   But I'm pretty sure that Windows doesn't have such a restriction.
    LVL 33

    Accepted Solution

    Depends on the account.   By default, the answer is yes.  

    See here:

    You may need to use that in combination with the Deny local logon....

    If the service account has admin rights, it might be possible to circumvent that though...  
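    A way to check the combination the accepted solution describes on a given machine, as an added PowerShell example that is not from the original thread: export the local User Rights Assignment with secedit and list every account that holds "Log on as a service" together with whether it is also covered by "Deny log on locally" and "Deny log on through Remote Desktop Services". The temp file name is the only assumption; it has to run elevated.

```powershell
# Added example, not from the original thread. Exports User Rights Assignment with secedit
# (needs an elevated prompt) and cross-checks SeServiceLogonRight against the deny rights.
$tmp = Join-Path $env:TEMP 'rights.inf'   # assumed scratch path
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null

# secedit writes SIDs as *S-1-...; translate them to DOMAIN\name where possible.
function Resolve-Principal([string]$Entry) {
    $e = $Entry.Trim()
    if ($e -match '^\*?S-1-') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $e.TrimStart('*') }   # unresolvable SID: keep it raw
    }
    $e
}

# Parse the [Privilege Rights] section into right-name -> list of principals.
function Get-PrivilegeRights([string]$Path) {
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { Resolve-Principal $_ })
        }
    }
    $rights
}

$r            = Get-PrivilegeRights $tmp
$serviceLogon = @($r['SeServiceLogonRight'])
$denyLocal    = @($r['SeDenyInteractiveLogonRight'])
$denyRemote   = @($r['SeDenyRemoteInteractiveLogonRight'])

# One row per service-logon account; FALSE in either deny column means the account
# can still log on interactively on this machine.
$serviceLogon | ForEach-Object {
    [pscustomobject]@{
        Account             = $_
        DeniedLocalLogon    = $denyLocal  -contains $_
        DeniedRemoteDesktop = $denyRemote -contains $_
    }
} | Format-Table -AutoSize

Remove-Item $tmp
```

    As the accepted solution notes, a service account that is also a local administrator can undo these settings, so the output is a check on the configuration, not a guarantee.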

    LVL 1

    Author Closing Comment

    I was hoping for general advice on which method would be the most 'attractive' solution to an administrator.
