Domain controller security

Dear Experts, am I right when think that if my PC is in domain environment, everyone inside my domain can join my PC and access my drives (for example: D drive,..) ?

If so, how can we avoid it by using Group Policy in Domain controller? or other process?
LVL 5
DP230Network AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MASEE Solution Guide - Technical Dept HeadCommented:
-->Dear Experts, am I right when think that if my PC is in domain environment, everyone inside my domain can join my PC and access my drives (for example: D drive,..) ?
Only admin and one who knows your password can access your drives.
2
arnoldCommented:
Mas addressed one interpretation.
In a domain environment, a system joined to a domain is not really "your PC"
Domain admins authorize users and their access to domain resources.

Commonly, users such as yourself in a domain environment are limited/restricted users prevent from installing or modifying the system in any way while allowing you to personalize sone aspects such as your background desktop display, a Windows theme, etc.

A domain consists of two tiers
There is the default domain policy that includes general computer and user settings that applies to all systems and users in the domain with the exception of domain controllers which are in their own OU, and have the default domain control policy while disabling inheritance from domain applied gpos this is to avoid an errand GPO from adversely weakening, exposing the DCs in error/mistake.

Commonly, non admin users can join up to five systems to the domain, joining the system does not entitle, extend the users right, but the user to join a computer to the domain must have administrative right on the system before hand.
2
Lee W, MVPTechnology and Business Process AdvisorCommented:
If you've done something utterly foolish like making all users Domain Admins or putting the domain users in the local users Administrators group, then yes, you're correct.

By default, if you're following default and basic security best practices, no, they can't
1
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

Tom CieslikIT EngineerCommented:
Local drives are accesoble only by Domain Admins or local computer admins by typing \\computername\C$, or \\computername\D$
If you talking about regular users,they can't do it.

If you want prevent domain admins to access your local drives you need to disable administrative share on your computer.

To remove administrative shares and prevent them from being automatically created in Windows, follow these steps:
Click Start, and then click
Run.
In the Open box, type
regedit, and then click OK.
Locate, and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

If you don't see AutoShareServer just create it. (DWORD (32-bit) Value)

Note The registry subkey AutoShareServer must be set as type REG_DWORD. When this value is set to 0 (zero), Windows does not automatically create administrative shares. Be aware that this does not apply to the IPC$ share or shares that you create manually.
On the Edit menu, click
Modify. In the Value data box, type
0, and then click OK.

Replace steps with this key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
If you don't have AutoShareWks, just create it. (DWORD (32-bit) Value)

Exit Registry Editor.
Restart Computer
1
Natty GregIn Theory (IT)Commented:
That would be a poorly configured domain, right out the box without you messing wit the server the answer is no, people can access drives that you share and only if you give everyone permission, in that case, just change the permission on the drive, problem solved. On the other hand admin does not know your password unless they gave it to you and you've never changed it.

What admin can do is changed your password and have access to your computer since its setup via group policy to grant access to system admin.

With privacy laws any admin accessing your computer is suppose to give you notice either with a pop up on your desktop or walk over to your desk and say so.

Now with that said if you work with the secret service or nsa, they do not want their business exposed so be watched all the time, but you would signed to that in their policy prior to working with them.
1
Olgierd UngehojerSenior Network AdministratorCommented:
I think that you mean that if some other user will come or rdp to machine will have access to d: drive. Yes with standard configuration because all windows users have access to root point of the drive. Share control and security control of your data you can do by group policy.
1
DP230Network AdministratorAuthor Commented:
@Olgierd: Yes exactly what I mean.

"Share control and security control of your data you can do by group policy" - Can you please give us some reference links?
0
arnoldCommented:
You are not providing enough context. Permissions on shares are set by admins. You should provide an example what you mean as there are too many possible interpretations.

GPO/GPP can map shared resources. to users based on the OU in which the users are, based on security group membership, based on the computers/systems into which they are logged in.
The security settings and the share settings an Admin sets on a share and then whether the user specific share/folder is accessible only to the admins and the user, or group of users, etc.
If you login into system A, with drive D is a mapped drive to a share, depending on the settings set on the share each user would have their own D:\ drive reference without actually accessing or having access to the files you create when you login into any system and have drive D: mapped.
If however, the system has a single local drive that is partitioned to have a drive C: and a drive D: then the users who login into this system will see the common drive C: and drive D: and depending on the security settings configured on drive D: i.e .what is its purpose, the user may have access to all directories on drive D: or they may have a right to create their own folder within drive D: but access to other folders created by other users will be offlimits to them.

if you can post the output of running the following commands in a command window
 icacls d:
icacls d:\yourfolder
this will output the security settings on the drive and the specific folder
adding a /T and the end of either icacls will return the entire list of folders, subfolders and files and their security settings (NTFS permissions)...
0
MASEE Solution Guide - Technical Dept HeadCommented:
Agree with arnold.
It will be helpful if you give an example or situation you faced where others accessed drives.
0
Olgierd UngehojerSenior Network AdministratorCommented:
First thing depend on scenario what group of users you have and how you group your computers in active directory organization units ( OU ). You can do changes by group policy by users and computers. RDP you can manage by adding users to RDP users group and then only they will be able to use RDP. As well you can enable RDP to computers only is some organization unit. Data on d: drive on computers the only way to keep them secure it would be some folders encryption per users because if you boot computer from some system on usb drive like linux or even windows you will not apply group policy and all data from this drive will be visible. Imported data I would keep on server and share over the network from server and you will have full control.
0
DP230Network AdministratorAuthor Commented:
For example: PC A,
- Local Admin: A\user1
- Has C and D drives; C drive is File system, D Drive has important data

After joined domain xyz.com, PC A have another profile xyz.com \ user1, this user still have access to C and D drives

One day, user 2 comes to this PC, log on as xyz.com \ user2, he can access C and D drive as well. He deletes all Data on D drives on PC A (of user 1)


We can avoid it by set the permission on D Drives so that only xyz.com \ user1 and A \ user1 can access; but is it possible to do it via GPO to all of the PCs; we don't want to come each PC and configure that permission on users' D drives. Can you help? Is it clear?
0
arnoldCommented:
GPO is meant to maintain uniformity and centrally manage systems.
GPO can be used to set Registry Key settings, services, not file system level

Commonly, one would never store important data on a PC as it would require a PC to be setup with backup ...

Commonly, important data is stored on a server and different individuals are granted access to this information while the server have backups setup to minimize data loss.

I've not , but the following may help you with the approach you seem to be seeking to implement.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/dd86a470-1b22-4f13-90bd-dc92dd7c9163/setting-permissions-on-local-folder-via-ad-group-policy?forum=winserverGP
The reference is for a windows 2003, but it can be used as an example to see whether the options referenced are available in GPMC for the systems you are dealing with, test first.....
0
masnrockCommented:
Your original question was answered by others, so i wont repeat what has already been said.

Why would you have users store important data on their PCs? That's why file servers with appropriate permissions exist. Central repository that you can manage and keep backed up. Take advantage of folder redirection to force users to store things in the server.

If the D drive is a network drive intended to be a private area for a user, it points back to previous answers: no other regular users will have access to that data unless you poorly implement permissions.
0
DP230Network AdministratorAuthor Commented:
No, the D drives store personal data. We are anticipating the risks...
0
masnrockCommented:
Is D drive a local or network drive? Basically, everyone here is checking to make sure it isn't local.
0
DP230Network AdministratorAuthor Commented:
it is local drive, don't you read my example?
0
arnoldCommented:
People refer to "my drive" as they see it.
An ad user who has their refirected folder shared mapped, refer to it as "My drive"

Local drives on a system are accessible by all users.
Admins are who defines the use of system's resources.
Once a system is joined to a domain, control over said system is subordinated to the domain and the organization unit into which the system is placed.....

You are asking about do ain controller, but refer to a PC, workstation if you are using a DC as your workstation, access to a DC is much more stringent
Commonly, access to a DC so only few users, commonly only administrative users will be authorized to access the DCs.

Personal files on a work computer/system......
0
masnrockCommented:
I read it, just wanted to be sure. So you're putting yourself in a position where you have to manage the permissions of every machine. You would literally have to force a standardized directory structure in order to make things work as you might like. And there is also the usual hardware failure risk. Imagine having to manage backups for each machine.

That said, it actually is more of a justification for moving all of said things to central storage.
0
Tom CieslikIT EngineerCommented:
You can't restrict local resources for other users if computer is in domain, but you can restrict users in your domain for logon only to specific computers. If you do then people will be able to login only to computers you choice.

I think this is best solution you can implement.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.