Go, 2015-07-16 09:28:49
System administration

Is there an alternative to disabling admin shares (C$ and others)?

A question. There is a certain government agency. All employee workstations are in a domain (DC on Windows Server 2003 with standard group policies). Recently, senior management became concerned that domain administrators have unlimited access to their workstations (they fear for their files) and ordered that the admin shares be disabled.
Is this the only correct solution, or can other means be used to prevent local admins from accessing the hard drives of these PCs over the network (while still letting them administer these workstations locally)?
What problems can arise from disabling the shares, so that this can be justified to management?


12 answer(s)
1qaz2wsx3edc (@goricvet), 2015-07-16

I will not criticize anyone, but most of the answers are, to put it mildly, strange in my opinion. It is quite presumptuous to advise disabling or firewalling something without having full information about the organization's IT landscape. Sergey Kovalev's answer is the closest to my view. I will add my own thoughts to the discussion; in my opinion, several problems can be identified in this case.
1) The problem of where sensitive data is located.
That is, storing data on laptops / desktop computers to which many employees theoretically have physical access is a risk in itself. My advice is to move the data to some central storage, organize backups, and consider setting up encryption. (The only question is how valuable this data is.) I also recommend adopting a regulation under which users do not store work data on client PCs at all (again, everything on servers).
2) Distribution of tasks within the IT department, setting up role management.
If every system administrator (down to the beginner) is given domain administrator rights, sooner or later you will run into trouble. I think this is a greatly underestimated risk, especially in small (up to 500 people) enterprises, where there is really no information security service. I think you should spend some reasonable time and configure access through groups (for example: file server administrators, mail system administrators, group policy administrators, Scope-A computer administrators, Scope-B computer administrators). It is also necessary to audit objects and the permissions on them in AD itself, and fine-tune those through groups as well. Once invested (depending on the infrastructure, I assume from 3 days to several weeks), this will save you a lot of headaches in the future.
3) I would actually put this as item #1. Judging by the phrase "management was worried that domain administrators have unlimited access to their workstations (they are afraid for their files) and ordered the admin shares to be disabled", the business completely misunderstands the role of the IT service in the functioning of the business itself. I would try to establish some kind of dialogue and convey your vision of the enterprise's IT issues to the hired manager / owner of the business.

Artem (@Jump), 2015-07-16

"senior management is concerned that domain administrators have unrestricted access to their workstations"

Options -
  • Take away rights from admins, or remove admins altogether.
  • Hire trusted admins.
  • Hire an admin for admins who will administer their activities.

Sergey Kovalev (@Sergey-S-Kovalev), 2015-07-16

Oh my God. My eyes bleed from these answers.
The domain administrator cannot be removed. Someone needs to administer the domain.
Disabling the administrative shares creates problems for yourself with software installation and administration.
Create a technical support group, put all the technicians in it, and distribute the group to computers with a GPO so that everyone in it receives local administrator rights when logging on to a PC for maintenance.
To cut a specific person off from PC resources: in local policies, via GPO, specify the users or groups that do not have the right to connect to the PC over the network.
Control of groups on computers can be done through Restriction Policy. All this will solve the problem with technical support specialists and limit their access.
Account management: delegate account admin rights to an organizational unit in AD DS.
A domain administrator can be limited only by enterprise administrators :) in a multi-domain infrastructure.
In general, such an attitude from management suggests that they are already guilty of something, but have not yet decided what, and when that moment will come. Fly, you fools.
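The answer above relies on two GPO settings landing on every workstation: the support group becoming a local administrator, and a chosen group losing the right to connect over the network. The script below is an added example (not the answerer's code) that a workstation admin can run locally to confirm both took effect. The group names CONTOSO\Workstation-Support and CONTOSO\No-Network-Logon are hypothetical placeholders; substitute your own.

```powershell
# Added example, not part of the answer above: a read-only check, run on a
# workstation, that the two GPO settings described by the answer actually applied:
#  - the technical-support group landed in the local Administrators group
#  - the group that should not reach this PC over the network is listed under
#    "Deny access to this computer from the network" (SeDenyNetworkLogonRight)
# CONTOSO\Workstation-Support and CONTOSO\No-Network-Logon are hypothetical names.

$ExpectedLocalAdmins = @('CONTOSO\Workstation-Support')
$ExpectedDeniedNet   = @('CONTOSO\No-Network-Logon')

function Get-LocalAdministrators {
    # The WinNT ADSI provider also works on old clients that lack Get-LocalGroupMember
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://CONTOSO/Workstation-Support  ->  CONTOSO\Workstation-Support
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-DenyNetworkLogonAccounts {
    # Export only the user-rights area of the effective local security policy
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight\s*=' |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-5-...; resolve them to DOMAIN\Name
            $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                              -ArgumentList $entry.Substring(1)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}

$admins = Get-LocalAdministrators
$denied = Get-DenyNetworkLogonAccounts

foreach ($g in $ExpectedLocalAdmins) {
    $state = if ($admins -contains $g) { 'OK     ' } else { 'MISSING' }
    "[$state] local Administrators contains $g"
}
foreach ($g in $ExpectedDeniedNet) {
    $state = if ($denied -contains $g) { 'OK     ' } else { 'MISSING' }
    "[$state] network logon denied for $g"
}
# Anything in local Administrators that the GPO did not put there deserves a look
$admins | Where-Object { $ExpectedLocalAdmins -notcontains $_ } |
    ForEach-Object { "[REVIEW ] unexpected local administrator: $_" }
```

Run it elevated after a `gpupdate /force`; a MISSING line means the policy did not reach this machine (wrong OU, filtering, or replication lag), and a REVIEW line is a local administrator that somebody added by hand outside the GPO.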

mace-ftl (@mace-ftl), 2015-07-16

1) Just put up a firewall - this is the easiest option
2) Put the PC behind NAT (behind a small router)
3) Install a program that will show who came in through the share
But as an infosec person I can say that this is all just for show: if the PC is in a domain, the administrator MUST have access to all PCs.
If the admin can automatically install Radmin or any other program on all PCs via GPO, what difference does a firewall or disabled shares make? )

athacker (@athacker), 2015-07-16

Disable the "Server" service on workstations. Workstations should not share anything, if done sensibly. Accordingly, they do not need the "Server" service.
When the admin needs it, he can remotely start this service and do what he needs :-)
In general, storing any user files on workstations is no less of an evil. A hard drive dies on a workstation and that's it, "come and admire the mess." Then these same bosses will run around in a panic and yell that the admin urgently needs to save their precious files at any cost.
So files should be stored only and exclusively on file servers, where they sit on RAID controllers and are backed up regularly. And on workstations, only the system and working software, nothing more. On the assumption that if a user's computer fails, it is taken away entirely, the user is given a new one, and he continues working.

Anton (@Largo1), 2015-07-16

The loyalty of admins is bought with an above-average salary.

other_letter (@other_letter), 2015-07-16

I rarely run into issues like this. There is no specific answer, of course. I propose a game: type something like "an official stole the data" into a search engine, then "the manager leaked the database", and then "the system administrator leaked the data / database". And meditate on the search results.
I have never in my life encountered a real leak by a system administrator. Cops copying a database, sure. Officials too. A manager leaving for another company with it is practically the rule here. But a sysadmin? No, never.
Most likely it is not documents for official use they are worried about, of course. Anyway.
Minimal effort? Well, suggest this: via "Security" and "Access" close off access to drive D, for example. And say that the admins cannot see anything on that drive. As a sub-option, use flash drives (they are not added to the shares without extra effort), but this increases the likelihood of data leaking in other ways.

Oleg Soroka (@oleg40a), 2015-07-16

Primitive solution: let them encrypt.

xmoonlight (@xmoonlight), 2015-07-16

"Transparent" backup, anti-virus checks, remote installation of software, updates.

DastiX (@DastiX), 2015-07-16

For me, if an employee has the "domain administrator" role, there is no point in removing anything. If he wants to, he will find a way without the shares.
And if we are serious, restrict GPO access to a defined group only, and GPO editing to the elite only.

Max (@MaxDukov), 2015-07-16

Is management worried about the shares themselves or about the fact that someone will go in through them?
Turn on access logging and ask the administrators to explain each instance of connecting to management's computers.
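"Turn on access logging" and "ask for an explanation of each connection" become concrete in the added example below; it is not the answerer's code. It enables the two audit subcategories that record network logons and share openings on a workstation, then builds a list of who connected from where and which share they opened, which is the list the administrators can be asked to account for. The event IDs used (4624 network logon, 5140 share access) exist on Windows Vista / Server 2008 and later; run it elevated on the workstation being watched. Nothing in it is specific to the asker's environment.

```powershell
# Added example, not part of the answer above: enable access logging on this PC and
# report network logons and share openings so each one can be matched to a ticket.
# Requires Vista/2008 or later for event IDs 4624 and 5140; run elevated.

# 1. Enable the two audit subcategories that produce the events (success only).
auditpol /set /subcategory:"Logon"      /success:enable | Out-Null
auditpol /set /subcategory:"File Share" /success:enable | Out-Null

function Get-EventDataField {
    # Pull one named <Data> field out of the event's XML payload
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-NetworkAccessReport {
    param([int]$Hours = 24, [int]$MaxEvents = 500)
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 with LogonType 3: someone authenticated to this PC over the network.
    # 5140: a share (C$, ADMIN$, ...) on this PC was actually opened.
    $xpath = "*[System[(EventID=4624 or EventID=5140)]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $since } |
        ForEach-Object {
            if ($_.Id -eq 4624) {
                # Skip interactive, service and other non-network logon types
                if ((Get-EventDataField $_ 'LogonType') -ne '3') { return }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Event   = 'NetworkLogon'
                    Account = "$(Get-EventDataField $_ 'TargetDomainName')\$(Get-EventDataField $_ 'TargetUserName')"
                    From    = Get-EventDataField $_ 'IpAddress'
                    Share   = ''
                }
            } else {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Event   = 'ShareAccess'
                    Account = "$(Get-EventDataField $_ 'SubjectDomainName')\$(Get-EventDataField $_ 'SubjectUserName')"
                    From    = Get-EventDataField $_ 'IpAddress'
                    Share   = Get-EventDataField $_ 'ShareName'
                }
            }
        }
}

# Last day of network logons and share openings on this PC. Machine accounts
# (names ending in $) are dropped because domain services log on constantly.
Get-NetworkAccessReport -Hours 24 |
    Where-Object { $_.Account -notlike '*$' } |
    Sort-Object Time | Format-Table -AutoSize
```

The Security log on a workstation is small by default, so raise its size or forward it to a collector if the report is meant to cover more than a day or two; otherwise the entries management wants explained may already have rolled over.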

Sergey (@Yestestvenno), 2015-07-16

There is no point in messing around with group policies, access rights, etc., etc., if the administrator wants to know everything: what files are located where, who goes where and what they write.....
The only right decision that will suit absolutely everyone:
1) Smack the person who told the boss about this upside the head!
2) Buy US and do not integrate it into AD, but give each boss separate access to his own folder, and entrust all of this to one administrator who will have unlimited access to anything and everything.
