Administrative shares accessed by local administrators

Vincent Schmid

Hello,

We have some Windows XP clients connected as members of a Windows 2003
domain controller.

All the XP clients have the same local administrator password. For this
reason, any user logged on as local admin could have access to all the other
machines' administrative shares.

We would like only the *domain* administrators to be able to access the admin
shares, not the *local* administrator from another machine.

How can we achieve this while keeping the same local admin passwords on
all machines?

Regards,
Vincent
 
Guest

You cannot. This is one of the biggest security weaknesses of domain
networking. In fact, since any domain-user can logon at any computer, it
follows that if they can access their own Admin Shares, they can also access
all the others.

It's worse if a Domain Admin logs on, then the server's OS is exposed to any
malware on the computer being repaired, as well as the other workstations.
Yet, why/when might an Admin log on? Mostly because there is something wrong
with the computer. Which might just be malware-related.

The only solution is to remove the Admin Shares, which involves a registry
patch. (removing them in Explorer only results in their return at next
reboot)

Removing the Admin Shares will make some of the remote-management tools
inoperable, but IMHO this is preferable to a gaping security hole. The only
proviso is that you cannot remove them on an Exchange server without causing
problems.

It's time this was fixed!! (actually, should have been fixed in NT4, the
vulnerability has been known-about for at least a decade.)
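
The registry change mentioned above, as an added example that is not part of the original post: a batch file for one XP client that audits or sets the Server service's `AutoShareWks` value, which controls whether the admin shares are recreated at startup. The script name and its `audit`/`apply` arguments are assumptions made for the example.

```bat
@echo off
rem Added example, not from the thread. Usage (script name is an assumption):
rem   adminshares.cmd audit   - report the setting and any live admin shares
rem   adminshares.cmd apply   - stop the shares being recreated (run as admin)
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
rem AutoShareWks applies to workstations such as XP; servers use AutoShareServer.
set "VAL=AutoShareWks"

if /i "%~1"=="apply" goto apply

:audit
rem A missing value means the default: shares are created at every start.
reg query "%KEY%" /v %VAL% 2>nul | findstr /i /l /c:"0x0" >nul
if errorlevel 1 (echo %VAL% is not 0: admin shares are recreated at startup.) else (echo %VAL% = 0: admin shares are not recreated.)
rem List admin shares that exist right now (IPC$ is not controlled by this value).
net share | findstr /i /l /c:"ADMIN$" /c:"C$"
if errorlevel 1 echo No ADMIN$ or C$ share is currently published.
goto :eof

:apply
rem 0 = do not create C$, D$, ... and ADMIN$ when the Server service starts.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d 0 /f
if errorlevel 1 (echo Failed to write %VAL%; run from an administrator account.& exit /b 1)
echo %VAL% set to 0. Reboot, then run "%~nx0 audit" to confirm the shares are gone.
```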
 
Vincent Schmid

Ian, thank you for this clarification!

It's worse if a Domain Admin logs on, then the server's OS is exposed ...

So can we prevent a domain admin account from logging on to a client computer?

The only solution is to remove the Admin Shares, ...

OK, but in this case it would be easier for us to set a different local
admin password for each client computer, because we use administrative
shares to manage the clients. Would it be safe to do it that way?
(assuming that the domain admin account would not be used by malware or
by normal users, of course)


Vincent
 
