administrative shares

[Auddog]

I was checking over our network when I started to discover a potential
problem that I have. I have a new laptop that has not been added into our
domain. I'm logging into the laptop as the administrator and I'm connecting
to my network via the wireless connection. I have been able to connect to
several (but not all) of our desktops administrative shares (C$) without
having to enter any credentials. Does anyone know how to fix this problem?
Any help that you may be able to provide is greatly appreciated.

A

 

[John Brown]

I was checking over our network when I started to discover a potential

problem that I have. I have a new laptop that has not been added into our
domain. I'm logging into the laptop as the administrator and I'm
connecting to my network via the wireless connection. I have been able to
connect to several (but not all) of our desktops administrative shares (C$)
without having to enter any credentials. Does anyone know how to fix this
problem? Any help that you may be able to provide is greatly appreciated.

On the machines where you're able to access C$, do you have a local
administrators account with the same name and password as the one you're
using on your laptop?

 

[Auddog]

On the machines where you're able to access C$, do you have a local
administrators account with the same name and password as the one you're
using on your laptop?

Yes, I do - the administrator password for the machine is the same on all
machines.

A

 

[John Brown]

Yes, I do - the administrator password for the machine is the same on all
machines.

That's the "problem" right there and a potential security hole if someone
else also knows the password. The short story is this. Since you're logged
onto your laptop as a local (non-domain user), if you now try to connect to
another machine on your LAN, that machine will authenticate you using
whatever credentials you have on the first machine (your laptop in this
case). It does so by looking for a local account with the same name and
password you're currently using on the first machine. So in your case it
finds such an account and logs you on. Then, since you're also a member of
the admin's group on that machine, you therefore have full admin rights to
everything including all admin shares (C$ in your case). Nobody else should
be able to access C$ however unless they're also an administrator on that
machine (which can be the case whether they're logged onto their home
machine either locally or as a domain user). So there's no real security
problem here if nobody else knows the password. However, since it's the same
on all machines, you run the danger that someone will eventually find out.
If so then they can access every machine remotely as an administrator and
reek havoc - caution strongly advised.

 

[Steven L Umbach]

John already gave some good advice. I just want to add if there is a need to
not allow non domain computers to access domain computers [other then domain
controllers] you can use ipsec require policy. Ipsec by default in an AD
domain uses Kerberos authentication between computers to set up a security
association. Non domain computers can not use Kerberos. Ipsec however takes
planning and testing so do not implement without first reading up on
Microsoft documentation on how to deploy it and never assign ipsec
require/request default ipsec policy in Domain Security Policy.

Steve