Block the sys admin?

Riaan

Good Day

When a computer is connected to a domain, it is possible for the domain
administrator to access the c:\ drive (and more) of that client simply by
mapping to that client.

Is there any way to block this?

Regards,

Riaan
 
Riaan said:
Good Day

When a computer is connected to a domain, it is possible for the domain
administrator to access the c:\ drive (and more) of that client simply by
mapping to that client.

Is there any way to block this?

Regards,

Riaan

Yes, the domain administrator can access drive C:. You can
prevent him from accessing files and folders on drive C: by
modifying the NTFS permissions and seizing ownership.
However, he can seize ownership back again (which leaves
a visible trace).

You have to encrypt your files if you don't want the administrator
to see them. This in turn raises the risk of you having to ask
him for assistance when you can no longer decrypt your
files . . .
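Added example, not code from Pegasus or anyone else in this thread. It walks through both halves of what Pegasus describes: the NTFS lock-down (inheritance cut, only you on the ACL, you as owner), then the administrator taking ownership back, and the Security-log event that is the "visible trace". The folder path, the use of the Administrators group as the new owner, and the ten-event limit are assumptions for illustration; run it from an elevated prompt, since setting audit entries and auditpol need it.

```powershell
# Added example, not code from the thread. $folder is an assumed path.
$folder = 'C:\Users\Riaan\Private'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# --- User side: stop inheriting from C:\ and leave only yourself on the DACL ---
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allow)
$acl.SetOwner($me)                               # you can always make yourself owner
Set-Acl -Path $folder -AclObject $acl

# --- Make the trace visible: audit owner/permission changes on the folder ---
# (the "File System" subcategory of Object Access auditing must be on; enabled below)
$sacl = Get-Acl -Path $folder -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, 'TakeOwnership,ChangePermissions', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $folder -AclObject $sacl
auditpol.exe /set /subcategory:"File System" /success:enable

# --- Optional: EFS, the only thing the ACL cannot be undone into ---
cipher.exe /E /S:$folder                         # encrypts the folder and its contents

# --- Administrator side: SeTakeOwnershipPrivilege makes this always possible ---
takeown.exe /F $folder /R /A /D Y                # owner becomes the Administrators group
icacls.exe  $folder /grant 'Administrators:(OI)(CI)F' /T

# --- The trace: 4670 "Permissions on an object were changed" names the account ---
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 10 |
    Select-Object TimeCreated,
        @{ n = 'Who';  e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'Path'; e = { $_.Properties[6].Value } }    # ObjectName
```

Two caveats go with the encryption step. EFS is the one measure in the block that an ACL change does not undo, but in an Active Directory domain the default recovery policy designates a data recovery agent (the domain Administrator's recovery certificate from the first domain controller), so a domain administrator can still decrypt the files unless that policy was changed. And the 4670 event only exists if auditing was on before the ownership change; an administrator who can edit audit policy can also turn it off first, which is itself logged as a policy-change event.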
 
The main concern here is with the "Administrative Shares" - each local disk
has a share C$, D$ etc. automatically associated with it. These are a major
security risk (apart from letting sysops snoop) as any Admin-level user can
write to your disk via them, and that user need not of course be human, it
could equally well be a Trojan or rootkit.

It's particularly important to remove these automatic shares from servers,
otherwise they pose a risk of the server being attacked by an
infected/compromised workstation whenever a sysop logs on to the infected
computer.

To remove them you need to make a registry change.

http://www.winguides.com/registry/display.php/4/
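Added example, not from Ian's link or from any poster: the registry change the link describes, done in PowerShell, together with the service restart the change needs before it takes effect and a check that the shares are actually gone. It assumes a Windows version with the SmbShare module (Windows 8 / Server 2012 or later); on older systems `net share` lists the same information. Run it from an elevated prompt on the machine whose shares you want removed.

```powershell
# Added example, not code from the thread. Removes the automatic admin shares.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Workstations consult AutoShareWks, servers consult AutoShareServer.
# Setting both to 0 is harmless and saves checking the SKU.
Set-ItemProperty -Path $key -Name AutoShareWks    -Value 0 -Type DWord
Set-ItemProperty -Path $key -Name AutoShareServer -Value 0 -Type DWord

# The Server service reads the value at start-up, so the existing shares
# survive until it is restarted (or the machine reboots). -Force also
# restarts dependents such as the Computer Browser service.
Restart-Service -Name LanmanServer -Force

# Verify. C$, D$, ... and ADMIN$ should be gone; IPC$ stays, because it is
# not controlled by this value and named-pipe/RPC traffic needs it.
$auto = Get-SmbShare | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }
if ($auto) {
    Write-Warning "Still present: $($auto.Name -join ', ')"
} else {
    Write-Host 'Automatic drive and ADMIN$ shares are gone.'
}
Get-SmbShare | Select-Object Name, Path, Description   # what is still shared
```

Before doing this on a server, take Rob Moir's warning below seriously and test: anything that pushes files through C$ or ADMIN$ stops working. PsExec is the obvious case, since it installs its helper service by copying it to ADMIN$, and many software-deployment and backup tools do the same. Note also that the value only stops the shares being recreated automatically; anyone with administrative rights can still create a share on C:\ by hand.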
 
Riaan said:
When a computer is connected to a domain, it is possible for the
domain administrator to access the c:\ drive (and more) of that
client simply by mapping to that client.

Is there any way to block this?

In short...
"No."

As long as that computer is in the domain and on the network - the system
administrator can find a way to undo anything you do to prevent access to
anything on that machine OTHER than encryption and password protected files.
 
Ian said:
The main concern here is with the "Administrative Shares" - each local disk
has a share C$, D$ etc. automatically associated with it. These are a major
security risk (apart from letting sysops snoop) as any Admin-level user can
write to your disk via them, and that user need not of course be human, it
could equally well be a Trojan or rootkit.

It's particularly important to remove these automatic shares from servers,
otherwise they pose a risk of the server being attacked by an
infected/compromised workstation whenever a sysop logs on to the infected
computer.

To remove them you need to make a registry change.

http://www.winguides.com/registry/display.php/4/

Removing these shares is no obstacle to the average
system administrator - he can restore them by editing
the registry remotely or by running psexec.exe + regedit.exe
in Command Line mode.
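Added example, not from Pegasus or anyone else in the thread: the remote restore Pegasus describes, as a domain administrator would do it from another domain machine, without ever touching the keyboard of the workstation that removed the shares. WS01 is an assumed computer name, and the block assumes the Remote Registry service is running on the target (it is started on demand on older Windows versions, and disabled by default on recent ones, in which case the WinRM or PsExec route in the comments applies).

```powershell
# Added example, not code from the thread. $target is an assumed host name.
$target = 'WS01'
$path   = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Flip the value back over the Remote Registry service. reg.exe accepts a
#    \\host\HIVE prefix and needs nothing on the target but that service.
reg.exe add "\\$target\HKLM\$path" /v AutoShareWks    /t REG_DWORD /d 1 /f
reg.exe add "\\$target\HKLM\$path" /v AutoShareServer /t REG_DWORD /d 1 /f

# 2. Restart the Server service remotely so the shares are recreated.
#    sc.exe returns as soon as the request is queued, hence the pause.
sc.exe "\\$target" stop LanmanServer
Start-Sleep -Seconds 5
sc.exe "\\$target" start LanmanServer

# Alternatives when Remote Registry is off:
#   WinRM:  Invoke-Command -ComputerName $target -ScriptBlock {
#               Set-ItemProperty "HKLM:\$using:path" AutoShareWks 1
#               Restart-Service LanmanServer -Force }
#   PsExec: psexec.exe \\$target -s reg add "HKLM\$path" /v AutoShareWks /t REG_DWORD /d 1 /f
# PsExec copies its service binary to ADMIN$ first, so it is the one route the
# removed shares actually block; the registry and WinRM routes are unaffected.

# 3. Confirm from the admin's side. /all lists hidden ($) shares too.
net.exe view "\\$target" /all
```

The point of the example is the one Pegasus makes: the same administrative rights that let someone read C$ also let them re-enable it, and the two remote paths that do not depend on the shares at all (Remote Registry and WinRM) are both standard Windows services a domain administrator can turn on by policy.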
 
Ian said:
The main concern here is with the "Administrative Shares" - each local
disk has a share C$, D$ etc. automatically associated with it. These
are a major security risk (apart from letting sysops snoop) as any
Admin-level user can write to your disk via them, and that user need
not of course be human, it could equally well be a Trojan or rootkit.

It's particularly important to remove these automatic shares from
servers, otherwise they pose a risk of the server being attacked by an
infected/compromised workstation whenever a sysop logs on to the
infected computer.

To remove them you need to make a registry change.

http://www.winguides.com/registry/display.php/4/

In addition to the comments made by Pegasus, can I just add that following
your advice, especially on servers, may well break software and tools that
rely on those shares, and absolutely should be approached with caution and
much testing.

--
Rob Moir, MS MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".
 
When a computer is connected to a domain, it is possible for the domain
administrator to access the c:\ drive (and more) of that client simply by
mapping to that client.

Is there any way to block this?

If you don't trust the Administrator of the domain, then you need a new
admin. If the problem is that you are doing things you don't want the
Admin to know about, then you should stop.

If you can't trust your network admins then you've got bigger problems
than just accessing the local computers.

There is nothing you can do that will limit access to a local DOMAIN
MEMBER that can't be changed by an Admin if they can access/login to the
computer.
 
Riaan said:
Good Day

When a computer is connected to a domain, it is possible for the domain
administrator to access the c:\ drive (and more) of that client simply by
mapping to that client.

Certainly. That's one of the great benefits to using the domain model
for a network: centralized control of the company's property.

Is there any way to block this?

Yes. Consult your employer's IT department for assistance.




--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Is life so dear or peace so sweet as to be purchased at the price of
chains and slavery? .... I know not what course others may take, but as
for me, give me liberty, or give me death! -Patrick Henry
 