Pro's and Con's of Administrative Shares

[Brenda]

WHat exactly is the pro's and con's of having
administrative shares on a windows xp workstation.

I am a IT Director and have a few people are computer
savy and have removed their network admin shares. I need
a real reason as to why they need to have these admin
shares available.

I am told they do this so that no av can attach their
pc's. but I believe it's so that I as a manager can not
access their pc's.

Can anyone suggest some reasons?

Thanks in advance.

 

[Chuck]

WHat exactly is the pro's and con's of having
administrative shares on a windows xp workstation.

I am a IT Director and have a few people are computer
savy and have removed their network admin shares. I need
a real reason as to why they need to have these admin
shares available.

I am told they do this so that no av can attach their
pc's. but I believe it's so that I as a manager can not
access their pc's.

Can anyone suggest some reasons?

Thanks in advance.

Brenda,

Are you talking about "hidden" shares ("C$" etc)?

Those are the default administrative shares, that don't get displayed up by the
browser service. They are still accessible to those with administrative
authority, including you.

Why do you have all these computer users with administrative authority on their
computers?

Don't worry about these users right now - you should be able to access the
hidden shares. But, if you leave them as admin users, and they disable your
administrative access in the ACL, then you'll have problems.

And, if your AV protection depends upon network admin shares, and you let the
users remove those shares, you could have even worse problems. AV protection,
including automated scanning, is an essential network protection. Let one of
those computers get infected, and spread its infection thru the LAN. THEN
you'll have problems.

You need a good Corporate Security Policy.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

 

[Guest]

Are you talking about "hidden" shares ("C$" etc)?

Yes, exactly.

Those are the default administrative shares, that don't

get displayed up by the browser service. They are still
accessible to those with administrative >authority,
including you.

I realize that, you have to put the \\computername\c$ to
get to the drive. Unfortunately, these person's are
somewhat computer savey and have gone in and disabled
those shares. They were set up as administrators on their
pc's long before I was there. And unfortunately, to
attempt to change that could cause some heads to roll. I'm
not ready nor am I prepared for that one yet. GRIN!

Why do you have all these computer users with

administrative authority on their computers?

See above

Don't worry about these users right now - you should be

able to access the hidden shares. But, if you leave them
as admin users, and they disable your administrative
access in the ACL, then you'll have problems.

Unfortunately, I am worried about these users as two of
them are in the actual IT Dept under me. I want to put a
policy in place so that all computers company wide are
active with the administrative shares but need some amo
first before going ahead. Like to cover my tracks and give
them a reason why it's required. And by the way, they do
use Norton Corporate. Right now they claim to update their
own dat files from Norton, but I don't want them to do
that. So thats some amo.

And, if your AV protection depends upon network admin

shares, and you let the users remove those shares, you
could have even worse problems. AV protection,

including automated scanning, is an essential network

protection. Let one of those computers get infected, and
spread its infection thru the LAN. THEN you'll have
problems.


Thanks

 

[Chuck]

Yes, exactly.


get displayed up by the browser service. They are still
accessible to those with administrative >authority,
including you.

I realize that, you have to put the \\computername\c$ to
get to the drive. Unfortunately, these person's are
somewhat computer savey and have gone in and disabled
those shares. They were set up as administrators on their
pc's long before I was there. And unfortunately, to
attempt to change that could cause some heads to roll. I'm
not ready nor am I prepared for that one yet. GRIN!

Gack. Legacy staff.

administrative authority on their computers?

See above

able to access the hidden shares. But, if you leave them
as admin users, and they disable your administrative
access in the ACL, then you'll have problems.

Unfortunately, I am worried about these users as two of
them are in the actual IT Dept under me. I want to put a
policy in place so that all computers company wide are
active with the administrative shares but need some amo
first before going ahead. Like to cover my tracks and give
them a reason why it's required. And by the way, they do
use Norton Corporate. Right now they claim to update their
own dat files from Norton, but I don't want them to do
that. So thats some amo.

A very brief extract from our CSP, distilled, and heavily depersonalised:
1) Regular scheduled execution of automated network security software is
essential, to guarantee the future integrity of the corporate LAN.
2) The default administrative share is essential, to provide reliable access to
all workstations, to automated network security software.
3) Customised, or manual, security precautions by knowledgeable staff is not a
reliable, or acceptable, substitute for automated security software.
4) No employee may not interfere with administrative access, or with any
component of network security software, on their workstations.

shares, and you let the users remove those shares, you
could have even worse problems. AV protection,
protection. Let one of those computers get infected, and
spread its infection thru the LAN. THEN you'll have
problems.


Thanks

Good luck.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.