Administrative shares accessed by local administrators

Hello,

We have some Windows XP clients connected as members of a Windows 2003 domain controller. All the XP clients have the same local administrator password. For this reason, any user logged on as local admin could have access to all other machines' administrative shares. We would like only the *domain* administrators to be able to access the admin shares, not the *local* administrator from another machine. How can we achieve this while keeping the same local admin passwords on all machines?

Regards,
Vincent

You cannot. This is one of the biggest security weaknesses of domain networking. In fact, since any domain user can log on at any computer, it follows that if they can access their own Admin Shares, they can also access all the others. It's worse if a Domain Admin logs on; then the server's OS is exposed to any malware on the computer being repaired, as well as the other workstations. Yet, why/when might an Admin log on? Mostly because there is something wrong with the computer. Which might just be malware-related.

The only solution is to remove the Admin Shares, which involves a registry patch. (Removing them in Explorer only results in their return at next reboot.) Removing the Admin Shares will make some of the remote-management tools inoperable, but IMHO this is preferable to a gaping security hole. The only proviso is that you cannot remove them on an Exchange server without causing problems.

It's time this was fixed!! (Actually, it should have been fixed in NT4; the vulnerability has been known about for at least a decade.)

Ian, thank you for this clarification!

> It's worse if a Domain Admin logs on, then the server's OS is exposed ...

So can we prevent a domain admin account from logging on to a client computer?

> The only solution is to remove the Admin Shares, ...

OK, but in this case it would be easier for us to set a different local admin password for each client computer, because we use administrative shares to manage the clients. Would it be safe to do it that way? (assuming that the domain admin account would not be used by malware or by normal users, of course)

Vincent
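
Added example, not written by either poster: a PowerShell sketch of the "registry patch" mentioned in the reply above, with an audit step that shows whether the admin shares will come back at the next reboot. The thread does not name the registry values; the code assumes they are the LanmanServer parameters `AutoShareWks` (workstations) and `AutoShareServer` (servers), and the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumption: the "registry patch" refers to
# the LanmanServer values AutoShareWks (workstations) / AutoShareServer (servers).
$ParamsKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShareStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # ProductType 1 = workstation; 2 and 3 = domain controller / server.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $valueName = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }

    # Requires the Remote Registry service when the target is another machine.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $hive.OpenSubKey($ParamsKey)
    $value = $key.GetValue($valueName, $null)   # $null: value absent, default applies
    $key.Close(); $hive.Close()

    # Win32_Share.Type 2147483648 (0x80000000) marks disk admin shares (C$, ADMIN$).
    $live = @(Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $_.Type -eq 2147483648 } | ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        ComputerName    = $ComputerName
        RegistryValue   = $valueName
        Setting         = $value
        RecreatedAtBoot = ($value -ne 0)        # absent or non-zero: shares come back
        LiveAdminShares = $live -join ','
    }
}

function Disable-AutoAdminShares {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $status = Get-AdminShareStatus -ComputerName $ComputerName
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $hive.OpenSubKey($ParamsKey, $true)  # open writable
    $key.SetValue($status.RegistryValue, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hive.Close()
    # Takes effect after the Server service restarts or the machine reboots.
}
```

Run `Get-AdminShareStatus` before and after the change; `IPC$` is not controlled by these values and is not listed.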