active directory - security hole

Status
Not open for further replies.

regulator2004

Hi

I work in a developer environment (under win2000) and have a security problem that I am having trouble resolving.

The cause of the security hole is that, by default, the C drive is shared on all Windows operating systems as C$ for administrative purposes. This is so that network administrators can access a standard share on the connected machines. To be able to access this share you need to have administrative privileges on the machine that you are connecting to. This share is known as an administrative share. This is among a few that include:
* The Root Drive of all local drives
* ADMIN$ - the system root (Windows) directory
* IPC$ - Remote machine management share
* wwwroot$ - If IIS is installed

To be able to connect to all of these shares directly, you require local admin privileges on the machine that you are trying to connect to.

The issue identified therefore arises when the user has local administrative privileges to the workstation. This level of access is a requirement for developers in the environment. The method employed to grant developers local admin access has been an Active Directory group in the Local Administrators group of the machine. Since all developers are members of that AD group, they are also local admins of all of the developer workstations. Therefore, all of the developers can access the C drive of another developer machine simply by using run as or explorer “\\machine name\c$” without entering a password.

To date, the only method that I have found of disabling this means that file sharing (and possibly print sharing) will be disabled. I am not sure of the exact extent to which these are affected yet. In addition, the developers are local administrators of the machine and can start this themselves.

Any ideas?
 
Set a permission on the drive and only allow access to one account (yours). Your administrator account should be renamed anyway, so only give that account access to the drive(s) in question.
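
An added example, not part of either post above: a short audit that expands group membership in each workstation's local Administrators group and lists which developers hold admin rights (and so can reach the administrative shares) on a machine they are not assigned to. The group names, host names, user names and the per-user grant on DEV-PC-03 are constructed assumptions, not details from the thread.

```python
# Constructed sample data (assumption): not taken from the thread.
# Directory group -> members (a member may be a user or another group).
AD_GROUPS = {
    "DOMAIN\\Developers": ["alice", "bob", "carol"],
    "DOMAIN\\Domain Admins": ["svc-admin"],
}
# Workstation -> (assigned developer, members of its local Administrators group).
WORKSTATIONS = {
    "DEV-PC-01": ("alice", ["DOMAIN\\Domain Admins", "DOMAIN\\Developers"]),
    "DEV-PC-02": ("bob", ["DOMAIN\\Domain Admins", "DOMAIN\\Developers"]),
    # Hypothetical alternative: only the assigned developer is added directly.
    "DEV-PC-03": ("carol", ["DOMAIN\\Domain Admins", "carol"]),
}
DEVELOPERS = set(AD_GROUPS["DOMAIN\\Developers"])


def expand(member, groups, seen=None):
    """Resolve a user or (possibly nested) group name to a set of users."""
    seen = set() if seen is None else seen
    if member not in groups:
        return {member}          # not a group, so treat it as a user account
    if member in seen:           # guard against circular group nesting
        return set()
    seen.add(member)
    users = set()
    for child in groups[member]:
        users |= expand(child, groups, seen)
    return users


def cross_machine_admins(workstations, groups, scope):
    """Return {host: in-scope users, other than the owner, who are local admins}."""
    findings = {}
    for host, (owner, local_admins) in workstations.items():
        effective = set()
        for member in local_admins:
            effective |= expand(member, groups)
        extra = sorted((effective & scope) - {owner})
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    report = cross_machine_admins(WORKSTATIONS, AD_GROUPS, DEVELOPERS)
    for host, users in report.items():
        print(f"{host}: admin shares reachable by {', '.join(users)}")
```
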
 