
Default Administrative Shares - Setting Permissions

Last post 04-16-2005, 6:28 PM by mechBgon. 21 replies.
  •  04-14-2005, 10:03 AM 155 in reply to 154

    Re: Default Administrative Shares - Setting Permissions

    I believe Steve is right. I don't think you can change the permissions. You can only disable them or leave them enabled. It's been a rough week. [:'(]
    Jason N. Gaylord
    JasonGaylord.com
  •  04-14-2005, 7:55 PM 158 in reply to 154

    Re: Default Administrative Shares - Setting Permissions

    Check out this link, it might answer your question:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;q100517&sd=mskb&#appliesto

    You can disable these shares, but only for the current session.

    You cannot change the permissions on these shares anytime. The following message is displayed if you attempt to do so:

    This has been shared for administrative purposes. The permissions cannot be set.



  •  04-14-2005, 9:36 PM 159 in reply to 158

    Re: Default Admin Shares, Setting Permissions, and RPC Service

    There we go.  I hate it when the definitive answer is not what I wanted to hear.  [:P]

    Quoted from the article:

    Windows NT maintains default administrative shares that cannot be removed permanently. These shares are created for the Windows NT root directory where the system files are kept and for the root of each hard drive partition. The shares have a dollar sign ($) suffix, are invisible to network browsing, and are only accessible to accounts with Administrator, Backup Operator, or Server Operator privileges on the particular machine.  You can disable these shares, but only for the current session.

    I suppose I have 2 options.  I can delete these shares using the login scripts, preventing the I.S. Team from accessing them unless we implement manually created CDrive shares (which can be seen) with restricted permissions.  Or, I can add a permission to Deny the Local Administrator:  http://support.microsoft.com/default.aspx?scid=kb;en-us;281140&sd=tech

    I don't like those options.  Actually I have a 3rd option which I might implement - use our personal firewall software (installed on all desktops/laptops) to block access between all machines within the dhcp scope.

    Now my next question - still on the subject of permissions.  Can you change the permissions for Remote Procedural Calls?  To be honest I don't quite understand how RPC distinguishes different users unless it's along the same lines as the admin shares.
  •  04-15-2005, 4:04 AM 773 in reply to 159

    Re: Default Admin Shares, Setting Permissions, and RPC Service

    Hi again,

    In Windows NT, it is used by many critical applications and should be left to start automatically–this is the default configuration. RPC is a substantial security concern, and it is difficult, if not impossible, to restrict the service in any way and still guarantee full functionality of the system being secured.

    The RPC services built into Windows NT highlight the importance of network-level security. Because RPC is a security weakness on the host that is difficult to restrict, undesired traffic destined for RPC should be filtered before it reaches the host.

    So, there are ways around it, although I bet it's not what you wanted to hear.
  •  04-16-2005, 4:55 PM 781 in reply to 134

    Re: Default Administrative Shares - Setting Permissions

    [quote user="RickW"]You'll have to explain to me the consequences of restricting the admin shares to just Domain Administrators if you don't recommend it.  I've read articles that actually recommended deleting these shares after each reboot via the login scripts (since they always remap themselves).  Plus I've seen SP2 Firewall block admin share requests by default.

    The problem I'm facing is that several recent virus outbreaks spread using the admin shares.  There is no reason that Desktop1 should access Desktop2 via an admin share, so to prevent these types of outbreaks I only want the Domain Admins to access them (which still allows the IS Team and domain Administrator).

    edit:
    If SYSTEM is still assigned to an admin share, what kind of permissions are inherited by the logged in user?
    [/quote]

    On the off-chance you are using the McAfee Active VirusScan suite, you can indeed remove all access to Admin shares using VS Enterprise 8.0i, or just set them to Read-Only, which is what I do.  I also have a fleet of other arbitrary behavior rules activated, some of which I made myself.  For a look at the configuration options:  www.omnicast.net/~tmcfadden/vse8/index.html  We manage our fleet using ePolicy Orchestrator but I also pre-customize our installer along the lines shown there, so that if ePO goes down, the individual installations will pick up the ball using my desired configuration.

    It does work.  There are no negative effects, other than my having to switch that off temporarily either via ePolicy Orchestrator or by connecting remotely to the system with VirusScan Console to disable the block (which ePO will re-enable on me within five minutes), if I wish to do some remote work.

    We also have arbitrary port-blocking rules to the extent possible.  Not quite an all-out desktop firewall, but blocking unnecessary port ranges per machine (with exceptions for valid programs) is both a tripwire and a damage-containment measure.

    Bigger picture:  find out where those worms are coming in, and block them there.  IM programs?  Email?  Rogue software?  Don't be reactionary, go find the source of the problem and slam the door on it.  :)

  •  04-16-2005, 6:19 PM 782 in reply to 781

    Re: Default Administrative Shares - Setting Permissions

    [quote user="mechBgon"]

    Bigger picture:  find out where those worms are coming in, and block them there.  IM programs?  Email?  Rogue software?  Don't be reactionary, go find the source of the problem and slam the door on it.  :)

    [/quote]

    Over two-thirds of our employees are mobile (laptops).  They do their work on other clients' networks.  The worms are infecting a machine that isn't 100% locked down (all machines are supposed to run a personal firewall that becomes very restrictive outside our network, but occasionally you get one that didn't have it installed).  The user then brings the laptop back into the network - and the virus goes to town.

    We eventually decided to go ahead and install our personal firewall software even on the desktops inside the network, because the IDS signatures do not get disabled while inside the network.  It's protected us from quite a few outbreaks.  The last virus we got didn't trigger a single IDS signature so that's what tipped me off it was propagating via RPC and admin shares.  I set up a quick rule in the personal firewall to log ALL traffic, to confirm it - and I could see it sending packets to port 445 on random IPs.
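
Added example, not part of the post above and not from any product mentioned in the thread: a small detector for the pattern the post describes, one internal host contacting many different addresses on TCP port 445 in a short time, run over a log-all firewall capture. The log format, sample lines, window and threshold are assumptions; adapt the field positions to your firewall's log.

```python
from collections import defaultdict
from datetime import datetime

SMB_PORT = 445   # port the poster saw probed on random IPs
WINDOW_S = 60    # assumed sliding window, in seconds
THRESHOLD = 5    # assumed: distinct destinations that count as a sweep

# Constructed sample (not from the thread); assumed field order is in the header.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2005-04-15 09:00:01 ALLOW TCP 10.0.5.40 10.0.1.10 1050 445
2005-04-15 09:00:02 ALLOW TCP 10.0.5.23 10.0.7.14 3001 445
2005-04-15 09:00:02 ALLOW TCP 10.0.5.23 10.0.2.201 3002 445
2005-04-15 09:00:03 ALLOW TCP 10.0.5.23 10.0.9.88 3003 445
2005-04-15 09:00:04 ALLOW TCP 10.0.5.23 10.0.3.5 3004 445
2005-04-15 09:00:05 ALLOW TCP 10.0.5.23 10.0.6.170 3005 445
2005-04-15 09:00:06 ALLOW TCP 10.0.5.41 10.0.1.11 1200 80
2005-04-15 09:00:07 ALLOW TCP 10.0.5.23 10.0.4.42 3006 445
truncated line
"""

def parse(line):
    """Return (timestamp, proto, src, dst, dport), or None for headers/garbage."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return ts, parts[3].upper(), parts[4], parts[5], int(parts[7])
    except ValueError:
        return None

def smb_fanout(log_text, window_s=WINDOW_S, threshold=THRESHOLD):
    """Map source IP -> most distinct TCP/445 destinations in any window, if >= threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[1] == "TCP" and rec[4] == SMB_PORT:
            events[rec[2]].append((rec[0], rec[3]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A workstation that talks only to its file server on 445 stays at one distinct destination and is not flagged; only the host sweeping many addresses is reported.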
  •  04-16-2005, 6:28 PM 783 in reply to 782

    Re: Default Administrative Shares - Setting Permissions

    Now you have me curious [:)]  Can you give some specific worms that were successful?  Who's your antivirus vendor and how frequently do the lappies get updates?  The machines have strong local-admin passwords and are kept patched up, right?

    You might try Microsoft Baseline Security Analyzer on your laptops too.  The original WinXP-created Administrator account is not normally visible, but still can be exploited.  MBSA will tell you if its password is weak or blank (duh).  Changing the original Administrator account's name and giving it a hellaciously-strong password might help you prevent infections via the Admin shares. 

    At the risk of telling you something you already can do in your sleep, right-click My Computer > Manage > Users & Groups > Users, find Administrator, right-click, rename, right-click, set password.  If you're logged on as a Domain Admin, you can do this to any computer that's on your LAN (again, sorry if I'm telling you 50 things you already know).

    MBSA, maybe you use this already:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=b13ebd6b-e258-4625-b0a3-64a4879f7798&displaylang=en

    Having read lots of worm descriptions, I also would use scanning within compressed files (real-time and scheduled scans)  and maxed-out heuristics.  In McAfee's case, this helps increase detection of unidentified worms.

    EDIT:  If the machines are all Win2000 then I guess my thing about the hidden Admin account doesn't apply, ooops!  [:$] 
