Default Administrative Shares - Setting Permissions

Last post 04-16-2005, 6:28 PM by mechBgon. 21 replies.
  •  04-12-2005, 11:04 AM 119

    Default Administrative Shares - Setting Permissions

    The default admin shares - such as c$, d$, admin$, ipc$ - are accessible to all Administrators.  But I would like to restrict the permissions to just Domain Administrators (no local admin group access).

    Is this possible?  Hopefully via an AD Group Policy?
  •  04-12-2005, 3:51 PM 130 in reply to 119

    Re: Default Administrative Shares - Setting Permissions

    I'd keep System and Domain Administrators. If you remove Administrators without keeping System you WILL run into issues.
    Jason N. Gaylord
    JasonGaylord.com
  •  04-12-2005, 4:04 PM 131 in reply to 130

    Re: Default Administrative Shares - Setting Permissions

    And this just in from Steve Schofield [OWSteve] (via MSN IM):

    "I wouldn't do that. I'm not sure about IPC$. If you do remove Administrators be sure to keep Domain Administrators and System with Full Permissions on c$ and d$. Leave admin$ alone. Yes, you can create a GPO. The policy should be under Machine Configuration. DO NOT TOUCH THE DEFAULT DOMAIN POLICY OR DEFAULT DOMAIN CONTROLLERS. I'd also recommend that you back up your default GPOs."


    Jason N. Gaylord
    JasonGaylord.com
  •  04-12-2005, 4:26 PM 134 in reply to 119

    Re: Default Administrative Shares - Setting Permissions

    You'll have to explain to me the consequences of restricting the admin shares to just Domain Administrators if you don't recommend it.  I've read articles that actually recommended deleting these shares after each reboot via the login scripts (since they always remap themselves).  Plus I've seen SP2 Firewall block admin share requests by default.

    The problem I'm facing is that several recent virus outbreaks spread using the admin shares.  There is no reason that Desktop1 should access Desktop2 via an admin share, so to prevent these types of outbreaks I only want the Domain Admins to access them (which still allows the IS Team and domain Administrator).

    edit:
    If SYSTEM is still assigned to an admin share, what kind of permissions are inherited by the logged in user?
  •  04-12-2005, 5:04 PM 135 in reply to 134

    Re: Default Administrative Shares - Setting Permissions

    System needs full permissions otherwise you won't have a system. [;)]


    Jason N. Gaylord
    JasonGaylord.com
  •  04-12-2005, 6:18 PM 136 in reply to 135

    Re: Default Administrative Shares - Setting Permissions

    I'm talking about changing the permissions of the shares, not the drive's ntfs.
  •  04-13-2005, 12:39 PM 144 in reply to 130

    Re: Default Administrative Shares - Setting Permissions

    [quote user="Jason.N.Gaylord"]I'd keep System and Domain Administrators. If you remove Administrators without keeping System you WILL run into issues.[/quote]Could you explain what business the SYSTEM account of a machine has with the admin shares of another machine? It should only be accessing its own local resources, right?


    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
  •  04-13-2005, 3:41 PM 145 in reply to 144

    Re: Default Administrative Shares - Setting Permissions

    Great question. I don't have the MS answer, but I do remember removing the System account from the C$ share and having services start to fail.


    Jason N. Gaylord
    JasonGaylord.com
  •  04-13-2005, 3:57 PM 147 in reply to 145

    Re: Default Administrative Shares - Setting Permissions

    [quote user="Jason.N.Gaylord"]

    Great question. I don't have the MS answer, but I do remember removing the System account from the C$ share and having services start to fail.

    [/quote]

    Sounds like you removed System from the ntfs permissions of the drive itself.  I have tried changing share permissions to C$ but I get an error that they cannot be changed.
  •  04-13-2005, 4:03 PM 148 in reply to 147

    Re: Default Administrative Shares - Setting Permissions

    [quote user="RickW"]Sounds like you removed System from the ntfs permissions of the drive itself.  I have tried changing share permissions to C$ but I get an error that they cannot be changed.[/quote]

    Nope. It was definitely the share. I had to use safe mode and could you believe it, the thing worked. [;)]

    By the way, are you attempting to use a GPO?


    Jason N. Gaylord
    JasonGaylord.com
  •  04-13-2005, 4:26 PM 149 in reply to 148

    Re: Default Administrative Shares - Setting Permissions

    Yes a Group Policy would be nice.  :)
  •  04-14-2005, 1:18 AM 150 in reply to 147

    Re: Default Administrative Shares - Setting Permissions

    [quote user="RickW"]Sounds like you removed System from the ntfs permissions of the drive itself.  I have tried changing share permissions to C$ but I get an error that they cannot be changed.[/quote]For fear of becoming a "me too" post, that is my experience as well - either disable it or leave it; you cannot alter it.
    The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral
  •  04-14-2005, 1:56 AM 151 in reply to 134

    Re: Default Administrative Shares - Setting Permissions

    Hi Rick,

    Sorry, I misunderstood the question.  No, I'm not aware of using GPOs to get rid of these admin shares but it might be available in Windows 2003 GPOs.  Windows 2003 provides a much more granular approach in locking down shares via group policy.

    There are a couple of ways to turn off the shares. Either stopping the Workstation and Server services will disable these shares by default, and on any personal internet server that doesn't have a firewall (never should do that but) turning these services off will block ports 139, 138, 137, 445 I believe.  Anyway, Microsoft networking is turned off.  OR  http://support.microsoft.com/default.aspx?scid=kb;en-us;245117 is an article discussing turning off via the registry.  To be honest, I never administer share permissions as much as I do everything via NTFS permissions and GPOs.  Probably the only thing I've ever seen useful in share permissions and related to security is granting authenticated users Change permission (I think, the one less than Full Control).  I'm sure there are some security people who would beg to differ about locking down with share and folder permissions together.  Just remember a system also has to be supported so finding the balance between the two is the trick.  Any questions let me know.

    Thank you,
     
    Steve Schofield
    Microsoft MVP - ASP/ASP.NET
    ASPInsider Member - MCP
     
    http://www.orcsweb.com/
    Powerful Web Hosting Solutions
    #1 in Service and Support
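
An audit of what the post above discusses, as an added example that is not part of the original thread: it lists the administrative shares a machine currently exposes, reads the AutoShareWks / AutoShareServer values that control whether they are recreated, and lists who is in the local Administrators group, since membership there is what grants access to these shares. It assumes Windows PowerShell 5.1 or later, run elevated on the machine being checked; the function names are made up for this example.

```powershell
# Added example: audit default administrative shares on the local machine.
# Win32_Share marks administrative shares with the high bit set in Type.
$adminTypes = @{
    2147483648 = 'Disk (admin)'
    2147483649 = 'Print queue (admin)'
    2147483650 = 'Device (admin)'
    2147483651 = 'IPC (admin)'
}

function Get-AdminShare {
    # Returns C$, D$, ADMIN$, IPC$ and any other share flagged as administrative.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $adminTypes.ContainsKey([long]$_.Type) } |
        Select-Object Name, Path, @{ n = 'Kind'; e = { $adminTypes[[long]$_.Type] } }
}

function Get-AutoShareSetting {
    # A value of 0 stops the Server service from recreating the drive and
    # ADMIN$ shares at startup; a missing value means the default (created).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $data = $props.$name
        if ($null -eq $data) { $shown = '(not set)' } else { $shown = $data }
        if ($data -eq 0) { $state = 'auto-creation disabled' } else { $state = 'auto-creation enabled' }
        [pscustomobject]@{ Value = $name; Data = $shown; State = $state }
    }
}

function Get-AdminShareReader {
    # Members of BUILTIN\Administrators (well-known SID, locale independent).
    # Local accounts here are the ones that work without a domain logon.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

'--- Administrative shares ---'
Get-AdminShare | Format-Table -AutoSize
'--- Auto-share registry values ---'
Get-AutoShareSetting | Format-Table -AutoSize
'--- Local Administrators members ---'
Get-AdminShareReader | Format-Table -AutoSize
```

AutoShareWks applies to workstation editions and AutoShareServer to server editions; a change takes effect when the Server service is restarted.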
  •  04-14-2005, 8:02 AM 153 in reply to 151

    Re: Default Administrative Shares - Setting Permissions

    [quote user="owsteve"]

    There are a couple of ways to turn off the shares.

    [/quote]

    Actually I don't want to turn them off altogether, I just want to change the permissions on them so only members of the Domain Admins group (or more specifically, Domain\Administrators) can access them.  Right now I can access anyone's admin share without a domain account, if I know their username/password or the local administrator account's username/password.
  •  04-14-2005, 9:56 AM 154 in reply to 153

    Re: Default Administrative Shares - Setting Permissions

    I'm not sure offhand if you can *customize* the permissions on the default shares.  I know this is possible on shares that are created besides these but I don't believe permissions can be altered.  I always get the error, these are created for administrative purposes and can't be altered.  I'll let you know if I find anything though!

     

    Thanks again

    Steve
