diatech

Securing Network Access

2 posts in this topic

Hello;

I work on an IT helpdesk. Some of my coworkers (who know a little bit more than me) think it's funny to schedule tasks remotely (we are all domain admins) that run vbs scripts (we are able to access any computer in the network via \\computername\c$\).

How can I disable this, so that they either need a password, or limit it to my own credentials only?

Thank you,

Dustin Formisano


There's no way short of removing their admin privileges. You could restrict rights on machines via policy to disallow the ability to log in remotely or remove the ability to create tasks, but domain admins can simply add them back.

An admin is an admin, and you either trust your admins or you don't. Also, given pass-the-hash attacks that are out there, I'm inclined to mention that what they are doing is very poor from a security stance too if they're actually logging in to any machine, anywhere, to start the sequence with a domain admin account. Domain admin accounts should only be used to runas tools that connect to machines remotely, and should (if possible) never be used to actually log in to any machines ever if possible until all NTLM/NTLMv2 has been disabled from the network (and only Kerberos is active for auth), or IPsec is in place (and no machines on the IPsec network are compromised...), at a minimum. A more proactive security stance creates an audited security account that ISN'T an admin anywhere and uses only enough rights to do the job (if admin rights are actually needed, then they're given on that machine temporarily via some process, and then removed when completed). Given disabling NTLM/NTLMv2 can (and usually does) break lots of legacy things and everyday Windows tasks (like, say, printing), the defaults set by Microsoft on machines and in default group policy settings don't disable NTLM entirely for many reasons. The least of your problems, security-wise, is that they are creating unwanted scheduled tasks.

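Since the reply above concludes that other domain admins cannot be locked out, the practical control is auditing who creates tasks. The following is an added example, not part of the original thread: it summarises Security event 4698 ("A scheduled task was created") and flags creators outside an expected list. It assumes the "Audit Other Object Access Events" subcategory is enabled; the function name, account names and sample event are constructed for illustration.

```powershell
# Added example, not from the thread. Event 4698 is only logged when the
# "Audit Other Object Access Events" audit subcategory is enabled.
function Get-TaskCreationSummary {                  # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # XML text of 4698 events
        [string[]]$ExpectedUser = @()               # accounts expected to create tasks here
    )
    foreach ($raw in $EventXml) {
        $evt  = ([xml]$raw).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $creator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # TaskContent carries the task definition XML; extract what the task runs.
        $command   = if ($data['TaskContent'] -match '<Command>(.*?)</Command>') { $Matches[1] }
        $arguments = if ($data['TaskContent'] -match '<Arguments>(.*?)</Arguments>') { $Matches[1] }
        $action    = "$command $arguments".Trim()
        [pscustomobject]@{
            Time       = $evt.System.TimeCreated.SystemTime
            Computer   = $evt.System.Computer
            Creator    = $creator
            TaskName   = $data['TaskName']
            Action     = $action
            Unexpected = $ExpectedUser -notcontains $creator   # true for everyone if the list is empty
            RunsScript = $action -match '\.(vbs|vbe|js|wsf)\b' # Windows Script Host file types
        }
    }
}

# Constructed sample event (placeholder names), shaped like the output of ToXml().
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><TimeCreated SystemTime="2016-07-10T09:15:00Z"/><Computer>HELPDESK-PC01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">coworker.admin</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TaskName">\Surprise</Data>
    <Data Name="TaskContent">&lt;Task&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;wscript.exe&lt;/Command&gt;&lt;Arguments&gt;C:\Temp\prank.vbs&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
'@
Get-TaskCreationSummary -EventXml $sample -ExpectedUser 'EXAMPLE\my.account'

# Against the live Security log (elevated prompt):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } | ForEach-Object { $_.ToXml() }
# Get-TaskCreationSummary -EventXml $xml -ExpectedUser 'EXAMPLE\my.account'
```

Because a domain admin can change audit settings or clear the local log, this record is only dependable when the events are also forwarded to a collector those accounts do not administer.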
