Securing Network Access


1 reply to this topic

#1
diatech
  • Member
  • 1 posts
  • Joined 30-May 13
  • OS:Windows 7 x64
Hello;

I work on an IT helpdesk. Some of my coworkers (who know a little bit more than me) think it's funny to schedule tasks remotely (we are all domain admins) that run vbs scripts (we are able to access any computer in the network via \\computername\c$\).

How can I disable this, so that they either need a password, or limit it to my own credentials only?

Thank you,
Dustin Formisano



#2
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,252 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
There's no way short of removing their admin privileges. You could restrict rights on machines via policy to disallow the ability to log in remotely or remove the ability to create tasks, but domain admins can simply add them back.

An admin is an admin, and you either trust your admins or you don't. Also, given pass-the-hash attacks that are out there, I'm inclined to mention that what they are doing is very poor from a security stance too if they're actually logging in to any machine, anywhere, to start the sequence with a domain admin account. Domain admin accounts should only be used to runas tools that connect to machines remotely, and should (if possible) never be used to actually log in to any machines ever if possible until all NTLM/NTLMv2 has been disabled from the network (and only Kerberos is active for auth), or IPsec is in place (and no machines on the IPsec network are compromised...), at a minimum. A more proactive security stance creates an audited security account that ISN'T an admin anywhere and uses only enough rights to do the job (if admin rights are actually needed, then they're given on that machine temporarily via some process, and then removed when completed). Given disabling NTLM/NTLMv2 can (and usually does) break lots of legacy things and everyday Windows tasks (like, say, printing), the defaults set by Microsoft on machines and in default group policy settings don't disable NTLM entirely for many reasons. The least of your problems, security-wise, is that they are creating unwanted scheduled tasks.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
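An added example, not part of either post above: since the reply explains that task creation by domain admins cannot be prevented, the practical fallback is to audit it. This PowerShell sketch lists scheduled-task creation events (Security event 4698) on the local machine and ties each one to a network logon (event 4624, logon type 3) to show which account and source address registered the task. It assumes the "Audit Other Object Access Events" and logon auditing subcategories are enabled and that it is run from an elevated prompt; the seven-day window and the script-host pattern are illustrative choices.

```powershell
# Added example: report who created scheduled tasks on this machine and from where.
# Assumes auditing of "Other Object Access Events" (4698) and logons (4624) is enabled.
$since = (Get-Date).AddDays(-7)   # illustrative look-back window

function Get-EventFields {
    # Turn an event's <EventData> name/value pairs into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Index network logons (type 3) by logon ID so task events can be matched to them.
$netLogons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.LogonType -eq '3' -and $f.TargetLogonId) { $netLogons[$f.TargetLogonId] = $f }
    }

# One row per task creation, flagged when it came in over the network
# or when the task definition references a script host or .vbs file.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $logon = if ($f.SubjectLogonId) { $netLogons[$f.SubjectLogonId] } else { $null }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            TaskName      = $f.TaskName
            CreatedBy     = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
            RemoteLogon   = [bool]$logon
            SourceAddress = if ($logon) { $logon.IpAddress } else { $null }
            RunsScript    = [bool]($f.TaskContent -match '\.vbs|wscript|cscript')
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

This only records the activity; as the reply notes, an account with domain admin rights can still change the policy or the logs, so forwarding these events to a collector the helpdesk admins do not control is what makes the audit trail meaningful.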



