diatech Posted May 30, 2013

Hello; I work on an IT helpdesk. Some of my co-workers (who know a little bit more than me) think it's funny to schedule tasks remotely (we are all domain admins) that run vbs scripts (we are able to access any computer in the network via \\computername\c$\). How can I disable this, so that they either need a password, or limit it to my own credentials only?

Thank you,
Dustin Formisano
cluberti Posted May 31, 2013

There's no way short of removing their admin privileges. You could restrict rights on machines via policy to disallow the ability to log in remotely or remove the ability to create tasks, but domain admins can simply add them back. An admin is an admin, and you either trust your admins or you don't.

Also, given pass-the-hash attacks that are out there, I'm inclined to mention that what they are doing is very poor from a security stance too if they're actually logging in to any machine, anywhere, to start the sequence with a domain admin account. Domain admin accounts should only be used to runas tools that connect to machines remotely, and should (if possible) never be used to actually log in to any machines ever if possible until all NTLM/NTLMv2 has been disabled from the network (and only Kerberos is active for auth), or IPsec is in place (and no machines on the IPsec network are compromised...), at a minimum. A more proactive security stance creates an audited security account that ISN'T an admin anywhere and uses only enough rights to do the job (if admin rights are actually needed, then they're given on that machine temporarily via some process, and then removed when completed). Given disabling NTLM/NTLMv2 can (and usually does) break lots of legacy things and everyday Windows tasks (like, say, printing), the defaults set by Microsoft on machines and in default group policy settings don't disable NTLM entirely for many reasons. The least of your problems, security-wise, is that they are creating unwanted scheduled tasks.
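Since policy can't stop a domain admin from registering tasks, the practical defender's move the reply points at is auditing: Windows logs a Security event 4698 ("a scheduled task was created") whose EventData carries the creating account and the task's own XML. The script below is an added example for this thread, not code from either poster; it parses such records and flags tasks that launch a script host (wscript/cscript and friends) or were registered by an account on a watch list. The event records, computer names, account names and the `CORP\jdoe` watch-list entry are all constructed for illustration; the event and task XML namespaces are the real ones used by the Windows event log and Task Scheduler.

```python
"""Review Windows Security event 4698 (scheduled task created) records and flag
tasks that launch a script host or were registered by a watched account.
Added example for this thread; the sample records are constructed, not real logs."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Script hosts and extensions worth a second look (assumption: tune to your estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd)\b", re.IGNORECASE)


@dataclass
class TaskCreation:
    computer: str
    subject: str      # DOMAIN\user that registered the task
    task_name: str
    command: str
    arguments: str


def parse_4698(xml_text: str) -> Optional[TaskCreation]:
    """Return the task details from one event record, or None if it is not a 4698."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{{{EVENT_NS}}}System")
    if system is None or system.findtext(f"{{{EVENT_NS}}}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVENT_NS}}}Data")}
    # TaskContent carries the task's own XML, escaped inside the event; parse it in turn.
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    exec_node = task.find(f".//{{{TASK_NS}}}Exec")
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext(f"{{{TASK_NS}}}Command", default="")
        arguments = exec_node.findtext(f"{{{TASK_NS}}}Arguments", default="")
    return TaskCreation(
        computer=system.findtext(f"{{{EVENT_NS}}}Computer", default=""),
        subject=f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        task_name=data.get("TaskName", ""),
        command=command,
        arguments=arguments,
    )


def reasons_to_flag(tc: TaskCreation, watched: set) -> list:
    """List why this task creation deserves review; an empty list means it looks routine."""
    reasons = []
    exe = tc.command.lower().rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS or SCRIPT_EXT.search(tc.arguments):
        reasons.append(f"runs a script: {tc.command} {tc.arguments}".strip())
    if tc.subject.lower() in {w.lower() for w in watched}:
        reasons.append(f"created with watched account {tc.subject}")
    return reasons


def review(records: list, watched: set) -> list:
    """Return (computer, task name, reasons) for every flagged 4698 record."""
    findings = []
    for rec in records:
        tc = parse_4698(rec)
        if tc is None:
            continue
        reasons = reasons_to_flag(tc, watched)
        if reasons:
            findings.append((tc.computer, tc.task_name, reasons))
    return findings


def make_event(event_id, computer, user, domain, task_name, command, arguments):
    """Build a constructed event record in the shape the Security log exports (sample data)."""
    task_xml = (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{escape(command)}</Command>'
                f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">{domain}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


# Constructed sample: a prank-style task, a routine maintenance task, and a 4702 (task updated).
SAMPLE_RECORDS = [
    make_event(4698, "WKS-042.corp.example", "jdoe", "CORP", "\\Pranks\\Popup",
               "C:\\Windows\\System32\\wscript.exe", "\\\\fs01\\scripts\\popup.vbs"),
    make_event(4698, "WKS-042.corp.example", "WKS-042$", "CORP",
               "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
               "%windir%\\system32\\defrag.exe", "-c -h -o -$"),
    make_event(4702, "WKS-042.corp.example", "jdoe", "CORP", "\\Pranks\\Popup",
               "C:\\Windows\\System32\\wscript.exe", "\\\\fs01\\scripts\\popup.vbs"),
]

if __name__ == "__main__":
    for computer, name, why in review(SAMPLE_RECORDS, {"CORP\\jdoe"}):
        print(f"{computer}: {name}: {'; '.join(why)}")
```

On a real estate you would feed `review()` the XML exported from the Security log (for example with `wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml`, which requires the "Audit Other Object Access Events" subcategory to be enabled) and put the domain admin accounts on the watch list, so that any task a privileged account registers on a workstation gets a ticket rather than going unnoticed.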