Securing Network Access

diatech    0


I work on an IT helpdesk. Some of my coworkers (who know a little bit more than me) think it's funny to schedule tasks remotely (we are all domain admins) that run vbs scripts (we are able to access any computer in the network via \\computername\c$\).

How can I disable this, so that they either need a password, or limit it to my own credentials only?

Thank you,

Dustin Formisano


cluberti    5

There's no way short of removing their admin privileges. You could restrict rights on machines via policy to disallow the ability to log in remotely or remove the ability to create tasks, but domain admins can simply add them back.

An admin is an admin, and you either trust your admins or you don't. Also, given pass-the-hash attacks that are out there, I'm inclined to mention that what they are doing is very poor from a security stance too if they're actually logging in to any machine, anywhere, to start the sequence with a domain admin account. Domain admin accounts should only be used to runas tools that connect to machines remotely, and should (if possible) never be used to actually log in to any machines ever if possible until all NTLM/NTLMv2 has been disabled from the network (and only Kerberos is active for auth), or IPsec is in place (and no machines on the IPsec network are compromised...), at a minimum. A more proactive security stance creates an audited security account that ISN'T an admin anywhere and uses only enough rights to do the job (if admin rights are actually needed, then they're given on that machine temporarily via some process, and then removed when completed). Given disabling NTLM/NTLMv2 can (and usually does) break lots of legacy things and everyday Windows tasks (like, say, printing), the defaults set by Microsoft on machines and in default group policy settings don't disable NTLM entirely for many reasons. The least of your problems, security-wise, is that they are creating unwanted scheduled tasks.
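Since the reply above says the task creation cannot be blocked while everyone is a domain admin, the following is an added example (not part of the thread and not either poster's code) of auditing it instead: it joins each "scheduled task created" event (Security log ID 4698) to the logon session (ID 4624) that created it, showing the account, source address and whether NTLM was used. The event IDs and field names are the standard Windows Security log schema; the account names, address and task names are constructed, and both function names are hypothetical.

```powershell
# Added example. Needs "Audit Other Object Access Events" (4698) and
# "Audit Logon" (4624) enabled on the machine being watched.

function ConvertTo-EventMap {
    # Flatten <EventData><Data Name="x">value</Data> of one event into a hashtable.
    param([string]$EventXml)
    $map = @{}
    foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Get-TaskCreationSource {
    # Join each 4698 (task created) to the 4624 logon session that created it.
    param([hashtable[]]$Logons, [hashtable[]]$Tasks)
    $bySession = @{}
    foreach ($l in $Logons) { $bySession[$l.TargetLogonId] = $l }
    foreach ($t in $Tasks) {
        $l = $bySession[$t.SubjectLogonId]
        [pscustomobject]@{
            Task        = $t.TaskName
            CreatedBy   = '{0}\{1}' -f $t.SubjectDomainName, $t.SubjectUserName
            LogonType   = if ($l) { $l.LogonType } else { 'no matching logon' }
            SourceIp    = if ($l) { $l.IpAddress } else { $null }
            AuthPackage = if ($l) { $l.AuthenticationPackageName } else { $null }
            # Logon type 3 = network logon, i.e. the task was registered from another machine.
            Remote      = [bool]($l -and $l.LogonType -eq '3')
        }
    }
}

# Constructed sample records (real field names, made-up values).
$sampleLogons = @(
    @{ TargetLogonId = '0x5a1f3'; TargetUserName = 'helpdesk2'; LogonType = '3'
       IpAddress = '10.0.0.23'; AuthenticationPackageName = 'NTLM' },
    @{ TargetLogonId = '0x3e7aa'; TargetUserName = 'helpdesk1'; LogonType = '2'
       IpAddress = '-'; AuthenticationPackageName = 'Negotiate' }
)
$sampleTasks = @(
    @{ TaskName = '\example-remote-task'; SubjectDomainName = 'CORP'
       SubjectUserName = 'helpdesk2'; SubjectLogonId = '0x5a1f3' },
    @{ TaskName = '\example-local-task'; SubjectDomainName = 'CORP'
       SubjectUserName = 'helpdesk1'; SubjectLogonId = '0x3e7aa' }
)
Get-TaskCreationSource -Logons $sampleLogons -Tasks $sampleTasks | Format-Table -AutoSize

# Live use against the local Security log (elevated prompt):
# $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { ConvertTo-EventMap $_.ToXml() }
# $tasks  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698} | ForEach-Object { ConvertTo-EventMap $_.ToXml() }
# Get-TaskCreationSource -Logons $logons -Tasks $tasks | Where-Object Remote
```

Because a domain admin can clear or reconfigure local logs, this only gives a durable record if the events are also forwarded to a collector those accounts do not administer.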
