Educause Security Discussion mailing list archives

Re: Local Administrators and Admin Shares - C$


From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 26 Feb 2016 17:53:08 -0500

1) don't run server, remote desktop, or remote powershell services. medium hard at a .edu.
2) don't let users be admins. can be made easy by emulating sudo, like with an elevated schtask to get the LAPS password on demand or a local .\admin account, but change is hard.
3) restrict access in the firewall -- on the PC, not just the network. medium hard, because GPO only easily lets you assert total control, but you probably want to allow user-driven exceptions for faculty.
4) EASY: if you can't manage the firewall, set ipsec policies specifically blocking inbound smb, rdp, etc.
5) EASY: if you can't do any of the above, at least add a group including all users to the "Deny access from network" GPO. https://twitter.com/swiftonsecurity/status/655174103964471296
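
A read-only audit of the mitigations listed in the message above, as an added example that is not part of the original post. The port and service lists are assumptions, and the script has to run in an elevated Windows PowerShell 5.1+ session on the workstation being checked.

```powershell
# Added example: read-only check of a workstation against the five points above.
# Assumptions: the port and service lists below; adjust them for your environment.
$ports    = '445', '3389', '5985', '5986'          # SMB, RDP, WinRM HTTP/HTTPS
$services = 'LanmanServer', 'TermService', 'WinRM' # Server, Remote Desktop, PS remoting

# 1) Are the server / remote desktop / remoting services present and running?
$svc = Get-Service -Name $services -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2) Who is in the local Administrators group (well-known SID S-1-5-32-544)?
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3) Host firewall state as actually enforced (ActiveStore includes GPO settings).
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction

# 3) Enabled inbound TCP block rules that name one of the ports explicitly.
#    Coarse check: port ranges and address-scoped rules are not interpreted,
#    and legacy IPsec policy filters (point 4) are not inspected at all.
$blocked = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
        -Action Block -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP') { $filter.LocalPort }
    } |
    Where-Object { $_ -in $ports } | Sort-Object -Unique
$noBlockRule = $ports | Where-Object { $_ -notin $blocked }

# 5) The "deny network access" user right is SeDenyNetworkLogonRight.
#    secedit exports the effective user-rights assignment to an INF file.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.+)$'
$denyNetwork = if ($match) {
    $match.Matches[0].Groups[1].Value.Trim() -split '\s*,\s*'
} else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue

'--- 1) services';                 $svc      | Format-Table -AutoSize
'--- 2) local administrators';     $admins   | Format-Table -AutoSize
'--- 3) firewall profiles';        $profiles | Format-Table -AutoSize
'--- 3) ports with no explicit inbound block rule: ' + ($noBlockRule -join ', ')
'--- 5) SeDenyNetworkLogonRight entries: ' + ($denyNetwork -join ', ')
```

An empty list for point 5 means no account or group is denied network logon on that machine; entries prefixed with `*` are SIDs.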

