Educause Security Discussion mailing list archives
Re: Local Administrators and Admin Shares - C$
From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 26 Feb 2016 17:53:08 -0500
1) don't run server, remote desktop, or remote powershell services. medium hard at a .edu.

2) don't let users be admins. can be made easy by emulating sudo, like with an elevated schtask to get the LAPS password on demand or a local .\admin account, but change is hard.

3) restrict access in the firewall -- on the PC, not just the network. medium hard, because GPO only easily lets you assert total control, but you probably want to allow user-driven exceptions for faculty.

4) EASY: if you can't manage the firewall, set ipsec policies specifically blocking inbound smb, rdp, etc.

5) EASY: if you can't do any of the above, at least add a group including all users to the "Deny access from network" GPO.

https://twitter.com/swiftonsecurity/status/655174103964471296
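
A read-only audit of one Windows PC against items 1, 2, 3 and 5 of the message above. This is an added example, not part of the original post. It assumes an elevated Windows PowerShell 5.1 prompt, ports 445 and 3389 as the SMB and RDP ports, and that the setting in item 5 is the user right stored as SeDenyNetworkLogonRight; the temporary file name is made up for the example.

```powershell
# Added example: read-only checks, nothing on the machine is changed.
# Run elevated: secedit /export needs administrator rights.

# 1) Services that accept remote connections: Server (SMB), Remote Desktop, WinRM
Get-Service -Name LanmanServer, TermService, WinRM -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 2) Members of the local Administrators group, looked up by well-known SID
#    so the check also works on localized Windows builds
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3) Enabled inbound allow rules in the host firewall that name SMB or RDP ports
#    (rules with LocalPort "Any" are not listed here and need a separate review)
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        if ($filter.LocalPort -contains '445' -or $filter.LocalPort -contains '3389') {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = $_.Profile
                Ports   = ($filter.LocalPort -join ',')
            }
        }
    }

# 5) Accounts holding "Deny access to this computer from the network"
$tmp = Join-Path $env:TEMP 'secpol-audit.inf'   # hypothetical scratch file
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $tmp -Pattern '^SeDenyNetworkLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $tmp -ErrorAction SilentlyContinue

if ($entry) {
    # Value is a comma-separated list of names and *SIDs; resolve SIDs to names
    ($entry.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $id
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $id }   # already a name, or a SID that no longer resolves
    }
} else {
    Write-Warning 'SeDenyNetworkLogonRight is not assigned on this machine.'
}
```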