On Wed, 21 Oct 2009 08:34:42 -0700 (PDT), Gattone wrote:
>Hello!
>I have to harden some Win2k3 servers joined to a domain.
>I've found several hardening guides and I'm applying a series of
>security measures.
>Someone suggests to disable administrative shares, but I am hesitating
>because I am afraid that this could create problems to some
>applications, the system itself and the domain.
>Most of all I am afraid of disabling these shares on the domain
>controller.
>Actually I would like to prevent users (even administrators) to get
>access to the disks without logging directly on a certain machine; but
>I have found a Microsoft article (http://support.microsoft.com/kb/842715/en-us)
>that shows some problems due to missing administrative
>shares. Moreover I've found that some backup software and some
>antivirus use these shares.
>So, the question is: in a hardening strategy, should I consider the
>disabling of administrative shares as a best practice?
>If yes, should I disable these shares both on the member servers and
>on the domain controller?
>Any answer to these questions will be appreciated!

Personally, having hardened servers to the DISA Gold disk for a while
now, they don't remove or disable the admin shares. Not even on the
DCs. I don't remember seeing it as a "highly recommended" action
either, although I wouldn't put it past DISA to "highly recommend"
something that breaks the way the server works (smile)

As you stated, you may find some backup software will use the admin
shares to back up the data across the domain, and it does make life a
little easier for the admin. And, IIRC, only those in the Admin group
can access the admin shares across the network. You can have a
"company policy" that states you shouldn't USE the share, but...

I have stood up approx 150-200 servers with a DISA Gold (Platinum
setting, actually) hardening requirement, and have not disabled the
admin shares on any of them to this point.

Mike