RG019 – Preventing access to admin shares for local admins

By Max Ranzau


Using Workspace Manager, you might be in the situation that you need to permit users to browse UNC paths on the network. This may be the case if you have users with elevated privileges, such as users who are local administrators and are allowed to install software using the Partially Managed Workstation feature of Workspace Manager.

This article describes how you can have your cake and eat it too, by disallowing the users (even if they are local admins) from reaching administrative shares. This is an interesting alternative to completely removing the admin shares by policies or similar.

Here’s the skinny on how to do it. Detailed explanation will follow.

  • Enable File and Folder security
  • Add a Folder rule which blocks \\*\?$* (the ? is a single-character wildcard standing in for the drive letter, so this catches C$, D$ and so on; kinda looks like a swear word, doesn’t it? :)
  • Also add a Folder rule which blocks \\*\Admin$ to disallow access to the administrative share
  • Ensure that the REG_DWORD value NoRun under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer is set to 0

To go a bit deeper into the issue: the problem in this case is that we do not want these local admins to start browsing other users’ computers via the administrative shares, \\computername\c$ for example. We do, however, want to preserve the users’ ability to browse regular shares such as \\fileserver\someshare. One could consider implementing policies to disallow access to administrative shares, but this is the RESguru blog, so let’s have a look at how we can implement a cool and rather elegant solution to this which will allow us a very granular

One of the security subsystems in Workspace Manager, File and Folder Security, can help you accomplish this. Where the other subsystems, such as AppGuard and Read-Only Blanketing, whitelist allowed resources, File and Folder Security works the other way around, by blacklisting the specified resources.

In order to disallow access to other computers’ admin shares, first enable File and Folder Security by launching the Workspace Manager console and navigating to Security Management | Files and Folders. Set New security mode to Enabled.

Second, use the Add button to create a Folder rule. Configure it so that it looks like the example below:

(Screenshot: ff-security-share-rule, the Folder rule blocking \\*\?$*)

The last thing to do is to ensure that the Run... item is enabled on the Start menu. This is important, as it also turns on the ability to browse UNC paths from the Run dialog. The registry value above (NoRun = 0) can be implemented using the registry file below, which can be imported into PowerLaunch | User Registry.

Click here to download the .reg file (oops, link broken; sorry about that).

Alternatively, if you want to be really quick about it, below is a download link for a Workspace Manager building block, which will implement the necessary security rules and the NoRun registry hack.

Right-click and save this building block (same here, will fix the link asap).

Important update: If you have Office 2007 in the environment (as most do these days), there is a chance that creating a document in Word will trip the File and Folder security rule which you created above. The reason is that WinWord creates a temporary file using the resolved UNC path to the user’s home directory (that is what is visible in the log, anyway). In short, Word will try to create \\server\share\username\~$blahdiblahtempnamefile. This trips the \\*\?$* filter, because the * wildcard also spans the intermediate path components and the ~$ in the file name then lines up with the ?$ in the rule. In order to resolve this, add a global authorized file rule (global is a good idea, as perhaps Excel or PowerPoint may be up to the same tricks). You should authorize * to modify \\*\~$*.

This should match the temp files beginning with ~$, which should take care of the problem. Keep in mind that the exception is also a small hole in the admin-share block: as written it lets any process create ~$-prefixed files on any share, blocked ones included. If that bothers you, authorize only the Office executables rather than * for the \\*\~$* rule.
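The following PowerShell is an added example, not code from the original post or from RES. It emulates how the three rules above (the two blocking Folder rules and the global ~$ authorization) combine when evaluated against sample UNC paths, so the rule set can be sanity-checked before importing the building block, and it applies the NoRun registry change with native cmdlets. It assumes that RES evaluates rules as shell-style wildcards in which * also spans backslashes and ? matches exactly one character (the Word ~$ incident described above behaves that way), and that an authorized-file rule takes precedence over a blocking Folder rule; PowerShell’s -like operator has the same wildcard semantics. The hostnames, share names and file names are made up.

```powershell
# Added example (not from the original post or from RES).
# Assumptions: '*' spans backslashes, '?' matches one character, and an
# authorized-file rule overrides a blocking Folder rule. -like behaves the
# same way, so it stands in for the RES rule engine here.

$BlockedFolders  = @('\\*\?$*', '\\*\Admin$')   # the two Folder rules from the post
$AuthorizedFiles = @('\\*\~$*')                  # the global authorized-file rule (process: *)

function Test-UncPathAllowed {
    param([Parameter(Mandatory)][string]$Path)
    # Authorizations are checked first, as exceptions to the blocking rules.
    foreach ($pattern in $AuthorizedFiles) {
        if ($Path -like $pattern) { return $true }
    }
    foreach ($pattern in $BlockedFolders) {
        if ($Path -like $pattern) { return $false }
    }
    return $true
}

function Enable-RunMenuItem {
    # NoRun = 0 keeps the Run... item, and UNC browsing from it, available.
    # Same value the post's .reg file / building block sets.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoRun' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Constructed sample paths (hostnames, shares and file names are made up).
$samples = @(
    '\\fileserver\someshare'                 # regular share: allowed
    '\\pc0123\c$'                             # drive admin share: blocked by \\*\?$*
    '\\pc0123\D$\Users'                       # below a drive admin share: still blocked
    '\\pc0123\Admin$'                         # not matched by ?$, so the second rule is needed
    '\\fileserver\home\jdoe\~$report.docx'    # Word temp file: rescued by \\*\~$*
    '\\fileserver\home\jdoe\report.docx'      # ordinary document: allowed
    '\\pc0123\c$\~$notes.txt'                 # allowed: the ~$ exception is a small hole
)

foreach ($s in $samples) {
    $verdict = if (Test-UncPathAllowed -Path $s) { 'allowed' } else { 'BLOCKED' }
    '{0,-40} {1}' -f $s, $verdict
}

# Apply the registry change for the current user:
# Enable-RunMenuItem
```

Run the script as the test user to see the verdict for each sample path; the last sample shows why narrowing the ~$ authorization to the Office executables is worth considering. Enable-RunMenuItem writes to HKCU, so it only affects the user it is run as, which is the same scope as the PowerLaunch | User Registry import.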
