For security purposes, we want to prevent our users from accessing the C drive on their computers and on the terminal servers. These users are not local admins on either their workstations or the servers.
We have implemented the following Group Policy settings:
- Remove Run Menu from Start Menu
- Hide these specified drives in My Computer – Restrict C drive only
-Prevent access to drives from My Computer – Restrict C drive only
This does prevent the users from accessing the C drive from Windows Explorer.
However, if they enter \127.0.0.1\c$ or \localhost\c$ they can access the C drive from any of these ways:
Internet Explorer / Edge
Chrome
A link in Microsoft Word
How can I prevent this? I repeat – they are not admins in any form, and yet they can access the C drive via the administrative share. (I am also not the only person reporting this problem).
I would be happy to block access to any UNC paths (as long as I can still map drives for them), or to prevent or misdirect 127.0.0.1/localhost. But nothing I have tried works, and I really need to prevent this.
Any ideas? It's most important for me to find a way to block this on Windows 10 Enterprise, but it seems to be an issue in various Workstation and Server operating systems.
Thanks,
David
Best Answer
This was my initial answer:
And it's very wrong, but it deserves to stay as an illustration of a long-held belief not being tested often enough. I believe this is a change in behaviour from earlier versions of Windows, but I'm not sure when the change would have happened.
I've tested with Windows 10 Pro and Enterprise just in case they have different default settings, and Users can browse the local administrative shares and your options for controlling this seem rather limited I'm afraid. You can turn off Administrative shares as mdpc suggests (see https://support.microsoft.com/en-gb/help/954422/how-to-remove-administrative-shares-in-windows-server-2008) for a Microsoft source for this) but it may interfere with how various admin tools work on these computers (e.g. might prevent auto-deploying agents from deploying/updating) so I really would recommend against it.
Hiding the drive in the way you describe via GPO is nothing to do with permissions to the drive or share, by the way. This simply triggers a flag in Windows to hide certain drive letters. It's not reliable or robust and I've seen lots of admins in education, for example, go crazy trying to look this down against anything students can do but it is futile.
However... While users can access their local administrative share, they cannot access shares on other PCs, and their access via the share still only grants them the same access they would 'normally' have. Therefore, users cannot 'hack' the system this way; they cannot change things they don't already have the permissions to change.
You can and should lock down the root of the c:\ drive however. Here's some instructions for doing that:
Give the GPO time to replicate and apply (
gpupdate /force
can help here if you're in a hurry) and you should now find that users can't create files in the root of the c drive. They should only really have permission to their own folder inside \users at this point.