Windows: disable remote access of local drive, even by domain admin

Tags: privacy, security, unc, windows, windows 7

We have a network of Windows 7 PCs that are managed as part of a domain. What we want is for the domain admin to be unable to view the PC's local drive (C:) unless he is physically at the PC. In other words, no remote desktop and no ability to use UNC. In other words, the domain admin should not be allowed to put \\user_pc\c$ in Windows Explorer and see all the files on that computer, unless he is physically present at the PC itself.

Edit: to clarify some of the questions/comments that have come up. Yes, I am an admin—but a complete Windows novice. And yes, for the sake of this and my similar questions, it is fair to assume that I am working for someone who is paranoid.

I understand the arguments about this being a "social problem versus a technical problem", and "you should be able to trust your admins", etc. But this is the situation in which I find myself. I'm basically new to Windows system administration, but am tasked with creating an environment that is secure by the company owner's definition—and this definition is clearly very different from what most people expect.

In short, I understand that this is an unusual request. But I'm hoping there is enough expertise in the ServerFault community to point me in the right direction.

Best Answer

This post, from the Technet forums, by Yan Li explains it easily enough:

Only the Administrators group has access to the administrative shares, please go to the Administrators group and remove the desired users and groups that you do not want to have access to the administrative shares.

For multiple client PCs, you could, on one of the machines, disable them as stated below, export the registry key and then import it in a GPO.

Disable the default shares:

Windows opens hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways.

One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted.

The other way is via the Registry by editing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For servers, edit AutoShareServer with a REG_DWORD value of 0. For workstations, edit AutoShareWks. Keep in mind that disabling these shares provides an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:

Share: C$, D$, E$

Path and function: Root of each partition. Only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.

Still, it isn't good practice to do this. You are preventing access to things that should be accessible for a domain admin. It's akin to changing the locks on your apartment so your landlord can't get in.
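The registry route described in the answer above, as an added PowerShell example that is not part of the original answer or the quoted Technet post. The function names and the export file path are hypothetical; the script assumes an elevated prompt and PowerShell 2.0 as shipped with Windows 7, so it queries WMI rather than newer SMB cmdlets.

```powershell
# Added example: audit and disable the automatic administrative disk shares.
# Run elevated on one reference workstation, in a lab first.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-AdminDiskShare {
    # Win32_Share.Type 2147483648 (0x80000000) marks an administrative disk share
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 2147483648 } |
        Select-Object Name, Path
}

function Get-AutoShareState {
    # Report both value names from the answer: workstation and server
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.$name } else { '(not set)' }
        New-Object PSObject -Property @{ Name = $name; Value = $value }
    }
}

function Disable-AutoShare {
    param([string]$ValueName = 'AutoShareWks')
    # REG_DWORD 0, as given in the answer; -Force overwrites an existing value
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Export-ShareParameters {
    # Hypothetical output path; the .reg file is what gets imported into the GPO
    param([string]$File = "$env:TEMP\LanManServer-Parameters.reg")
    & reg.exe export $regKey $File /y | Out-Null
    $File
}

'Before:' | Out-Host
Get-AutoShareState | Out-Host
Get-AdminDiskShare | Out-Host

Disable-AutoShare -ValueName 'AutoShareWks'   # use AutoShareServer on servers
"Exported to: $(Export-ShareParameters)" | Out-Host

# Shares that already exist stay until the Server service restarts or the PC reboots
Restart-Service -Name LanmanServer -Force

'After:' | Out-Host
Get-AdminDiskShare | Out-Host
```

If the "After" listing still shows C$ or other drive shares, check that the value was written as a DWORD and that the Server service actually restarted.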