Protecting remote \\machine\C$ with UAC

Steve Cook 1 Reputation point
2020-12-04T18:26:57.197+00:00

I am trying to implement UAC prompts for domain authenticated admins for both local and remote access.

We have DUO Security to protect UAC prompts on target machines with MFA. Works a treat for each UAC prompt.

I have enabled the below which prompts for username/password regardless of who is logged in (admin or user).

ConsentPromptBehaviorAdmin

The only issue I have come across is that there is no UAC when connecting remotely through to \\machine01\c$ or \\machine01\admin$. The closest I have gotten is reversing this: How to disable UAC remote restrictions
However, the critical note says that:

A user who has a domain user account logs on remotely to a Windows Vista computer. And, the domain user is a member of the Administrators group. In this case, the domain user will run with a full administrator access token on the remote computer, and UAC won't be in effect.

The reason I am looking into this is to increase security on my estate without hobbling the service my staff provide. The impact of COVID has meant that our support staff have shrunk but our responsibility has increased. I'm almost there but I need to prevent lateral movement if a support staff's account is compromised. A small risk but a significant one.
DUO UAC MFA means 1 extra step for them to provide the support needed. LAPS was suggested but it increases the time spent for a task significantly.

I would settle for the admin shares being blocked across the network by targeting the denial of access for those specific admins IF that was all it does.

Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2020-12-05T00:09:51.44+00:00

    Hi,

    There are many options to control who can access the server remotely.
    You can use GPO to specify only the allowed users and groups to access a shared folder hosted on this server: Computer settings \ Windows settings \ security settings \ local policy \ user rights \ allow user to access through network

    You can also use a registry key to disable the administrative share by creating a new registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    # Create a new registry entry with the following settings:
    Name: AutoShareServer
    Type: REG_DWORD 
    Value: 0
    

    Once done, you have to reboot the server and the \\machine\c$ will be disabled.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.
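
A read-only audit of the settings discussed in this thread, as an added example that is not part of the original posts. It assumes an elevated PowerShell session on the target machine; the function name `Get-AdminShareExposure` is hypothetical, `AutoShareWks` is the workstation counterpart of `AutoShareServer`, and `LocalAccountTokenFilterPolicy` is the value set by the "How to disable UAC remote restrictions" article.

```powershell
# Added example: reports the UAC, admin-share and network-logon settings from
# this thread. It changes nothing. An empty field means "not configured".
function Get-AdminShareExposure {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $uac = Get-ItemProperty -Path $uacKey
    $srv = Get-ItemProperty -Path $srvKey

    # Export only the user-rights section of the local security policy.
    # The file lists each right as "SeXxxRight = *SID,*SID,..." (or account names).
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2] }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # Administrative shares that exist right now (C$, D$, ..., ADMIN$).
    $adminShares = Get-SmbShare -Special $true |
        Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        # 0 means UAC is off entirely, so the prompt settings below have no effect.
        EnableLUA                     = $uac.EnableLUA
        # 1 = prompt for credentials on the secure desktop, 3 = prompt for credentials.
        ConsentPromptBehaviorAdmin    = $uac.ConsentPromptBehaviorAdmin
        # 1 = remote UAC filtering disabled for local accounts. Domain accounts in
        # Administrators get a full token remotely regardless (the note quoted above).
        LocalAccountTokenFilterPolicy = $uac.LocalAccountTokenFilterPolicy
        # 0 = the shares are not re-created automatically after the next reboot.
        AutoShareServer               = $srv.AutoShareServer
        AutoShareWks                  = $srv.AutoShareWks
        AdminSharesPresent            = $adminShares.Name -join ','
        # Who may / may not reach the machine over the network (SMB included).
        AllowNetworkLogon             = $rights['SeNetworkLogonRight']
        DenyNetworkLogon              = $rights['SeDenyNetworkLogonRight']
    }
}

Get-AdminShareExposure | Format-List
```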


  2. Steve Cook 1 Reputation point
    2020-12-07T07:55:28.877+00:00

    Back at work, will test and see if this is what I am after.
