Security issue

We have a network of good size and everybody is a local admin on thier PC's.
Problem is if you do a \\ computer name\c$ anybody can access others PC'S.
What would be a good security workaround to stop this.

Turn off the Administrative shares

Click Start, Run and enter REGEDIT Go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\lanmanserver\paramet=
ers

In the right pane locate the values AutoShareServer and AutoShareWks. =
If it exists, double click each of these values and set it to 0. If =
either of the values doesn't exist, right click in a blank area of the =
right pane, select New, DWord value and name the value AutoShareWks or =
AutoShareServer as appropriate. Leave the new value at 0.

Note: Only user with an Administrator level account can access the $ =
shares.

Additionally, to ease this process, you can copy and paste the following =
into a Notepad file. Save the file with an REG extension. Then just =
copy it to a floppy, take it to each machine that needs the patch and =
double click the REG file. Answer Yes to the import prompt.

------- Copy below this line -----------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\lanmanserver\parame=
ters]
"AutoShareWks"=3Ddword:00000000
"AutoShareServer "=3Ddword:00000000

------- Copy above this line including the blank line =
----------------------------

Make sure that the HKEY_LOCAL_MACHINE line does not wrap......

--=20
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
=20
"brian07" wrote in message =
...
We have a network of good size and everybody is a local admin on =
thier PC's.
Problem is if you do a \\ computer name\c$ anybody can access others =
PC'S.
What would be a good security workaround to stop this.

Have you tried NTFS permissions ? If a group named GroupX has permission to
access the folder, then everybody in GroupX will have access to the folder.
If you want only certain people to have access, then remove NTFS permission
for GroupX, and give NTFS permission to a new group populated with only
those people who should have access.

P.S.
Apostrophe is only properly used with ownership (e.g. Mike's car) and when
combining a verb with is or not (e.g. it's or hasn't ). When s is used to
form a plural, it is never used with an apostrophe (e.g. bird's is not the
plural for bird). The plural of PC is PCs (with no apostrophe). "But
thousands of other people do it" is irrelevant.

"brian07" wrote in message
...
We have a network of good size and everybody is a local admin on thier
PC's.
Problem is if you do a \\ computer name\c$ anybody can access others PC'S.
What would be a good security workaround to stop this.

"JW" wrote in message
...
P.S.
Apostrophe is only properly used with ownership (e.g. Mike's car) and when
combining a verb with is or not (e.g. it's or hasn't ).

'Twas the night before Christmas . . .
Apostrophe is properly used with elision, when eliding
intial or final letters.

What you can and should consider, resolve this by
not having everyone using a admin account.

Given that you want them admins on their machines
then you need to look at how it is that they are made
admins.

Each person being local admin on their own machine
does not in and of itself grant any one of them any
access on any other machine (admin or even just user).

In other words, it is not _that_ they are local admins
which is your problem but it is _how_ they have been
made admin that is your issue.

Is this a domain ?
Then look for and remove such as Domain Users from
the Administrators group, or, do not make all accounts
Domain Admins members, etc.. Instead, make each user
account a member of Administrators on the one machine
that is their machine.

If this is not a domain, then do not define accounts
with the same name on machines where there should
be no access, or if this is done, do not make that account
a member of Administrators group on the other machine.

If you want in either case just control all remote access
by use of the user right to log on over the network on each
machine.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"brian07" wrote in message
...
We have a network of good size and everybody is a local admin on thier
PC's.
Problem is if you do a \\ computer name\c$ anybody can access others PC'S.
What would be a good security workaround to stop this.