Windows: disable remote access of local drive, even by domain admin
Posted
by
Matt
on Server Fault
See other posts from Server Fault
or by Matt
Published on 2013-04-19T15:15:46Z
Indexed on
2013/11/07
22:00 UTC
Read the original article
Hit count: 251
We have a network of Windows 7 PCs that are managed as part of a domain. What we want is for the domain admin to be unable to view the PC's local drive (C:) unless he is physically at the PC. In other words, no remote desktop and no ability to use UNC. In other words, the domain admin should not be allowed to put \\user_pc\c$
in Windows Explorer and see all the files on that computer, unless he is physically present at the PC itself.
Edit: to clarify some of the questions/comments that have come up. Yes, I am an admin---but a complete Windows novice. And yes, for the sake of this and my similar questions, it is fair to assume that I am working for someone who is paranoid.
I understand the arguments about this being a "social problem versus a technical problem", and "you should be able to trust your admins", etc. But this is the situation in which I find myself. I'm basically new to Windows system administration, but am tasked with creating an environment that is secure by the company owner's definition---and this definition is clearly very different from what most people expect.
In short, I understand that this is an unusual request. But I'm hoping there is enough expertise in the ServerFault community to point me in the right direction.
© Server Fault or respective owner