c$ access to localhost as a standard user
Hi everyone, We have found that even our non-privileged standard users can access the c$ share when accessing via localhost, e.g. \\127.0.0.1\c$. When accessing a remote PC the users are blocked correctly. Are standard users supposed to be able to access the c$ share in this way? I have checked the Local Administrators group for our computers and there are no memberships which would include our normal domain users. We would like to prevent access to the C drive by our standard users; to this end the C drive is hidden and blocked in GPO. This localhost workaround prevents us from effectively locking down local workstations. Thanks in advance, Ben
May 24th, 2012 12:58am

This is an administrative share that is accessible remotely by administrators only. However, C: of the local share is accessible by default by a user that has local access permission. Do not overwrite default settings.
May 24th, 2012 12:16pm

Hi Milos, Thanks for the response. Does this mean that there is no way of preventing access to the C drive for local standard users apart from disabling the c$ share altogether? We have looked at disabling c$ and creating our own administrative share for PCs but it seems that we cannot create a security-restricted share via GPO. If we created the share via GPO it would be open to all users on the network with NTFS access (i.e. all domain users). Can you think of another way to do this?
May 24th, 2012 7:52pm

Hi, To hide the C partition, so the domain users will not access the C drive, you may try to set up the permissions on the security option of the C drive to prevent the local standard users from accessing it. If you want to prevent some user account from accessing the C drive, you may set up the permission on the security option whether it is a domain user or a local one. Here is an article that can be referred to: Using Group Policy Objects to hide specified drives http://support.microsoft.com/kb/231289
Ivan-Liu, TechNet Community Support
May 25th, 2012 11:59pm

1. From the practical point of view it suffices to DENY creation of folders from the root only.
2. There is another possibility for how to effectively guard the content of drives, namely AUDITING and written RULES that are CONFIRMED by the security manager (or any higher manager).
3. Pair these measures with a lockdown group policy that allows for specific applications. Change this to enabled and specify applications.
Regards, Milos
May 26th, 2012 11:12am
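
A read-only check of the root-folder permissions discussed in the reply above (added example, not part of the thread; `Get-RootCreateAce` is a hypothetical helper name). It lists the ACEs on the drive root that let principals other than Administrators or SYSTEM create folders or files there, which is the access Milos suggests denying, so the current state is known before any NTFS change is attempted.

```powershell
# Added example: read-only report of who may create files or folders in a drive root.
# Get-RootCreateAce is a hypothetical helper name, not a built-in cmdlet.
function Get-RootCreateAce {
    param(
        # Drive root to inspect; defaults to the system drive, e.g. C:\
        [string]$Path = "$env:SystemDrive\"
    )

    $rights      = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Well-known SIDs that are expected to hold write access to the root.
    $expected = @(
        'S-1-5-32-544',  # BUILTIN\Administrators
        'S-1-5-18'       # NT AUTHORITY\SYSTEM
    )

    $acl = Get-Acl -Path $Path
    # Ask for SIDs rather than names so the check also works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        # Inherit-only ACEs apply to children, not to the root folder itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        $canCreateDir  = [bool]($ace.FileSystemRights -band $rights::CreateDirectories)
        $canCreateFile = [bool]($ace.FileSystemRights -band $rights::CreateFiles)
        if (-not ($canCreateDir -or $canCreateFile)) { continue }

        # Translate the SID back to a name for the report; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }

        New-Object PSObject -Property @{
            Identity      = $name
            Type          = $ace.AccessControlType   # Allow or Deny
            CreateFolders = $canCreateDir
            CreateFiles   = $canCreateFile
            Inherited     = $ace.IsInherited
        }
    }
}

Get-RootCreateAce | Format-Table Identity, Type, CreateFolders, CreateFiles, Inherited -AutoSize
```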

Okay, thanks to both of you for your help. It sounds like this is a limitation of Windows and there is no true way to prevent access to the local C drive. Unfortunately in our environment creating an application whitelist is not feasible, and the administrative overhead of audit tracking for every PC would be too much. The C drive is already hidden via GPO but we don't want to rely on security by obscurity. Perhaps we can experiment with alterations to the NTFS permissions on local C drives but that may cause more problems than it solves. Nevertheless thanks for the suggestions. Regards, Ben
May 27th, 2012 7:53pm

This topic is archived. No further replies will be accepted.
