none
Prevent Access to PCs through the Network RRS feed

  • Question

  • We have an organization which allows our field service technicians full control over our users' PC so they can do repairs. This permission is granted by membership in a domain security group placed in the PC's local administrators group. 

    We are concerned about field service technicians attempting to gain access to a user's hard drive using the UNC path \\<pcname>\c$ and stealing data.  Is there a way to allow the technician to have full control over the PC when they are logging in locally while preventing them from accessing the PC via the network?

    What would you advise?

    Thanks

    Friday, July 15, 2016 9:18 PM

Answers

All replies

  • You really need to be able to trust you IT admins or the support organisation you have supporting that role. If that is a concern then I would suggest discussing it with them.

    Local Administrator Password Solution (LAPS) may offer someway to control the admin account and passwords, and not giving the organisation access to that but then them getting the access of you when required may do what you require.

    Sunday, July 17, 2016 9:52 PM
  • Hi 10890lrl,

    In addition, I suggest that we could check the link below about how to deny access to this computer from the network.

    https://technet.microsoft.com/en-us/library/dn221954(v=ws.11).aspx

    Hope it will be helpful to you


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, July 18, 2016 9:33 AM
    Moderator
  • Thanks. Unfortunately we often have to hire temporary contractors to fill vacancies. These temporary workers aren't vetted with background checks. This situation creates a security vulnerability.

    I would like to prevent a temporary field service technician from having access to sensitive data on a manager's laptop via the network.

    Thanks

    Monday, July 18, 2016 3:51 PM
  • This is a good article. Does your organization make use of this setting?

    Do you see any downside to enabling the SeDenyNetworkLogonRight for a selected security group?

    Thanks

    Monday, July 18, 2016 3:57 PM
  • Hi 10890lrl,

    Thank you for the update on the issue. Due to the work constraints, we don’t have the GP setting. We could try use the LAPS to manage the local account password of domain joined computers or you could prevent the hire temporary contractors access to this computer from the network by GP.

    For the sensitive data on a manager's laptop, I suggest that we could try use access control to restrict

    https://technet.microsoft.com/en-us/library/jj852279(v=ws.11).aspx

    Hope it will be helpful to you


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, July 20, 2016 8:50 AM
    Moderator