IPC$ Authenication to Windows NT Servers
It is dangerous to work logged on as administrator constantly. Yeah, yeah, I
know. I have argued long and loud against any attempt to restrict my admin
access. But lets get real. Its dangerous. Accidents happen. Besides if I am
careless and leave my workstation unprotected and I am signed on with admin
privileges : in my case, I have admin rights on 20+ resource domains. I work in
a couple constantly, and in the others less frequently. Talk about Pandora's
box. To protect against such an incident, I log onto my PC and to the domain as
a normal user. I read my mail and web surf using my normal user account. When I
need to run User Manager or Server Manager or move files requiring admin access,
I open a command-shell and gain admin access to that box and only that box using
ipc$ admin authenication. For example, I need to add a user to the account
domain. To gain admin access to the account domain, I type:
net use \\myaccdomPDC\IPC$ /user:myaccdom\myadminaccount
When I finish the admin task of the moment, I type:
net use \\myaccdomPDC\IPC$ /d
which removed my admin access rights. With this mechanism I promote my access
to admin, get the job done, then remove the admin-level access rights. When I am
working at the admin level, I can pay the appropriate level of attention. Its
difficult to do that if one works all day with that level of access. Its a bit
of a hassle, but with significant safety builtin.
I have scripts to gain access or remove access to the servers I normally work
on. If I have already accessed a particular server as a user, there may be a
user-level IPC$ connection which will cause a credentials collision. Eliminiate
the user-level connect by net use \\machine\ipc$ /d . Occasionally I have
to logoff as a user and log back in as an admin (probably couple times a week).
In any case, I drastically reduce the chance of accidently doing damage by doing
all my work as an admin account. This method makes me think about the level of
access. I also can remove the IPC$ connection when I am through and not be so
concerned if I leave the workstation temporarily unsecured. After all, my logon
only has normal user access at that time.
This is a good way to avoid performing routine non-admin tasks such as web
surfing, browsing email with too many privileges.