IPC$ Authentication to Windows NT Servers

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

It is dangerous to work logged on as administrator constantly. Yeah, yeah, I know. I have argued long and loud against any attempt to restrict my admin access. But let's get real. It's dangerous. Accidents happen. Besides, what if I am careless and leave my workstation unprotected while I am signed on with admin privileges? In my case, I have admin rights on 20+ resource domains. I work in a couple constantly, and in the others less frequently. Talk about Pandora's box. To protect against such an incident, I log onto my PC and to the domain as a normal user. I read my mail and web surf using my normal user account. When I need to run User Manager or Server Manager or move files requiring admin access, I open a command shell and gain admin access to that box and only that box using IPC$ admin authentication. For example, I need to add a user to the account domain. To gain admin access to the account domain, I type:

net use \\myaccdomPDC\IPC$ /user:myaccdom\myadminaccount myadminpw

When I finish the admin task of the moment, I type:

net use \\myaccdomPDC\IPC$ /d

which removes my admin access rights. With this mechanism I promote my access to admin, get the job done, then remove the admin-level access rights. When I am working at the admin level, I can pay the appropriate level of attention. It's difficult to do that if one works all day with that level of access. It's a bit of a hassle, but with significant safety built in.

I have scripts to gain access or remove access to the servers I normally work on. If I have already accessed a particular server as a user, there may be a user-level IPC$ connection which will cause a credentials collision. Eliminate the user-level connection with net use \\machine\ipc$ /d . Occasionally I have to log off as a user and log back in as an admin (probably a couple of times a week). In any case, I drastically reduce the chance of accidentally doing damage by doing all my work as an admin account. This method makes me think about the level of access. I can also remove the IPC$ connection when I am through and not be so concerned if I leave the workstation temporarily unsecured. After all, my logon only has normal user access at that time.
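
One way to write the connect/disconnect script mentioned above, as an added example rather than the author's own script. The file name ipcadmin.cmd and its up/down arguments are assumptions; it passes * in place of the password so that net use prompts for it, which keeps the password out of the script file and off the command line.

```batch
@echo off
rem Added example, not the author's script.
rem Usage (ipcadmin.cmd is a placeholder name):
rem   ipcadmin.cmd up   SERVER DOMAIN\ACCOUNT   open an admin IPC$ session
rem   ipcadmin.cmd down SERVER                  remove it again
setlocal
if "%~2"=="" goto usage
set "TARGET=\\%~2\IPC$"

if /i "%~1"=="up" goto up
if /i "%~1"=="down" goto down
goto usage

:up
if "%~3"=="" goto usage
rem Drop any existing user-level IPC$ session first; otherwise the
rem new credentials collide with the ones already in use.
net use "%TARGET%" /delete >nul 2>&1
rem "*" makes net use prompt for the password instead of reading it
rem from the command line.
net use "%TARGET%" /user:%~3 *
if errorlevel 1 (
  echo Could not open an admin session to %TARGET%
  exit /b 1
)
echo Admin session open to %TARGET%. Run "%~nx0 down %~2" when finished.
exit /b 0

:down
net use "%TARGET%" /delete
set "RC=%errorlevel%"
rem List the remaining connections so a forgotten admin session is visible.
net use
exit /b %RC%

:usage
echo Usage: %~nx0 up SERVER DOMAIN\ACCOUNT
echo        %~nx0 down SERVER
exit /b 2
```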

This is a good way to avoid performing routine non-admin tasks, such as web surfing and reading email, with too many privileges.
