1 Reply Latest reply on Jun 2, 2017 4:28 PM by pvdven

    Use Dameware without opening up administrative shares

    pvdven

      Hi all,

       

      I am a security manager who is having a problem with Dameware, which I am not able to solve internally.

       

      The way we use Dameware is by having our servicedesk agents use a personal account which has direct access to the administrative share of all machines in the network. However, that means they can connect to each c: drive using \\remoteComputerName\C$. Given European privacy legislation, this is not something they should be able to do.

       

      However, when I raise the subject internally, I keep hearing that it is impossible to use Dameware without also giving away access to C$ to servicedesk agents. I hope this is not really the case, and that someone can point me in the right direction.

      Now, I do believe it is possible to use a generic service account to connect instead. We would then use SCCM to distribute a console in which agents cannot see the password of this account. Is that correct? But that would also mean that an end user cannot see who is connecting to his machine, right? Instead, they would see the generic account name, which would be something like Group_IT_Remote_Access?

       

      Or is there another, better, way of handling this?

       

      It should be noted that our CAD systems apparently require that agents log on with access to the Administrative share.

       

      I have attempted a few searches before asking the question. Apologies if it has been asked before.

      Thanks in advance for your response,

      Kind regards,

      Patrick

        • Re: Use Dameware without opening up administrative shares
          pvdven

          I really do hope somebody is willing to take a few minutes to answer my question. I would assume my question isn't out of this world. We like Dameware because it allows our servicedesk agents to completely support our users. At the same time, it forces us to open up 'underwater' access (i.e. without users' permission) to their machines through the C$ command. There must be a way we can do this better, isn't there?