Group Policy: Block access to \\localhost\C$

Solution 1:

You can disable the "Administrative share" from being created with GPP.

If you navigate to Computer Configuration / Preferences / Windows Settings / Network Shares, you’ll find this hidden gem. Right-click the Network Shares node to create a new share policy.

Source: http://sdmsoftware.com/group-policy-preferences/controlling-shares-on-windows-systems/

Would that solve your problem?

Solution 2:

I'd like to point out that Group Policies are just registry entries and depend on applications being programmed to read and obey them. If you really want to prevent local users from accessing the C: drive, you should set the permissions on the Security tab in its Properties dialog. This is separate from its sharing permissions. You could, for example, add a Deny permission (under Advanced) for your "Site user". (This is in addition to preventing them from accessing the C$ share, however you solve that issue.)

Solution 3:

@Zoredache How can I check and fix these permissions? Can you please submit an answer and I will try it.

Open the Administrators group on the local machine and see who the members of that group are. Check that the people who are accessing \\localhost\C$ are not members of any of the groups (or members of groups that are members of that group: Administrators <= GroupA <= GroupB <= User).

Once the user, group, or nested group that is a member of Administrators has been removed (via a change in the group policy settings or by hand), the users will no longer be able to access the \\localhost\C$ share.
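
The membership check from Solution 3 can be scripted. The following is an added example, not code from the original answers: it lists every account that ends up in the local Administrators group together with the nesting chain that puts it there. It assumes Windows PowerShell 5.1 or later, a single-domain environment, and the RSAT ActiveDirectory module for expanding domain groups; the function names are made up for this example.

```powershell
# Added example: report each path Administrators <= GroupA <= GroupB <= User.
# Assumes Get-LocalGroupMember (LocalAccounts module) and, for domain groups,
# Get-ADGroupMember (RSAT ActiveDirectory module). Function names are hypothetical.

function Get-LocalAdminPath {
    $haveAD = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    # Walk one domain group. $Seen holds the groups already on this chain so
    # that circular nesting in AD cannot cause endless recursion.
    function Expand-DomainGroup($Identity, $Chain, $Seen) {
        foreach ($m in Get-ADGroupMember -Identity $Identity) {
            $path = "$Chain <= $($m.SamAccountName)"
            if ($m.objectClass -eq 'group') {
                if ($Seen -notcontains $m.distinguishedName) {
                    Expand-DomainGroup $m.distinguishedName $path ($Seen + $m.distinguishedName)
                }
            } else {
                [pscustomobject]@{ Account = $m.SamAccountName; Path = $path }
            }
        }
    }

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the
    # SID instead of the name also works on localized Windows installations.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $path = "Administrators <= $($m.Name)"
        if ($m.ObjectClass -ne 'Group') {
            # Direct member (local or domain user).
            [pscustomobject]@{ Account = $m.Name; Path = $path }
        } elseif ($m.PrincipalSource -eq 'ActiveDirectory' -and $haveAD) {
            # Nested domain group: follow it down to the users.
            Expand-DomainGroup $m.SID.Value $path @()
        } else {
            # Group that cannot be expanded here (no AD module, or not an AD group).
            [pscustomobject]@{ Account = $m.Name; Path = "$path (not expanded)" }
        }
    }
}

Get-LocalAdminPath | Sort-Object Account | Format-Table -AutoSize
```

Any account in the output that should not reach \\localhost\C$ shows, in its Path column, which group membership has to be removed.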