Sophos and Local Security Groups

Hey,

I have been looking at the Local Security Groups created by Sophos.

I have read the descriptions and I think I am clear on what each group allows its members to do. However, I am not entirely sure of what role they play in the overall functionality of the Sophos software itself.

I have been searching for some documentation on exactly how these groups are used and what the difference is between the Domain accounts and the Local accounts, but I have been unsuccessful.

I was wondering if anyone knows of a document that explains them?

I was wondering how they are populated? Are they populated automatically? I think they are, because on almost all our machines the user that uses the PC is in SophosAdministrators.

Do these groups play a role in the ability for viruses to be cleaned off the system? Let's say a "Cleanup" was issued from the SEC: do these groups have to be populated by specific users in order for the "Cleanup" to be successful?

I want to make sure they are being used properly. We are not experiencing any issues, but I want to make sure I'm understanding their functionality and role correctly!

Thank you, 

:17213


  • Hi,

    http://community.sophos.com/t5/Sophos-Endpoint-Security-and/Customizing-the-SophosUser-SophosPowerUser-and-SophosAdmin/td-p/5387

    is worth a look first.

    Essentially they do to some extent control who can access the SAV GUI, i.e. who can run SAVMain.exe, but their primary use is to control which users can do what in SAV once they've launched the interface, or what the service will do on the user's behalf.  The file machine.xml has the SID values of these 3 Sophos groups as a way of mapping the friendly names to the actual local groups.  So when you run SAVMain.exe, in effect it asks the savservice: is this user a member of one of these groups (identified by the SID), and if so, what level of access does this user have?  The GUI then greys out settings accordingly, for example.

    If you look in the Quarantine Manager on the endpoint there is a link to "Configure user rights for Quarantine manager" (you can also get to it from the Configure option in SAV).  This table shows you what members of each of the Sophos groups can do.  Note: these mappings cannot be controlled centrally.

    As for how the groups are set up: at install of SAV the 3 local Sophos user groups are created (I'm ignoring the on-access group as it's used internally and not something we need to touch).  You can see in the SAV custom action log file:

    2011-09-28 21:18:27 CreateUserGroups: Action started
    2011-09-28 21:18:27 CreateUserGroups: Local name of well-known group Administrators is Administrators
    2011-09-28 21:18:27 CreateUserGroups: Local name of well-known group PowerUsers is Power Users
    2011-09-28 21:18:27 CreateUserGroups: Local name of well-known group Users is Users
    2011-09-28 21:18:29 CreateUserGroups: Action succeeded

    So in effect at install time, the 3 Sophos groups are created and then:

    The members of the local "Administrators" group are added to "SophosAdministrator".  So is SYSTEM, so that the Management Agent, which runs as local system, can configure SAV.

    The members of the local "Power Users" group are added to "SophosPowerUser".

    The members of the local "Users" group are added to "SophosUser".

    The Windows groups and Sophos groups aren't continually synced, however; so, as an example, if after install you create a new user, you would need to manually add it to the Sophos group of choice.  Even if the new user is a member of "Administrators", he would still need to be added.  This is because you can't add a local group to a local group.  Ideally I suppose you would want to add the Administrators group to SophosAdministrator so any new administrator is automatically a Sophos Administrator, but this is not possible with local groups.

    There are also the domain groups which the installer will look for:

    SophosDomainAdministrators
    SophosDomainPowerUser
    SophosDomainUser

    These groups aren't created by default (see the other post for when they might be created), but if these domain groups exist they will also be added to the Sophos local groups.  This can be seen taking place in these lines in the log:

    2011-09-28 21:18:29 AddDomainGroups: Action started
    2011-09-28 21:18:29 AddDomainGroups: Action succeeded

    So these domain groups might give you further flexibility centrally, but ideally they should be created before installing the endpoints.

    I hope this helps.

    Regards,

    Jak

    :17219
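Because the Sophos groups are only seeded from the Windows groups at install time and never re-synced, membership drifts as accounts are added later. The script below is an added example (not Sophos code and not from the thread) that audits a single endpoint for that drift using the mapping Jak describes; it assumes the LocalAccounts module (Windows PowerShell 5.1 or later on Windows 10 / Server 2016 and up) and the group names exactly as given in the reply.

```powershell
# Install-time mapping from the reply: Windows group -> Sophos local group.
$Mapping = @{
    'Administrators' = 'SophosAdministrator'
    'Power Users'    = 'SophosPowerUser'
    'Users'          = 'SophosUser'
}
$SystemSid = 'S-1-5-18'   # SYSTEM is deliberately a member of SophosAdministrator

function Get-MemberSidSet {
    param([string]$Group)
    # Returns member SIDs as strings, or $null when the group does not exist.
    try {
        @((Get-LocalGroupMember -Group $Group -ErrorAction Stop).SID.Value)
    } catch [Microsoft.PowerShell.Commands.GroupNotFoundException] {
        $null
    }
}

function Resolve-SidName {
    param([string]$Sid)
    # Friendly name for reporting; falls back to the raw SID for orphaned accounts.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Test-SophosGroupDrift {
    foreach ($win in $Mapping.Keys) {
        $sophos        = $Mapping[$win]
        $winMembers    = Get-MemberSidSet $win
        $sophosMembers = Get-MemberSidSet $sophos
        if ($null -eq $sophosMembers) {
            Write-Warning "$sophos is missing; SAV groups were not created on this host"
            continue
        }
        # Accounts added to the Windows group after install: no SAV rights yet.
        foreach ($sid in ($winMembers | Where-Object { $_ -notin $sophosMembers })) {
            [pscustomobject]@{ Finding = 'MissingFromSophosGroup'; Account = (Resolve-SidName $sid)
                               WindowsGroup = $win; SophosGroup = $sophos }
        }
        # Accounts holding SAV rights without the matching Windows role: review these.
        foreach ($sid in ($sophosMembers | Where-Object { $_ -notin $winMembers -and $_ -ne $SystemSid })) {
            [pscustomobject]@{ Finding = 'ExtraInSophosGroup'; Account = (Resolve-SidName $sid)
                               WindowsGroup = $win; SophosGroup = $sophos }
        }
    }
}

Test-SophosGroupDrift | Format-Table -AutoSize
```

Run it elevated on an endpoint; an empty table means the groups still match the install-time seeding described above.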
  • @jak

    Well I obviously didn't search hard enough!

    Thank you for your detailed response as well as the links you provided!

    Definitely has helped me better understand the role of these groups.

    I was wondering. Let's say, hypothetically, these groups were not populated at installation of SAV.

    The software is pushed down from SEC and everything is functioning normally.

    The computer in question is then hit by a virus which appears on the SEC. Can an administrator still push a remote cleanup down from the SEC to the SAV with these groups not being populated correctly?

    Since these groups only govern what the users can do in the SAV GUI locally, it should not affect the control done using the SEC. Is this correct?

    Thank you 

    :17257
  • Glad it helped to clarify a few things.  Tasks pushed down by SEC run as local system.

    You will notice for example, that if you perform a scan from SEC this will run under the local system context.  In this example you can see the task in the endpoint GUI running as local system.  Same with scheduled scans, these "Enterprise scans" also run as system.

    Regards

    Jak

    :17271