Preventing Sophos services from being disabled by domain users

Hi All,

Good to see there is finally a forum to post ideas and questions out to end users!

I have a question that I hope someone can answer...

I'm looking at rolling out EndPoint 9 to the company and we are going to start using the Sophos Firewall etc.

I wanted to know if there was a way to stop end users disabling or stopping Sophos Windows services to prevent them from navigating around the device control/firewall etc...

I realise this is a Windows question more than Sophos and have looked at GPO security settings but cannot get these to work with DENY permissions. It also seems that when I configure any rules in these services in GPO, Sophos AntiVirus service doesn't start up.

Just wondered if there was a way of doing this in Sophos based on the sub estate/roles or anything else...

Thanks!

Dann

  • Hello Dann-PLC,

    As you said, this is more a Windows question, and yes, AD is definitely the proper way to achieve this.

    I suppose in your question that your users have local admin rights if they can stop the service, which is definitely not a good practice of safe computing.

    Prior to trying to restrict access to Windows services, I would recommend investigating whether your users really need admin rights on their enterprise desktop/laptop, and you must realize that if a user has admin rights on the computer, he has any permission that allows him to break everything on the computer. You can find more information about safe computing on this page: http://www.sophos.com/security/best-practice/10-tips.html

    That said, you can restrict access to the Sophos Endpoint Security & Control installation on the local computer using GPO. The idea is to restrict access to services and files to a Sophos Security group in AD. You also need to enforce access to the SophosAdministrators group on the local client.

    In order to allow the service to start, you also need to leave other accounts' permissions on the service, such as LocalSystem.

    Laurent.

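To check what a GPO-applied service ACL actually grants, the sketch below (an added example, not part of the thread and not Sophos code) parses an SDDL string of the kind `sc.exe sdshow <service>` prints and reports which trustees can stop or reconfigure the service and whether LocalSystem kept its start right. The sample SDDL strings and the group SID are constructed placeholders.

```python
import re

# SDDL right codes as they apply to Windows service objects.
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE"}
# Rights that let the holder stop, reconfigure, delete or re-ACL the service.
TAMPER = {"STOP", "PAUSE_CONTINUE", "CHANGE_CONFIG", "DELETE", "WRITE_DAC",
          "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE", "GENERIC_EXECUTE"}
ACE = re.compile(r"\(([AD]);[^;]*;([A-Z]*);[^;]*;[^;]*;([^;)]+)\)")

def parse_dacl(sddl):
    """Map trustee -> {'A': allowed rights, 'D': denied rights} from the D: part.
    Assumes rights are two-letter codes, the form sc.exe sdshow prints."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    acl = {}
    for ace_type, rights, trustee in ACE.findall(dacl):
        names = {RIGHTS.get(code, code) for code in re.findall("..", rights)}
        acl.setdefault(trustee, {"A": set(), "D": set()})[ace_type] |= names
    return acl

def audit(sddl, trusted=("SY", "BA")):
    """List trustees outside `trusted` that can tamper, and check SY can start.
    Simplification: evaluated per trustee; group membership is not resolved."""
    acl = parse_dacl(sddl)
    findings = []
    for trustee, ace in sorted(acl.items()):
        risky = sorted((ace["A"] - ace["D"]) & TAMPER)
        if risky and trustee not in trusted:
            findings.append(f"{trustee} can tamper: {', '.join(risky)}")
    sy = acl.get("SY", {"A": set(), "D": set()})
    if "START" not in sy["A"] - sy["D"]:
        findings.append("SY (LocalSystem) has no START right")
    return findings

# Constructed samples. SOPHOS_GROUP is a placeholder SID, not a real group.
SOPHOS_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
READ_ONLY, FULL = "CCLCSWLOCRRC", "CCDCLCSWRPWPDTLOCRSDRCWDWO"
LOOSE = f"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;{FULL};;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
NO_SYSTEM = f"D:(A;;{FULL};;;{SOPHOS_GROUP})(A;;{READ_ONLY};;;IU)"
HARDENED = (f"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;{FULL};;;BA)"
            f"(A;;{FULL};;;{SOPHOS_GROUP})(A;;{READ_ONLY};;;IU)S:(AU;FA;{FULL};;;WD)")

if __name__ == "__main__":
    for name, sddl in (("LOOSE", LOOSE), ("NO_SYSTEM", NO_SYSTEM), ("HARDENED", HARDENED)):
        print(name, audit(sddl, trusted=("SY", "BA", SOPHOS_GROUP)) or "ok")
```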