Preventing Sophos services from being disabled by domain users

Hi All,

Good to see there is finally a forum to post ideas and questions out to end users!

I have a question that I hope someone can answer...

I'm looking at rolling out EndPoint 9 to the company and we are going to start using the Sophos Firewall etc.

I wanted to know if there was a way to stop end users disabling or stopping Sophos Windows services to prevent them from navigating around the device control/firewall etc...

I realise this is a Windows question more than Sophos and have looked at GPO security settings but cannot get these to work with DENY permissions. It also seems that when I configure any rules on these services in GPO, the Sophos AntiVirus service doesn't start up.

Just wondered if there was a way of doing this in Sophos based on the sub estate/roles or anything else...

Thanks!

Dann

  • Thanks for your reply Laurent! :) This could get confusing...! 

    Yeah, we don't let users (bar the IT dept) have local admin but they do have local power user rights (requested by many people across the company). If I'm right, I still think you can stop and start services as a power user...or is this not the case? (I'm going to test this now).

    Interesting that you mention what's possible via Sophos...so using groups in AD and Sophos....is there any documentation on this as I'm pretty sure that's what I'm trying now?!

    The groups set up in Sophos are default apart from me adding in Domain Admins to the Sophos admin groups and roles.

    At the moment if I set the Sophos anti-virus service to be "automatic" but only for local system, interactive and domain admins (all with full rights) ...it doesn't start on startup even if I log in as a domain admin....

    Checked GPO results wizard and there are no errors or permissions problems and it's being applied fine. Seems like a GPO/AD issue but just wondered if there was a way you knew of that I could try... (i.e. via AD groups and Sophos groups)

    Thanks!

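Added example, not part of the original posts and not Sophos code: one way to check which groups a service's DACL lets stop or reconfigure it, by decoding the SDDL string that `sc sdshow <service>` prints. The sample SDDL strings and the `TRUSTED` set are constructed assumptions; the real string has to be read from the endpoint being audited.

```python
import re

# SDDL right codes as they apply to Windows service objects
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let a trustee stop, reconfigure or re-permission the service
TAMPER = {"STOP", "PAUSE_CONTINUE", "CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Assumption: only SYSTEM, local Administrators and Domain Admins may control it
TRUSTED = {"SY", "BA", "DA"}

# Constructed samples: Power Users (PU) may start/stop in the first, not in the second
SAMPLE_LOOSE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
SAMPLE_TIGHT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;CCLCSWLOCRRC;;;IU)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights_set)] for the DACL part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            raise ValueError("hex access masks are not decoded in this example")
        if rights == "GA":  # GENERIC_ALL: every service right
            names = set(SERVICE_RIGHTS.values())
        else:
            names = {SERVICE_RIGHTS[c] for c in re.findall("..", rights) if c in SERVICE_RIGHTS}
        aces.append((ace_type, trustee, names))
    return aces

def audit(sddl):
    """Report allow ACEs that give untrusted trustees tamper rights, deny ACEs,
    and whether SYSTEM still holds an allow ACE for START."""
    aces = parse_dacl(sddl)
    risky = {t: sorted(r & TAMPER) for k, t, r in aces
             if k == "A" and t not in TRUSTED and r & TAMPER}
    deny = {t: sorted(r) for k, t, r in aces if k == "D"}
    system_can_start = any(k == "A" and t == "SY" and "START" in r for k, t, r in aces)
    return {"risky_allow": risky, "deny": deny, "system_can_start": system_can_start}
```

A deny ACE applies to every member of the named group, so a deny on `IU` (INTERACTIVE) also covers an administrator who is logged on interactively.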