Preventing Sophos services from being disabled by domain users

Hi All,

Good to see there is finally a forum to post ideas and questions to end users!

I have a question that I hope someone can answer...

I'm looking at rolling out Endpoint 9 to the company, and we are going to start using the Sophos Firewall etc.

I wanted to know if there was a way to stop end users disabling or stopping Sophos Windows services, to prevent them from navigating around the device control/firewall etc...

I realise this is a Windows question more than a Sophos one, and I have looked at GPO security settings but cannot get these to work with DENY permissions. It also seems that when I configure any rules for these services in GPO, the Sophos AntiVirus service doesn't start up.

Just wondered if there was a way of doing this in Sophos based on the sub estate/roles or anything else...

Thanks!

Dann

  • Well, even IT staff shouldn't get permanent admin rights, but should instead have a regular account, and switch to admin mode only when required ... :smileywink:

    Power users don't have the right to interact with the services; you're safe with that.

    What I mentioned about AD only applies to sensitive profiles who (unfortunately) have true administration privileges on the local machine, and who in this case have the right to start/stop services.

    Prior to explaining how to do that, I must enforce the following:

    This is NOT to be done straight in a production environment, since it's a global configuration that, in case of mistake, will apply to all computers within the domain. I strongly recommend testing this on a real test setup: separate network, separate domain.

    Alternatively, Sophos Professional Services or a trusted Sophos Partner can help in doing the following.

    That said, and once you understand it completely, here is the how-to:

    1. Create a new security group in the domain, manageable by the IT Security team only. Alternatively you could use the Domain Admins group, which is supposed to be restricted enough.

    2. Open Group Policy Object Editor.

    3. Restrict access to the relevant service(s) to your newly created security group under "Computer Configuration", "Windows Settings", "Security Settings", "System Services".

    4. Restrict access to the relevant filesystem part(s) to your newly created security group under "Computer Configuration", "Windows Settings", "Security Settings", "File System".

    For 3. and 4., you must leave system parameters unchanged (e.g. System Account, Interactive, etc.)

    Regards,

    Laurent.

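A check to go with steps 3 and 4 above, added here as an example and not part of the thread or of any Sophos tooling: after the GPO change has applied to a test machine, this script reads each service's security descriptor and lists every principal that still holds a control right (start, stop, pause, delete, or change the ACL). It assumes the Sophos services can be matched by the display name pattern `Sophos*` and that you put your own security group's SID into `$ApprovedSids`; both are assumptions, not facts from the thread. Principals such as Interactive normally hold only query rights and so will not be listed, which is consistent with the advice to leave those system entries unchanged.

```powershell
# Added example (not from the thread): audit who can start/stop/pause or re-ACL the
# Sophos services on this machine, to confirm the GPO "System Services" restriction applied.
param(
    # Assumption: Sophos services are found by display name; adjust if your names differ.
    [string]   $ServiceDisplayPattern = 'Sophos*',
    # SIDs that are allowed to keep control rights. SYSTEM is always required;
    # add the SID of the security group created in step 1 (placeholder below).
    [string[]] $ApprovedSids = @(
        'S-1-5-18'                       # NT AUTHORITY\SYSTEM
        # 'S-1-5-21-<domain>-<rid>'      # placeholder: your IT Security group SID
    )
)

# Service-specific and standard access rights (values from winsvc.h / winnt.h)
$SERVICE_START          = 0x0010
$SERVICE_STOP           = 0x0020
$SERVICE_PAUSE_CONTINUE = 0x0040
$DELETE                 = 0x00010000
$WRITE_DAC              = 0x00040000
$WRITE_OWNER            = 0x00080000
$ControlMask = $SERVICE_START -bor $SERVICE_STOP -bor $SERVICE_PAUSE_CONTINUE -bor $DELETE -bor $WRITE_DAC -bor $WRITE_OWNER

function Get-ServiceControlGrants {
    param([Parameter(Mandatory)][string] $Name)

    # sc.exe sdshow prints the service's security descriptor in SDDL form.
    # 'sc' alone is the Set-Content alias in PowerShell, so the .exe must be named.
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "Could not read the security descriptor of service '$Name'" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow-ACEs that carry at least one control right are of interest
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $ControlMask) -eq 0) { continue }

        $sid = $ace.SecurityIdentifier
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }   # unresolvable SID (deleted group, untrusted domain)

        [pscustomobject]@{
            Service      = $Name
            Principal    = $account
            Sid          = $sid.Value
            CanStart     = [bool]($ace.AccessMask -band $SERVICE_START)
            CanStop      = [bool]($ace.AccessMask -band $SERVICE_STOP)
            CanPause     = [bool]($ace.AccessMask -band $SERVICE_PAUSE_CONTINUE)
            CanChangeAcl = [bool]($ace.AccessMask -band ($WRITE_DAC -bor $WRITE_OWNER -bor $DELETE))
            Approved     = ($ApprovedSids -contains $sid.Value)
        }
    }
}

# Collect one row per (service, principal) that still holds a control right
$report = Get-Service -DisplayName $ServiceDisplayPattern |
          ForEach-Object { Get-ServiceControlGrants -Name $_.Name }

$report | Format-Table Service, Principal, CanStart, CanStop, CanPause, CanChangeAcl, Approved -AutoSize

# Anything outside the approved list means the policy did not take effect, or the list is incomplete
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    $msg = '{0} ACE(s) grant service control to principals outside the approved list.' -f $unexpected.Count
    Write-Warning $msg
}
```

Run it in an elevated PowerShell session on the test machine before and after `gpupdate /force` and compare the two tables: after the change, only SYSTEM and your security group should show `CanStop` or `CanChangeAcl` as True, and a local Administrators entry that still has those rights means the GPO entry has not replaced the default descriptor. For step 4 the same comparison can be made on the install directory with `Get-Acl`, which reports file-system ACEs directly.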