
Preventing Sophos services from being disabled by domain users

Hi All,

Good to see there is finally a forum to post ideas and questions out to end users!

I have a question that I hope someone can answer...

I'm looking at rolling out EndPoint 9 to the company and we are going to start using the Sophos Firewall etc.

I wanted to know if there was a way to stop end users disabling or stopping Sophos Windows services to prevent them from navigating around the device control/firewall etc...

I realise this is a Windows question more than Sophos and have looked at GPO security settings but cannot get these to work with DENY permissions. It also seems that when I configure any rules in these services in GPO, Sophos AntiVirus service doesn't start up.

Just wondered if there was a way of doing this in Sophos based on the sub estate/roles or anything else...

Thanks!

Dann

  • We managed to wrestle the power users rights from both domain users and non-domain "VIP" notebook users (that we were hit by an outbreak of Conficker did help a lot).

    From what you say I gather that you don't have the required backing from your management to enact the policies you deem necessary - and you are trying to "sneak in" a little bit more control. I recommend against it. Such a course of action could backfire any moment. You have a job to do and for that you need certain resources - and these include the approval of necessary policies (and the "right" to enforce them).

    If you can convince the users that your actions are for their benefit - fine (management always likes to make decisions which meet no resistance). If not, then you have to convince management - for this you need a "business case" (number of "incidents" on IT-managed vs. partially-user-managed computers for example). If certain applications only (seem to) work for power users, try to identify the cause. Show that you care about the users' needs and that you are willing to find workarounds and implement exemptions - while clearly stating the consequences (reduced security, additional effort) and the responsible party (most of the time it's either a sloppy implementation by the vendor or simply "unfit" software and not exactly your fault). This worked for "us" (i.e. the group in IT responsible for the endpoints) - even though most of our colleagues called it mission impossible.

    The bottom line is: When trying to achieve a strategic goal it is better (and easier) to permit specific actions, especially when it's clear that they are exemptions.

    Christian
