How do you lock down the SEP client interface so that end users cannot disable components or modify settings?

Article:TECH136678  |  Created: 2010-01-26  |  Updated: 2011-03-10  |  Article URL http://www.symantec.com/docs/TECH136678
Article Type
Technical Solution


Environment

Issue



You would like to control which settings users can modify and prevent them from disabling components, while still allowing technicians access to the application if troubleshooting needs to be performed.

 


Solution



To eliminate the ability to make any changes from the client interface:

  1. In the Symantec Endpoint Protection Manager, click on Clients and select the target group.
  2. Under Policies, expand Location Specific Settings and open Client User Interface Control Settings.
  3. In the dialog box, select Server Control and click on Customize.
  4. Uncheck the 'Display the Client' checkbox and click OK.

This removes the ability to open the client interface and removes the SEP icon from the system tray. Symantec Endpoint Protection will still be visible in All Programs, but if the user attempts to launch it, they will receive the following message: “The network administrator has disabled the Symantec Endpoint Protection main user interface.” From there, the only option is to click OK.

To remove the SEP icon from the system tray but allow access to the application:

  1. In the Symantec Endpoint Protection Manager, click on Clients and select the target group.
  2. Under Policies, expand Location Specific Settings and open Client User Interface Control Settings.
  3. In the dialog box, select Server Control and click on Customize.
  4. Uncheck the 'Display the notification area icon' and click OK.

This gives users access to the application and its interface through All Programs. The individual settings must be configured and locked down through the SEPM and then applied via policy to the client group.

To prevent end users from disabling Network Threat Protection:

  1. In the Symantec Endpoint Protection Manager, click on Clients and select the target group.
  2. Under Policies, expand Location Specific Settings and open Client User Interface Control Settings.
  3. In the dialog box, select Server Control and click on the Customize option.
  4. Uncheck the 'Allow Users to Enable and Disable Network Threat Protection' and click OK.

You can also set certain actions to require a password before being performed:

  1. In the Symantec Endpoint Protection Manager, click on Clients and select the target group.
  2. Under Policies, click on General Settings.
  3. In the General Settings dialog box, click on Security Settings.
  4. When enabling password protection, credentials must be supplied to do the following:
  • Open the client user interface
  • Stop the client service
  • Import or Export a policy
  • Uninstall the client

To set and lock Auto-Protect so that it cannot be disabled:

  1. In the Symantec Endpoint Protection Manager, click on Clients and select the target group.
  2. Under Policies, expand Location Specific Policies and choose to edit the assigned Antivirus and Antispyware policy.
  3. In the policy window, select File System Auto Protect from the Navigation Bar.
  4. Under Scan Details, click on Advanced Scanning and Monitoring. This gives you the ability to set and lock settings of when Auto-Protect is loaded and settings for restarting Auto-Protect if it's somehow disabled. Once finished, click OK.
  5. Then, in the policy window, select TruScan Proactive Threat Scans from the Navigation Bar. From here, you can set and lock all settings for Proactive Threat Protection (Proactive Threat Protection is not supported on 64-bit systems or on server operating systems).


Note: When making changes, verify that the padlock is locked on each of the above settings to prevent end users from modifying them. Once these settings are configured, the policy must be applied to the client group(s) that you want to lock down. Any group that has policy inheritance enabled will be governed by the policy of the group it inherits from, so verify that an inherited policy does not prevent the lockdown.

Once these changes are applied, the user will be able to open the interface. If the user attempts to change settings, all settings will be grayed out.

 



Legacy ID



2010072612314748

