
Securing Your Altiris Agent(s) from Local Administrators Using Group Policy

Created: 02 Apr 2010 • Updated: 02 Apr 2010 | 9 comments
Posted by Screenbert
Here we create a domain group that should be allowed to control the Altiris Agent service, then create a Group Policy that grants Full Control of the service only to that group and cuts the local Administrators group down to Read. Be sure the Altiris Agent(s) you want to secure are installed and running on the computer where you follow these steps: the System Services node of the Group Policy editor only lists services that exist on the machine the policy is edited from.
Step 1: Create a domain group that should have access to your Agent services. Maybe it's a Desktop Admin group, maybe it's an Altiris Admin group.
Step 2: Create a group policy.
Step 3: Edit your newly created Group Policy.
Step 4: Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services
Step 5: Double-click the Altiris Agent service to open its Properties. Check the "Define this policy setting" box and select Automatic for the startup mode.
Step 6: Click the Edit Security button. Click Add to add the groups you want to be able to administer this service.
Step 7: Modify the local machine's Administrators group so that it has Read permission only. Read lets members see the service and query its status and configuration, but not start, stop, pause or reconfigure it.
Step 8: Give the groups you added in Step 6 Full Control. (The remaining individual rights are selected automatically.)
Step 9: Click OK in the security window and OK in the Agent Properties window, then close the Group Policy editor.
Step 10: Link your newly created Group Policy to whichever computer OUs you wish to protect.

Anyone who is not a member of the groups you added in Step 6 will not be able to disable, stop or restart the service. When they open Services, the Start, Stop, Pause, Resume and Restart options are all greyed out. Because the policy also defines the startup mode, the Automatic setting is reapplied at every Group Policy refresh even if someone changes it locally.

However, when you log in as a member of a group that has access, you can manage the service as normal. You can also use runas to run the services.msc MMC as a group member that is allowed to modify the service. This comes in handy if you have users or groups such as IS that are local administrators and have been found to disable your Altiris services. Now they can still be administrators, just not of the Altiris service. Treat this as a deterrent rather than a hard boundary: the steps above only change the Administrators entry and add your group, so a local administrator can still terminate the agent process outright, and anything running as LocalSystem keeps whatever rights the SYSTEM entry already had. Pair the policy with service recovery options and monitoring of the service state.
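As an added example (not part of the original article and not Altiris product code), the following PowerShell audits a service's DACL so that Steps 7 and 8 can be verified on a client without clicking through services.msc. It assumes the Altiris Agent's service name is AeXNSClient (an assumption; confirm with Get-Service) and, so that it runs offline, uses constructed SDDL strings with a made-up domain SID standing in for the group you created in Step 1.

```powershell
# Added example, not from the original article. Audits which principals can still
# start, stop or reconfigure a service, using the SDDL form that sc.exe sdshow prints.
# Assumption: the Altiris Agent service name is AeXNSClient (check with Get-Service).

# Service-specific access bits from winsvc.h plus the standard rights that matter here.
$ServiceRights = @{
    QueryConfig         = 0x0001   # CC
    ChangeConfig        = 0x0002   # DC
    QueryStatus         = 0x0004   # LC
    EnumerateDependents = 0x0008   # SW
    Start               = 0x0010   # RP
    Stop                = 0x0020   # WP
    PauseContinue       = 0x0040   # DT
    Interrogate         = 0x0080   # LO
    UserDefinedControl  = 0x0100   # CR
    Delete              = 0x10000  # SD
    ReadControl         = 0x20000  # RC
    WriteDac            = 0x40000  # WD
    WriteOwner          = 0x80000  # WO
}
# Any of these lets a principal tamper with the service (start/stop/pause, change
# its configuration, delete it, or rewrite its security descriptor).
$ControlMask = 0x0002 -bor 0x0010 -bor 0x0020 -bor 0x0040 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ServiceSddl {
    # Reads the live security descriptor of a service via sc.exe sdshow.
    param([Parameter(Mandatory)][string]$ServiceName)
    $out  = & sc.exe sdshow $ServiceName 2>&1
    $sddl = $out | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "Could not read SDDL for '$ServiceName': $out" }
    return [string]$sddl
}

function Test-ServiceDacl {
    # Emits one row per allow ACE and flags principals that hold control rights
    # but are not in the list you expect to have them.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string[]]$AllowedPrincipalSids = @()
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid  = $ace.SecurityIdentifier.Value
        $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        $granted = ($ServiceRights.GetEnumerator() |
                    Where-Object { $ace.AccessMask -band $_.Value } |
                    ForEach-Object Name) -join ','
        $canControl = (($ace.AccessMask -band $ControlMask) -ne 0)
        [pscustomobject]@{
            Principal  = $name
            Sid        = $sid
            Rights     = $granted
            CanControl = $canControl
            Unexpected = $canControl -and ($sid -notin $AllowedPrincipalSids)
        }
    }
}

# Constructed sample 1: the stock DACL Windows gives a service. BA (local
# Administrators) has full control, IU/SU (interactive and service logons) have Read.
$BeforeSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

# Constructed sample 2: the same DACL after Steps 7-8. BA is reduced to Read and a
# domain group (made-up SID, standing in for your Step 1 group) has Full Control.
$GroupSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$AfterSddl = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$GroupSid)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"

# SYSTEM and your admin group are the only principals expected to hold control rights.
$Allowed = @('S-1-5-18', $GroupSid)

'--- before policy (flags BUILTIN\Administrators) ---'
Test-ServiceDacl -Sddl $BeforeSddl -AllowedPrincipalSids $Allowed | Where-Object Unexpected | Format-Table -AutoSize
'--- after policy (nothing flagged) ---'
Test-ServiceDacl -Sddl $AfterSddl  -AllowedPrincipalSids $Allowed | Where-Object Unexpected | Format-Table -AutoSize

# Live check on a client that has received the GPO (service name is an assumption):
# Test-ServiceDacl -Sddl (Get-ServiceSddl 'AeXNSClient') -AllowedPrincipalSids $Allowed | Format-Table -AutoSize
```

On a correctly secured client the live check shows BUILTIN\Administrators with only QueryConfig, QueryStatus, EnumerateDependents, Interrogate, UserDefinedControl and ReadControl (the CCLCSWLOCRRC mask, which is what the Group Policy editor's Read permission corresponds to) and CanControl False, while your domain group and SYSTEM are the only rows with CanControl True. The SYSTEM row is a reminder that the policy does not restrict code running as LocalSystem.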

Comments (9)

KSchroeder

Robert,
Nice work.  We are looking at doing the same for our Antivirus services, which some of our IT users have been notorious for terminating as it apparently affects their compiling performance.  The funny thing was that testing showed that their software compilation was actually a few seconds faster when A/V was enabled than with it off (strange I know)!  Unfortunately the above method does not (AFAIK) prevent local admins from simply terminating the service's .exe (AeXNSClient.exe); any tips for that one?  I was thinking of setting a Task Scheduler-based script that ran every 10 minutes or so to check for the services and restart them if they were disabled. 

I was also looking at using App Metering to meter the process Stop events, but of course you have to meter Start events to meter Stop events.  The tricky part was that in some cases it recorded a Stop event for a system shut down/reboot, not just the actual process terminating.  I've been thinking about how to best report that the system is up but the A/V service is down...probably have to use basic inventory or Event data of some sort.

Thanks,
Kyle
Symantec Trusted Advisor

Screenbert

Every service has recovery options that can be set (the Recovery tab when looking at a service). Just set this via Group Policy to restart on failure; that way, even if they kill the exe, it restarts automatically.

Screenbert

reto.zuerrer

Nice Idea! I will try that next time!

Reto Zürrer | FYRE Consulting | http://www.fyre-consulting.ch

rweiss77

Nice article, we were looking for a creative way to do this here at our company.

Pascal KOTTE

For sure, some "users" still need (or abuse) to keep using their machines with "local admin" rights. That's a good idea to follow; I will recommend this to my customers.
Thanks for your post.

~Pascal @ Kotte.net~ Do you speak French and use Altiris? Come join us at the GUASF

JStonerock

This is something I created for my company a couple of years ago....so it might be a bit outdated (First posted on Altirigos.com) http://altirigos.com/vbulletin/scripting-tools-docs/5916-preventing-users-stopping-altiris-service.html

Assuming all these PC's are part of a Domain:

Create a Computer Group Policy Object that prohibits the stopping of both Altiris Services (NS and DS). Typically this policy must be created on a machine with the services installed.

Take away local admin rights to that policy and only allow the domain group of your choice to have full rights to it. (Example: If you are in Desktop_Engineering, only grant Desktop_Engineering group rights to this GPO)

Secondly, MAKE SURE YOU ADD 'AUTHENTICATED USERS' to have only READ rights to this GPO; otherwise, the agents will stop reporting and NEVER start.

As a safety net, I have another GPO that adds Altiris_SVC as an Administrator of all PCs within the domain. I also add this account with full rights to the GPO stated above (stopping users from disabling the Altiris services).

Doing this prohibits the users from stopping the service, the process and from deleting key files from the folders. Granted this may not be 100% effective, but in my environment it works great!

Great article, Screenbert! I may need to update my GPOs!!

jlawson

I find it strange that no one else discusses this issue, but I had exactly the problem you describe where the service will not start.

Secondly, MAKE SURE YOU ADD 'AUTHENTICATED USERS' to have only READ rights to this GPO, other wise, the agents will stop reporting and NEVER start.

For clarification though, this should read: "ADD 'AUTHENTICATED USERS' to have only READ rights to this SERVICE". At least this is what I found. Not sure how you give them READ rights to the GPO only. So I wanted to clarify what I found and what I think you meant.

JeffDG

I think that a lot of people, particularly IT people, like to stop agents like this as soon as they can...they all perceive a performance hit from anything, whether real or imagined.  Being able to prevent and enforce the policy is a godsend.
