Here we will create a domain group that you want to have access to your Agent Services and then create a group policy that only allows Full Control access for groups that you want to have access to the Altiris Agent. Be sure that the Altiris Agent(s) that you want to secure at running on the computer where you follow these steps.
Step 1: Create a domain group that you want to have access to your Agent Services. Maybe it's a Desktop Admin Group, maybe it's an Altiris Admin Group.
Step 2: Create a group policy.
Step 3: Edit your newly created Group Policy.
Step 4: Expand Computer Configuration - > Policies - > Windows Settings - > Security Settings - > System Services
Step 5: Double Click the Altiris Agent to modify it's Properties. Check mark the "Define this policy setting" box and click Automatic for the startup mode.
Step 6: Click the Edit Security Button. Click Add to add the groups you want to administer this service.
Step 7: Modify the Administrators for the local machine so that they only have Read permission.
Step 8: Modify the Groups you added in step 6 so that they have Full Control. (All other needed rights will be added automatically)
Step 9: Click OK the the security windows and OK to the Agent Property window. Close out your Computer configuration Window.
Step 10: Apply your newly created group policy to whatever computer OUs you wish to protect.
Anyone who is not a member of the groups you specified in Step 2 will not be able to disable, stop or restart the service. When they open the services they will see the the options to start, stop, pause, resume and restart are all greyed out.
However when you login as a group member that has access you can manage the service as normal. You can also use the runas to run the services.msc MMC as an group member that is allowed to modify the service. This may come in handy if you have users or groups such as IS that are local administrators and have been found to disable your Altiris services. Now they can still be administrators, just not of the Altiris service.