Windows Service Hardening
One of the challenges with critical applications on Windows desktops is the ability of end users, or of malware, to kill critical services and processes. Critical applications on an enterprise desktop include antivirus and endpoint security products as well as systems management tools for software delivery, patching, and/or inventory. Protecting the services and processes behind these applications is key to ongoing operational security and availability.
Critical Windows applications typically run as a service, and a service can usually be stopped by any user running with administrator rights. A standard user generally lacks the permission to stop services, but because many enterprise users still run with administrator accounts, they can stop these services and often do. The reasons vary; the most common are complaints about the performance impact of such applications or a reluctance to be managed by corporate IT. Whatever the reason, the result is the same: a critical business application is stopped, exposing the organization to risk. That risk includes malware or attackers who disable security software so that it cannot impede their further penetration of the system, as well as the difficulty of supporting users who need configuration fixes or new software once the management agent is gone.
The risk to a critical application is not limited to its service. The application also has a process, and files and registry keys on which it depends. Killing the process is a quick way to disable the application and can be done with common tools such as Microsoft's Process Explorer or the built-in Windows Task Manager. Deleting the files and registry keys may be blocked while the process holds them open, but it is easy once the process has been stopped. By deleting or modifying files and registry keys, an attacker (or user) prevents the process from starting again, and the software is disabled.
The key to application protection is setting proper security permissions (access control lists) on each component of the application. File and registry permissions can be edited through familiar interfaces such as the Security tab in Explorer and Regedit, but service permissions are less accessible to the average user: a service's security descriptor is only visible through tools such as sc.exe sdshow/sdset or the Windows API, so changing it requires advanced knowledge or a dedicated tool. Arellia Local Security Solution is one such tool; it can create and apply secure permissions to critical applications so that a local user cannot tamper with them even when that user is an administrator. Note that this kind of hardening makes tampering difficult rather than impossible: an administrator still holds privileges such as SeTakeOwnershipPrivilege and can run code as SYSTEM, so the goal is to stop casual or opportunistic disabling rather than to resist a determined administrator.
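The underlying mechanism, shown with built-in Windows tools rather than the Arellia product, as an added example that is not code from the original article or from Arellia: a service's permissions are a security descriptor (SDDL) that sc.exe can read and write, and the install folder and registry key are protected with ordinary ACLs. The service name ExampleAgent, its install path and the choice of which rights to strip from Administrators are assumptions for illustration.

```powershell
# Added example, not code from the original article or from Arellia.
# Run from an elevated PowerShell prompt on a test machine first.
# 'ExampleAgent' and its install path are assumed placeholders.

$ServiceName = 'ExampleAgent'                              # assumption
$InstallDir  = Join-Path $env:ProgramFiles 'ExampleAgent'  # assumption
$RegKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

# 1. Back up the current service descriptor so it can be restored later with
#    sc.exe sdset <name> <saved SDDL> from a SYSTEM context.
$Original = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()
$Original | Set-Content -Path (Join-Path $env:TEMP "$ServiceName.sddl.bak")

# 2. Build a hardened DACL. Service right letters in SDDL:
#    CC QueryConfig  DC ChangeConfig  LC QueryStatus   SW EnumDependents
#    RP Start        WP Stop          DT PauseContinue LO Interrogate
#    CR UserDefinedControl  SD Delete  RC ReadControl  WD WriteDAC  WO WriteOwner
#    SYSTEM keeps full control so the SCM works and the descriptor can be
#    restored; Administrators (BA) drop from full control to query/read only,
#    so they can no longer stop, pause, reconfigure, delete, or re-ACL the
#    service. Only the DACL is written; the existing SACL is left untouched.
$Aces = @(
    '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)',   # SYSTEM: full control
    '(A;;CCLCSWLOCRRC;;;BA)',                 # Administrators: query/read only
    '(A;;CCLCSWLOCRRC;;;IU)',                 # Interactive users: default read rights
    '(A;;CCLCSWLOCRRC;;;SU)'                  # Service accounts: default read rights
)
$Hardened = 'D:' + ($Aces -join '')
sc.exe sdset $ServiceName $Hardened
if ($LASTEXITCODE -ne 0) { throw "sdset failed for $ServiceName (exit $LASTEXITCODE)" }

# 3. Harden the install folder: replace inherited ACEs so SYSTEM has full
#    control and Administrators/Users are read-and-execute only. If the
#    service runs under another account, grant that account RX here as well.
icacls $InstallDir /inheritance:r /grant:r `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)RX' `
    'BUILTIN\Users:(OI)(CI)RX'
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $InstallDir (exit $LASTEXITCODE)" }

# 4. Harden the service's registry key the same way, so ImagePath and Start
#    cannot be edited by a local administrator.
$Acl = Get-Acl -Path $RegKey
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($Rule in @(
    [System.Security.AccessControl.RegistryAccessRule]::new(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit', 'None', 'Allow'),
    [System.Security.AccessControl.RegistryAccessRule]::new(
        'BUILTIN\Administrators', 'ReadKey', 'ContainerInherit', 'None', 'Allow'),
    [System.Security.AccessControl.RegistryAccessRule]::new(
        'BUILTIN\Users', 'ReadKey', 'ContainerInherit', 'None', 'Allow')
)) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path $RegKey -AclObject $Acl

# 5. Verify: an administrator's attempt to stop the service is now denied.
try {
    Stop-Service -Name $ServiceName -ErrorAction Stop
    Write-Warning "$ServiceName could still be stopped; check the DACL with sc.exe sdshow"
} catch {
    Write-Host "Stop denied as expected: $($_.Exception.Message)"
}
```

After step 2, Task Manager, Services.msc and `sc stop` all fail with "Access is denied" for members of Administrators, which is the behaviour the article wants. Because Administrators have also lost WriteDAC, undoing the change requires the saved SDDL and a SYSTEM context (for example a scheduled task running as SYSTEM), or taking ownership first; keep the backup file. The registry step assumes the service account is SYSTEM; a service running under another identity needs ReadKey on its own key as well.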
By hardening critical applications, an enterprise gains stability and security because end users cannot stop mission-critical software. Failing to do so hands control of security and manageability to the end user, who is likely to disable anything perceived as a nuisance.
Video: For an example of hardening, see this video on hardening the Symantec Management Agent service.
About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.