Video Screencast Help

Block users from disabling SEP 12.1 client

Created: 05 Feb 2013 • Updated: 06 Feb 2013 | 6 comments
This issue has been solved. See solution.

Hi,

We're looking for a sollution to allow only admins with the password to disable the SEP client.
I have followed the guide to disabeling this function; but the result is not what i'm looking for.

 

How to prevent SEP features from being disabled in the client GUI in SEP 12.1

 

Allow Administrators to Disable SEP 12.1 on all Clients

 

The SEP GUI is password blocked, this prevents users from accessing the console.
I have also set the password to stop the client, however the password is never prompted when disabling from the tray.

After folowing these guides, it is no longer possible to disable the client from the tray (it's grayed out).
But it is also not possible to disable specific functions from within the gui.
When an admin logs on to the GUI I want them to have full control over all settings.

How do I force the password promt when disabling the client (from the tray), without blocking all settings in the GUI (which the user can't access anyway...) ?

 

Thank you,
Domien 

Comments 6 CommentsJump to latest comment

_Brian's picture

have you seen this

How to block a user's ability to disable Symantec Endpoint Protection on Clients

Article:TECH102822  |  Created: 2007-01-05  |  Updated: 2012-07-02  |  Article URL http://www.symantec.com/docs/TECH102822

 

Chetan Savade's picture

Hi Domein,

Q .How do I force the password promt when disabling the client (from the tray), without blocking all settings in the GUI (which the user can't access anyway...)

--> I believe it's not possible or it's not designed that way.

However you can raise an idea or put the product enhancement request.

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

SOLUTION
MASH1's picture

 

Hi Grandeco,
 
The option to require a password to stop the client service refers to the 
Symantec Management Client service (smc.exe) and applies to the user attempting 
to stop the service by running the command line "smc -stop".
 
It does not apply to stopping services in the Services Control Manager 
including Symantec Endpoint Protection . (Although you are 
prevented by Tamper Protection from stopping smc because it greys out the 
options).  It also does not apply to disabling protection by right-clicking the 
shield icon.
 
To disable SEP from system tray you would need to use the article Brian has suggested.
http://www.symantec.com/business/support/index?page=content&id=TECH102822 .
 
After following the above article found that "The Disable Endpoint Protection " won't be grayed out if the User is logged in as an Administrator or a Local Admin.
 
- MASH

- MASH

Sumit G's picture

 

There is one more way the user able to disable the sep service through Services.msc.

Check the below step it can help to disable the service change

 

Please do the following:

  1. Open the Symantec Endpoint Protection Manager.
  2. Click the Clients tab.
  3. For any group, on the right hand side, select the Policies tab.
  4. In the Location-independent Policies and Settings, click General Settings.
  5. On the General Settings screen, click the Tamper Protection tab.
  6. Verify the option labeled "Protect Symantec security software from being tampered with or shut down."

If this is enabled, the option to stop the Symantec Management Client service (smcservice) from service control manager will be unavailable. If it is disabled, stopping smc from the service control manager is allowed.

http://service1.symantec.com/SUPPORT/ent-security....

Regards

Sumit G.

Rafeeq's picture

You can install the clients in user mode instead of computer mode.

Set password for normal clients. 

no password for admins. 

 

Understanding computer and user mode in Symantec Endpoint Protection 11.0

 

http://www.symantec.com/business/support/index?pag...

Grandeco's picture

Hi,

The issue is disabling the SEP client from within the users session, so logging out and logging back in as an administrator isn't what we're looking for.

The general idea is, users can't access the GUI nor disable the client.
The admin arrives, can go into the console and change any setting he wants, or disable the client in general. Both by using the password not known to the users.

For the moment I'll leave this as it is, I have filled the product feedback / feature request. 
 

Thank you all for your support !

Kind regards,
Domien