Endpoint Protection

 View Only

  • 1.  Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 05, 2013 09:08 AM

    SEPM 12.1.4

    i passworded the GUI but didnt lock features inside ( helpdesk may need access)

    what left is the "Disable Symantec Endpoint Protection" when right click the shield.

    how can i grey it out without locking settings in GUI, or at least with minimum impact.?

     

    thanks 



  • 2.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 05, 2013 09:11 AM

    Have you seen these?

     

    How to block a user's ability to disable Symantec Endpoint Protection on Clients

    Article:TECH102822  |  Created: 2007-01-05  |  Updated: 2013-07-30  |  Article URL http://www.symantec.com/docs/TECH102822

     

    How to restrict users from making configuration changes to the Symantec Endpoint Protection client.

    Article:TECH102370  |  Created: 2007-01-23  |  Updated: 2008-01-29  |  Article URL http://www.symantec.com/docs/TECH102370

     

    Make sure you have all the locks closed in the various policies.

    When you disable SEP via the task tray, open the GUI. What shows as disabled? Only the firewall? Or both firewall and IPS?

    To stop users from disabling NTP, try this:

    Remove the right to disable Network Threat Protection:

    1. Open the Symantec Endpoint Protection Manager.
    2. Click Clients.
    3. Select the group that contains the clients you want to be affected.
    4. Click Policies.
    5. Expand Location-specific Settings.
    6. Click Tasks to the right of "Client User Interface Control Settings", then click Edit Settings.
    7. Select Server control or Mixed control if it is not already set to one of these.
    8. Click Customize.
      • If Server control is enabled this will open the Client User Interface Settings dialog.
      • If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

         
    9. Uncheck Allow users to enable and disable Network Threat Protection.
    10. Click OK> OK.


  • 3.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 05, 2013 09:26 AM

    i have seen the above.

    what i dont understand is:

     

    if i have passworded the GUI, why would i need to lock all the policies?

    how would my helpdesk techs be able to change settings? only from SEPM console? is it possible to do that  for specific client easily?



  • 4.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 05, 2013 09:31 AM

    Because if you right click you can still disable (even users). You need to lock the policies so end users cannot disable even by right clicking.

    Now, if you want helpdesk to to be able to admin it, than you you are best of keeping the password on it and only letting helpdesk know what it is.



  • 5.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 05, 2013 10:08 AM

    if i lock everything then the helpdesk wont have access to any settings.

    i need to block users from making changes but allow helpdesk passworded access to configure settings.

    is such a setup possible?

     



  • 6.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar
    Best Answer

    Posted Nov 05, 2013 10:09 AM

    Than it won't be possible. The best you could do is keep the password protection but users will still be able to disable it if they right click the icon in the task tray.



  • 7.  RE: Deny User "Disable Symantec Endpoint Protection" In Taskbar

    Posted Nov 07, 2013 07:56 AM

    Came to the conclusion that the whole deny user setup is really stupid.

    What's the use of passwording the GUI if damage can be done outside the GUI(disable….)

    And the only way to deny the "disable…" it to lock everything and turn the GUI into a useless read only view.