Endpoint Protection

 View Only

  • 1.  SEP11 prevent changes to unmanaged client

    Posted Jul 27, 2012 10:19 AM

    I need to prevent users from making changes to the SEP11 client.  The machines are being run as stand alone units and can't have access to the network, so using managed clients is right out.  I've figured out that if I set DENY rights on C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe the users can't disable virus scanning, firewall or SEP11 as a whole.  I now need to prevent changes under the Change Settings button.  Is there an easy way to do this?



  • 2.  RE: SEP11 prevent changes to unmanaged client

    Posted Jul 27, 2012 10:29 AM

    Follow artcile below

    http://www.symantec.com/business/support/index?page=content&id=TECH102822&locale=en_US

    Make sure you create an Unamaged Package from SEPM while exporting it check link below

    http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/a5146874e7b6a6178825747f006d3462?OpenDocument

    Once you have SEP client package created in above format ie Unmanaged sep package simply install it on the machine where you want to Disable Users ability to make changes.

    Additional information on creating unamanaged package See Bold

    To create the new custom install package
    In the Symantec Endpoint Protection Manager Console, on the Admin tab, under Tasks, click Install Packages.
    The current default client installation packages appear on the right.
    Under View Install Packages, click Client Install Packages.
    Under Tasks, click Export client install package.
    Browse to or create a preferred export folder, and select it.
    Select whether or not you want to create a single ".exe" file.
    Select Installation Settings and Features.
    Select Custom Install Settings from the settings drop down.
    Select Custom feature set from the features drop down.
    Select the group to which the client will be installed. If no group has been created, select the Default group.(Or you can make the client as unmanaged)
    Select the Preferred Mode. The default is Computer mode.
    Click OK.
    The new install package is created in the location that you specified.

     



  • 3.  RE: SEP11 prevent changes to unmanaged client

    Posted Jul 27, 2012 10:39 AM

    I don't have access to use the SEPM.  This is a very low level project I'm being tasked with.  So, my options are as follows:

    1.  Create a user account with Local User rights.  (Done)

    2.  Deny local user rights to read&execute SMCGui.exe  (Done)

    3.  Prevent local user from making changes to SEP11  (Not done.)

    I really only need the appropriate registry key or file to deny read&execute rights to and I'm set.   I did find this article, but it doesn't include evey registry key.

    https://www-secure.symantec.com/connect/articles/symantec-endpoint-protection-few-registry-tweaks



  • 4.  RE: SEP11 prevent changes to unmanaged client

    Posted Jul 27, 2012 10:40 AM

    Ensure you have followed all the steps in this document:


    Title: 'How to block user's ability to disable Symantec Endpoint Protection on Clients'
    Document ID: 2007110514540148
    > Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007110514540148?Open&seg=ent

    More specifically make sure you enacted this part:

     

     

    Step 1: Remove the right to disable Network Threat Protection:

    Open the "Symantec Endpoint Protection Manager."

    Click Clients.

    Select the group that contains the clients you want to be affected.

    Click Policies.

    Expand Location-specific settings.

    Click Tasks to the right of "Client User Interface Control Settings", then click Edit.

    Select Server control or Mixed control if it is not already set to one of these.

    Click Customize.

    If Server control is enabled this will open the Client User Interface Settings dialog.

    If Mixed control is enabled this will open the Client User Interface Mixed Control Settings dialog.

     

    Uncheck Allow users to enable or disable Network Threat protection.

    Click OK> OK.

     

    Hope that helps!



  • 5.  RE: SEP11 prevent changes to unmanaged client

    Posted Jul 27, 2012 10:44 AM

    As previously stated, I don't have access the SEPM, so step 1 is right out.  Are there any other options, or is it only able to be done through the Manager?