Critical System Protection

  • 1.  Trusted User generating Events

    Posted Jun 25, 2013 08:56 AM

    Hi,


    I have an installation in an environment with 20 or so service accounts, all given trusted user status.  They are still generating a handful of events, mainly cmd.exe file access events trying to write to %TEMP%.

    Are there still some things that Trusted Users aren't allowed to do?  I thought a Trusted User had essentially free rein over everything.  All trusted users have been given SAFE privileges.




  • 2.  RE: Trusted User generating Events

    Posted Jun 27, 2013 03:23 PM

    Is a prevention policy generating the event, or a detection policy? Adding someone to the "trusted users" within the prevention policy will not stop them from having those modifications logged via a detection policy.

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp

    ctyrrell@conventus-sei.com



  • 3.  RE: Trusted User generating Events

    Posted Jun 28, 2013 03:57 AM

    There are no detection policies in place.



  • 4.  RE: Trusted User generating Events

    Posted Jun 28, 2013 03:47 PM

    Alex,

    When you are seeing the events, what process set are they being routed to (available in the event details)? Adding trusted users only applies for "Interactive" programs. Services running as that user will still be governed by the controls of whatever service process set it is routed to.

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp

    ctyrrell@conventus-sei.com



  • 5.  RE: Trusted User generating Events

    Posted Jul 02, 2013 08:31 AM

    It's being triggered from the kernel_ps set.


    I've done a bit of rooting, and it might be because it's a remote machine that's calling these service accounts to do their things, so I had to enable the "allow remote programs" check box inside that policy.  I *think* that is what is causing it.



  • 6.  RE: Trusted User generating Events

    Posted Jul 02, 2013 11:43 AM

    Certainly let us know how it turns out and/or if that doesn't fix it. Good Luck!

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp

    ctyrrell@conventus-sei.com