[Mobi]

Hi guyz,

I wanted to know how can we restrict access to the service on a particular system? Actually in our company we have given admin right to the users on their local system i.e. their domain user names are added in the local Admin group of that particular computer they use. For example "Alice.Shon" is the domain user name for Alice and the system issued to her, she is added in local admin group of that particular system. I know its not a good practice and it should not be allowed but the management says we have to give them admin rights or else they wont be able to install many softwares (even power user rights does not let the system install those software). Anyway so everyone has admin right on their local system, and they can do anything on that system.

But we have deployed Kaspersky Enterprise software as Anti virus, and when I tried to stop the service associated with this AV all the option are disabled. I even can't run the service under my logon name in the Service Name----->Properties------>Logon------->This account.

The AV server runs on one of our servers and the AV clients are installed on user's machines. They AV client gets its configuration from the AV server.

I am just wondering how I can deploy such kind of settings on any other service that even the local Admin cannot stop or start that service. How it is possible?

[Advertisements]

I wanted to know how can we restrict access to the service on a particular system? Actually in our company we have given admin right to the users on their local system i.e. their domain user names are added in the local Admin group of that particular computer they use. For example "Alice.Shon" is the domain user name for Alice and the system issued to her, she is added in local admin group of that particular system. I know its not a good practice and it should not be allowed but the management says we have to give them admin rights or else they wont be able to install many softwares (even power user rights does not let the system install those software). Anyway so everyone has admin right on their local system, and they can do anything on that system.

i know you already know this...since you've said it here...but this is the WORST practice possible on a corporate environment....elevated privileges on local systems CAN (and most likely will if you have an intelligent user with the motive to do so) allow a user to execute very powerful exploits that can compromise your entire domain structure (i.e. if someone really wants to...with local admin rights it's a hop skip and a jump over to getting admin rights on the domain)....plus sure...being a local admin allows the users to install something they need...like office or something like that...but it also allows them to install malware (even unintentionally) or games (productivity killer #1) or anything they want...you're opening yourself up for a lot of trouble down the road....i can assure you (from experience) that within 6 months there will be so much unapproved software on your network that you'll have a hard time clearing issues up.

[dsenette]

I wanted to know how can we restrict access to the service on a particular system? Actually in our company we have given admin right to the users on their local system i.e. their domain user names are added in the local Admin group of that particular computer they use. For example "Alice.Shon" is the domain user name for Alice and the system issued to her, she is added in local admin group of that particular system. I know its not a good practice and it should not be allowed but the management says we have to give them admin rights or else they wont be able to install many softwares (even power user rights does not let the system install those software). Anyway so everyone has admin right on their local system, and they can do anything on that system.

i know you already know this...since you've said it here...but this is the WORST practice possible on a corporate environment....elevated privileges on local systems CAN (and most likely will if you have an intelligent user with the motive to do so) allow a user to execute very powerful exploits that can compromise your entire domain structure (i.e. if someone really wants to...with local admin rights it's a hop skip and a jump over to getting admin rights on the domain)....plus sure...being a local admin allows the users to install something they need...like office or something like that...but it also allows them to install malware (even unintentionally) or games (productivity killer #1) or anything they want...you're opening yourself up for a lot of trouble down the road....i can assure you (from experience) that within 6 months there will be so much unapproved software on your network that you'll have a hard time clearing issues up.

[Mobi]

Yah you are right but My job is to tell them what is risk there and if they say we cannot offard a support personnel who will just perfrom the user's request what can I do?

Anyway what about yout comments on the follwoing I asked in previous mail?

But we have deployed Kaspersky Enterprise software as Anti virus, and when I tried to stop the service associated with this AV all the option are disabled. I even can't run the service under my logon name in the Service Name----->Properties------>Logon------->This account.

The AV server runs on one of our servers and the AV clients are installed on user's machines. They AV client gets its configuration from the AV server.

I am just wondering how I can deploy such kind of settings on any other service that even the local Admin cannot stop or start that service. How it is possible?

[dsenette]

to my knowledge it's not possible....

and i'm not sure why you're not able to kill the service on the local machine as it is...if you're logging in as a domain admin (i'm assuming the product was installed from the server with domain administrative credentials) you should have full control on the service...some services will by default limit access to accounts that didn't install it...but to my knowledge i don't think there's a way for a user to set those permissions

[Mobi]

...if you're logging in as a domain admin (i'm assuming the product was installed from the server with domain administrative credentials) you should have full control on the service...some services will by default limit access to accounts that didn't install it...but to my knowledge i don't think there's a way for a user to set those permissions

No I am not logging as domain Admin as I mentioed in the mail that user are added in the Local Administrator of their local PC, but on the domain they are normal users. But I was thinking that since I have the Local Admi rights on my machine and similalry other users will have on their machines then why I am not able to stop that service of Kaspersky. Is this due to the reason that Kaspsersky server is running under some other user name and the services running on my local machine is basically running under that user's credential? Well I do not think so but I also do not have any other justifaction for this.