Windows Services Permissions
Craig Mann
Guest





Posted: Fri Oct 21, 2005 12:50 pm    Post subject: Windows Services Permissions

Here's a question ...

Is it possible to deny a network of users access to their local services, i.e.
so that they cannot stop or start any services on their computer but still
allow the service to start so that its associated application can run?

The scenario here is we have corporate anti-virus software installed and
some of our users don't like this because they feel the antivirus solution
slows down their computer and to get around this they disable the antivirus
service that runs the antivirus software.

What I would like to do is define a policy in the GPMC (Group Policy
Management Console - Windows 2003 Server) to prevent all users on the
network access to the antivirus service on their computer. I tested this
quite recently by defining a GPO for the services and setting Everyone deny
rights to the antivirus service. When the group policy got updated, nobody
had access to the service (which was a good thing), but the antivirus
service also failed to run which resulted in the antivirus software not
performing as it should.

The antivirus service mainly uses the LocalSystem account. Can anyone
suggest if it's possible to alter the service's permissions in such a way by
defining a GPO to prevent user access to stop/start the service but allowing
it to start when the operating system loads so that the antivirus program
still runs as expected?

Regards
Craig
Miha Pihler [MVP]
Guest





Posted: Fri Oct 21, 2005 8:50 pm    Post subject: Re: Windows Services Permissions

Hi Craig,

As long as users are local administrators on their computers -- they will be
able to do whatever they want. Now they stop the service -- but if you take
that permission away from them (you could do that) they will just load up
e.g. task manager and kill the applications such as antivirus...

Best solution in this case would be to make users local users (and not
administrators) on their computers. This will prevent them from stopping
services and killing applications etc... It will also add a lot to the security
of your network since less spyware will get installed on the computers and
potential viruses will not get executed or installed...

--
Mike
Microsoft MVP - Windows Security
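
Added example (not part of either post): a small evaluator for a service DACL in the SDDL format printed by `sc sdshow`, showing that a Deny entry for Everyone also matches LocalSystem, and that a query-only layout stops standard users while local administrators keep full control. The SDDL strings and the group sets in `TOKENS` are constructed assumptions, not values from the thread.

```python
import re

# Service meaning of the SDDL right codes printed by `sc sdshow <service>`.
CONTROL = {"RP": "start", "WP": "stop", "DT": "pause/continue", "DC": "change config",
           "SD": "delete", "WD": "rewrite DACL", "WO": "take ownership"}
OTHER = {"CC", "LC", "SW", "LO", "CR", "RC"}  # query, interrogate, read-type rights
KNOWN = set(CONTROL) | OTHER
ACE_RE = re.compile(r"\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

# Assumption: simplified group aliases carried by each kind of token.
TOKENS = {
    "LocalSystem": {"SY", "BA", "WD", "AU"},
    "standard user": {"BU", "IU", "WD", "AU"},
    "admin user": {"BA", "BU", "IU", "WD", "AU"},
}

# Constructed SDDL strings. The first mirrors the "Everyone deny" GPO from
# the question; the second gives interactive users query rights only.
EVERYONE_DENY = ("D:(D;;RPWPDT;;;WD)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)")
QUERY_ONLY = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

def parse_dacl(sddl):
    """Return the DACL as [(type, {right codes}, trustee)] in ACE order."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for kind, rights, trustee in ACE_RE.findall(dacl):
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if codes - KNOWN:  # hex masks and generic rights are not mapped here
            raise ValueError(f"unsupported rights field: {rights!r}")
        aces.append((kind, codes, trustee))
    return aces

def control_rights(sddl, groups):
    """Control rights a token holds; per right, the first matching ACE decides."""
    decided = {}
    for kind, codes, trustee in parse_dacl(sddl):
        if trustee in groups:
            for code in codes.intersection(CONTROL):
                decided.setdefault(code, kind == "A")
    return sorted(CONTROL[c] for c, allowed in decided.items() if allowed)

if __name__ == "__main__":
    for label, sddl in (("Everyone deny", EVERYONE_DENY), ("query only", QUERY_ONLY)):
        for who, groups in TOKENS.items():
            print(f"{label:13} | {who:13} | {control_rights(sddl, groups) or 'none'}")
```

With the query-only layout a standard user holds no control rights, while a user who is a local administrator still holds all of them, including the right to rewrite the DACL.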
All times are GMT