This article explains how to create an Active Directory group policy to prevent administrators from stopping the Sophos Anti-Virus service.
By default, all members of the local Administrators group can stop services on a client computer. This means that anyone with these rights can stop the Sophos Anti-Virus service and then remove the Sophos endpoint security software. To remove this ability from administrators, follow the steps below.
- Sophos Tamper Protection is designed to prevent changes to the program by unauthorized users. Tamper Protection is not designed to stop administrators from stopping services, as this is a requirement of being an administrator. We may look to extend Tamper Protection functionality in a future product release.
- If you decide to restrict all endpoint security services, you may notice that after an update has been installed the administrator account is again allowed to control the Sophos AutoUpdate and Sophos Remote Management System services. This is because the update installation changes the permissions locally. The key Sophos Anti-Virus and Sophos Device Control services cannot be controlled, even after an update. Once the GPO is refreshed on a client, the restrictions on all restricted services are applied again.
- If a user is added to an administrative group, they can potentially circumvent any restriction applied. Therefore the solution below is only offered as an example.
- If you require further assistance with creating or configuring a group policy, please consult Microsoft documentation.
Known to apply to the following Sophos product(s) and version(s)
Sophos Endpoint Security and Control
What To Do
The instructions below are for a Windows 2008 server.
On the Windows 2008 Domain Controller:
- Create a new security group in Active Directory (for example 'Service Security'). This is required because an existing security group may already contain some of the members of Domain Admins.
- Open the Group Policy Editor (Start | Run | type gpmc.msc | press Return) and create a new Group Policy object called 'Service Security'.
- Edit the new group policy and browse to the following location:
Computer Configuration | Policies | Windows Settings | Security Settings | System Services
- Scroll through the listed services until you reach the Sophos Anti-Virus service.
- Configure the service by double-clicking the service name, selecting 'Define this policy', selecting 'Automatic' as the service startup mode and editing the security groups.
- Add the account 'Network Service' and grant it Read permission; remove the Administrators and/or Domain Admins group as required.
WARNING: DO NOT remove the SYSTEM or INTERACTIVE accounts from the list.
- Add the account 'Local Service' and grant it Read, Start, Stop and Pause permissions.
- Repeat this for all the Sophos services you need to restrict (see note two in the first section of this article). The 'Network Service' account is only required on the Sophos Anti-Virus service.
You can now apply the group policy to the required containers in the normal way and allow it to be applied to the client computers.
You can test the functionality by enabling the GPO and logging on to a client computer as an administrator, or as an account that belongs to a group you have restricted. Attempting to stop the service should result in the following message being displayed:
Could not stop the service on Local Computer.
Error 5: Access is denied.
Alternatively, the option to stop the service is greyed out and unavailable. Either of these shows that the GPO has been configured and applied to the client successfully.
If the error message is not shown and you are still able to stop a restricted service, check that the GPO has been configured correctly and that there are no conflicting GPOs. For more information, please consult Microsoft documentation.
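As an added example (not part of the original article or Sophos's own tooling), the following PowerShell script performs the same check from the command line on a client: it reads the service's security descriptor with sc.exe sdshow, decodes the DACL, and reports whether Administrators or Domain Admins still hold the Stop right and whether the SYSTEM and INTERACTIVE entries survived. It assumes 'SAVService' is the short name of the Sophos Anti-Virus service (confirm it with Get-Service) and that the client has already refreshed the GPO.

```powershell
# Added verification helper, not Sophos code. 'SAVService' is an ASSUMED short name
# for the Sophos Anti-Virus service; confirm it with: Get-Service -DisplayName 'Sophos*'
$ServiceName = 'SAVService'

# Service-specific right codes as they appear in a service SDDL string.
$RightNames = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'; GA = 'GenericAll'
}
# Well-known SID abbreviations; domain SIDs may instead print as full S-1-5-21-... strings.
$TrusteeNames = @{
    SY = 'SYSTEM'; BA = 'Administrators'; DA = 'Domain Admins'; IU = 'INTERACTIVE'
    SU = 'SERVICE'; LS = 'Local Service'; NS = 'Network Service'; AU = 'Authenticated Users'
}

function Get-ServiceDacl {
    param([string]$Name)
    # sc.exe sdshow prints the descriptor in SDDL form, e.g. D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...
    $sddl = & sc.exe sdshow $Name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "No security descriptor returned for service '$Name'." }
    $dacl = ($sddl.Trim() -split 'S:')[0]          # keep the DACL, drop the audit (SACL) part
    # Each ACE is (type;flags;rights;;;sid); ACEs whose rights are a hex mask are skipped.
    foreach ($ace in [regex]::Matches($dacl, '\((A|D);[A-Z]*;([A-Z]+);;;([A-Z0-9-]+)\)')) {
        $codes = [regex]::Matches($ace.Groups[2].Value, '..') | ForEach-Object { $_.Value }
        $sid   = $ace.Groups[3].Value
        [pscustomobject]@{
            Trustee = if ($TrusteeNames.ContainsKey($sid)) { $TrusteeNames[$sid] } else { $sid }
            Type    = if ($ace.Groups[1].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Rights  = @($codes | ForEach-Object { if ($RightNames.ContainsKey($_)) { $RightNames[$_] } else { $_ } })
        }
    }
}

$aces = Get-ServiceDacl -Name $ServiceName
$aces | Format-Table -AutoSize

# Expectations from the article: restricted groups must not hold the Stop right,
# and the SYSTEM and INTERACTIVE entries must still be present.
$canStop = @($aces | Where-Object { $_.Type -eq 'Allow' -and ($_.Rights -contains 'Stop' -or $_.Rights -contains 'GenericAll') })
foreach ($group in 'Administrators', 'Domain Admins') {
    if ($canStop.Trustee -contains $group) { Write-Warning "$group can still stop $ServiceName - the GPO has not applied or is overridden." }
    else { Write-Host "OK: $group cannot stop $ServiceName" }
}
foreach ($required in 'SYSTEM', 'INTERACTIVE') {
    if ($aces.Trustee -notcontains $required) { Write-Warning "$required is missing from the $ServiceName DACL - review the policy." }
}
```

Run it in an elevated PowerShell session on the client after gpupdate /force; a warning for Administrators or Domain Admins means the policy has not taken effect or a conflicting GPO has overridden it.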