Option to prevent tampering with Sophos services and settings

Hello Folks -

We just recently implemented Sophos S&C 9.0 for our end-users. The product works great but we are looking for some sort of mechanism to prevent our limited number of users who are also local administrators on their laptops from stopping the Sophos services. I know with other vendors' products that regardless of whether the user is an admin or not they still provided some sort of setting(s) that would prevent the users from doing so.

I do realize (and I saw this on other posts in this forum) that it doesn't go along with "safe computing practices" but in some companies (i.e. telecoms) it is often at times cumbersome to lock down certain departments (RF engineers, field crews, etc.) especially when these departments are in direct contact with vendors, etc. I can restrict with a Group Policy the "Install with Elevated Privileges" settings but many applications are hard coded to require an administrator installing the software.

I saw that Sophos Professional Services can assist with this type of configuration but in my honest opinion this is something that should be included in an enterprise-class endpoint solution. I also may be searching on the wrong keywords so if there is an article / suggestion on how to accomplish this please steer me in the correct direction.

Thanks!

  • I'm repeating myself ...

    All the so-called tamper protection (whether from Sophos, another vendor or MS) is basically putting the cart before the horse. Not that it is absolutely useless.

    It can offer significant protection from must-be-admin users with limited technical knowledge - until some sympathetic programmer writes the next indispensable tool for the unjustly confined (turn off this, bypass that, access hidden items and so on). Works like your standard security lock which is easy to pick if you know how - most of us just don't bother to learn it.

    You can add a second layer of protection by entwining the various components so that a tamper attempt renders the device all but useless and in effect you add another layer to the OS where the user is no longer administrator - and if you haven't got it perfectly right you'll soon face the same problem (must give administrative rights for some users) again.

    Now you can argue that certain software (malware) offers the very "functionality" you are looking for: processes, files and registry keys are hidden even from administrators, it's hard to remove and so on. Then why not use the same technology to protect legitimate applications? Well, apart from "moral qualms" it's quite an effort to get it right. Malware doesn't need to work perfectly on all encountered computers ...

    Your users - irritating as they may be - should not be your enemies (and you not theirs). And bad guys should not be in your organization at all. No one expects a company's trucks to be equipped with some nifty device which would prevent drivers from using the trucks for "private business". Or that a copier can't be used for private copies.

    If a computer gets infected because the user has turned off scanning - who should be held responsible?

    Christian
