Option to prevent tampering with Sophos services and settings

Hello kesm0724,

Sophos moderators / power users

guess I should count myself among them :smileywink:. I'll make another attempt explaining a possible (again: I'm not Sophos so this is just guessing) rationale trying to avoid the don't-give-admin-rights mantra.

the Iron Fist mentality

As far as my posts are concerned I might have failed in clearly citing this as last resort. I think I've always emphasized - but maybe not enough - that education, raising awareness, and siding with the users are the preferred measures for dealing with the tampering problem.

other competitors have been able to figure out how to do

It's not that Sophos wouldn't be able to figure it out. It's not black and white though. While it is arguably MORE secure it can also complicate working with the product. Not only in case of issues when troubleshooting is required but likewise in those very situations for which the users have admin rights - if they have to make changes to the system for which they need administrative rights they might also have the need to temporarily reconfigure or disable the security software (and this at a time when the endpoint is out of reach for central management).

As you can see with other products tamper protection is apparently never finished. Situations arise when you have to legitimately disable or circumvent it, and the knowledge how to do it can only be kept "secret" for a limited time. Then you have to come up with an improved scheme (which again adds complexity to the product's architecture with all its consequences) and it starts all over again.

Assessing the security benefit, unwanted side-effects, the remaining shortcomings, customer demand, and the (ongoing) implementation effort you eventually arrive at a decision. You likely can't come up with hard numbers for all the aspects (and different vendors certainly arrive at different estimates depending on the customer base) and thus the decision is also influenced by "corporate philosophy".

I hope I could somewhat dispel the impression that I advocate shaking (and using) the Iron Fist. As far as Sophos is concerned the above is solely my own conjecture.

Christian 

Hello kesm0724,

Sophos moderators / power users

guess I should count myself among them :smileywink:. I'll make another attempt explaining a possible (again: I'm not Sophos so this is just guessing) rationale trying to avoid the don't-give-admin-rights mantra.

the Iron Fist mentality

As far as my posts are concerned I might have failed in clearly citing this as last resort. I think I've always emphasized - but maybe not enough - that education, raising awareness, and siding with the users are the preferred measures for dealing with the tampering problem.

other competitors have been able to figure out how to do

It's not that Sophos wouldn't be able to figure it out. It's not black and white though. While it is arguably MORE secure it can also complicate working with the product. Not only in case of issues when troubleshooting is required but likewise in those very situations for which the users have admin rights - if they have to make changes to the system for which they need administrative rights they might also have the need to temporarily reconfigure or disable the security software (and this at a time when the endpoint is out of reach for central management).

As you can see with other products tamper protection is apparently never finished. Situations arise when you have to legitimately disable or circumvent it, and the knowledge how to do it can only be kept "secret" for a limited time. Then you have to come up with an improved scheme (which again adds complexity to the product's architecture with all its consequences) and it starts all over again.

Assessing the security benefit, unwanted side-effects, the remaining shortcomings, customer demand, and the (ongoing) implementation effort you eventually arrive at a decision. You likely can't come up with hard numbers for all the aspects (and different vendors certainly arrive at different estimates depending on the customer base) and thus the decision is also influenced by "corporate philosophy".

I hope I could somewhat dispel the impression that I advocate shaking (and using) the Iron Fist. As far as Sophos is concerned the above is solely my own conjecture.

Christian