Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 19 subscribers
  • Views 45155 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Option to prevent tampering with Sophos services and settings

ksmith0724

Hello Folks -

We just recently implemented Sophos S&C 9.0 for our end-users.  The product works great but we are looking for some sort of mechanism to prevent our limited number of users who are also local administrators on their laptops from stopping the Sophos services.  I know with other vendors products that regardless of whether the user is an admin or not they still provided some sort of setting(s) that would prevent the users from doing so.

I do realize (and I saw this on other posts in this forum) that it doesn't go along with "safe computing practices" but in some companies (i.e. telecoms) it is often at times cumbersome to lock down certain departments (RF engineers, field crews, etc) especially when these departments are in direct contact with vendors, etc.  I can restrict with a Group Policy the "Install with Elevated Privilges" settings but many applications are hard coded to require an administrator installing the software.

I saw that Sophos Professional Services can assist with this type of configuration but in my honest opinion this is something that should be included in an enterprise class endpoint solution.  I also may be searching on the wrong keywords so if there is an article / suggestion on how to accomplish this please steer me in the correct direction.

Thanks!

:2028


This thread was automatically locked due to age.
  • 0

    I posted my original question about Tamper Proof 4 years ago - Sophos has made strides in implementing tamper proof since then but like some other users are reporting the services can be stopped by admin users.  This has been one of my largest "beefs" with Sophos - something other competitors have been able to figure out how to do (and long ago might i add) - prevent the AV services from being disabled by users with Admin priviliges.  Sophos moderators / power users continuously respond with the typical "Well you shouldn't be giving out admin rights..." ...yes we all know those priviliges should not be granted on a whim but in some industries / situations / IT shops with limited support you just need to grant those rights to certain individuals.

    Posts here on the forum seem to rely on the Iron Fist mentality that if those services are disabled by your users then there should be repurcussions internally - the offending user(s) should be reprimanded / fired.  That again is not always practical - might fly in a government / financial setting.  I've mentioned this fact to our account team for YEARS so hopefully one of these versions it may get locked down better then it is currently.  I guess in the end we are still using Sophos for whatever that is worth.

    :55157
  • 0

    Hello froggy,

    just in case - I'm not Sophos (and I don't want to give the impression that they are [not] interested in hearing constructive criticism).

    At a certain point the MORE of something enters the zone of diminishing marginal utility. Locking the front door is good practice and the costs are minimal - it doesn't make much sense though to install a triple-lock burglary-resistant security door when you have a glass front in the back.

    I've said it several times before - if you have users who have to be admins and who have to be kept from fiddling with AV (and security in general) you have an educational problem - one that has a vast impact on security and that can't for the most part be solved by technology.

    (Near) real-time monitoring of an endpoint's health and integrity is a technology sector in its own right and goes beyond simple management. It'd not only require a lot more resources (and intelligence) on the server side but also significant development effort to make it watertight ... though then it could be used for general monitoring as well.  If one needs something like this one probably has it already.

    Christian

    :55161
  • 0

    Hello kesm0724,

    Sophos moderators / power users

    guess I should count myself among them :smileywink:. I'll make another attempt explaining a possible (again: I'm not Sophos so this is just guessing) rationale trying to avoid the don't-give-admin-rights mantra.

    the Iron Fist mentality

    As far as my posts are concerned I might have failed in clearly citing this as last resort. I think I've always emphasized - but maybe not enough - that education, raising awareness, and siding with the users are the preferred measures for dealing with the tampering problem.

    other competitors have been able to figure out how to do

    It's not that Sophos wouldn't be able to figure it out. It's not black and white though. While it is arguably MORE secure it can also complicate working with the product. Not only in case of issues when troubleshooting is required but likewise in those very situations for which the users have admin rights - if they have to make changes to the system for which they need administrative rights they might also have the need to temporarily reconfigure or disable the security software (and this at a time when the endpoint is out of reach for central management).

    As you can see with other products tamper protection is apparently never finished. Situations arise when you have to legitimately disable or circumvent it, and the knowledge how to do it can only be kept "secret" for a limited time. Then you have to come up with an improved scheme (which again adds complexity to the product's architecture with all its consequences) and it starts all over again.

    Assessing the security benefit, unwanted side-effects, the remaining shortcomings, customer demand, and the (ongoing) implementation effort you eventually arrive at a decision. You likely can't come up with hard numbers for all the aspects (and different vendors certainly arrive at different estimates depending on the customer base) and thus the decision is also influenced by "corporate philosophy".

    I hope I could somewhat dispel the impression that I advocate shaking (and using) the Iron Fist. As far as Sophos is concerned the above is solely my own conjecture.

    Christian 

    :55198
Unfiltered HTML