
Tamper Protection

Just wondering if there is any chance in future releases of the tamper protection feature being extended to include the application control settings (well, I say settings but I really mean stopping them from disabling it?)

Thanks,

D



This thread was automatically locked due to age.
  • That was precisely my point. In an environment where most users are Power User or have Local Admin rights the Tamper Protection is useless. Also, many rootkits and privilege escalation attacks attempt to stop these services with local admin rights under context of the current user privileges.

    But I digress... there are ways that you can manage this security, just not within Sophos natively.

    If you are in an AD environment using Group Policy, you can set these services as protected at the Domain Admin level. This prevents even users with Local Admin rights from stopping or disabling these particular services.

    Under your Default Domain Policy (or any OU policy for that matter) -> Computer Configuration -> Windows Settings -> Security Settings -> System Services.

    Define each Sophos service there and remove the Administrators group from each while adding Domain Admins. Make sure to leave SYSTEM permission as is.

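An added example, not part of the thread: a way to confirm on an endpoint that the Group Policy change described in the reply above actually landed, by auditing the service's security descriptor as printed by `sc.exe sdshow <service>`. The function names and both SDDL strings are constructed for illustration; the right codes and well-known SIDs are standard Windows values.

```python
import re

# SDDL right codes (and access-mask bits) that let a trustee stop,
# reconfigure, delete or re-permission a Windows service.
TAMPER = {"DC": 0x2, "WP": 0x20, "DT": 0x40, "SD": 0x10000, "WD": 0x40000,
          "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000}
# One ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
DOMAIN_ADMINS_SID = re.compile(r"S-1-5-21-[\d-]+-512")

def tamper_rights(field):
    """Tamper-capable rights in one ACE rights field (letter codes or hex mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return sorted(code for code, bit in TAMPER.items() if mask & bit)
    codes = {field[i:i + 2] for i in range(0, len(field), 2)}
    return sorted(codes & TAMPER.keys())

def audit_service_sddl(sddl):
    """Check a service DACL: SYSTEM kept, Domain Admins in control, nobody else."""
    if "D:" not in sddl:
        raise ValueError("no DACL in SDDL string")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop the SACL, if any
    result = {"system": False, "domain_admins": False, "others": []}
    for ace_type, rights, trustee in ACE.findall(dacl):
        if ace_type != "A":      # only allow ACEs grant access; deny ACEs are skipped
            continue
        risky = tamper_rights(rights)
        if trustee in ("SY", "S-1-5-18"):
            result["system"] = True
        elif trustee == "DA" or DOMAIN_ADMINS_SID.fullmatch(trustee):
            result["domain_admins"] |= bool(risky)
        elif risky:              # e.g. BA (local Administrators) still listed
            result["others"].append((trustee, risky))
    result["ok"] = (result["system"] and result["domain_admins"]
                    and not result["others"])
    return result

# Constructed samples: a stock service DACL, and one shaped like the result
# of the GPO change (Administrators "BA" replaced by Domain Admins "DA").
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
HARDENED = DEFAULT.replace(";;;BA)", ";;;DA)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT), ("hardened", HARDENED)):
        print(name, audit_service_sddl(sddl))
```

Any trustee reported under `others` with `WD` or `WO` can rewrite the DACL and hand itself stop rights again, so those two matter as much as `WP` and `DC`.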