This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Tamper Protection Greyed Out

Hello,

I am having some difficulties with Tamper Protection,

We have set Tamper Protection Policies for each group,

but most of the end points have the Authenticate User option greyed out.

I activated and deactivated the policy in the management console several times but with no effect.

I restarted the end points computers,

I changed the computers from group to group. 

The result is the same, the Authenticate User option remains greyed out.

Can you help me in this situation?



This thread was automatically locked due to age.
Parents
  • Hello Adrian Ceteras,

    Authenticate User option greyed out
    did you check with a user that is a member of the SophosAdministrator group or is it that the usual users have this option greyed out? If the latter it's the expected behaviour.

    Christian

Reply
  • Hello Adrian Ceteras,

    Authenticate User option greyed out
    did you check with a user that is a member of the SophosAdministrator group or is it that the usual users have this option greyed out? If the latter it's the expected behaviour.

    Christian

Children
  • Hello Christian!

    We tried with the logged on user.

    I saw that if I log in with my domain account the option appears.

    This is the normal behaviour?

  • Hello Adrian Ceteras,

    it is. Tamper Protection restricts a SophosAdministrator's rights (unless the correct password is entered) so that a local admin can't change the settings. The SophosAdministrator group is populated with the members of the local Administrators group at install time. For a non-SophosAdministrator TP doesn't make a difference anyway. 

    Christian

  • Sorry Christian but for us this sounds bad on many levels:

    1. Every time something wrong happens and we have to use the Tamper protection it is uncomfortable for us and for the user, because we have to log out that user, (go through the users: I have to save close everything now? I am in the middle of so many things...)

    2. Once we log out that user all the mapped drives, recycle bean, folders programs, files, etc...  are password protected and that can be an issue at the scanning point

    3.  After the moment of installation other admins could show up, like not all admins have logged on to every single computer in the network, new admins could show up in the company, will they have access to this option?

     

    To be able to have the option active no matter what the login user it sounds like a much better option. You will need the password anyway... and that password is known only by the admins. 

  • Hello Adrian Ceteras,

    Sorry
    I'm not Sophos so I won't take comments on a product personally [:)]

    This is perhaps a misunderstanding - or several.

    • First of all, as already noted, TP isn't there to elevate a user's rights. Sophos has added it (and now even beefed it up) only reluctantly after years of demands by customers
    • With standard TP the SophosAdministrator membership isn't an issue as local admins can always add themselves to this group. And domain admins group are usually indirectly local admins
    • While you can add any user to the SophosAdministrator group this won't elevate their Windows rights

    What is the something wrong you need to resolve? As you mention password protected - do you use EFS or some other file encryption?

    Christian

  • Hello!

    It was never intended to offend or to take this personally... Sorry if it sound like that...

    We found a work around for this.

    From the already logged on user if we start Sophos to run as admin, then we can put our domain admin credentials, and the TP option is there for the use.

    So problem solved.

     

    Thank you for clearing all the misunderstandings.