Monitoring Services

Hi,

Has anyone come up with a way to use IEM to monitor services running on the network?

For example, take a baseline of what services are running and then monitor for changes from that point on?

If you’re subscribed to the “Security Policy Manager” site, there is a wizard called “Service Baseline Wizard” for creating your whitelist and blacklist of services. Although the services would need to be named manually, you can use it to explicitly deny services.

But the user is still able to start the service again by going to Services -> Properties and starting it from the drop-down menu. How can we enforce that the user can't start it again? Also, is there any list view or analysis that shows how many services have been blocked on several desktops by using that wizard?

If it was me, I would put an SC delete in the action to remove the service from the services list. Would that be a viable option for you?

It should be possible to set the permissions on the service to prevent most users from starting them.

I have a scenario: some of our users have laptops that are in a workgroup, so they can disable the besclient service by going to services.msc.

How can we prevent a user from seeing the besclient service in the service list, so that they can't start, stop or disable it?

I already hide an application from Add/Remove Programs by using a fixlet provided in BigFix.

Any suggestions on how to restrict it?

@jmaple @jgstew any recommendations on how to achieve this? I just wanted to hide the besclient service or restrict users from disabling it from services.msc. If it's disabled, it gets started on those certain clients immediately.

I would say there is one of two things you could do. You could install the BESClientHelper service and set an appropriate interval or there is the “Automatically Restart Stopped BES Clients Using TaskScheduler” task (Task 250).

Or inflict serious pain and anguish on users who stop the service…


Network Access Control or similar is a good idea.

Have a look at https://blog.netspi.com/penetration-testing-stopping-an-unstoppable-windows-service/ , it should help get you started.

You can change the ACL for the service …
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/Preventing+Tampering+with+BigFix+Agents

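Several replies above suggest restricting the service's permissions (its ACL). As an added example that is not part of the thread and is not BigFix code, this Python sketch audits the SDDL string that `sc sdshow <service>` prints and lists trustees other than LocalSystem and Administrators whose allow ACEs let them stop, reconfigure, delete or re-permission the service. The two SDDL strings are constructed samples, and the trusted set (`SY`, `BA`) is an assumption.

```python
import re

# SDDL right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read permissions", "WD": "write DACL", "WO": "take ownership",
}
# Rights that let a trustee stop, disable, delete or re-permission a service.
TAMPER = {"WP", "DC", "SD", "WD", "WO"}
# Assumption: only LocalSystem (SY) and built-in Administrators (BA) should hold them.
TRUSTED = {"SY", "BA"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right codes])] for the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body!r}")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"hex mask or generic right {rights!r}; review by hand")
        aces.append((ace_type, trustee, codes))
    return aces

def tamper_findings(sddl, trusted=TRUSTED):
    """Map each non-trusted trustee to the tamper rights allow-ACEs grant it.
    Simplification: group membership and deny-ACE precedence are not resolved."""
    found = {}
    for ace_type, trustee, codes in parse_dacl(sddl):
        risky = TAMPER.intersection(codes)
        if ace_type == "A" and trustee not in trusted and risky:
            found.setdefault(trustee, set()).update(risky)
    return {t: sorted(SERVICE_RIGHTS[c] for c in r) for t, r in found.items()}

# Constructed samples: a typical default DACL, and one that lets interactive users (IU) tamper.
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
           "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
LOOSE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;CCDCLCSWRPWPLOCRRC;;;IU)")

print(tamper_findings(LOOSE))
```

An empty result only means no listed trustee outside the trusted set holds these rights; a user who is a member of the local Administrators group still inherits everything granted to `BA`.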