Preventing users from stopping the BESClient

(imported topic written by BenKus)

Some of our customers have requested that we try to take steps to prevent users from stopping the BESClient service. In general, our response is that any determined user with LocalAdmin privileges will be able to figure out how to stop the service no matter what we do… However, we have come up with a relatively simple way to make it a little harder to stop the BESClient service.

The trick we use is to change the permissions on the BESClient service to DENY Administrators from changing the service and only allow the SYSTEM to change the state. This means that if a user on the computer tries to stop the BESClient service, they will get an error “Access is Denied”.

See the Task to enable/disable this (right-click to save and then import to your server):

http://support.bigfix.com/download/temp/Change%20BESClient%20Service%20Permissions.bes

Note that this has the potential to make some of your users very angry/frustrated if they have a legitimate need to shut the BESClient off (for instance: troubleshooting) so make sure you are comfortable with this approach.

Ben

(imported comment written by rdamours91)

I like it…

I’ll use it in some trouble spots to begin with…

(imported comment written by SystemAdmin)

This is awesome, Ben! Thank you.

I receive an XML parsing error when trying to run (Invalid at the top level of document Line 1, Character 1:).

Looking in the file line 1 - character 1 is C of Change. Have tried several attempts at the file. Strange.

Mike

(imported comment written by BenKus)

Hmm… I just tried it and it worked… I used IE 7 and BigFix 7.1…

Ben

(imported comment written by Yuvaraj_Devadass)

Hi Ben,

The above URL is not working:
http://support.bigfix.com/download/temp/Change%20BESClient%20Service%20Permissions.bes

Do you have any other URL?

(imported comment written by BenKus)

Hi. I just checked it and it is working for me… maybe try again?

(imported comment written by suresh.h@techsa.net)

Hi Ben Kus,

I have run the action

// Remove the BUILTIN\Administrators ability to start/stop the service

waithidden cmd.exe /C sc sdset BESClient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

DENY Administrators from stopping the BESClient service. It's working fine.

When I am running ALLOW Administrators from starting the BESClient service (this is the default state),

it's not working.

Kindly help to resolve the issue.

Regards

Suresh

(imported comment written by BenKus)

Hi Suresh,

How do you run the “Allow”? I think you need to remove the “Deny” entry.

Ben
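
Added example (not part of the original thread or the BigFix task): a small Python parser for the SDDL string that `sc sdshow BESClient` prints, listing which trustees hold a given service right. It is run on the SDDL quoted in the thread and on a constructed sample that still carries an explicit deny ACE; the names `parse_dacl`, `who_can`, `THREAD_SDDL` and `DENY_SDDL` are this example's own.

```python
import re

# SDDL access-right codes as interpreted for Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def parse_dacl(sddl):
    """Return [(ace_type, {right names}, trustee)] for the D: section."""
    m = re.search(r"D:[^()]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        codes = re.findall(r"[A-Z]{2}", rights)
        if "".join(codes) != rights:  # e.g. hex masks are out of scope here
            raise ValueError("unsupported rights string: %s" % rights)
        aces.append((ace_type, {SERVICE_RIGHTS.get(c, c) for c in codes}, trustee))
    return aces

def who_can(sddl, right):
    """Trustees with an allow ACE for `right` and no deny ACE for it.
    Simplification: group membership is not resolved, so a deny ACE is
    applied only to the identical trustee string."""
    allowed, denied = set(), set()
    for ace_type, names, trustee in parse_dacl(sddl):
        if right not in names:
            continue
        if ace_type == "A":
            allowed.add(trustee)
        elif ace_type == "D":
            denied.add(trustee)
    return sorted(allowed - denied)

# SDDL from the action quoted in the thread (it contains no ACE for BA).
THREAD_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed sample: a deny-STOP ACE left in front of a full BA allow ACE.
DENY_SDDL = ("D:(D;;WP;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;SY)")

if __name__ == "__main__":
    for label, sddl in (("thread", THREAD_SDDL), ("deny sample", DENY_SDDL)):
        print(label, "STOP:", who_can(sddl, "STOP"), "START:", who_can(sddl, "START"))
```

Comparing the output before and after an "Allow" run shows whether a deny ACE for BA is still present, and `who_can(sddl, "WRITE_DAC")` shows which trustees can still rewrite the DACL.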