4 Replies Latest reply on Jun 2, 2015 6:30 PM by jamesl1

    AM 8.9 - Granting a subset of administrators rights to stop/start AM services

    SupportEmployee
      My customer has the following users:

      corp\john
      corp\dave
      corp\sarah
      corp\john_sa
      corp\dave_sa

      john_sa and dave_sa have local Administrator rights over all workstations.

      John is a level 3 IT tech so I want him to be able to stop and start AM on all workstations. Dave is level 1 so I want to prevent him from doing so.

      Is there any way of achieving this without either a) creating a new john_am AppSense-specific admin account for John (that *doesn't* have local admin rights) or b) granting these rights to his non-admin (corp\john) account?

      Ideally I'd apply the 'BuiltIn Restrict' system control to the Administrators group rule and create a new Group Rule to apply the 'BuiltIn Elevate' system control to corp\level3 (which contains john_sa). However, most-restrictive wins in this scenario so the john_sa account ends up restricted because it's subject to both rules.

      Any suggestions?
        • 1. Re: AM 8.9 - Granting a subset of administrators rights to stop/start AM services
          Landon Winburn ITSMMVPGroup
          Just throwing it out there that I have yet to look at AM 8.9 but here is how I used to lock down the services before AM 8.9. Just set the SID to the SID of the group you wish to allow.

          ' set variables
          Dim ServiceList(12)
          SID = "S-1-5-21-872159438-1767452750-305008010-64129"
          Set WshShell = CreateObject("WScript.Shell")
          
          ' create array of services
          ServiceList(0) = "AppSense Application Manager Agent"
          ServiceList(1) = "AppSense Client Communications Agent"
          ServiceList(2) = "AppSense EmCoreService"
          ServiceList(3) = "AppSense Watchdog Service"
          ServiceList(4) = "MBAMAgent" 'BitLocker Management Client Service
          ServiceList(5) = "BDESVC" 'BitLocker Drive Encryption Service
          ServiceList(6) = "Sophos Agent"
          ServiceList(7) = "SAVService"
          ServiceList(8) = "SAVAdminService"
          ServiceList(9) = "Sophos AutoUpdate Service"
          ServiceList(10) = "Sophos Message Router"
          ServiceList(11) = "swi_service" 'Sophos Web Intelligence Service
          ServiceList(12) = "MsMpSvc" 'Microsoft Antimalware Service
          
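          ' iterate through each service
          For Each sService In ServiceList
           ' read the current security descriptor; skip the service if the SID is already in it
           Set objOutput = WshShell.Exec("sc sdshow """ & sService & """")
           If InStr(objOutput.StdOut.ReadAll, SID) = 0 Then
            ' set permissions on service: full control for Local System (SY) and the allowed SID,
            ' query and interrogate rights for interactive (IU) and service (SU) logons,
            ' start only (RP) for BUILTIN\Administrators (BA)
            WshShell.Run "sc sdset """ & sService & """ D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" & SID & ")", 0, True
           End If
          Next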
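
Added example, not part of the post above or of any AppSense code: a small Python decoder for the service SDDL string that the script writes, listing which trustees end up with a given right such as STOP. The helper names `parse_dacl` and `who_can` and the trustee display names are chosen here; the deny handling is a simplification that only matches a trustee named directly in a deny ACE.

```python
import re

# Service-specific meaning of the two-letter SDDL access-right codes.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Trustee aliases used in the post's descriptor; other trustees are shown raw.
TRUSTEES = {"SY": "Local System", "IU": "Interactive users",
            "SU": "Service logon users", "BA": "BUILTIN\\Administrators"}
# The descriptor the script passes to "sc sdset", with the SID from the post.
GROUP_SID = "S-1-5-21-872159438-1767452750-305008010-64129"
POST_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
             "(A;;CCLCSWLOCRRC;;;SU)(A;;RP;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + GROUP_SID + ")")

def parse_dacl(sddl):
    """Return a list of (ace_type, trustee, rights) for each ACE in the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled: " + rights)
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        names = {SERVICE_RIGHTS.get(code, code) for code in codes}
        aces.append((ace_type, TRUSTEES.get(trustee, trustee), names))
    return aces

def who_can(sddl, right):
    """Trustees granted `right` by an allow ACE and not named in a deny ACE for it."""
    aces = parse_dacl(sddl)
    denied = {t for kind, t, names in aces if kind == "D" and right in names}
    return [t for kind, t, names in aces
            if kind == "A" and right in names and t not in denied]

if __name__ == "__main__":
    for right in ("START", "STOP", "WRITE_DAC"):
        print(right, "->", who_can(POST_SDDL, right))
```

Feeding it the output of `sc sdshow` for a service after the script has run gives a quick audit of who can still stop that service.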
          
          • 2. Re: AM 8.9 - Granting a subset of administrators rights to stop/start AM services
            Employee
            In AM 8.9, you could just create a User Rule for corp/john and elevate his rights to the AM Service.
            • 3. Re: AM 8.9 - Granting a subset of administrators rights to stop/start AM services
              SupportEmployee

              AppSense_GaryM wrote:

               

              In AM 8.9, you could just create a User Rule for corp/john and elevate his rights to the AM Service.



              That was option b on my list of options to avoid. I guess some customers might be happy assigning privileged rights to a standard user account but I suspect most wouldn't. I guess it's their choice - assign the right to the standard user account or create a third account.
              • 4. Re: AM 8.9 - Granting a subset of administrators rights to stop/start AM services
                jamesl1 Apprentice
                Giving administrator rights to a user's everyday user account, that they are supposed to use on their desktop for day-to-day work, could be seen as a security concern. This solution will be OK for some customers but I am not sure if that will work in Secure gov customers, banks, insurance and a host of other customer types?

                Any more ideas?