The default Arellia Agent and Arellia Application Control Solution (ACS) Agent installations allow Administrators to terminate those processes and services. This article will walk through how to prevent administrators from tampering with the Arellia Services.
Manual Steps
...
To secure Arellia agents, do the following steps:
- Harden the Arellia Agent and ACS services need to be hardened against administrators (for details about service hardening, go to Service Hardening).
This alters the service Security descriptors such that an administrator cannot stop services via the Service Control Manager.
- Second the Arellia processes can be protected against administrators by removing the Debug Remove the debug privilege from Administrators. The quick way to do it is enable the Remove Advanced Privileges for Interactive Users application control policy
Debug privileges are generally only made available to Developers. Debug privilege disables checks on the process security descriptor. The Remove Advanced Privileges for Interactive Users policy would generally be cloned to actually exclude those programs (developer tools ) that actually require debug rights such as Visual Studio.
- The last step to protect the Arellia Agent Service is to remove the terminate privilege from Administrators. This can be done by creating a new Adjust Process Security action and then applying it via an Application Control Policy targeting the "Arellia.Agent.Service.exe" executable.
...