The default Arellia Agent and Arellia Application Control Solution (ACS) Agent installations allow Administrators to terminate those processes and services. This article will walk through how to prevent administrators from tampering with the Arellia Services.

Steps

...

To secure Arellia agents, do the following steps:

  1. Harden the Arellia Agent and Application Control services against administrators. This is done with Service Hardening in Local Security, which alters the service security descriptors so that an administrator cannot stop the services via the Service Control Manager. (For details about service hardening, go to Service Hardening.)
  2. Remove the debug privilege from Administrators by enabling the "Remove Advanced Privileges for Interactive Users" Application Control (ACS) policy.

    Note: Debug privileges are generally only made available to developers. The debug privilege disables checks on the process security descriptor. This policy would generally be cloned so that it excludes the programs (developer tools such as Visual Studio) that actually require debug rights.

    Warning: Debug rights trump the "Remove Advanced Privileges for Interactive Users" policy, so be aware that anyone with debug rights will still be able to kill protected processes.

  3. Remove the terminate privilege from Administrators by creating a new process security action and then applying it via an Application Control Policy targeting the "Arellia.Agent.Service.exe" executable. (For details about adjusting process security, go to Adjust Process Security.)
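One way to verify that step 1 actually took effect, as an added example that is not Arellia's own code: paste the SDDL string printed by `sc.exe sdshow <service name>` into this parser and check whether the BUILTIN\Administrators alias (BA) still holds SERVICE_STOP (SDDL code WP). The two SDDL strings in the block are constructed samples, not the descriptor the Service Hardening policy actually writes, and the page gives only the executable name, not the service name to pass to `sc.exe`.

```python
import re

# SDDL right codes as the Service Control Manager interprets them for services.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def decode_rights(field):
    """Expand a concatenated 2-letter rights field (e.g. 'CCLCSWRPWP') to right names."""
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return {SERVICE_RIGHTS[c] for c in codes if c in SERVICE_RIGHTS}

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (ace_type, rights, sid) tuples."""
    start = sddl.index("D:") + 2
    end = sddl.find("S:(", start)          # an SACL, if present, follows the DACL
    dacl = sddl[start:end if end != -1 else len(sddl)]
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        f = ace.split(";")                 # type;flags;rights;objguid;inhguid;sid
        aces.append((f[0], decode_rights(f[2]), f[5]))
    return aces

def effective_rights(sddl, sid):
    """Rights allowed to `sid`, minus anything an explicit deny ACE takes away."""
    allowed, denied = set(), set()
    for ace_type, rights, ace_sid in parse_dacl(sddl):
        if ace_sid == sid:
            (allowed if ace_type == "A" else denied).update(rights)
    return allowed - denied

def admins_can_stop(sddl):
    """True if BUILTIN\\Administrators (BA) may stop the service through the SCM."""
    return "SERVICE_STOP" in effective_rights(sddl, "BA")

# Constructed samples: a stock Windows service descriptor, and one whose BA ACE
# has been trimmed to query/interrogate rights so admins cannot stop or reconfigure it.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        print(f"{label}: Administrators can stop the service = {admins_can_stop(sddl)}")
```

Run the same check against the descriptor of each hardened service after the policy has applied; SYSTEM (SY) should keep SERVICE_STOP so the agent itself can still be serviced.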

How to enable process and service hardening using ACS and LSS