The default Arellia Agent and Arellia Application Control Solution (ACS) Agent installations allow Administrators to terminate those processes and services. This article will walk through how to prevent administrators from tampering with the Arellia Services.
To secure Arellia agents, do the following steps:
- Harden the Arellia Agent and ACS services against administrators (for details about service hardening, go to Service Hardening).
Remove the debug privilege from Administrators by enabling the Remove Advanced Privileges for Interactive Users ACS policy.
Note
Debug privileges disable checks on the process security descriptor and are generally granted to only developers. When you clone the Remove Advanced Privileges for Interactive Users policy, the policy excludes those programs (such as developer tools) that actually require debug rights such as Visual Studio.
- Remove the terminate privilege from Administrators by creating a new process security action and then applying it via an Application Control Policy targeting the "Arellia.Agent.Service.exe" executable. (For details about adjusting process security, go to Adjust Process Security.)