Arellia has 2 built-in tasks to set security descriptors. The first is Set Restrictive Service Security Client Task and the second is Set Standard Service Security Client Task. For most customers, the default security descriptors referenced in these tasks will accomplish what they are trying to do.
The Restrictive Service Security task will remove the ability for Administrator users to stop/modify a service. The Standard Service Security task will set the service security to the Windows default, where Administrator users can stop/modify a service.
To apply restrictive service security:
- Navigate to Tasks > Client Tasks > Local Security > Set Restrictive Service Security Client Task
- (optional) Clone the client task
- Set the Service to the service you are targeting (ie. the Arellia Agent)
- (optional) Set the security descriptor to a custom one
- Save the client task
- Select Run Now and execute the task on endpoints