How to enable process and service hardening using ACS and LSS

This documentation is for Arellia Solutions 7.1; for 8.0, please see Service Hardening and Adjust Process Security.

Process and Service Hardening are useful features in environments where IT administrators want to ensure that a particular list of services and processes are running at all times on a managed endpoint. Normally this is not a concern when end users are running as normal users. However in some environments there is a requirement to grant end users Local Administrator rights to their endpoint.

In this scenario the default Windows configuration allows anyone with Administrator rights to kill not only processes they own, but any process running on the system. This is because the default Windows configuration grants any user in the Administrators group the Debug and Act as part of the Operating System privileges. Granting these to a user allows them complete and unrestricted access to the Windows operating system.

A powerful new feature in Arellia Application Control Solution (ACS) allows IT administrators to dynamically set Process Security Descriptors (SDs) on any process running on a managed endpoint. Effectively, an SD can remove an administrator's ability to terminate a process. This process security can then be combined with an ACS policy to remove powerful system privileges from administrators. The result is a secured process that cannot be terminated by an end user, even if they have administrator rights.

Process Security is just half of the picture though. Even if you protect the running process belonging to a service, the default Windows configuration allows Administrators and Power Users to control the service's running state through control messages such as stop, start, pause, etc. This is where Service Security Descriptors can be used. Service SDs can be set using Local Security Solution.

For detailed information about Service Security Descriptors, go to the KB article Service Security Provisioning.
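As an added illustration of the two mechanisms above (this is not from the original article and is not Arellia's tooling), the PowerShell below decodes a service security descriptor's DACL into who may start and stop the service, and reports whether the current token still carries the Debug and Act as part of the Operating System privileges. The function names, the sample "default" SDDL string and its "hardened" variant are constructed for illustration; they are not the descriptors that the Set Restricted Service Configuration task writes.

```powershell
# Added example (not part of the original KB article or of Arellia's products).
# Run from an elevated PowerShell 5.1+ session on a Windows endpoint.
#   1. Decode a service SDDL string: which trustees may start (RP) or stop (WP) the service?
#   2. Check the current token for the privileges the article's ACS policy removes.

# Rights letters as they appear in a *service* ACE. Windows reuses the generic SDDL
# letters for service-specific rights, so RP means SERVICE_START here and WP means SERVICE_STOP.
$ServiceRights = @{
    'CC' = 'QueryConfig'; 'DC' = 'ChangeConfig'; 'LC' = 'QueryStatus'
    'SW' = 'EnumerateDependents'; 'RP' = 'Start'; 'WP' = 'Stop'
    'DT' = 'PauseContinue'; 'LO' = 'Interrogate'; 'CR' = 'UserDefinedControl'
    'SD' = 'Delete'; 'RC' = 'ReadControl'; 'WD' = 'WriteDac'; 'WO' = 'WriteOwner'
}

# Well-known trustee abbreviations commonly found in service descriptors.
$Trustees = @{
    'SY' = 'LocalSystem'; 'BA' = 'Administrators'; 'BU' = 'Users'; 'PU' = 'Power Users'
    'IU' = 'Interactive'; 'SU' = 'Service'; 'WD' = 'Everyone'
}

function Get-ServiceSddlAccess {
    # Returns one object per DACL ACE with the rights spelled out and Start/Stop flagged.
    param([Parameter(Mandatory)][string]$Sddl)

    # Keep only the DACL: everything after "D:" and before an optional "S:" (SACL) section.
    $dacl = (($Sddl -replace '^.*?D:', '') -split 'S:')[0]
    $acePattern = '\((?<type>[A-Z]+);(?<flags>[A-Z]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'

    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        $rightsText = $m.Groups['rights'].Value
        $rights = @()
        if ($rightsText -like '0x*') {
            $rights += $rightsText          # raw hex access mask; left undecoded here
        } else {
            for ($i = 0; $i + 1 -lt $rightsText.Length; $i += 2) {
                $code = $rightsText.Substring($i, 2)
                $rights += $(if ($ServiceRights.ContainsKey($code)) { $ServiceRights[$code] } else { $code })
            }
        }
        $sid = $m.Groups['sid'].Value
        [pscustomobject]@{
            Trustee  = $(if ($Trustees.ContainsKey($sid)) { $Trustees[$sid] } else { $sid })
            Type     = $(if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' })
            CanStart = ($rights -contains 'Start')
            CanStop  = ($rights -contains 'Stop')
            Rights   = ($rights -join ',')
        }
    }
}

function Get-ServiceSddl {
    # Reads the live descriptor of a service via the built-in Service Control Manager tool.
    # (sc.exe is spelled out because "sc" is an alias for Set-Content in PowerShell.)
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name
    (($out | Where-Object { $_ -match '^D:' }) -join '').Trim()
}

function Test-AdvancedPrivileges {
    # True for each privilege that is present in the current token (enabled or not).
    $priv = & whoami.exe /priv
    [pscustomobject]@{
        SeDebugPrivilege = [bool]($priv -match 'SeDebugPrivilege')   # "Debug programs"
        SeTcbPrivilege   = [bool]($priv -match 'SeTcbPrivilege')     # "Act as part of the operating system"
    }
}

# Constructed samples (assumption, not captured from a real host): a typical default service
# DACL, where Administrators hold RP/WP (start/stop), and a variant with start, stop, pause,
# delete and DACL/owner-write rights withheld from Administrators.
$DefaultSddl  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$HardenedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

"--- default (constructed sample) ---"
Get-ServiceSddlAccess $DefaultSddl  | Format-Table Trustee, Type, CanStart, CanStop -AutoSize
"--- hardened (constructed sample) ---"
Get-ServiceSddlAccess $HardenedSddl | Format-Table Trustee, Type, CanStart, CanStop -AutoSize

# On a managed endpoint, audit a service from the article's list instead of the sample:
#   Get-ServiceSddlAccess (Get-ServiceSddl 'AeXNSClient') | Format-Table
"--- privileges held by the current token ---"
Test-AdvancedPrivileges
```

Two things worth checking when reading the decoded output: a trustee that keeps WriteDac (WD) or WriteOwner (WO) can rewrite the descriptor and give itself Stop back, so a hardened DACL should withhold those too; and the privilege check reports presence in the token, which is what the ACS policy in this article changes, so a result of False for both after the agent refresh is the expected state for an interactive Administrator.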

Process hardening in ACS

To set appropriate process hardening in ACS, do the following steps:

  1. Import the attached Process Hardening.xml file into the desired location within the file library in the Security Manager console.
  2. This will create a folder called Process Hardening that contains two policies and two filters.
  3. By default, the protected processes filter contains only AeXNSAgent.exe. (Note: You can expand this to protect other processes such as SEP. The list does not include ArelliaACSvc.exe because this protection is built into the service with SP3.)
  4. The policy Remove Advanced Privileges for Interactive Users stops Administrators forcing a process to be killed by using Debug or Act as part of the Operating System privileges.
  5. The policy Protect Symantec Management Agent process sets the Process Security Descriptor on the SMA service process so that Administrators do not have the terminate privilege.

Once the ACS agent refreshes its client item cache and the system is restarted the Symantec Management Agent will be protected and unable to be killed by an Administrator.

Service hardening in Local Security Solution (LSS)

To set appropriate service hardening in LSS, do the following steps:

  1. Import the attached Service Hardening.xml into the desired location within the file library in the Security Manager console.
  2. This will create a folder called Service Hardening that contains a task called Set Restricted Service Configuration.
  3. Edit this task and secure the required Windows services.

Two examples of restricted services are:

  • AeXNSClient
  • ArelliaACSvc

Run this restricted service task against all machines that must be secured, for example the filter Local Security Agent Installed.

When service hardening is in place, Administrators will not be able to stop or start any of the hardened services.