Environment
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Objective
In a domain environment, the steps below limit control of services to System and a specific user group or groups.
Resolution
This configuration is outside of the EDR product. Please use at your own discretion.
- On the domain controller, open Group Policy Management.
- Edit the GPO that applies to your devices.
- In the editor navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services
- Within the services menu you should see the Carbon Black Sensor listed; edit this service.
- Check the box to Define this policy Setting.
- Set the service to startup mode "Automatic".
- Click the Edit Security button.
- Grant full permissions to the user or group that you wish to be able to stop the service; leave System and Administrators with full permissions.
- Once configured and saved, the group policy needs to be updated on the devices. This should happen after a reboot, or you can force an update on a specific device for testing using the command: gpupdate /force
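To confirm the policy took effect on a test device, the service's security descriptor can be read back and checked for who holds the stop right. The following is an added example, not part of the original article or the EDR product: the function name Get-ServiceStopTrustee, the sample SDDL string and its SID are constructed for illustration, and the display-name lookup in the closing comments assumes the service appears as "Carbon Black Sensor", as in the GPO list above.

```powershell
# Added example: report which trustees a service DACL allows (or denies) to stop the service.
function Get-ServiceStopTrustee {
    param([Parameter(Mandatory)][string]$Sddl)

    # SERVICE_STOP (0x20) plus GENERIC_ALL and GENERIC_EXECUTE, which both map to it.
    $stopMask   = 0x20 -bor 0x10000000 -bor 0x20000000
    # The same rights as two-letter SDDL tokens: WP = SERVICE_STOP on a service object.
    $stopTokens = 'WP', 'GA', 'GX'

    # Isolate the DACL: everything after "D:" up to an optional SACL ("S:").
    if ($Sddl -cmatch 'D:(?<dacl>.*?)(S:|$)') { $dacl = $Matches['dacl'] }
    else { throw 'No DACL found in SDDL string' }

    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }          # skip malformed ACEs
        $type, $rights, $trustee = $f[0], $f[2], $f[5]

        if ($rights -match '^0x[0-9a-fA-F]+$') {
            # Rights written as a hex access mask, e.g. 0xf01ff
            $canStop = ([Convert]::ToInt64($rights, 16) -band $stopMask) -ne 0
        } else {
            # Rights written as a run of two-letter tokens, e.g. CCLCSWRPWP
            $tokens  = [regex]::Matches($rights, '..') | ForEach-Object Value
            $canStop = @($tokens | Where-Object { $_ -in $stopTokens }).Count -gt 0
        }

        if ($canStop) {
            # AceType A = allow, D = deny; a deny ACE listed here blocks stopping.
            [pscustomobject]@{ AceType = $type; Trustee = $trustee; Rights = $rights }
        }
    }
}

# Constructed sample: System (SY), Administrators (BA) and one domain group
# (made-up SID) hold full control; interactive users (IU) are read-only.
$sample = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
          '(A;;CCLCSWLOCRRC;;;IU)'
Get-ServiceStopTrustee -Sddl $sample | Format-Table -AutoSize

# Against the live service after gpupdate (display name is an assumption; adjust as needed):
# $svc = Get-Service -DisplayName 'Carbon Black Sensor*'
# Get-ServiceStopTrustee -Sddl ((sc.exe sdshow $svc.Name) -join '')
```

Any trustee in the output other than System, Administrators and the group granted in the GPO indicates the policy has not applied or another ACE still allows stopping the service.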