
EDR: How to Prevent Users From Stopping the Sensor Service

Environment

  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Objective

In a domain environment, the steps below let you limit control of the sensor service to System and one or more specific user groups.

Resolution

This configuration is outside of the EDR product. Please use it at your own discretion.

  1. On the domain controller, open Group Policy Management.
  2. Edit the GPO that applies to your devices.
  3. In the editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
  4. In the list of services you should see the Carbon Black Sensor listed. Edit this service.
  5. Check the box "Define this policy setting".
  6. Set the service startup mode to "Automatic".
  7. Click the Edit Security button.
  8. Grant full permissions to the user or group that you wish to be able to stop the service. Leave System and Administrators with full permissions.
  9. Once configured and saved, the group policy needs to be applied, which should happen after a reboot. To force an update on a specific device for testing, run: gpupdate /force
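After the policy has applied, it is worth confirming on a test machine that the startup mode and the service ACL actually match what was configured in the GPO, rather than trusting the console. The following PowerShell script is an added verification example; it is not part of this article and is not Carbon Black code. It assumes you run it in an elevated prompt on a domain-joined machine after gpupdate /force, and that the sensor's display name is "Carbon Black Sensor" as it appears in the System Services list; the internal service name is resolved at run time. It reads the service security descriptor with sc.exe sdshow, parses the SDDL with .NET, and lists every principal that holds the SERVICE_STOP right (or generic full access), flagging broad groups such as Everyone, Authenticated Users, Users and Interactive.

```powershell
# Added verification script (not from the KB article, not Carbon Black code).
# Assumptions: elevated PowerShell on a domain-joined test machine after gpupdate /force;
# the sensor's display name is 'Carbon Black Sensor' as shown under System Services.
param(
    [string]$DisplayName = 'Carbon Black Sensor'
)

# Resolve the internal service name from the display name shown in the GPO editor.
$svc  = Get-Service -DisplayName $DisplayName -ErrorAction Stop
$name = $svc.Name

# Step 6 of the procedure sets the start mode to Automatic; confirm it took effect.
# Win32_Service reports Automatic as 'Auto'.
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
Write-Host "Service '$name' start mode: $($cim.StartMode)"
if ($cim.StartMode -ne 'Auto') {
    Write-Warning "Expected start mode 'Auto' (Automatic) but found '$($cim.StartMode)'."
}

# sc.exe sdshow prints the service security descriptor in SDDL form on a line
# beginning with 'D:' (the DACL), optionally followed by 'S:' (the SACL).
$line = sc.exe sdshow $name | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $line) { throw "Could not read the security descriptor for service '$name'." }
$sddl = $line.Trim()

# Parse the SDDL with .NET so that aliases such as SY, BA, AU resolve to real SIDs.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl

# Service-specific access bits from winsvc.h. ConvertFrom-SddlString does not know
# service rights, so the mask is checked by hand.
$SERVICE_STOP = 0x0020
$GENERIC_ALL  = 0x10000000

# Broad principals that should not normally hold stop rights on an EDR sensor:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')

$findings = foreach ($ace in $sd.DiscretionaryAcl) {
    # Only access-allowed entries grant anything; deny entries are skipped here.
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

    $mask    = $ace.AccessMask
    $canStop = (($mask -band $SERVICE_STOP) -ne 0) -or (($mask -band $GENERIC_ALL) -ne 0)
    if (-not $canStop) { continue }

    $sid = $ace.SecurityIdentifier
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid.Value }   # unresolvable SID (e.g. deleted group)

    [pscustomobject]@{
        Account = $account
        SID     = $sid.Value
        Mask    = ('0x{0:X8}' -f $mask)
        Broad   = ($broad -contains $sid.Value)
    }
}

Write-Host "Principals allowed to stop service '$name':"
$findings | Format-Table -AutoSize

$weak = $findings | Where-Object { $_.Broad }
if ($weak) {
    Write-Warning ("Stop permission is granted to broad groups: " +
                   ($weak.Account -join ', ') +
                   ". Review the ACL set via Edit Security in the GPO.")
} else {
    Write-Host "No broad group holds stop rights; only the principals listed above can stop the service."
}
```

Run the script before and after gpupdate /force to see the ACL change, and keep the output from a known-good machine as a baseline. If a broad group still appears, the ACL defined in step 8 has not applied (check gpresult /r /scope:computer) or another policy or local setting is overriding it.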

Creation Date: 12-06-2018