How can I prevent users who are local administrators on their computers from stopping or disabling the Altiris Service?

Article Id: 180932
Status: Published
Updated On: 24-04-2008 10:51
Legacy Id: HOWTO7026
Products:
Management Platform (Formerly known as Notification Server)
Issue/Introduction:

 

Resolution:

Question
Can I prevent users who are local administrators on their computers from stopping or disabling the Altiris Service?

Answer

Hardening the Altiris Agent

This document outlines how to prevent Local administrators from being able to stop or disable the Altiris Agent, AClient, or Carbon Copy. While this document describes the process using Deployment Solution, it can also be done using Software Delivery.

  1. Download subinacl.exe from Microsoft's Web site (http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en) and extract it.
  2. Place Subinacl.exe into a folder under the eXpress share (that is, Tools).
  3. Set up a new job in Deployment Solution; Task 1 is to copy subinacl.exe onto the target computer into C:\windows\temp. Task 2 should run the following script:

    'vbscript
    Option Explicit
    On error Resume Next
    Dim WshShell
    Dim oShell
    Dim strServiceName(5)
    Dim strDFSPath
    Dim n
    Set oShell = CreateObject("wscript.shell")
    Set WshShell = WScript.CreateObject("WScript.Shell")
    strDFSPath = "c:\windows\temp\"
    strServiceName(0) = "Aclient"
    strServiceName(1) = "AeXNSClient"
    strServiceName(2) = "AeXNSClientTransport"
    strServiceName(3) = "CarbonCopy32"
    n = 0
    For n = 0 to 3
    WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /grant=SYSTEM=F"),0,True
    WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /revoke=Administrators"),0,True
    WshShell.run (strDFSPath & "subinacl.exe /service " & strServiceName(n) & " /revoke=" & chr(34) & "Power Users" & chr(34)),0,True
    Next