Securing Altiris Agents from Local Administrators Using Group Policy
Release: IT Management Suite versions 8.5 and 8.6
1. Go to Start>Windows Administrative Tools>Active Directory Users and Computers and create a Domain Group.
2. Go to Start>Windows Administrative Tools>Group Policy Management. In the left panel of the Group Policy Management utility, expand Domains, expand the domain you want to use, right-click Group Policy Objects, and select "New".
Choose a name and click OK.
3. In the left panel, expand Group Policy Objects, then right-click the GPO you just created (in our example, it is Allow Altiris Agent Services) and choose "Edit". The Group Policy Management Editor appears.
4. In the left panel, expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services.
5. In the right panel, double-click Symantec Management Agent to modify its Properties. Check the "Define this policy setting" box and select Automatic for the startup mode.
6. Click the "Edit Security" button. Click Add to add the groups you want to administer this service (in our case, ITMS Admin Group from Step 1 above). Click OK.
7. Modify the INTERACTIVE account so that it has only Read permission.
8. Modify the groups you added in Step 6 so that they have Full Control. (All other needed rights will be added automatically.)
9. Click OK in the security windows and OK in the agent Properties window. Close the Computer Configuration window.
10. Apply your newly created group policy to whatever computer OUs you wish to protect.
Anyone who is not a member of the groups you specified in Step 2 will not be able to disable, stop, or restart the service. When they open the Services console, they will see that the options to start, stop, pause, resume, and restart are all greyed out.
However, when you log in as a member of a group that has access, you can manage the service as normal. You can also use "Run as" to open the services.msc MMC as a group member who is allowed to modify the service. This may come in handy if you have users or groups such as IS that are local administrators and have been found to disable your Altiris services. Now they can still be administrators, just not of the Altiris service.
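To confirm on a client that the policy took effect, the following added example (not part of the original article or of Symantec's tooling) parses a service security descriptor and lists which principals still hold start, stop, or reconfigure rights. It assumes the agent's service name is AeXNSClient (confirm with Get-Service); the function name, the sample SDDL string, and the group SID in it are constructed for illustration.

```powershell
# Added example: audit a service DACL for principals that can control the service.
# Assumption: 'AeXNSClient' is the agent's service name; confirm with Get-Service.
$ServiceName = 'AeXNSClient'

# Service-specific and standard access rights (values from winsvc.h / winnt.h).
$ControlRights = [ordered]@{
    ChangeConfig  = 0x00002   # SERVICE_CHANGE_CONFIG
    Start         = 0x00010   # SERVICE_START
    Stop          = 0x00020   # SERVICE_STOP
    PauseContinue = 0x00040   # SERVICE_PAUSE_CONTINUE
    Delete        = 0x10000   # DELETE
    WriteDac      = 0x40000   # WRITE_DAC
    WriteOwner    = 0x80000   # WRITE_OWNER
}

# Hypothetical helper: returns one object per allow ACE in the SDDL's DACL.
function Get-ServiceControlAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant rights; skip deny and audit entries.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $held = @($ControlRights.Keys | Where-Object { $ace.AccessMask -band $ControlRights[$_] })
        $sid  = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: report it raw
        [pscustomobject]@{
            Principal     = $name
            Sid           = $sid.Value
            ControlRights = $held -join ','
            ReadOnly      = ($held.Count -eq 0)
        }
    }
}

# Constructed sample SDDL (not from a real host): INTERACTIVE read-only, SYSTEM and
# a placeholder domain group SID with full control.
$sample = 'D:(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

# On a managed host, read the live descriptor instead:
#   $sample = ((sc.exe sdshow $ServiceName) -join '').Trim()
$report = Get-ServiceControlAce -Sddl $sample
$report | Format-Table -AutoSize

# After the GPO applies, INTERACTIVE (S-1-5-4) should appear as read-only.
$bad = $report | Where-Object { $_.Sid -eq 'S-1-5-4' -and -not $_.ReadOnly }
if ($bad) { Write-Warning "INTERACTIVE can still control $ServiceName" }
```

Any principal other than SYSTEM and the group from Step 1 that shows WriteDac, WriteOwner, or ChangeConfig in the report is worth reviewing, since those rights allow the service's permissions or configuration to be changed.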