EDR: How to Prevent Users From Stopping the Sensor Service

Article ID: 288803

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

In a domain environment, the steps below let you restrict control of the sensor service to System and one or more specific user groups.

Environment

  • EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

This configuration is outside of the EDR product. Please use at your own discretion.
  1. On the domain controller open Group Policy Management. 
  2. Edit the GPO that applies to your devices.
  3. In the editor navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services 
  4. Within the services menu you should see the Carbon Black Sensor listed; edit this service.
  5. Check the box to define this policy setting.
  6. Set the service to startup mode "Automatic". 
  7. Click the Edit Security button.
  8. Grant full permissions to the user or group that should be able to stop the service; leave System and Administrators with full permissions.
  9. Once configured and saved, the group policy will need to be updated which should happen after a reboot, or you can force an update on a specific device for testing using the command: gpupdate /force