McAfreeFramework Service Lockdown

[Tony]

Has anyone here used gpo to restrict stop/start/pause right for
McAfeeFramework service for local machine's administrators? Basically, we
removed the local administrators group from the McAfeeFramework service ACL
and we noticed strange problem afterward (Autoupdate failed to function
correctly with certain machines). Does anyone has the right access needed
to prevent local admins tampering with it? Thanks.


Note: We had similar services lockdown with McShield and SMS and they
appeared fine.

 

[Oli Restorick [MVP]]

The idea of a restricted administrator is nonsense. There is no way to
restrict an administrator from doing anything. You can break things and
make things more complicated in the hope that your administrators won't know
how to get around it, but an ACL certainly isn't going to help you.

Oli

 

[Itsme]

Maybe a better solution would be restricting users from having local admin
rights.

 

[Tony]

I know it goes beyond conventional wisdom by trying to revoking
administrators access. In this case, the change is the service security
descriptor via GPO. There are third party products that protects services,
files, or other resources. McAfee's Entercept has the ability to lock down
a service regardless if you're administrator to the local box. Files can
be locked down similiarly. We just want to utilize GPO to get similar
result. We understand the removal of the admin. right of the account that
is expected to have those right could cause havoc. What I want to know is
if someone have done it successfully.

The idea of a restricted administrator is nonsense. There is no way to
restrict an administrator from doing anything. You can break things and
make things more complicated in the hope that your administrators won't know
how to get around it, but an ACL certainly isn't going to help you.

Oli