Windows Services Permissions

Here's a question ...

Is it possible to deny a network of users access to their local services ie;
so that they cannot stop or start any services on their computer but still
allow the service to start so that it's associate application can run.

The scenario here is we have corporate anti-virus software installed and
some of our users don't like this because they feel the antivirus solution
slows down their computer and to get around this they disable the antivirus
service that runs the antivirus software.

What I would like to do is define a policy in the GPMC (Group Policy
Management Console - Windows 2003 Server) to prevent all users on the
network access to the antivirus service on their computer. I tested this
quite recently by defining a GPO for the services and setting Everyone deny
rights to the antivirus service. When the group policy got updated, nobody
had access to the service (which was a good thing) but, the antivirus
service also failed to run which resulted in the antivirus software not
performing as it should.

The antivirus services mainly uses the LocalSystem account. Can anyone
suggest if it's possible to alter the service's permissions in such a way by
defining a GPO to prevent user access to stop/start the service but allowing
it to start when the operating system loads so that the antivirus program
still runs as expected?

Regards
Craig

Hi Craig,

As long as users are local administrators on their computers -- they will be
able to do whatever they want. Now they stop the service -- but if you take
that permission away from them (you could do that) they will just load up
e.g. task manager and kill the applications such as antivirus...

Best solution in this case would be to make users local users (and not
administrators) on their computers. This will prevent them from stopping
services and killing applications etc... It will also add a lot to security
of your network since less spyware will get installed on the computers and
potential viruses will not get executed or installed...

--
Mike
Microsoft MVP - Windows Security

"Craig Mann" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Here's a question ...
>
> Is it possible to deny a network of users access to their local services
> ie; so that they cannot stop or start any services on their computer but
> still allow the service to start so that it's associate application can
> run.
>
> The scenario here is we have corporate anti-virus software installed and
> some of our users don't like this because they feel the antivirus solution
> slows down their computer and to get around this they disable the
> antivirus service that runs the antivirus software.
>
> What I would like to do is define a policy in the GPMC (Group Policy
> Management Console - Windows 2003 Server) to prevent all users on the
> network access to the antivirus service on their computer. I tested this
> quite recently by defining a GPO for the services and setting Everyone
> deny rights to the antivirus service. When the group policy got updated,
> nobody had access to the service (which was a good thing) but, the
> antivirus service also failed to run which resulted in the antivirus
> software not performing as it should.
>
> The antivirus services mainly uses the LocalSystem account. Can anyone
> suggest if it's possible to alter the service's permissions in such a way
> by defining a GPO to prevent user access to stop/start the service but
> allowing it to start when the operating system loads so that the antivirus
> program still runs as expected?
>
> Regards
> Craig
>
>
>
>
>