
CSA 5.0 - how to allow only admins to be able to stop the csagent service

mshell
Level 1

In CSA 4.0 and 4.5 it was very easy to enable an Agent Service Control rule to allow only administrators the ability to stop the CSAgent service. However, in CSA 5.0, that checkbox has been removed from the Agent Service Control rule screen. You can assign rules to a module which is tied to a User State, but I've done a substantial amount of testing, and I can't get it to work. I opened a TAC case on it, and I was told that Agent Service Control rules cannot recognize User States. Has anyone found a workaround?

7 Replies

Patrick Laidlaw
Level 4

I did not realize that the Agent Service Control rules didn't recognize States in 5.0. I'll have to go look at my install again.

Patrick

Hi

I've also been testing this for some time now - and I just found your post on the forum.

Did I get this right?

With CSA 5.0 it is not possible to challenge Users and/or Administrators before the Agent Service is stopped or deactivated.

Does it not work to create a "Windows Rule module - which checks the User States of Administrators"?

Then on this Windows Rule Module

- to add Rules for the "Agent Service Control"

with a "Query User" Default action = Agent Service Control - Stop Agent Service - With Challenge

I've been trying for a while now, but it does not seem to work...

I would be grateful for any feedback.

Greetings

Jarle

I applied the .187 hotfix to the CSA 5.0.176 I had installed.

I was looking at the rule for the query action on "All Applications, disable the agent security".

It is located in the "Required System Module".

However, after applying the "hotfix" the CSA created a new group called "All Windows", which is different than the "" group where all of my hosts are located.

Now, this new group "All Windows" stole the "Application Classification" and the "Operating Systems - Base Permissions" policies away from my original group "", so in essence these two policies were no longer being applied.

I had to manually add these two policies back into the "" group where all of my hosts are.

So check the rule, check what policy it's in, check what group the policy is assigned to. It may not be attached to anything, like in my case.

I believe I might've found a workaround...

I cloned the "Required System Module", renamed it "Admin Required System Module", then changed the State Conditions for the latter to apply only on the User State "Administrators", then changed the former to apply only on User State "Non-Administrators". I had to modify the individual rules for Agent control to reflect the different situations.

The only issue I'm running into now is discovering what groups I can pull from. It appears like my domain groups will not pull into a User State. Also, I added my account to the Administrators group in Windows (I'm not actually a Domain Admin), but I still am not able to disable CSA. In order for my account to do it, I have to add my account into the User part of the User State settings.

However, that should allow you to start tinkering with this.

Update to the previous post... I was able to get my domain groups to recognize in the User State.

How to achieve the same with the local machine user?

Use the Administrators group for the User State.

Tom