In a typical Tivoli Endpoint Manager (TEM, aka BigFix) deployment, end users should not have administrative rights; otherwise they can simply uninstall the TEM agent or stop the TEM agent service.
TEM Clients listen for UDP commands sent to them by their parent Relay or Server. Often these UDP notifications do not reach the TEM Client, for example when UDP is blocked by a firewall or the network is heavily loaded. For such cases the TEM Client is configured to poll its parent Relay or Server periodically and check whether there is any command waiting for it.
If the TEM agent service is stopped, the machine is grayed out in the TEM console once the default client poll interval has elapsed (typically every 4 hours). For secure endpoint management we therefore need to prevent users from disabling the TEM (BigFix) agent.
On Windows, we can prevent the TEM Client service from being stopped or disabled by removing the Administrators group's start/stop rights from the service's security descriptor (sc sdset).
We can also configure the Service Control Manager to restart the service automatically if its process is killed (sc failure). Keep in mind that a local administrator can still work around both measures (for example by running as SYSTEM, editing the service's registry key, or writing the descriptor back), so this raises the bar rather than forming a security boundary; not granting users administrative rights in the first place remains the real control.
DENY Administrators from starting/stopping the BESClient service. Note that the descriptor below does not add a deny ACE; it simply omits the Administrators (BA) allow ACE, so administrators are left with only the Authenticated Users (AU) read/query rights, while SYSTEM (SY) and Power Users (PU) keep start/stop/pause (RP/WP/DT). Drop the PU ACE as well if that group is in use on your endpoints:
cmd.exe /c sc failure besclient reset= 1 actions= restart/5000
cmd.exe /c sc sdset besclient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
ALLOW Administrators to start/stop the BESClient service (the default descriptor, which grants BA full control):
cmd.exe /c sc failure besclient reset= 1 actions= restart/5000
cmd.exe /C sc sdset BESClient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Restoring the original security descriptor is a little harder if it was not saved beforehand. One way is to use a third-party CLI tool called SCAcl, followed by clearing the failure actions:
scacl besclient /Q /T /I
sc failure besclient reset= 0 actions= none
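The whole procedure above (harden, verify, restore) as one added PowerShell example; this is not code from the original post or from IBM/BigFix. It avoids the third-party tool by saving the current descriptor with sc sdshow before hardening, so the restore step is just sc sdset with the saved string. The function names, the backup path and the verification logic are my own choices; the SDDL strings and sc failure arguments are the ones from the post. Run from an elevated PowerShell.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell.
# Note: in PowerShell plain "sc" is an alias for Set-Content, so sc.exe is used.
$Service    = 'BESClient'
$BackupFile = "$env:ProgramData\BESClient-sddl.bak"   # assumed backup location

# Hardened descriptor from the post: SY and PU keep start/stop/pause (RP/WP/DT),
# AU (and therefore Administrators) only get query/read rights; no BA ACE at all.
$HardenedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe sdshow prints the SDDL surrounded by blank lines; join them away.
    $out = (sc.exe sdshow $Name) -join ''
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    return $out.Trim()
}

function Test-AdminCanStop {
    param([string]$Sddl)
    # $true if an allow ACE for BA or AU still carries a right that permits stopping
    # the service: WP (stop), DT (pause/continue), GX (generic execute) or GA (all).
    foreach ($ace in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'          # type;flags;rights;objguid;inhguid;sid
        if ($f[0] -ne 'A' -or -not (@('BA', 'AU') -contains $f[5])) { continue }
        $rights = [regex]::Matches($f[2], '..') | ForEach-Object { $_.Value }   # 2-char tokens
        foreach ($r in 'WP', 'DT', 'GX', 'GA') {
            if ($rights -contains $r) { return $true }
        }
    }
    return $false
}

function Protect-BesClient {
    # 1. Save the current descriptor once; this is what makes restoring trivial later.
    if (-not (Test-Path $BackupFile)) {
        Get-ServiceSddl $Service | Set-Content -Path $BackupFile -Encoding Ascii
    }
    # 2. Restart 5 s after an unexpected exit; reset the failure counter after 1 s.
    sc.exe failure $Service reset= 1 actions= restart/5000 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc failure $Service failed" }
    # 3. Apply the hardened DACL.
    sc.exe sdset $Service $HardenedSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Service failed" }
    # 4. Verify that no admin-reachable allow ACE can still stop the service.
    $now = Get-ServiceSddl $Service
    if (Test-AdminCanStop $now) { throw "Administrators can still stop $Service : $now" }
    return "Hardened: $now"
}

function Restore-BesClient {
    # Write the saved descriptor back and clear the failure actions (the post's restore step).
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; use SCAcl instead" }
    $orig = (Get-Content -Path $BackupFile -Raw).Trim()
    sc.exe sdset $Service $orig | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Service failed" }
    sc.exe failure $Service reset= 0 actions= none | Out-Null
    return "Restored: $(Get-ServiceSddl $Service)"
}

Protect-BesClient
# Restore-BesClient   # run this to undo
```

Two points worth knowing when using this: Test-AdminCanStop returns $true for the default descriptor (the BA ACE carries WP) and $false for the hardened one, so the check fails loudly if sdset silently did not take. And sc failure actions only fire when the process terminates without reporting a stop to the Service Control Manager (a crash or taskkill /f); a clean net stop is not a failure, which is why the descriptor change, not the restart action, is what actually blocks an administrator's stop request.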
Rather than relying on third-party tools for the rest of the hardening, I suggest also applying the following Fixlets provided OOTB with TEM (the first three keep users from uninstalling the client via Add/Remove Programs; 591 installs the watchdog):
ID  | Name                                                                  | Site
251 | Hide BES Clients from the Add/Remove Programs List - BES Client < 8.0  | BES Support
325 | Hide BES Clients from the Add/Remove Programs List - MSI               | BES Support
713 | Hide BES Clients from the Add/Remove Programs List - BES Client >= 8.0 | BES Support
591 | Install BES Client Helper Service                                      | BES Support
You should also apply the client helper Fixlet 591, which installs a watchdog service that starts the BESClient again even if it has been stopped or disabled.