Topic
  • 16 replies
  • Latest Post - ‏2013-05-18T04:23:53Z by Yuvaraj_Devadass
chipjnr
chipjnr
2 Posts

Pinned topic Locking Down BES Client Service

‏2006-11-16T10:41:24Z |
Hi,

Some users set the BES Client service to disabled/manual to prevent the workstations rebooting after patches have been deployed. I'd like to lock down the BES Client service so they can't change the Startup type or Stop the service.
The user would be local administrator on the box so can this be done?

Regards,
Neil
  • SystemAdmin
    SystemAdmin
    757 Posts

    Re: Locking Down BES Client Service

    ‏2006-11-16T21:18:56Z  
    Hi Neil,

    I don't believe Windows will let you stop an administrator from being able to modify services in this way.

    The best you could do is have another service restart the BES Client if an administrator does this.
  • BenKus
    BenKus
    480 Posts

    Re: Locking Down BES Client Service

    ‏2006-11-16T21:37:09Z  
    Hey Neil,

    Tyler is correct and an administrator has full-authority on the computer by design. Any trick you put in place can be undone by a determined administrator.

    Some tools put in place "uninstall passwords" or hook the OS to prevent shutdown of services, but not only are these defeatable, but they are potentially destabilizing. They can also cause extra administrative overhead which can be annoying and costly.

    Note that you will always see the "Last Report Time" of computers and if you are using BES Asset Discovery, you can find computers with the agent turned off.

    Also, we have built a solution in the past where we have a "watcher" application that will start the BES Client if it is stopped. I can send you info on this if you would like.

    Ben
  • chipjnr
    chipjnr
    2 Posts

    Re: Locking Down BES Client Service

    ‏2006-11-17T09:19:33Z  
    Hi Tyler/Ben,

    Thanks for your replies. Could you please send me on the info regarding the watcher application?
    neil.murphy@c2kni.net

    I had initially set the Recovery action to restart the service but the administrator changed the service startup type to disabled.

    Thanks,
    Neil
  • StacyLee
    StacyLee
    12 Posts

    Re: Locking Down BES Client Service

    ‏2006-11-17T17:51:40Z  
    If your computers are in an Active Directory Domain you could force the BES Client Service setting to automatic via GPO. The local administrator could still stop and disable it but it would be set back to automatic upon the next GPO refresh. I'm not sure if the service would restart with the restart failure setting though.
  • go4u
    go4u
    4 Posts

    Re: Locking Down BES Client Service

    ‏2007-02-10T06:36:35Z  
    Hi Ben, could you send a copy of the "watcher" application to my email listed in the forum? Thanks!
  • rkc91
    rkc91
    11 Posts

    Re: Locking Down BES Client Service

    ‏2007-04-04T17:42:42Z  
    Ben

    Is there a way to change the time on this fixlet from 30 seconds to 1 hour?
    rkc
  • SystemAdmin
    SystemAdmin
    757 Posts

    Re: Locking Down BES Client Service

    ‏2007-04-05T20:20:34Z  
    Here's an updated version of the client watcher that will take a command line argument for the wait time.

    http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe

    To set it to an hour you would run it like this:
    besclientwatcher-1.2.exe -w 3600

    Would someone be willing to change the Fixlet to make use of this?
  • go4u
    go4u
    4 Posts

    Re: Locking Down BES Client Service

    ‏2007-04-19T03:34:55Z  
    The version of besclientwatcher-1.1.exe is "1.1.0.0",
    but the version of besclientwatcher-1.2.exe is "0.0.0.0"?

    So maybe the version part of besclientwatcher-1.2.exe needs to change, because when besclientwatcher-1.1.exe exists, we could replace it with a newer one such as 1.2.
  • go4u
    go4u
    4 Posts

    Re: Locking Down BES Client Service

    ‏2007-04-19T06:55:06Z  
    Try this,
    action part:

    // enter the time
    action parameter query "time" with description "Please enter your desired time (seconds)" and with default value "60"

    // check to see if the watcher was downloaded already... if so, run it silently..
    if {exists file "besclientwatcher.exe" of parent folder of regapp "besclient.exe"}
        runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe" -w "{parameter "time" of action}"
    else
        // if not already downloaded, download and run silently...
        prefetch besclientwatcher.exe sha1:5c0b057c37e3f23e987ee2472187e0a9324aaea7 size:1282114 http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe
        copy __download\besclientwatcher.exe "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe"
        runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe" -w "{parameter "time" of action}"
    endif

    I tested it. It works OK!
  • mc116991
    mc116991
    1 Post

    Re: Locking Down BES Client Service

    ‏2007-09-18T16:50:12Z  
    You can prevent admins from stopping or changing the properties of the service by setting permissions on the service itself at the domain level. Create a domain group and add to it any members that should not have access to start/stop/pause BES Client service. Then set the permissions for this service so this group has an explicit deny. This will override any allow that their admin permissions might have. Deny always wins. We use this with great success--many of our users are admins and they just love to disable AV...
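
The explicit-deny approach described in the post above, sketched in PowerShell as an added example (it is not from the thread or from BigFix). It assumes the service's short name is `BESClient` and uses a hypothetical domain group `CONTOSO\BES-NoServiceControl`; without `-Apply` it only prints the descriptor it would set.

```powershell
# Added example, not from the thread. Assumptions: the service short name is
# 'BESClient' and 'CONTOSO\BES-NoServiceControl' is a hypothetical domain group.
param(
    [string]$ServiceName = 'BESClient',
    [string]$GroupName   = 'CONTOSO\BES-NoServiceControl',
    [switch]$Apply
)

# Resolve the group name to its SID; SDDL ACEs identify trustees by SID.
$account = New-Object System.Security.Principal.NTAccount($GroupName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# sc.exe sdshow prints the service security descriptor as one SDDL string.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join ''
if ($sddl -notmatch '^D:') { throw "Could not read the DACL of ${ServiceName}: $sddl" }

# Explicit deny of DC (change config), WP (stop) and DT (pause/continue).
$denyAce = "(D;;DCWPDT;;;$sid)"
if ($sddl.Contains($denyAce)) {
    Write-Output "Deny ACE for $GroupName is already present."
    return
}

# Access checks evaluate ACEs in order, so the deny goes right after the "D:"
# header (and any flags such as P or AI), ahead of the existing allow ACEs.
$newSddl = $sddl -replace '^(D:[A-Z]*)\(', ('${1}' + $denyAce + '(')
if ($newSddl -eq $sddl) { throw "No ACE list found in: $sddl" }

Write-Output "Current: $sddl"
Write-Output "New:     $newSddl"

if ($Apply) {
    # Write the modified descriptor back to the service.
    & sc.exe sdset $ServiceName $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
}
```

Keep the accounts that manage the BES Client out of the denied group, since the deny ACE applies to them as well. As BenKus notes earlier in the thread, a determined administrator can still undo this, here by taking ownership of the service and rewriting its DACL.
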
  • BenKus
    BenKus
    480 Posts

    Re: Locking Down BES Client Service

    ‏2008-12-24T01:42:00Z  
    FYI... This could help:
    http://forum.bigfix.com/viewtopic.php?id=2701
  • BenKus
    BenKus
    480 Posts

    Re: Locking Down BES Client Service

    ‏2011-12-08T18:12:52Z  
    Hi go4u,

    I am attaching a Fixlet that will download and run the client watcher program. If the client watcher is running, it will take care of restarting the BES Client service if it is stopped and it also will change the status from "Manual" or "Disabled" back to "Automatic". More information is in the Fixlet text.

    Some of my tests showed that the logging wasn't being written out properly and I will investigate further, but it appears to work other than that.

    You must be logged in as your user account to see the attached Fixlet.

    Note that this has not been extensively tested and is provided "as-is" with no guarantees.

    Let me know if you see any issues,
    Ben
  • Yuvaraj_Devadass
    Yuvaraj_Devadass
    3 Posts

    Re: Locking Down BES Client Service

    ‏2013-05-11T12:53:18Z  
    Hi,

    I have built the Fixlet with the script below, but when I take action it fails. Please check the script. Thanks in advance.

    //enter the time action parameter query  "time" with  description "Please enter your desired time (seconds)" and with default value "60"
    // check to see if the  watcher was downloaded already... if so, run it sliently..
    if {exists file "besclientwatcher.exe" of parent folder of regapp "besclient.exe"}
    runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe" -w  "{parameter "time" of action}" // if not already downloaded, download and run silently...
    else prefetch besclientwatcher.exe sha1:5c0b057c37e3f23e987ee2472187e0a9324aaea7 size:1282114  http://support.bigfix.com/download/bes/util/besclientwatcher-1.2.exe
    copy __download\besclientwatcher.exe"{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe"
    runhidden "{pathname of parent folder of regapp "besclient.exe"}\besclientwatcher.exe"  -w  "{parameter "time" of action}"
    endif

  • Yuvaraj_Devadass
    Yuvaraj_Devadass
    3 Posts

    Re: Locking Down BES Client Service

    ‏2013-05-16T13:04:44Z  
    Hi Ben,

    When I import the watcher.bes file in the TEM console, I get the error below.

    ---------------------------
    Content Import Error
    ---------------------------
    The content in 'attachment_14745116_client_watcher.bes' could not be imported.

     

    XML parsing error:

      '>' expected.

      Line 84, Character 22
    ---------------------------
    OK  
    ---------------------------

  • BenKus
    BenKus
    480 Posts

    Re: Locking Down BES Client Service

    ‏2013-05-17T22:04:10Z  

    I just tried it again and it worked... You might look at the .bes (xml) file to see if it looks formatted properly... it is possible some network filtering device changed it when you downloaded it?


    Ben

  • Yuvaraj_Devadass
    Yuvaraj_Devadass
    3 Posts

    Re: Locking Down BES Client Service

    ‏2013-05-18T04:23:53Z  
    Thanks Ben! I am able to view the script now… and it's working fine. One more thing: after the system reboots, besclientwatcher.exe is not running on the endpoints. Do we have any solution for that? Thanks in advance.