0

I have a service that should never be stopped and am looking into different ways to prevent stopping the process. This is a managed environment connected to Active Directory.

Is there any Windows-based technique or McAfee EPO solution that can assist in preventing the process from being stopped (or restarting it once stopped)?

The service is running as LocalSystem.

makerofthings7

3 Answers

1

Every service can be secured to allow certain operations on it, such as starting and stopping.

To show the permissions of a service use:

sc.exe sdshow servicename

It shows something fairly cryptic like:

D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)

You can now use sc.exe sdset ... to change permissions, but you need to understand / learn this security descriptor language.

When I quickly need to change permissions on services, I'd rather use Process Hacker. It gives you a GUI option to set permissions on services: select the Services tab, find your service, and on the Security tab of its properties you can remove permissions for administrators.

I would make sure that at least one user/group still has full access to the service. Also Local System usually should retain its permissions, otherwise the system/service control manager can't manage the service anymore.

If an admin without permissions wants to stop the service, he/she can still start a process under Local System and then stop the service; I don't think you can prevent that.

Also, this is all about starting and stopping services; an administrator may still be able to kill the process for the service even if he/she doesn't have permissions to the service itself.

The best option is to have as few administrators as possible and restrict what people can do, using something like Just-Enough-Administration.

Peter Hahndorf
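To read the `sc.exe sdshow` output from the answer above before changing it with `sdset`, the following added example (not part of the original answer) decodes the DACL and lists which trustees hold the stop, start and WRITE_DAC rights. The names `parse_dacl`, `trustees_with` and `HARDENED_SDDL` are hypothetical, and the per-trustee evaluation is a simplification that ignores group membership and the owner's implicit rights.

```python
import re

# SDDL right codes as they apply to a service object (winsvc.h / winnt.h masks).
RIGHTS = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008,  # query/change config, status, dependents
    "RP": 0x0010, "WP": 0x0020, "DT": 0x0040, "LO": 0x0080,  # start, stop, pause/continue, interrogate
    "CR": 0x0100,                                            # user-defined control
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,  # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER
    "KA": 0xF003F,  # KEY_ALL_ACCESS; on a service these bits include start, stop and WRITE_DAC
}
SERVICE_START, SERVICE_STOP, WRITE_DAC = 0x0010, 0x0020, 0x40000

# The descriptor shown in the answer above.
PAGE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
             "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)")
# Constructed for this example: Administrators reduced to query/start, Local System kept.
HARDENED_SDDL = "D:(A;;CCLCRPRC;;;BA)(A;;CCLCRPWPRC;;;SY)"

def parse_dacl(sddl):
    """Return [(ace_type, trustee, access_mask)] for the D: part of a service SDDL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        raise ValueError("no DACL found in descriptor")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)          # rights may also be given as a hex mask
        else:
            if len(rights) % 2 or any(c not in RIGHTS for c in re.findall("..", rights)):
                raise ValueError("unknown rights string: " + rights)
            mask = 0
            for code in re.findall("..", rights):
                mask |= RIGHTS[code]
        aces.append((ace_type, trustee, mask))
    return aces

def trustees_with(sddl, mask):
    """Trustees whose allow ACEs, minus their own deny ACEs, contain every bit of mask."""
    allow, deny = {}, {}
    for ace_type, trustee, ace_mask in parse_dacl(sddl):
        if ace_type in ("A", "D"):
            table = allow if ace_type == "A" else deny
            table[trustee] = table.get(trustee, 0) | ace_mask
    return sorted(t for t, m in allow.items() if (m & ~deny.get(t, 0)) & mask == mask)

if __name__ == "__main__":
    for name, sddl in (("page", PAGE_SDDL), ("hardened", HARDENED_SDDL)):
        print(name, "stop:", trustees_with(sddl, SERVICE_STOP),
              "rewrite DACL:", trustees_with(sddl, WRITE_DAC))
```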
0

Why don't you try running the process as a service? Services shouldn't be able to just get stopped.

SenorWaffels
0

Only administrators can stop processes created by another user (or by system).

Limit the administrators' rights and users won't be able to kill the process; otherwise you'll have to try to block a lot of things (killing the process, stopping the service, ...).

Swisstone