https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321078#M82188 <P>Hi,</P><P>We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager.</P><P>&nbsp;</P><P>Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have).</P><P>&nbsp;</P><P>Does anyone have any ideas on how we can stop this behaviour?</P><P>&nbsp;</P><P>Cheers,</P><P>Shannon</P> Mon, 06 Apr 2020 23:32:39 GMT SARowe_NZ 2020-04-06T23:32:39Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321078#M82188 <P>Hi,</P><P>We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager.</P><P>&nbsp;</P><P>Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have).</P><P>&nbsp;</P><P>Does anyone have any ideas on how we can stop this behaviour?</P><P>&nbsp;</P><P>Cheers,</P><P>Shannon</P> Mon, 06 Apr 2020 23:32:39 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321078#M82188 SARowe_NZ 2020-04-06T23:32:39Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321091#M82190 <P>Hi,</P><P>&nbsp;</P><P>With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect. Or you can also set a time limit after which GlobalProtect tries to connect back to the portal / gateway. You can find more information here:&nbsp;<A href="https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-for-windows/disable-the-globalprotect-app-for-windows.html" target="_blank">https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-for-windows/disable-the-globalprotect-app-for-windows.html</A></P><P>&nbsp;</P><P>Regards,</P><P>Varun</P> Tue, 07 Apr 2020 00:48:36 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321091#M82190 vathreya 2020-04-07T00:48:36Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321093#M82192 <P>We also a new GP Space and would encourage you to post there moving forward <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/GlobalProtect/ct-p/GlobalProtect" target="_blank">https://live.paloaltonetworks.com/t5/GlobalProtect/ct-p/GlobalProtect</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Varun</P> Tue, 07 Apr 2020 00:49:36 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321093#M82192 vathreya 2020-04-07T00:49:36Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321095#M82193 <P>Thanks Varun,</P><P>"<SPAN>With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect."</SPAN></P><P><SPAN>Will that also prevent users from stopping the actual GP service? We already have it configured to stop users from disabling it through the GP App, and that works, but they have found they can simply go into services.msc and disable the service, then kill the GP app through task manager. This effectively allows them to completely turn off GP.</SPAN></P><P>&nbsp;</P><P><SPAN>The only difference there is we are currently using agent version 4.1.x not 5.1.</SPAN></P> Tue, 07 Apr 2020 00:58:17 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/321095#M82193 SARowe_NZ 2020-04-07T00:58:17Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322043#M82398 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58478">@SARowe_NZ</a>&nbsp;</P><P>&nbsp;</P><P>I do not think that there is a standard option (I did not find any at least) that would allow you to prevent users from disabling PanGPS service using the method you mentioned.</P><P data-unlink="true">I would propose you to enable User Account Control&nbsp;and to use domain/local Windows Group Policy settings&nbsp;to disable an access to Windows administrator's tools like 'services.msc' for standard users. It is also possible to prevent&nbsp;IT admins to stop particular service too. Search for 'group policy prevent user to stop service' to find how to do it.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 Apr 2020 01:28:38 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322043#M82398 DanilaKh 2020-04-10T01:28:38Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322380#M82469 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58478">@SARowe_NZ</a>,</P><P>&nbsp;</P><P>PA GP settings can not control the actions taken under services.msc on end system. Best way is to make restriction on the endpoints through Windows Group policy.</P><P>&nbsp;</P><P>Hope it helps!</P><P>&nbsp;</P><P>Mayur</P> Sun, 12 Apr 2020 13:20:26 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322380#M82469 SutareMayur 2020-04-12T13:20:26Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322533#M82489 <P>Hi,</P><P>Thanks for the replies.</P><P>I also found this article:&nbsp;<A href="http://michlstechblog.info/blog/windows-set-permissions-on-a-service/" target="_blank">http://michlstechblog.info/blog/windows-set-permissions-on-a-service/</A></P><P>This will resolve the issue but need to find a way to deploy it easily (eg via GPO). I will take a bit more detailed look at your suggestions as suspect a combination will provide the answer.</P><P>Surprised PAN don't have tamper protection enabled natively, like is available in Traps.</P><P>Thanks again,</P><P>Shannon</P> Mon, 13 Apr 2020 20:07:17 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/322533#M82489 SARowe_NZ 2020-04-13T20:07:17Z https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/378673#M89501 <P>I am very surprised too!</P><P>Tamper protection must be a basic feature for any endpoint products such as AVs and VPN clients. Remember, we are doing all this VPN connection to make sure that we have full control over internet traffic and policies. If a user can easily stop the service and GP process the goal is not achieved even if it is for a few minutes.</P><P>I do understand that if a user does not have admin rights this becomes difficult or impossible to do but again, there should be a built in function for GP service for tamper protection regardless of whether or not the end users have admin rights!</P><P>&nbsp;</P> Fri, 08 Jan 2021 18:49:34 GMT https://live.paloaltonetworks.com/t5/general-topics/users-disabling-gp-through-services-msc/m-p/378673#M89501 Shahin.A 2021-01-08T18:49:34Z