Users disabling GP through services.msc

SARowe_NZ
L3 Networker

Hi,

We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager.

Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have).

Does anyone have any ideas on how we can stop this behaviour?

 

Cheers,

Shannon

vathreya
L3 Networker

Hi,

With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect. Or you can also set a time limit after which GlobalProtect tries to connect back to the portal / gateway. You can find more information here: https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-f...

Regards,

Varun

vathreya
L3 Networker

We also have a new GP Space and would encourage you to post there moving forward.

https://live.paloaltonetworks.com/t5/GlobalProtect/ct-p/GlobalProtect

Regards,

Varun

SARowe_NZ
L3 Networker

Thanks Varun,

"With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect."

Will that also prevent users from stopping the actual GP service? We already have it configured to stop users from disabling it through the GP App, and that works, but they have found they can simply go into services.msc and disable the service, then kill the GP app through task manager. This effectively allows them to completely turn off GP.

The only difference there is we are currently using agent version 4.1.x not 5.1.

DanilaKh
L2 Linker

Hello @SARowe_NZ

I do not think that there is a standard option (I did not find any at least) that would allow you to prevent users from disabling the PanGPS service using the method you mentioned.

I would suggest that you enable User Account Control and use domain/local Windows Group Policy settings to disable access to Windows administrator tools like 'services.msc' for standard users. It is also possible to prevent IT admins from stopping a particular service too. Search for 'group policy prevent user to stop service' to find out how to do it.

SutareMayur
L6 Presenter

@SARowe_NZ,

PA GP settings cannot control the actions taken under services.msc on the end system. The best way is to apply restrictions on the endpoints through Windows Group Policy.

Hope it helps!

Mayur

Mayur S.

SARowe_NZ
L3 Networker

Hi,

Thanks for the replies.

I also found this article: http://michlstechblog.info/blog/windows-set-permissions-on-a-service/

This will resolve the issue but I need to find a way to deploy it easily (e.g. via GPO). I will take a bit more detailed look at your suggestions as I suspect a combination will provide the answer.

Surprised PAN don't have tamper protection enabled natively, like is available in Traps.

Thanks again,

Shannon
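
An added example, not part of any post in this thread and not Palo Alto Networks code: a PowerShell audit that reads a service's security descriptor with `sc.exe sdshow` and lists which principals hold rights to stop or reconfigure it, which is what the service-permissions approach in the linked article changes. The service name `PanGPS` comes from the thread; treating only SYSTEM and Administrators as expected holders, and the sample SDDL in the comment, are assumptions.

```powershell
# Audit which principals may stop or reconfigure a Windows service.
# Example SDDL for an offline run (constructed, not from a real endpoint):
#   -Sddl 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPLOCRRC;;;AU)'
param(
    [string]$Name = 'PanGPS',   # service named in this thread
    [string]$Sddl               # optional: audit a saved descriptor instead
)

# Access-mask bits that allow stopping, disabling or re-permissioning a service.
$Risky = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002   # e.g. set start type to Disabled
    SERVICE_STOP          = 0x00000020
    DELETE                = 0x00010000
    WRITE_DAC             = 0x00040000   # can rewrite these permissions
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_EXECUTE       = 0x20000000   # maps to start/stop/pause
    GENERIC_WRITE         = 0x40000000   # maps to change-config
}
# Assumption: only SYSTEM and BUILTIN\Administrators should hold these rights.
$Expected = 'S-1-5-18', 'S-1-5-32-544'

function Get-RiskyServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant rights; deny and audit ACEs are skipped.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $hits = foreach ($r in $Risky.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        if (-not $hits) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: report it raw
        [pscustomobject]@{
            Principal  = $who
            Rights     = $hits -join ','
            Unexpected = $sid.Value -notin $Expected
        }
    }
}

if (-not $Sddl) {
    # sc.exe sdshow prints the descriptor as SDDL; keep only the SDDL line(s).
    $Sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' }) -join ''
    if (-not $Sddl) { throw "Could not read the security descriptor of service '$Name'." }
}
Get-RiskyServiceAce -Sddl $Sddl | Format-Table -AutoSize
```

Run it on an endpoint before and after changing the service permissions to confirm which accounts can still stop or disable the service.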

Shahin.A
L0 Member

I am very surprised too!

Tamper protection must be a basic feature for any endpoint products such as AVs and VPN clients. Remember, we are doing all this VPN connection to make sure that we have full control over internet traffic and policies. If a user can easily stop the service and GP process the goal is not achieved even if it is for a few minutes.

I do understand that if a user does not have admin rights this becomes difficult or impossible to do but again, there should be a built in function for GP service for tamper protection regardless of whether or not the end users have admin rights!

 
