Users disabling GP through services.msc

Reply
Highlighted
L3 Networker

Users disabling GP through services.msc

Hi,

We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager.

 

Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have).

 

Does anyone have any ideas on how we can stop this behaviour?

 

Cheers,

Shannon

Tags (1)
L3 Networker

Hi,

 

With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect. Or you can also set a time limit after which GlobalProtect tries to connect back to the portal / gateway. You can find more information here: https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-f...

 

Regards,

Varun

Highlighted
L3 Networker

We also a new GP Space and would encourage you to post there moving forward

 

https://live.paloaltonetworks.com/t5/GlobalProtect/ct-p/GlobalProtect

 

 

Regards,

Varun

Highlighted
L3 Networker

Thanks Varun,

"With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect."

Will that also prevent users from stopping the actual GP service? We already have it configured to stop users from disabling it through the GP App, and that works, but they have found they can simply go into services.msc and disable the service, then kill the GP app through task manager. This effectively allows them to completely turn off GP.

 

The only difference there is we are currently using agent version 4.1.x not 5.1.

Highlighted
L2 Linker

Hello @SARowe_NZ 

 

I do not think that there is a standard option (I did not find any at least) that would allow you to prevent users from disabling PanGPS service using the method you mentioned.

I would propose you to enable User Account Control and to use domain/local Windows Group Policy settings to disable an access to Windows administrator's tools like 'services.msc' for standard users. It is also possible to prevent IT admins to stop particular service too. Search for 'group policy prevent user to stop service' to find how to do it.

 

 

Highlighted
L5 Sessionator

@SARowe_NZ,

 

PA GP settings can not control the actions taken under services.msc on end system. Best way is to make restriction on the endpoints through Windows Group policy.

 

Hope it helps!

 

Mayur



Mayur
Highlighted
L3 Networker

Hi,

Thanks for the replies.

I also found this article: http://michlstechblog.info/blog/windows-set-permissions-on-a-service/

This will resolve the issue but need to find a way to deploy it easily (eg via GPO). I will take a bit more detailed look at your suggestions as suspect a combination will provide the answer.

Surprised PAN don't have tamper protection enabled natively, like is available in Traps.

Thanks again,

Shannon

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!