Users disabling GP through services.msc

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Users disabling GP through services.msc

L3 Networker

Hi,

We run always-on VPN. Our users have found they can disable GP by going to services.msc and disabling the service, then killing GP from task manager.

 

Especially with everyone working from home at the moment this is quite a big deal and we need to find a way to prevent them from stopping the GP service (some kind of tamper protection similar to what Traps/XDR or other AV products have).

 

Does anyone have any ideas on how we can stop this behaviour?

 

Cheers,

Shannon

7 REPLIES 7

L4 Transporter

Hi,

 

With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect. Or you can also set a time limit after which GlobalProtect tries to connect back to the portal / gateway. You can find more information here: https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-f...

 

Regards,

Varun

We also a new GP Space and would encourage you to post there moving forward 🙂

 

https://live.paloaltonetworks.com/t5/GlobalProtect/ct-p/GlobalProtect

 

 

Regards,

Varun

Thanks Varun,

"With 5.1 GlobalProtect App, as an admin, you can set Disable Option to Not Allow on Dynamic App Config on the firewall to prevent users from disabling GlobalProtect."

Will that also prevent users from stopping the actual GP service? We already have it configured to stop users from disabling it through the GP App, and that works, but they have found they can simply go into services.msc and disable the service, then kill the GP app through task manager. This effectively allows them to completely turn off GP.

 

The only difference there is we are currently using agent version 4.1.x not 5.1.

Hello @SARowe_NZ 

 

I do not think that there is a standard option (I did not find any at least) that would allow you to prevent users from disabling PanGPS service using the method you mentioned.

I would propose you to enable User Account Control and to use domain/local Windows Group Policy settings to disable an access to Windows administrator's tools like 'services.msc' for standard users. It is also possible to prevent IT admins to stop particular service too. Search for 'group policy prevent user to stop service' to find how to do it.

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!