Prevent DNSFilter service stop.
Balazs Czviin
I'm aware of at least one other platform where any manipulation of the local agent is pre-authorized by the generation of tokens in the admin console. So, instead of relying on local user permissions (or the lack of), improve the RC to ask for a time-bombed token that only the console admins can generate as needed (e.g. stopping, removing).
Greg Gelman
I also 2nd this request. McAfee requires passwords to disable, stop, or tamper in any way with their agent. Even administrative access to do this should be logged and monitored, so there's nothing wrong with limiting admins in this manner too, because who ever thought of an admin being a potential insider threat? No one has those. Removing local admin rights only solves part of the problem; the other problem is preventing admins from doing this without monitoring.
Steve Staden
Greg Gelman: appreciate the feedback. I did want to mention that there is an uninstall notification option that can be enabled - https://help.dnsfilter.com/hc/en-us/articles/24995915099027-Uninstalling-Windows-Roaming-Clients. I know this doesn't fully solve for your situation, but wanted to mention it.
Greg Gelman
Steve Staden Thank you, yes the notification helps, we receive those. But that is more of a reactive measure and we would love to see a preventative measure otherwise DNSFilter could risk an ongoing battle between all of company widget maker's users just disabling their DNSFilter services and admins trying to reinstate DNSFilter (whether automated or not).
Jack Dacey
I'd like to add to this, if this is implemented we need some way from the portal to suspend this protection for maintenance purposes. But, I consider this a necessary change to the agent. +1
Brad Boozer
Sometimes need to be off for testing. I deployed Scheduled task PS script to restart service every 5 mins if it is stopped. Works well.
Darrin Piotrowski
Removing local admin rights will fix this.
Thomas Sweet
Darrin Piotrowski: I agree. This is not a DNS Filter problem. Tools such as AutoElevate remove admin rights and are inexpensive. Typically, the #2 item during a Cyber audit, after MFA, is "have you removed local admin rights?"
Aaron
Agree, this is a common antimalware control.
Bill
How about a scheduled task that makes sure the DNS Agent is running without the need to have the User logged on? Modify this to a scheduled event every 10 minutes so DNS Filter remains on.
C:\Windows\System32\cmd.exe /c net start "DNS Agent" & c:\windows\system32\schtasks.exe /create /tn "MTS_DNSFilter" /ru SYSTEM /Sc ONSTART /tr "C:\Windows\System32\cmd.exe /c sc config \"DNS Agent\" start= auto" /F & C:\Windows\System32\cmd.exe /c sc start "DNS Agent"
Brad Boozer
Bill: This is exactly what I did, as we occasionally have to turn off on user machines for testing. Ours is set to 5 mins.
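A PowerShell version of the watchdog task Bill and Brad describe above, as an added example that is not part of the original thread and not DNSFilter's own tooling. The service name is taken from Bill's command; the task name, script path, event source and event IDs are assumptions.

```powershell
# Added example. Run once from an elevated Windows PowerShell 5.1+ prompt.
$ServiceName = 'DNS Agent'          # service name as written in Bill's command
$TaskName    = 'DNSAgent-Watchdog'  # hypothetical task name
# Hypothetical path. Program Files is not writable by standard users, which
# matters because the script below runs as SYSTEM.
$ScriptPath  = Join-Path $env:ProgramFiles 'DNSAgentWatchdog\watchdog.ps1'

# Watchdog body: restore automatic start, restart the service, and record
# every intervention so a stopped agent is visible and not silently repaired.
$watchdog = @'
$name = '__SERVICE__'
$src  = 'DNSAgentWatchdog'   # hypothetical event source; IDs 900/901 are arbitrary
$svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
if (-not $svc) {
    eventcreate /L APPLICATION /T ERROR /SO $src /ID 901 /D "Service '$name' is not installed." | Out-Null
    exit 1
}
if ($svc.StartType -ne 'Automatic') { Set-Service -Name $name -StartupType Automatic }
if ($svc.Status -ne 'Running') {
    Start-Service -Name $name
    eventcreate /L APPLICATION /T WARNING /SO $src /ID 900 /D "Service '$name' was $($svc.Status); restarted by watchdog." | Out-Null
}
'@.Replace('__SERVICE__', $ServiceName)

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $watchdog -Encoding UTF8

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
# Run at boot and every 5 minutes. Older Windows versions may also require
# -RepetitionDuration on the repeating trigger.
$triggers = @(
    (New-ScheduledTaskTrigger -AtStartup),
    (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5))
)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $triggers `
    -Principal $principal -Force | Out-Null
```

Forwarding event ID 900 to central monitoring turns each restart into a tamper signal. A local administrator can still delete the task, which is the gap the thread asks DNSFilter to close.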
Joel
Yes, this needs to be a feature so that users can't turn it off to get around the filtering.
Simon
Yes, when I'm talking about "service", I mean the Windows service in services.msc. @Isaac is correct in that AV companies and Cisco Umbrella (where I've just come from) are able to prevent services from being stopped.
Isaac Good
You don't have control of the firewalls everywhere your users are, that's the main point of having an agent. This can definitely be done somehow, AV companies do it.