Preventing users from disabling protection on client computers

HOWTO81223
Last Updated April 24, 2019

As the Symantec Endpoint Protection Manager administrator, you prevent users from disabling protection on the client computer by setting the user control level or by locking the policy options. For example, the firewall policy uses a control level, whereas Virus and Spyware Protection policy uses a lock.

Symantec recommends that you prevent users from disabling protection at all times.

What are the user control levels?

You use the user control levels to give the client user control of specific features. The user control level also determines whether the client user interface can be completely invisible, display a partial set of features, or display in full.

Table: User control levels

User control level

Description

Server control

Gives the users the least control over the client. With server control, the user can make changes to unlocked settings, but they are overwritten at the next heartbeat.

Client control

Gives the users the most control over the client. Client control allows users to configure the settings. Client-modified settings take precedence over server settings. They are not overwritten when the new policy is applied, unless the setting has been locked in the new policy.

Client control is useful for employees who work in a remote location or a home location.

Note:

The user must be in a Windows administrators group to change any of the settings in Client control mode or Mixed control mode.

Mixed control

Gives the user a mixture of control over the client. You determine which options you let users configure by setting the option to Server control or to Client control. For those items that are under client control, the user retains control over the setting. For those items that are under server control, you retain control over the setting.

For the Windows client, you can configure all the options. For the Mac client, only the notification area icon and some IPS options are available in server control and client control.

Clients that run in Client control or Mixed control switch to Server control when the server applies a Quarantine policy.

See Preventing and allowing users to change the client's user interface.

Changing the user control level

Some managed settings have dependencies. For example, users may have permission to configure firewall rules, but cannot access the client user interface. Because users do not have access to the Configure Firewall Rules dialog box, they cannot create rules.

To change the user control level

  1. In the console, click Clients.

  2. Under View Clients, select the group, and click the Policies tab.

  3. Under Location-specific Policies and Settings, under the location you want to modify, expand Location-specific Settings.

  4. Next to Client User Interface Control Settings, click Tasks > Edit Settings.

  5. In the Client User Interface Control Settings dialog box, do one of the following options:

    • Click Server control, and then click Customize.

      Configure any of the settings, and then click OK.

    • Click Client control.

    • Click Mixed control, and then click Customize.

      Configure any of the settings, and then click OK.

  6. Click OK.

See Configuring firewall settings for mixed control.

Locking and unlocking policy settings

You can lock and unlock some policy settings. Users cannot change locked settings. A padlock icon appears next to a lockable setting. You can lock and unlock Virus and Spyware Protection settings, Tamper Protection settings, Submissions settings, and intrusion prevention settings.

Preventing users from disabling specific protection technologies

If you set the client to Mixed control or Server control but do not lock the options, then the user can change the settings. These changes remain in place until the next heartbeat with Symantec Endpoint Protection Manager. Locking the policy options in the various policies ensures that the user cannot make any changes to the settings, even in Client control.

Note:

Windows users who are not the Administrators group cannot change settings in the Symantec Endpoint Protection client user interface, regardless of the Location-specific Settings configuration. Windows 10 Administrators can still disable the product through the notification area icon even after you set these options. However, they cannot disable the individual protection technologies through the client user interface.

Note:

If you do not want to change policies for all groups, disable policy inheritance on the group on which you want to make changes. If you edit a shared policy, the edited policy applies to every group to which the shared policy applies, even with policy inheritance disabled.

To prevent users from disabling the firewall or Application and Device Control

  1. In the console, click Clients.

  2. Click the client group that you want to restrict, and then click the Policies tab.

  3. Expand Location-specific Settings.

  4. Next to Client User Interface Control Settings, click Tasks > Edit Settings.

  5. Click Server control or Mixed control, and then click Customize.

  6. On the Client User Interface Settings dialog box (server control) or pane (mixed control), uncheck Allow the following users to enable and disable the firewall and Allow user to enable and disable the application device control.

  7. Click OK, and then click OK again.

To prevent users from disabling intrusion prevention

  1. In the console, click Clients.

  2. Click the client group that you want to restrict, and then click the policy Policies tab.

  3. Expand Location-specific Policies.

  4. Next to Intrusion Prevention policy, click Tasks > Edit Policy.

  5. Click Intrusion Prevention, and then click the locks next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention to lock these features.

  6. For version 14 only, click Generic Exploit Mitigation, then click the lock next to Enable Generic Exploit Mitigation to lock this feature.

  7. Click OK.

To prevent users from disabling Virus and Spyware Protection

  1. In the console, click Clients.

  2. Click the client group that you want to restrict, and then click the Policies tab.

  3. Expand Location-specific Policies.

  4. Next to Virus and Spyware Protection policy, click Tasks > Edit Policy.

  5. Under Windows Settings, lock the following features:

    • Click Auto-Protect, and then click the lock next to Enable Auto-Protect.

    • Click Download Protection, and then click the lock next to Enable Download Insight to detect potential risks downloaded files based on file reputation.

    • Click SONAR, and then click the lock next to Enable SONAR.

    • Click Early Launch Anti-Malware Driver, and then click the lock next to Enable Symantec early launch anti-malware.

    • Click Microsoft Outlook Auto-Protect, and then click the lock next to Enable Microsoft Outlook Auto-Protect.

    • For versions earlier than 14.2 RU1, click Internet Email Auto-Protect, and then click the lock next to Enable Internet Email Auto-Protect.

    • For versions earlier than 14.2 RU1, click Lotus Notes Auto-Protect, and then click the lock next to Enable Lotus Notes Auto-Protect.

    • Click Global Scan Options, and then click the locks next to Enable Insight for and Enable Bloodhound heuristic virus detection.

  6. Click OK.

To prevent users from disabling Memory Exploit Mitigation (starting in 14.0.1)

In version 14, Memory Exploit Mitigation appeared in the Intrusion Prevention policy and was called Generic Exploit Mitigation.

  1. In the console, click Clients.

  2. Click the client group that you want to restrict, and then click the policy Policies tab.

  3. Expand Location-specific Settings.

  4. Next to Memory Exploit Mitigation, click Tasks > Edit Policy.

  5. Click Memory Exploit Mitigation, and then click the lock next to Enable Memory Exploit Mitigation.

  6. Click OK.

Updating the client policy from Symantec Endpoint Protection Manager

After you make these changes, the clients in the group receive the updated policies depending on the group's communication settings. If the group is in push mode, Symantec Endpoint Protection Manager prompts the client to check in with a few seconds. If the group is in pull mode, the client checks in on the next scheduled heartbeat.

If you want them to have it sooner than the next heartbeat, you can prompt the client to check in and update its policy. You can also update the policy from the Symantec Endpoint Protection client.

See Updating client policies.

Once the client updates the policy, Disable Symantec Endpoint Protection is grayed out when you right-click the Symantec Endpoint Protection notification area icon.

Legacy ID: v9510980_v81626096
  • Endpoint Protection

    14.2 RU1, 14.2 MP1, 14.2, 14.0.1 MP2, 14.0.1 MP1, 14.0.1, 14.0.0 MP2, 14 MP1, 14, 12.1 RU6 MP8, 12.1 RU6 MP7, 12.1 RU6 MP6, 12.1 RU6 MP5, 12.1 RU6 MP4, 12.1 RU6 MP3, 12.1 RU6 MP2, 12.1 RU6 MP1, 12.1 RU6, 12.1 RU5, 12.1 RU4, 12.1 RU3, 12.1 RU2

Obrigado pelo seu feedback. Conte se você tem comentários adicionais abaixo. (é necessário fazer o login)

    © 1995-2019 Symantec Corporation