How to restrict Administrator’s permissions for managing Kaspersky Embedded Systems Security and its service

 

 

Kaspersky Embedded Systems Security

 
 
 

How to restrict Administrator’s permissions for managing Kaspersky Embedded Systems Security and its service

Back to "Settings"
2016 Dec 21 ID: 13198
 
 
 
 

The default Administrator role has full permissions on launching, stopping, and managing Kaspersky Security (kavfs) even if application settings are password-protected.

If the Administrator’s role does not match the information security administrator’s role, you can restrict access to application management:

  1. Open the Kaspersky Embedded Systems Security Console.

You can also configure the permissions using Kaspersky Security Center.

  1. In the context menu, select Modify user rights of application management.

kess_13198_01

  1. Restrict the permissions for the Administrator according to your company’s security policy.
  2. Click OK.

kess_13198_02

  1. In the context menu, select Modify user rights of Kaspersky Security Service management.  

kess_13198_03

  1. Restrict the permissions for the Administrator according to your company’s security policy. 
  2. Click OK.

kess_13198_04

To block access to managing the product and the kavfs service for the Administrator, clear the Allow check boxes for the permissions you want to restrict. For stricter restrictions, select the Deny check boxes. They have the highest priority.

  1. Restrict the Administrator’s role permissions on managing security settings of other users and groups. In the Applications Launch Control policy or task properties, set the permissions for the following processes:

For all operating systems:

  • C:\windows\system32\contol.exe
  • C:\windows\system32\net.exe
  • C:\windows\system32\oleacc.dll
  • C:\windows\system32\nusrmgr.cpl
  • C:\windows\system32\regedit.exe
  • C:\windows\system32\regedt32.exe
  • C:\windows\system32\reg.exe

Additional processes for Windows Vista family and later:

  • C:\windows\system32\netplwiz.exe
  • C:\windows\system32\netplwiz.dll

In the settings of each rule, specify the following:

  • Type : Denying. Denying rules for Applications Launch Control have absolute priority and are applied regardless to any other allowing rules for the user or the user group.
  • User or user group : Administrator.
  • Scope : Executable files.

kess_13198_05

After you create denying rules for Applications Launch Control, the users with the default Administrator role will no longer be allowed to manage other user accounts (including changing their credentials).

 
 
 
 
 

Restricting the permissions for the default Administrator role

 
 
 
 
Was this information helpful?
Yes No
 
 
 

 
 

Have you found what you were looking for?

Please let us know how we can make this website more comfortable for you

Send feedback Send feedback

Thank you!

Thank you for submitting your feedback.
We will review your feedback shortly.