How to restrict Administrator’s permissions for managing Kaspersky Embedded Systems Security 1.1 and its service

 

2017 Jun 23 ID: 13198
 
 
 
 

By default, the predefined Administrator role has full permissions to launch, stop, and manage Kaspersky Security (kavfs), even if the application settings are password-protected.

If the Administrator’s role does not match the information security administrator’s role, you can restrict access to application management:

  1. Open the Kaspersky Embedded Systems Security Console.

     You can also configure the permissions using Kaspersky Security Center.

  2. In the context menu, select Modify user rights of application management.
  3. Restrict the permissions for the Administrator according to your company’s security policy.
  4. Click OK.
  5. In the context menu, select Modify user rights of Kaspersky Security Service management.
  6. Restrict the permissions for the Administrator according to your company’s security policy.
  7. Click OK.

To block access to managing the product and the kavfs service for the Administrator, clear the Allow check boxes for the permissions you want to restrict. For stricter restrictions, select the Deny check boxes. They have the highest priority.

  8. Restrict the Administrator’s role permissions on managing security settings of other users and groups. In the Applications Launch Control policy or task properties, set the permissions for the following processes:

For all operating systems:

  • C:\windows\system32\control.exe
  • C:\windows\system32\net.exe
  • C:\windows\system32\oleacc.dll
  • C:\windows\system32\nusrmgr.cpl
  • C:\windows\system32\regedit.exe
  • C:\windows\system32\regedt32.exe
  • C:\windows\system32\reg.exe

Additional processes for Windows Vista family and later:

  • C:\windows\system32\netplwiz.exe
  • C:\windows\system32\netplwiz.dll

In the settings of each rule, specify the following:

  • Type: Denying. Denying rules for Applications Launch Control have absolute priority and are applied regardless of any allowing rules for the user or the user group.
  • User or user group: Administrator.
  • Scope: Executable files.


After you create denying rules for Applications Launch Control, the users with the default Administrator role will no longer be allowed to manage other user accounts (including changing their credentials).
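Before creating the denying rules, it helps to confirm that every listed file actually exists on the protected host, since a rule that names a non-existent path matches nothing. The following read-only inventory script is an added example, not Kaspersky code; it assumes PowerShell 4.0 or later, a 64-bit PowerShell session on 64-bit Windows, and the hypothetical function name `Get-DenyRuleTarget`.

```powershell
# Added example, not Kaspersky code. Assumes PowerShell 4.0+ (for Get-FileHash).
# File names are the ones listed in this article; nothing is changed on the host.
$allSystems = 'control.exe', 'net.exe', 'oleacc.dll', 'nusrmgr.cpl',
              'regedit.exe', 'regedt32.exe', 'reg.exe'
$vistaAndLater = 'netplwiz.exe', 'netplwiz.dll'

# Hypothetical helper: reports presence, version and SHA-256 of each rule target.
function Get-DenyRuleTarget {
    param(
        [Parameter(Mandatory = $true)][string[]]$FileName,
        [string]$Directory = (Join-Path $env:SystemRoot 'System32')
    )
    foreach ($name in $FileName) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Path        = $path
                Present     = $true
                FileVersion = $file.VersionInfo.FileVersion
                SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        } else {
            # A missing file usually means a typo in the rule path or a file
            # that this Windows edition does not ship.
            [pscustomobject]@{
                Path = $path; Present = $false; FileVersion = $null; SHA256 = $null
            }
        }
    }
}

# Windows Vista reports major version 6; add the extra files only there and later.
$targets = $allSystems
if ([Environment]::OSVersion.Version.Major -ge 6) { $targets += $vistaAndLater }

$report = Get-DenyRuleTarget -FileName $targets
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} listed file(s) not found; check the rule paths." -f $missing.Count)
}
```

Keep the output with the change record for the policy so the rule list can be re-checked after Windows updates replace these files.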

 
 
 
 
 
