Kaseya Community

How to protect the agent from getting turned off

Hey there,

I have some coworkers who feel bothered by the agent and just turn it off (kill the service).
I want the service and process not to be able to get killed.

I have no idea how to do that :(
I was already searching here and found some answers which didn't help.

There was one idea about starting a batch file on an online agent, and the batch file will start the agent service through the network, but the problem was that it's not working on the different OSes. We have all kinds of Windows OS running, XP-Windows 7 and Windows servers.
Also, I want it to happen automatically and I have no idea how to do that with a batch file. It needs to check whether the service and process are currently running, and if not, they need to be restarted.

Also, if I would handle this with Kaseya, which starts a script which starts the agent through the network, I have no idea how Kaseya could see the difference between a killed agent and a turned-off machine.

Did one of you have the same problem and do you have a solution?
Does one of you have an idea what could help?
Maybe somebody knows how to configure the service and process so it's not able to be turned off.

thanks,

Sander

All Replies
  • You can set the permissions on the service so that the user cannot stop it. The process will be linked to the service so I assume they will not be able to kill that. I think I have a script for that; if not, it should definitely be in the forum...

  • <?xml version="1.0" encoding="utf-8"?>

    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">

     <Procedure name="Lockdown Kaseya Service" treePres="3" id="17566616">

       <Body description="This script prevents administrators from manipulating the Kaseya agent services.  Many thanks to MMartin with IT Focus on the Kaseya Partner forum!   Benjamin Lavalley, Sr. Sales Engineer, Kaseya benjamin.lavalley@kaseya.com">

         <If description="This script prevents administrators from manipulating the Kaseya agent services.  Many thanks to MMartin with IT Focus on the Kaseya Partner forum!   Benjamin Lavalley, Sr. Sales Engineer, Kaseya benjamin.lavalley@kaseya.com">

           <Condition name="True" />

           <Then>

             <Statement name="ExecuteShellCommand" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Command" value="sc sdset &quot;KaseyaAgent&quot; &quot;D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)&quot; &gt;&gt; #vAgentconfiguration.AgentTempDir#\lock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />

               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />

             </Statement>

             <Statement name="ExecuteShellCommand" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Command" value="sc sdset &quot;KaseyaAVService&quot; &quot;D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)&quot; &gt;&gt; #vAgentconfiguration.AgentTempDir#\lock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />

               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />

             </Statement>

             <Statement name="GetVariable" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="EnumParameter" name="VariableType" value="FileContent" />

               <Parameter xsi:type="StringParameter" name="SourceContent" value="#vAgentConfiguration.AgentTempDir#\lock_kaseya_service.log" />

               <Parameter xsi:type="StringParameter" name="VariableName" value="lock_kaseya_service" />

             </Statement>

             <Statement name="GetFile" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="RemoteFileName" value="#vAgentConfiguration.AgentTempDir#\lock_kaseya_service.log" />

               <Parameter xsi:type="StringParameter" name="KServerFileName" value="..\Docs\lock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="Action" value="OverwriteNoAlert" />

             </Statement>

             <Statement name="WriteScriptLogEntry" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Comment" value="#lock_kaseya_service#" />

             </Statement>

             <Statement name="DeleteFile" continueOnFail="true" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.AgentTempDir#\lock_kaseya_service.log" />

             </Statement>

           </Then>

         </If>

       </Body>

     </Procedure>

    </ScriptExport>

  • It's an old one but locks the service down... I have an undo too...

  • Martin,

    I wonder if there's a way to password the agent. So, if you want to unload/kill/stop the service you need to use a password. Same for uninstall I think. That would be an awesome add to Kaseya agent control. I wonder though if it'd cause any issues on agent reloads and such when updating from the kserver.

  • Hey mmartin,

    I remember seeing this script before somewhere in the forum, but I don't even know what to do with it :( Sorry

    I tried to import it to the Kaseya scripts, but it's not working.

    i get this info: "The IF statement l version="1.0" encoding="utf-8"?> is not valid"

    We are working with Managed Service Edition - G1  :  5.2.0.0.

    Would be great if somebody could tell me how to use the script :)

    Danrche also has a good idea, but I think this could only be done by Kaseya, who has to change something at their product then.

    Thanks for your fast responses :)

  • Can we have the undo also, please?

  • UNDO

    <?xml version="1.0" encoding="utf-8"?>

    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">

     <Procedure name="Lockdown Kaseya Service - UNDO" treePres="3" id="7906371">

       <Body description="This script allows administrators to manipulate the Kaseya agent services.  Many thanks to MMartin with IT Focus on the Kaseya Partner forum!   Benjamin Lavalley, Sr. Sales Engineer, Kaseya benjamin.lavalley@kaseya.com">

         <If description="This script allows administrators to manipulate the Kaseya agent services.  Many thanks to MMartin with IT Focus on the Kaseya Partner forum!   Benjamin Lavalley, Sr. Sales Engineer, Kaseya benjamin.lavalley@kaseya.com">

           <Condition name="True" />

           <Then>

             <Statement name="ExecuteShellCommand" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Command" value="sc sdset &quot;KaseyaAgent&quot; &quot;D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)&quot; &gt;&gt; #vAgentconfiguration.AgentTempDir#\unlock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />

               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />

             </Statement>

             <Statement name="ExecuteShellCommand" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Command" value="sc sdset &quot;KaseyaAVService&quot; &quot;D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)&quot; &gt;&gt; #vAgentconfiguration.AgentTempDir#\unlock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />

               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />

             </Statement>

             <Statement name="GetVariable" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="EnumParameter" name="VariableType" value="FileContent" />

               <Parameter xsi:type="StringParameter" name="SourceContent" value="#vAgentConfiguration.AgentTempDir#\unlock_kaseya_service.log" />

               <Parameter xsi:type="StringParameter" name="VariableName" value="unlock_kaseya_service" />

             </Statement>

             <Statement name="GetFile" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="RemoteFileName" value="#vAgentConfiguration.AgentTempDir#\unlock_kaseya_service.log" />

               <Parameter xsi:type="StringParameter" name="KServerFileName" value="..\Docs\unlock_kaseya_service.log" />

               <Parameter xsi:type="EnumParameter" name="Action" value="OverwriteNoAlert" />

             </Statement>

             <Statement name="WriteScriptLogEntry" continueOnFail="false" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Comment" value="#unlock_kaseya_service#" />

             </Statement>

             <Statement name="DeleteFile" continueOnFail="true" osType="Windows">

               <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.AgentTempDir#\unlock_kaseya_service.log" />

             </Statement>

           </Then>

         </If>

       </Body>

     </Procedure>

    </ScriptExport>
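Added example (not part of any post in this thread and not Kaseya's code): a short Python decoder for the two `sc sdset` descriptors used in the lockdown and undo procedures, showing exactly which service rights Builtin Administrators lose under the lockdown. The rights-code meanings are the standard Windows service access mappings; the function names are made up for this illustration.

```python
import re

# Meaning of the two-letter SDDL rights codes when applied to a Windows service.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive users"}

# The two descriptors exactly as they appear in the procedures in this thread.
LOCKDOWN = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
UNDO = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
        "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return {trustee: set(rights)} for the allow ACEs in the D: section."""
    match = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not match:
        raise ValueError("no DACL in descriptor")
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", match.group(2)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {ace}")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if ace_type != "A":  # the thread's DACLs contain only allow ACEs
            raise ValueError(f"only allow ACEs are handled here: {ace}")
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unrecognised rights in ACE: {ace}")
        granted.setdefault(TRUSTEES.get(sid, sid), set()).update(
            SERVICE_RIGHTS[c] for c in codes)
    return granted

def rights_removed(before, after, trustee):
    """Rights `trustee` holds under `before` but not under `after`."""
    return sorted(parse_dacl(before).get(trustee, set())
                  - parse_dacl(after).get(trustee, set()))

if __name__ == "__main__":
    for name in ("Builtin Administrators", "Local System", "Interactive users"):
        print(name, "loses:", rights_removed(UNDO, LOCKDOWN, name))
```

Under the lockdown descriptor only Local System keeps the start, stop and change-config rights, which is why both procedures run `sc sdset` with `ExecuteAccount` set to `System`.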

  • lockdown.xml

    I put the copy/paste above into a working XML file (attached).

     

    Note: You still need to change the "KaseyaAgent" service name to your unique K2 service name!

  • lockdown-undo.xml

    ...and here is the "undo" XML file.

  • Hey Sander, try this. I've rejigged it a bit, as the service name is unique now, so we first need to determine the service name before we can set permissions on it. I use this method in other scripts in order to (for example) restart a dead agent from another machine which is running.

    Hrm, I can't see how to attach a file here. I'll link to it instead.

    Anyway, this works for me. Hope it does for you also. Not sure about adding a password. I don't know if Windows supports that.

    Cheers,

    Greig.

  • Hey, that's pretty cool. Right on.

  • Here's another tidbit I can contribute. Locking down the service does not stop admins from ending the AgentMon.exe process from the Task Manager. What we can do to prevent this is take advantage of the service recovery options built into Windows. The below code will configure the service to automatically restart on its own.

    sc failure KA<YourID> reset= 0 actions= restart/0

    To undo this configuration

    sc failure KA<YourID> reset= "" actions= ""

  • Nice suggestion, Smason.

    You should actually have a custom step to try that will let you set the service recovery settings right in the agent procedure editor. You can set them all to restart :)

  • Just read this whole post and I have a comment... to me the answer seems to be a bit simpler than a brute force answer. Why not just record when the agent is killed (offline) and hand that report to your boss? It seems to me these guys are violating company policy and dictating their own rules. If I were the boss I would have only one response... If you don't want to play by the established rules, go work somewhere else. To me these guys are bad apples and need to be pruned out.

  • There is probably a whole heap more effort and time involved in trying to get something done on an HR level when you can simply stop them doing it... it's like saying here, you can have local admin rights on your PC but company policy is don't install anything, and then trying to reprimand people who do - instead, if you don't give them the rights, you don't have to deal with it.