CJD138, posted December 12, 2014

Hi there,

I am new to this forum and not sure if this has been asked before so please forgive me if it has.

We have a 2003 terminal server set up which is running ESET EndPoint Antivirus v5.0.2229.1 on it. We have had an issue where a user received an infected email and was prompted by ESET to restart the machine to remove the infection. The user accepted the offer not realising it would affect other terminal server users.

I was hoping someone could point me in the right direction to prevent users from being able to restart the terminal server in this situation but instead have the administrator informed of the problem.

Thanks in advance for any help.

Colin.

Arakasi, posted December 12, 2014 (edited December 12, 2014)

So all the users that log in to your terminal server have administrative privileges?? If so, this is not a great idea, and I don't recommend it unless you absolutely have to. It is also a security risk.

By default, non-administrative Terminal Services users do not have computer restart privileges.
-Source: Technet - hxxp://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx

I am working on a solution. You may be able to do this through the Local Security policy which would conclude by adding whatever account ESET uses to initiate a restart, and ensure it does not have the restart capability, while still maintaining elevation for fighting malware and interacting with crucial Windows services and files etc.

I am not entirely sure, but I thought the Remote Administrator Console for ESET had the option of either suppressing user restarts or similar to assist with these situations as well.

Another solution would be to remove the Endpoint Antivirus and install File Security, then lock down ALL the settings with a master password. I think that may prevent restarts too.

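One way to check which principals hold the restart-related user rights that the reply above refers to under Local Security Policy, as an added example that is not part of the original posts. The export text, the allow-list and the function name `Get-ShutdownRightHolder` are constructed for illustration; the script only reads a `secedit` user-rights export and changes nothing.

```powershell
# Constructed sample of the file written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# To audit a real server, use: $export = Get-Content .\rights.inf
$export = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-555
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Assumption: only local Administrators should be able to restart this server.
$allowed = @('S-1-5-32-544')

# Well-known SIDs, for readable output.
$names = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

function Get-ShutdownRightHolder {
    param([string[]]$Lines)
    $inRights = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # A section header switches parsing on only for [Privilege Rights].
        if ($line -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inRights) { continue }
        if ($line -match '^(SeShutdownPrivilege|SeRemoteShutdownPrivilege)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $id = $entry.Trim().TrimStart('*')  # SIDs are exported with a leading *
                if (-not $id) { continue }
                $name = if ($names.ContainsKey($id)) { $names[$id] } else { $id }
                New-Object PSObject -Property @{
                    Right = $right; Principal = $name
                    Unexpected = ($allowed -notcontains $id)  # not on the allow-list
                }
            }
        }
    }
}

Get-ShutdownRightHolder -Lines $export | Sort-Object Right, Principal |
    Format-Table Right, Principal, Unexpected -AutoSize
```

In the constructed sample, Backup Operators and Remote Desktop Users are reported as unexpected holders of `SeShutdownPrivilege` ("Shut down the system"), while `SeRemoteShutdownPrivilege` is held by Administrators only.
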
Arakasi, posted December 12, 2014

Yes, ERA is all you need to change the settings around on your users so they can't do anything, and you can allow a sysadmin to manage and reboot during non-production hours.

See my attached pic for policy location.