Solved

Agent uninstallation restriction

  • 15 April 2024
  • 5 replies
  • 50 views

Badge

Hey Folks,


We were told that the Automox team had agent tamper protection on its roadmap last year. Where are we on this? Do we have any ETA for when this will be implemented?

This would be very useful, as it would not let end users tamper or play with the agents when they are provided with admin rights.


Best answer by jack.smith 15 April 2024, 18:32



Userlevel 5
Badge +1

@Arunchandar N That would be a great idea! Meanwhile you could consider locking down the service to, say, the NT System account and perhaps a security group for those allowed to manage the service.


Check out https://decoder.cloud/2019/02/07/demystifying-windows-service-permissions-configuration/

Badge

Hi Jack,


Thanks for your answer. We have tried this in our environment already; it works only on an on-prem domain-joined machine where we have a dedicated policy server to control things.

Our challenge is to do this from Intune-registered AAD-joined machines. Although we have added LAPS and admin rights restrictions, developers still need admin rights for their jobs. If there is any other way out of this, it would be really nice.

We need this for both Mac (Jamf registered) and Windows (Intune Autopilot) devices.

Userlevel 5
Badge +1

@Arunchandar N This would be using Automox or Intune to push a script that modifies the permissions of the amagent service to only the SYSTEM account, removing Administrators from having any permission to change the state of the service. Think of it as a mitigating technique.

Alternatively, since you're using Intune, use remediation scripts that run frequently and just put it back into the desired state.

I’m personally not worried about tamper protection myself, as I’m extremely focused on the overall health of Automox against the inventory of assets (analyzing metadata from every security/infrastructure tool as to what is a live asset) and then asking the data to tell me whether Automox is installed and scanning as expected. Any deviation from that expectation and a ticket is opened to allow triage against the problem agent.
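The service lock-down that jack.smith describes in the two replies above (SYSTEM keeps control of amagent, Administrators lose the right to stop, reconfigure or delete it, and an Intune remediation pair keeps the ACL in that state) can be written as a detection/remediation script in the SDDL notation the linked decoder.cloud article explains. This is an added example, not Automox's code or anything from the thread; it assumes the service name amagent, that the scripts run as SYSTEM (the Intune default, which is needed to write the audit part of the descriptor), and that the desired descriptor below is the one you want. The optional "service operators" SID is a placeholder.

```powershell
# Intune detection/remediation pair: keep the amagent service ACL locked to SYSTEM.
# Upload once as the detection script ($Remediate = $false) and once as the
# remediation script ($Remediate = $true).
$Remediate   = $false
$ServiceName = 'amagent'

# Service rights in SDDL letters (see the decoder.cloud article):
#   CC query config, DC change config, LC query status, SW enumerate dependents,
#   RP start, WP stop, DT pause/continue, LO interrogate, CR user-defined control,
#   SD delete, RC read security, WD write DACL, WO write owner.
# Desired DACL: SYSTEM (SY) full control; built-in Administrators (BA), interactive
# users (IU) and service accounts (SU) may only query the service. The S: part keeps
# the default audit ACE. To let a management group keep start/stop rights, add an
# ACE with its SID, e.g. (A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-21-<domain>-<rid>)  (placeholder).
$DesiredSddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

function Get-ServiceSddl([string] $Name) {
    # sc.exe, not the 'sc' alias for Set-Content. sdshow prints the SDDL after a blank line.
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    return (($out | ForEach-Object { $_.ToString().Trim() }) -join '')
}

function Test-ServiceSddl([string] $Name, [string] $Expected) {
    # Plain string compare; a purely cosmetic difference only causes a harmless re-apply.
    return (Get-ServiceSddl -Name $Name) -eq $Expected
}

function Set-ServiceSddl([string] $Name, [string] $Sddl) {
    $out = & sc.exe sdset $Name $Sddl 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset $Name failed: $out" }
}

if (Test-ServiceSddl -Name $ServiceName -Expected $DesiredSddl) {
    Write-Output "$ServiceName ACL is in the desired state"
    exit 0
}

Write-Output "$ServiceName ACL has drifted: $(Get-ServiceSddl -Name $ServiceName)"
if (-not $Remediate) { exit 1 }

# Remediation: reapply the descriptor and verify it stuck.
Set-ServiceSddl -Name $ServiceName -Sddl $DesiredSddl
if (Test-ServiceSddl -Name $ServiceName -Expected $DesiredSddl) {
    Write-Output "$ServiceName ACL restored"
    exit 0
}
exit 1
```

This matches what the reply calls a mitigating technique rather than tamper protection: a local administrator still holds the privileges to take ownership of the service object or edit its registry key, so the ACL is a speed bump that the frequent remediation cycle keeps putting back, and the detection output gives you a log line each time it drifts.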
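The health check described in the reply above (treat the other tools' view of live assets as ground truth, then ask whether Automox is installed and checking in on each of them, and ticket any deviation) comes down to a reconciliation between two exports. The following is an added example, not something from the thread or from Automox; both data sets are constructed inline, and the column names, the 24-hour staleness threshold and the fixed "now" are assumptions you would replace with your own inventory export and Automox device export.

```powershell
# Cross-check an asset inventory against an Automox device export and report hosts
# where the agent is missing or has stopped checking in.

$StaleAfterHours = 24   # assumption: an agent silent for longer than this is unhealthy

function ConvertTo-UtcDateTime([string] $Text) {
    # Parse ISO-8601 timestamps consistently as UTC regardless of the host's time zone.
    return [datetime]::Parse($Text, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

# Constructed sample: hosts that Intune/Jamf consider alive
$inventory = @'
Hostname,Source,LastSeen
DEV-LAPTOP-01,Intune,2024-04-15T09:30:00Z
DEV-LAPTOP-02,Intune,2024-04-15T10:05:00Z
MAC-DESIGN-07,Jamf,2024-04-15T08:45:00Z
SRV-BUILD-03,Intune,2024-04-15T11:10:00Z
'@ | ConvertFrom-Csv

# Constructed sample: what Automox reports for the same estate
$automox = @'
Hostname,AgentVersion,LastCheckIn
DEV-LAPTOP-01,1.0,2024-04-15T11:55:00Z
MAC-DESIGN-07,1.0,2024-04-12T02:10:00Z
SRV-BUILD-03,1.0,2024-04-15T11:50:00Z
'@ | ConvertFrom-Csv

function Get-AgentHealthFindings {
    param($Inventory, $Automox, [datetime] $Now, [int] $StaleAfterHours)

    # Index Automox rows by hostname (case-insensitive) for the lookup below.
    $byHost = @{}
    foreach ($row in $Automox) { $byHost[$row.Hostname.ToUpperInvariant()] = $row }

    $findings = foreach ($asset in $Inventory) {
        $agent = $byHost[$asset.Hostname.ToUpperInvariant()]
        if (-not $agent) {
            [pscustomobject]@{
                Hostname = $asset.Hostname
                Finding  = 'AgentMissing'
                Detail   = "live in $($asset.Source), absent from Automox"
            }
            continue
        }
        $age = $Now - (ConvertTo-UtcDateTime $agent.LastCheckIn)
        if ($age.TotalHours -gt $StaleAfterHours) {
            [pscustomobject]@{
                Hostname = $asset.Hostname
                Finding  = 'AgentStale'
                Detail   = "last check-in $([math]::Floor($age.TotalHours))h ago"
            }
        }
    }
    return @($findings)
}

# Fixed "now" so the sample output is reproducible; use (Get-Date).ToUniversalTime() in production.
$now = ConvertTo-UtcDateTime '2024-04-15T12:00:00Z'
$findings = Get-AgentHealthFindings -Inventory $inventory -Automox $automox -Now $now -StaleAfterHours $StaleAfterHours
$findings | Format-Table -AutoSize
# Each finding is one ticket for triage. For the constructed data above:
#   DEV-LAPTOP-02  AgentMissing  live in Intune, absent from Automox
#   MAC-DESIGN-07  AgentStale    last check-in 81h ago
```

Hosts present in Automox but absent from the inventory are deliberately not flagged here; with the inventory as ground truth, those are a data-quality question for the inventory side rather than an agent-health finding.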

Badge

Yeah, I never thought of the remediation scripts from Intune to put back the settings.

Thanks Jack, let me try this and let you know. 

If you also have a worklet or script already doing this, and you can share it, I could use that.

Userlevel 5
Badge +1

I’m using two remediation scripts within Intune. One makes sure the service is running (it can occasionally fail) and the other makes sure Automox is installed. The best part of those Intune remediation scripts is that you can set the frequency much tighter than an Automox worklet, for example every few hours as opposed to once daily.


Check Automox Service -- If you suspect end users are disabling the service, I'd add some logic to set the service to Automatic.

# Detection

# Exit 1 (non-compliant) when the service is missing or in any state other than Running.
$service = Get-Service -Name amagent -ErrorAction SilentlyContinue
if ($null -eq $service) { exit 1 }
if ($service.Status -ne 'Running') { exit 1 }
exit 0

# Remediation

function Stop-ServiceWithTimeout {
    [CmdletBinding()]    # makes -Verbose a real parameter so Write-Verbose below is honoured
    param([string] $Name, [int] $TimeoutSeconds)

    $timespan = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    if ($svc.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Stopped) { return $true }
    try {
        $svc.Stop()
        $svc.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped, $timespan)
    }
    catch [System.ServiceProcess.TimeoutException] {
        Write-Verbose "Timeout stopping service $($svc.Name)"
        return $false
    }
    catch {
        # Stop() itself throws when the service is already StopPending or cannot accept controls
        Write-Verbose "Could not stop service $($svc.Name): $_"
        return $false
    }
    return $true
}

# Keep the service set to start at boot, as suggested above, so a user cannot just disable it.
Set-Service -Name amagent -StartupType Automatic

$service = Get-Service -Name amagent

if ($service.Status -ne 'Running') {
    # Stopped, paused, or hung in StartPending/StopPending: make sure it is fully stopped
    # (killing the process if it will not stop cleanly), then start it.
    Write-Output "Detected amagent service in state '$($service.Status)'. Stopping service before restart."
    $stopped = Stop-ServiceWithTimeout -Name amagent -TimeoutSeconds 10 -Verbose
    $status = Get-WmiObject -Class Win32_Service -Filter "Name='amagent'"
    if (-not $stopped -and $status.State -ne 'Stopped' -and $status.ProcessId -gt 0) {
        taskkill /PID $status.ProcessId /F
    }
    $service = Get-Service -Name amagent
    if ($service.Status -eq 'Stopped') { Write-Output "Service stopped successfully." }
    Write-Output "Starting amagent service"
    Start-Service -Name amagent -Verbose
} else {
    Write-Output "Automox status was $($service.Status). Restarting anyway."
    Restart-Service -Name amagent -Verbose
}


Check if Automox is installed; if not, install it.


# Detection

# The agent MSI may register under either the native or the Wow6432Node uninstall hive,
# so both are searched. Counting matches keeps the detection and post-install checks identical.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-AutomoxInstallCount {
    $count = 0
    foreach ($path in $uninstallKeys) {
        $entries = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -like '*Automox*' -and $_.DisplayVersion }
        $count += @($entries).Count
    }
    return $count
}

if ((Get-AutomoxInstallCount) -gt 0) {
    Write-Output "Automox Agent is already installed"
    exit 0
}
exit 1

# Remediation
# (a separate script in Intune, so the registry check is repeated here)

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-AutomoxInstallCount {
    $count = 0
    foreach ($path in $uninstallKeys) {
        $entries = Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Get-ItemProperty |
            Where-Object { $_.DisplayName -like '*Automox*' -and $_.DisplayVersion }
        $count += @($entries).Count
    }
    return $count
}

# Access Key (placeholder; replace with your organisation's Automox access key)
$accesskey = '0000000000000000000000'

# Install: download over TLS 1.2 only
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$source      = 'https://console.automox.com/installers/Automox_Installer-latest.msi'
$destination = 'C:\Automox_Installer-latest.msi'
$client = New-Object -TypeName System.Net.WebClient
$client.DownloadFile($source, $destination)

# Do not run a downloaded installer whose Authenticode signature is not valid
# (assumes the vendor MSI is signed, as vendor MSIs normally are)
$signature = Get-AuthenticodeSignature -FilePath $destination
if ($signature.Status -ne 'Valid') {
    Write-Output "Installer signature status is '$($signature.Status)'; not installing"
    Remove-Item -Path $destination -Force
    exit 1
}

Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$destination`" /qn /norestart ACCESSKEY=$accesskey" -Wait
Remove-Item -Path $destination -Force

# Check if install worked
if ((Get-AutomoxInstallCount) -gt 0) {
    Write-Output "Automox Agent installed successfully"
    exit 0
}
exit 1

