When you install Deep Security, the Third Brigade Deep Security service is created in Microsoft Windows. This service is used to control the agent and can also be used to stop the protection.
Within a Microsoft Active Directory Infrastructure, a group policy can be applied to restrict control of this service to a group of users.
To restrict control of the Deep Security Agent service, you need to create a new group policy object (GPO). This GPO will then be applied to the workstations or servers where control of the service needs to be restricted.
The requirements needed to make a new GPO are as follows:
- Active Directory Group with Authorized Users
- Microsoft Active Directory and Users installed on the same machine as Deep Security Agent
The following steps will define a GPO for the entire domain.
- Open the Active Directory Users and Computers.
- Right-click the domain and then select Properties.
- Go to the Group Policy tab and then click New.
- Enter “Third Brigade Service Control” as the group policy name.
- Select the group policy and then click Edit.
- Go to Computer Configuration > Windows Settings > Security Settings > System Services.
- From the list of services, right-click Third Brigade Deep Security Agent and then click Properties.
- Select Define this policy settings and then choose Automatic from the service startup mode.
- Remove Administrators from the list and then add the Active Directory group containing the authorized users. Grant this group Full Control.
- Select the group policy object.
An update of the group policy will occur based on the settings configured within Active Directory. An update can be forced on the server or workstation by running “gpupdate /force” from the command line.