Top menu

Topic: «DeviceLock Service not stoppable»

« Previous topic | Next topic »

security service


User profile

Posts: 1
Joined: 10/23/2008
Can anyone explain it in detail so that will be very useful to everyone.
Posted: 10/23/2008 11:00:59

Top

Pavel Yusov
Guest



security service wrote:
Can anyone explain it in detail so that will be very useful to everyone.

Explain what? Specify your request, please.
Posted: 10/23/2008 11:11:22

Top

Ed Braiter


User profile

Posts: 46
Joined: 10/23/2008
I think what "security service" asked is how to properly let (domain) administrators start and stop DLService. We have both the Domain Administrators and a lesser MIS group with Full Control in Computer Configuration -> Device Lock -> Service Options -> DeviceLock Administrators (in AD) and yet as part of the lesser group, I can't start or stop the service through the Services applet in the Control Panel. The same goes as if I log in with Domain administrators credentials. If I use "dlservice -e", I get "The process cannot access the file because it is being used by another process."

Posted: 10/29/2008 19:47:39

Top

Roman Gaditskiy
Guest



To be able to stop the service you should enable Default Security option in DeviceLock Service Options=>DeviceLock Administrators.
Posted: 10/29/2008 20:48:50

Top

Ed Braiter


User profile

Posts: 46
Joined: 10/23/2008

OK. With the default security, who has haccess? According to the manual, everyone who's a local administrator.

According to the manual on page 82, "When DeviceLock Security is enabled, no one except authorized users can connect to DeviceLock Service or stop and uninstall it." That's in the section of adding users or groups instead of relying on the "default". We have users with admin rights on their system.
Posted: 10/29/2008 21:45:52

Top

Roman Gaditskiy
Guest



DeviceLock Administrators is a complex defence mechanism which not only restricts local admins from changing service settings via a console but also restrics any access to the service itself and to the related registry information. Imagine the service is stopped when DeviceLock Administrators are in use; in this case there is no more defence of the service and the registry, since the service must be running to provide it. Hence it means that the Administrators feature is compromised. That is why there is no sense in your wishing DeviceLock Default Security to be off and the service to be stopped at the same time.
Posted: 10/29/2008 22:14:10

Top

Ed Braiter


User profile

Posts: 46
Joined: 10/23/2008
OK. then what's the point of having the feature at all?

While I agree that it does make the system temporarily unsecure, it's not likely that an administrator will leave the service disabled permanently.

Might as well, just remove it from the next version of DeviceLock.
Posted: 10/29/2008 22:36:42

Top

Roman Gaditskiy
Guest



I will afford myself repeating what was already said:
Roman Gaditskiy wrote:
DeviceLock Administrators is a complex defence mechanism which not only restricts local admins from changing service settings via a console but also restrics any access to the service itself and to the related registry information.


You can always disable the option before stopping the service.
Posted: 10/29/2008 23:36:55

Top

Ed Braiter


User profile

Posts: 46
Joined: 10/23/2008
One last thing regarding the "dlservice -e", while a few machines I tested on allows the service to stop with this command, I had one case where it comes back with the message that the service can't be stopped because it's in use. What would cause this? A device attached to the system using DeviceLock?
Posted: 11/06/2008 22:15:59

Top

Pavel Yusov
Guest



This may be caused by enabled DeviceLock Administrators.

Does this problem appear each time on that computer?
Posted: 11/07/2008 11:17:08

Top