Introduction
Currently, this feature is supported on Windows Stealth Agent only.
In some cases, Windows Update might break the Agent protection. We are checking on how to address this. For now, the recommendation is to remove the protection, update Windows, and then turn the protection back on.
You can optionally install the Teramind Stealth Agent in a protected mode. Installing the Agent in protected mode has the following advantages:
Prevents users from seeing the Agent in the system services list
Prevents stopping of the service using commands such as “sc stop”
Prevents corruption of the service registration
Prevents uninstallation by unauthorized admins
There are two steps to protecting an Agent installation:
Step 1: Install the Stealth Agent in Protected Mode
When installing the Agent with msiexec, use the DO_PROTECTION=yes parameter. For example:
Local Installation
msiexec /i <teramind_agent.msi> DO_PROTECTION=yes TMINSTANCE=<instance name | ID> /qn
Here:
teramind_agent.msi is the exact name of the Agent file, for example teramind_agent_v0.1.9999_x64.msi.
<instance name | ID> is either the instance name or instance ID. For example, “mycompany”, or “__b89a5c47a3cdd45682c21d3f764218c2aed88bd5”.
For example:
msiexec /i teramind_agent__v0.1.9999_x64.msi DO_PROTECTION=yes TMINSTANCE=mycompany /qn
Or:
msiexec /i teramind_agent__v0.1.9999_x64.msi DO_PROTECTION=yes TMINSTANCE=__b89a5c47a3cdd45682c21d3f764218c2aed88bd5 /qn
Notes:
If the agent file name already contains the instance name (within a -i() parameter), and you don’t include the /qn parameter (silent install), then you don't have to specify the TMINSTANCE parameter. For example:
msiexec /i teramind_agent_x64_s-i(mycompany).msi DO_PROTECTION=yes
If there’s already a protected Agent installed, attempting to install another Agent without protection (DO_PROTECTION=no, or without any parameter) will fail.
Installing, upgrading, or uninstalling the protected Agent must be run from a local admin account with “Take Ownership” rights. The list of users and groups with this right is regulated by GPO. To view or edit the rights, do the following:
Run mmc.exe.
Select File > Add/Remove Snap-in. The Add or Remove Snap-ins window will pop up.
Select Group Policy Object Editor from the left panel and click the Add button. Another window, titled Select Group Policy Object, will pop up.
Make sure Local Computer is selected, then press the Finish button to close the Select Group Policy Object window.
Click the OK button to close the Add or Remove Snap-ins window. You should be back at the main Console window.
From the main Console window, on the left panel, expand Console Root > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Double-click Take Ownership of files or other objects. You will be able to see which users/groups have this right assigned to them. You can add/remove users and groups from the pop-up window.
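The same User Rights Assignment entry can also be read from an elevated PowerShell prompt, which is convenient when auditing several machines. This is an added example, not part of Teramind's documentation; the temporary file name is an arbitrary choice.

```powershell
# Added example: list who holds "Take ownership of files or other objects"
# (SeTakeOwnershipPrivilege) in the local security policy, then check
# whether the current session's token carries that privilege.

# Arbitrary temporary file for the policy export (assumption of this example).
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'

# Export only the User Rights Assignment area. Requires an elevated prompt.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) {
    throw 'secedit export failed; run this from an elevated prompt.'
}

$match = Select-String -Path $cfg -Pattern '^SeTakeOwnershipPrivilege\s*=' |
    Select-Object -First 1
Remove-Item $cfg -Force

if (-not $match) {
    'No account is assigned SeTakeOwnershipPrivilege in the local policy.'
} else {
    # The value is a comma-separated list; SIDs are prefixed with '*'.
    $entries = ($match.Line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            '{0}  {1}' -f $sid.Value, $name
        } else {
            # secedit writes some accounts by name instead of SID.
            $entry
        }
    }
}

# A privilege appears in "whoami /priv" when the token holds it, even if its
# State column says Disabled. A non-elevated admin session will not list it.
if (whoami /priv | Select-String 'SeTakeOwnershipPrivilege') {
    'Current session holds SeTakeOwnershipPrivilege.'
} else {
    'Current session does not hold SeTakeOwnershipPrivilege.'
}
```

Run the check before installing, upgrading, or uninstalling a protected Agent to confirm that the account meets the “Take Ownership” requirement described above.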
Remote Installation (On-Premise deployment)
Select COMPUTERS from the main menu on the dashboard. Then click the REMOTE INSTALL AGENTS button on top. Add DO_PROTECTION=yes into the MSI arguments (optional) field. Then do the installation as usual.
Step 2: Set the Protection Password (optional)
You should also set a password to protect the Agent. If you set a password, other admins can remove the Agent using the password. Otherwise, only the original admin who installed the Agent will be able to remove it.
You can define the password under the Settings > Security > Stealth agent protection section of the Dashboard.
Check out this article to learn how to uninstall a protected agent.