I am pushing the Splunk forwarder out to a bunch of workstations. I don't want users to be able to remove the forwarder once it's installed. I've noticed that on my workstation I can go into the Add/Remove programs list in Windows and uninstall it. Also, I can stop the service from running. Is there any way to hide the forwarder from these places so that users don't remove it? Some of the users will have local admin rights so I don't think I can take away their ability to uninstall, but if it's hidden it's more likely to stay around.
Hi,
Take a look at this: http://www.winhelponline.com/articles/15/1/How-to-hide-an-entry-in-the-AddRemove-Programs-applet.htm...
With regards to the service start/stop, while you can't easily stop your local admins from starting/stopping the Splunk service on Windows, you can monitor what's going on periodically:
But most importantly, there's something that really helped me in the past: get support from senior management on this. If someone senior enough informs your employees that stopping certain security/logging tools is not permitted unless there's a valid reason for it, people would think twice before doing so. It won't stop them but if they do, and you manage to find out, there will be consequences.
Hope that helps.
Thanks,
J
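The two pieces of J's answer (hiding the Add/Remove Programs entry and periodically checking the service) put together as an added PowerShell example; this is not code from the original thread or from Splunk. Windows hides an Uninstall entry from Add/Remove Programs when the entry carries a `SystemComponent` DWORD set to 1, and the service state is checked and written to the Application log so a Splunk search can pick it up. The uninstall entry's DisplayName pattern ("UniversalForwarder"), the service name ("SplunkForwarder") and the event source name ("ForwarderWatch") are assumptions; verify them against your own install before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): hide the forwarder's
# Add/Remove Programs entry and check/restart the service.
# Assumed names, confirm on your build:
$DisplayNamePattern = 'UniversalForwarder'   # assumed DisplayName fragment of the uninstall entry
$ServiceName        = 'SplunkForwarder'      # assumed Windows service name
$EventSource        = 'ForwarderWatch'       # hypothetical event source for our own log entries

# --- 1. Hide the Add/Remove Programs entry ---------------------------------
# Add/Remove Programs skips any Uninstall subkey whose SystemComponent DWORD is 1.
# On 64-bit Windows a 32-bit installer lands under WOW6432Node, so check both hives.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.DisplayName -like "*$DisplayNamePattern*") {
            New-ItemProperty -Path $_.PSPath -Name 'SystemComponent' `
                -PropertyType DWord -Value 1 -Force | Out-Null
            Write-Host "Hidden from Add/Remove Programs: $($props.DisplayName) [$($_.PSChildName)]"
        }
    }
}

# --- 2. Check the service and record what we find ---------------------------
# Run this block from a scheduled task (e.g. every 15 minutes). Each finding goes
# to the Application log so the forwarder itself, or another collector, can ship it.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # Service gone entirely: someone uninstalled it (msiexec /x still works for local admins).
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 -EntryType Error `
        -Message "Service '$ServiceName' is not installed on $env:COMPUTERNAME."
}
elseif ($svc.Status -ne 'Running') {
    # Stopped or disabled: log it, make sure it starts at boot, and bring it back up.
    Write-EventLog -LogName Application -Source $EventSource -EventId 1002 -EntryType Warning `
        -Message "Service '$ServiceName' was found in state '$($svc.Status)' on $env:COMPUTERNAME; restarting."
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}
```

Two caveats for the original poster's situation. Hiding the entry and auto-restarting the service raise the effort needed to remove the forwarder, but a local administrator can still uninstall it (by product code via `msiexec /x`) or flip `SystemComponent` back, so treat this as tamper-evidence rather than prevention. For the "manage to find out" part, the Service Control Manager already writes event 7036 to the System log whenever a service enters the running or stopped state, so a search for that event ID against the forwarder's service name catches stops even when the scheduled check above is itself disabled.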