Skip to main content
All CollectionsTroubleshooting and How-ToHow-To Articles
How to protect your Agent installation from tampering
How to protect your Agent installation from tampering
A
Written by Arick Disilva
Updated over 2 weeks ago

Introduction

Currently, this feature is supported on Windows only.

In some cases, Windows Update might break the Agent protection. We are checking on how to address this. For now, the recommendation is to remove the protection, update Windows, and then turn the protection back on.

You can optionally install the Teramind Hidden/Silent Agent in a protected mode. Installing the Agent in protected mode has the following advantages:

  • prevent users from seeing the Agent in system services list

  • prevent the stopping of the service using commands such as “sc stop”

  • prevents corruption of the service registration

  • prevent uninstall by unauthorized admins

There are two steps to protecting an Agent installation:

Step 1: Install the Hidden Agent in Protected Mode

When installing the Agent with msiexec, use the DO_PROTECTION=yes parameter. For example:

Local Installation

msiexec /i <teramind_agent.msi> DO_PROTECTION=yes TMINSTANCE=<instance name | ID> /qn

Where, teramind_agent.msi is the exact name of the Agent file, i.e. teramind_agent_v0.1.9999_x64.msi.

<instance name | ID> is either the instance name or instance ID. For example, “mycompany”, or “__b89a5c47a3cdd45682c21d3f764218c2aed88bd5”.

For example:

msiexec /i teramind_agent__v0.1.9999_x64.msi DO_PROTECTION=yes TMINSTANCE=mycompany /qn

Or:

msiexec /i teramind_agent__v0.1.9999_x64.msi DO_PROTECTION=yes TMINSTANCE=__b89a5c47a3cdd45682c21d3f764218c2aed88bd5 /qn

Notes:

  • If the agent file name already contains the instance name (within a -i() parameter), and you don’t include the /qn parameter (silent install), then you don't have to specify the TMINSTANCE parameter. For example:

msiexec /i teramind_agent_x64_s-i(mycompany).msi DO_PROTECTION=yes

  • If there’s already a protected Agent installed, attempting to install agent without protection (DO_PROTECTION=no, or without any parameter) will fail.

  • Installing/upgrading/uninstalling of protected agent must be run from local admin with “Take Ownership” rights. The list of users and groups with this rights is regulated by GPO:

    1. mmc.exe

    2. File > Add/Remove Snap-in > Group Policy Object Editor for local computer

    3. Console Root > Local Computer Policy > Computer Configuration > Windows settings > Security Settings > Local Policies > User Rights Assignments > Take Ownership of files or other objects.

Remote Installation (On-Premise deployment)

Select COMPUTERS from the main menu on the dashboard. Then click the REMOTE INSTALL AGENTS button on top. Add DO_PROTECTION=yes into the MSI arguments (optional) field. Then do the installation as usual.

Step 2: Set the Protection Password (optional)

You should also set a password to protect the Agent. If you set a password, other admins can remove the Agent using the password. Otherwise, only the original admin who installed the Agent will be able to remove it.

You can define the password from the Teramind Dashboard:

1. Click the Gear icon from the top right corner of the dashboard.

2. Select Settings.

3. Select the Security tab.

4. Under Agent removal protection, specify the uninstall password.

5. Click SAVE.

Check out this article, to learn how to uninstall a protected agent.

Related Articles
How to download and install the Teramind Agent
How to install the Windows Agent remotely (Cloud)
How to install the Windows Agent remotely (On-Premise)
How to uninstall a Protected Agent
How to Obtain the Agent Download Links (Cloud)
Did this answer your question?