I understand that a user permission should be based on the OS, instead of the protection software (CIS).
For example, in Windows, a user profile could be changed from Administrator to Limited User, blocking availabilities to change the time, enable or disable services, etc.
The problem I’m having is that I cannot change the type of Windows user for many reasons. I’m only looking to block the user’s availability to not be able to disable only ONE service (service must always run). Understanding that CIS protects some areas like Files and Folders, Registry Keys, COM Interfaces, etc… I thought there could be a way or tweak that can be used through CIS to block the user request to disable that specific Windows Service.
Does anyone know how I could achieve that?