Creating Required DFSR Policy Components

DFSR uses two services to for the replication process, dfsrs.exe and ntoskrnl.exe that must be associated with the NT AUTHORITY user. In order to do this, you need to create a process set and a user set that must then be combined into a security rule in the policy.

How you do this depends on the key manager that you are using.

Once you create these components, you can use them in any number of policies for both standard and CTE-LDT GuardPoints.

Process Using CipherTrust Manager

1. Log into the CipherTrust Manager Console and switch to the correct domain if required.

2. Launch the Transparent Encryption application.

3. In the left-hand menu bar, expand Policies and select Policy Elements.

4. Create a process set for the required DFSR processes:

   1. Click the Process Sets tab.

   2. Click Create Process Set.

   3. In the Name field, enter a name for this process set. In this example, we will use DFSR-Processes.

   4. Click Next.

   5. Enter the first DFSR process:

      • In the Directory field, enter C:\Windows\System32\.

      • In the File field, enter dfsrs.exe.

   6. Click Next.

   7. Below the table, click Add Another Process:

      • In the Directory field, enter \SystemRoot\System32\.

      • In the File field, enter ntoskrnl.exe.

   8. Click Next. The process set should look like this:

      

   9. Click Save to save the process set.

5. Create the user set for the required NT AUTHORITY user:

   1. Click the User Sets tab.

   2. Click Create User Set.

   3. In the Name field, enter a name for the user set. In this example we will use Local_NT_AUTHORITY.

   4. Click Next.

   5. Click the Manually Add Users tab.

   6. In the uname field, enter SYSTEM.

   7. In the OS domain field, enter NT AUTHORITY.

   8. Click Next. The user set should look like this:

      

   9. Click Save to save the user set.

   10. Optionally create another user set for other authorized users in the namespace. For example, you may want to add the "Administrator" user in each of the domains that are part of the namespace. You can create as many separate user sets as required.

6. When you have finished created the required components, you can use those components to create your policies and GuardPoints. How you do so depends on which encryption method you are using. For details, see one of the following:

   • Using the Standard Encryption Method

   • Using the CTE-LDT Encryption Method