Creating Required DFS(R) Policy Components
DFS(R) uses two services to for the replication process, dfsrs.exe
and ntoskrnl.exe
that must be associated with the NT AUTHORITY user. In order to do this, you need to create a process set and a user set that must then be combined into a security rule in the policy.
Once you create these components, you can use them in any number of policies for both standard and LDT GuardPoints.
-
Log into the CipherTrust Manager Console and switch to the correct domain.
-
Launch the Transparent Encryption application.
-
In the left-hand menu bar, expand Policies and select Policy Elements.
-
Create a process set for the required DFS(R) processes:
-
Click Process Sets.
-
Click Create Process Set.
-
In the Name field, enter a name for this process set. In this example, we will use DFS(R)-Processes.
-
Click Next.
-
Enter the first DFS(R) process:
-
In the Directory field, enter
C:\Windows\System32\
. -
In the File field, enter
dfsrs.exe
.
-
-
Click Next.
-
Below the table, click Add Another Process:
-
In the Directory field, enter
\SystemRoot\System32\
. -
In the File field, enter
ntoskrnl.exe
.
-
-
Click Next. The process set should look like this:
-
Click Save to save the process set.
-
-
Create the user set for the required
NT AUTHORITY
user:-
Click User Sets tab.
-
Click Create User Set.
-
In the Name field, enter a name for the user set. In this example we will use
Local_NT_AUTHORITY
. -
Click Next.
-
Click the Manually Add Users tab.
-
In the uname field, enter
SYSTEM
. -
In the OS domain field, enter
NT AUTHORITY
. -
Click Next. The user set should look like this:
-
Click Save to save the user set.
-
Optionally, create another user set for other authorized users in the namespace. For example, you may want to add the "Administrator" user in each of the domains that are part of the namespace. You can create as many separate user sets as required.
-
-
Create the mandatory security rule for DFS(R):
The first security rule in a standard policy is for the DFS(R) process set (created in the previous section). This rule allows the DFS(R) processes to access the data and manage the replication under
DfsrPrivate
folder. The minimum permissions must be:Rule Permissions Description Process Set DFS(R)_service Contains the process dfsrs.exe
andntoskrnl.exe
Action all_ops Allows all read/write operations Effect Permit Allows data to be copied/moved/replaced as encrypted -
When you have finished created the required components, you can use the components to create the appropriate policy for your chosen encryption method.