Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CTE with Microsoft DFSR

Creating Required DFS(R) Policy Components

search

Please Note:

Creating Required DFS(R) Policy Components

DFS(R) uses two services to for the replication process, dfsrs.exe and ntoskrnl.exe that must be associated with the NT AUTHORITY user. In order to do this, you need to create a process set and a user set that must then be combined into a security rule in the policy.

Note

Once you create these components, you can use them in any number of policies for both standard and LDT GuardPoints.

  1. Log into the CipherTrust Manager Console and switch to the correct domain.

  2. Launch the Transparent Encryption application.

  3. In the left-hand menu bar, expand Policies and select Policy Elements.

  4. Create a process set for the required DFS(R) processes:

    1. Click Process Sets.

    2. Click Create Process Set.

    3. In the Name field, enter a name for this process set. In this example, we will use DFS(R)-Processes.

    4. Click Next.

    5. Enter the first DFS(R) process:

      • In the Directory field, enter C:\Windows\System32\.

      • In the File field, enter dfsrs.exe.

    6. Click Next.

    7. Below the table, click Add Another Process:

      • In the Directory field, enter \SystemRoot\System32\.

      • In the File field, enter ntoskrnl.exe.

    8. Click Next. The process set should look like this:

    9. Click Save to save the process set.

  5. Create the user set for the required NT AUTHORITY user:

    1. Click User Sets tab.

    2. Click Create User Set.

    3. In the Name field, enter a name for the user set. In this example we will use Local_NT_AUTHORITY.

    4. Click Next.

    5. Click the Manually Add Users tab.

    6. In the uname field, enter SYSTEM.

    7. In the OS domain field, enter NT AUTHORITY.

    8. Click Next. The user set should look like this:

    9. Click Save to save the user set.

    10. Optionally, create another user set for other authorized users in the namespace. For example, you may want to add the "Administrator" user in each of the domains that are part of the namespace. You can create as many separate user sets as required.

  6. Create the mandatory security rule for DFS(R):

    The first security rule in a standard policy is for the DFS(R) process set (created in the previous section). This rule allows the DFS(R) processes to access the data and manage the replication under DfsrPrivate folder. The minimum permissions must be:

    Rule Permissions Description
    Process Set DFS(R)_service Contains the process dfsrs.exe and ntoskrnl.exe
    Action all_ops Allows all read/write operations
    Effect Permit Allows data to be copied/moved/replaced as encrypted

  7. When you have finished created the required components, you can use the components to create the appropriate policy for your chosen encryption method.

On this page