Best Practices for Encrypting and Protecting the AD Service
Thales recommends the following best practices when using Secure Start with an AD service.
Access Control with Secure Start
A user can set up a restricted access-control policy with encryption to prevent unauthorized access to AD database files. The restricted policy with Secure Start:
- Prevents a rogue user from logging into the system, moving or copying the AD database files to another directory, and tampering with them.
- Denies permissions after you set up and guard the files, so that no one can move a file out of the guarded directory, and restricts any other unwanted or unnecessary process or user from tampering with AD files.
- Grants permission to an authorized user who needs access to AD services and files.
Creating a Minimal Policy Required for AD with Access Control
When creating a normal, strict policy for access control, you must allow access to the following processes and directories for Active Directory.
Processes
secfsd.exe (C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin\)
lsass.exe (C:\Windows\System32\)
vds.exe (C:\Windows\System32\)
vssvc.exe (C:\Windows\System32\)
wbengine.exe (C:\Windows\System32\)
ntoskrnl.exe (C:\Windows\System32\)
Users
NT AUTHORITY\SYSTEM
To create a minimal policy:
- Create a User Set named AD_Minimum_User_Set with the following parameters:

| ID | Uname | osDomains |
|----|-------|-----------|
| 1 | SYSTEM | NT AUTHORITY |

- Create a Process Set named AD_Process_Set with the following parameters:

| ID | Directory | Base Name |
|----|-----------|-----------|
| 1 | C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin | secfsd.exe |
| 3 | c:\Windows\System32 | ntoskrnl.exe |
| 4 | c:\Windows\System32 | vds.exe |
| 5 | c:\Windows\System32 | vssvc.exe |
| 6 | c:\Windows\System32 | wbengine.exe |
| 7 | c:\Windows\System32 | lsass.exe |

- Create a Security rule set with the following parameters:

| Order | User | Process | Action | Effect | Browsing |
|-------|------|---------|--------|--------|----------|
| 1 | AD_Minimum_User_Set | AD_Process_Set | all_ops | Audit, Permit, Apply key | |
| 2 | | | | Audit, Deny | Yes |
Creating a Restricted Policy in DSRM Mode
Create the following policy for the initial transformation of an AD database in DSRM mode. The policy allows access to the local administrator.
In DSRM mode, you use the NTDSUTIL utility to perform maintenance on Active Directory.
To create a restricted policy:
- Create a User Set named AD_Minimum_User_Set with the following parameters:

| ID | Uname | osDomains |
|----|-------|-----------|
| 1 | SYSTEM | NT AUTHORITY |
| 2 | Administrator | localhost |

- Create a Process Set named AD_Process_Set with the following parameters:

| ID | Directory | Base Name |
|----|-----------|-----------|
| 1 | C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin | secfsd.exe |
| 2 | c:\Windows\System32\ | ntdsutil.exe |
| 3 | c:\Windows\System32\ | ntoskrnl.exe |
| 4 | c:\Windows\System32\ | vds.exe |
| 5 | c:\Windows\System32\ | vssvc.exe |
| 6 | c:\Windows\System32\ | wbengine.exe |
| 7 | c:\Windows\System32\ | lsass.exe |

- Create a Security rule with the following parameters:

| Order | User | Process | Action | Effect | Browsing |
|-------|------|---------|--------|--------|----------|
| 1 | AD_Minimum_User_Set | AD_Process_Set | all_ops | Audit, Permit, Apply key | Yes |
| 2 | | | | Audit, Deny | Yes |
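The two policies above share one structure: an ordered rule list in which rule 1 permits the User Set combined with the Process Set and rule 2 denies everything else. The following Python model, added here as an illustration and not code from Thales or CipherTrust Manager, encodes both the minimal policy and the DSRM policy from the tables and evaluates access requests against them. The evaluation semantics it uses (first matching rule wins, processes matched by full normalised path, case-insensitive user and path comparison, deny when no rule matches) are assumptions made for the example; the helper names (`principal`, `process_set`, `build_policy`, `evaluate`, `catch_all_is_last`) are likewise the example's own. It lets a defender confirm that a process with the right name in the wrong directory, or an unlisted process running as SYSTEM, falls through to the deny rule, and that the DSRM policy is the only one that admits the local Administrator with ntdsutil.exe.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Directories are the values from the page's Process Set tables. The helper
# names and evaluation semantics below are illustrative assumptions, not
# CipherTrust Manager's own policy engine.
VORMETRIC_BIN = r"C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin"
SYSTEM32 = r"c:\Windows\System32"


def _norm_path(path: str) -> str:
    """Normalise a Windows path: one separator style, case-insensitive compare."""
    return str(PureWindowsPath(path)).lower()


def principal(uname: str, os_domain: str) -> tuple[str, str]:
    """A User Set entry (Uname, osDomains), compared case-insensitively (assumption)."""
    return (uname.lower(), os_domain.lower())


def process_set(*entries: tuple[str, str]) -> frozenset[str]:
    """Build a Process Set from (Directory, Base Name) rows as in the tables."""
    return frozenset(_norm_path(str(PureWindowsPath(d, b))) for d, b in entries)


@dataclass(frozen=True)
class Rule:
    order: int
    user_set: Optional[frozenset]     # None matches any user
    process_set: Optional[frozenset]  # None matches any process
    action: str
    effect: str                       # "permit" or "deny"


# User Set and Process Set of the minimal policy (values from the page).
AD_MINIMUM_USER_SET = frozenset({principal("SYSTEM", "NT AUTHORITY")})
AD_PROCESS_SET = process_set(
    (VORMETRIC_BIN, "secfsd.exe"),
    (SYSTEM32, "ntoskrnl.exe"),
    (SYSTEM32, "vds.exe"),
    (SYSTEM32, "vssvc.exe"),
    (SYSTEM32, "wbengine.exe"),
    (SYSTEM32, "lsass.exe"),
)

# The DSRM policy adds the local Administrator and ntdsutil.exe.
DSRM_USER_SET = AD_MINIMUM_USER_SET | {principal("Administrator", "localhost")}
DSRM_PROCESS_SET = AD_PROCESS_SET | process_set((SYSTEM32, "ntdsutil.exe"))


def build_policy(user_set: frozenset, proc_set: frozenset) -> list[Rule]:
    """Rule 1 permits the allowed users and processes; rule 2 is the catch-all deny."""
    return [
        Rule(1, user_set, proc_set, "all_ops", "permit"),
        Rule(2, None, None, "all_ops", "deny"),
    ]


MINIMAL_POLICY = build_policy(AD_MINIMUM_USER_SET, AD_PROCESS_SET)
DSRM_POLICY = build_policy(DSRM_USER_SET, DSRM_PROCESS_SET)


def evaluate(rules: list[Rule], user: tuple[str, str], process_path: str) -> str:
    """Return 'permit' or 'deny': the first rule matching user AND process wins.

    A request that matches no rule is denied (assumed default).
    """
    path = _norm_path(process_path)
    for rule in sorted(rules, key=lambda r: r.order):
        user_ok = rule.user_set is None or user in rule.user_set
        proc_ok = rule.process_set is None or path in rule.process_set
        if user_ok and proc_ok:
            return rule.effect
    return "deny"


def catch_all_is_last(rules: list[Rule]) -> bool:
    """Sanity check: an unconditional rule placed before the end shadows every later rule."""
    ordered = sorted(rules, key=lambda r: r.order)
    return all(r.user_set is not None or r.process_set is not None for r in ordered[:-1])


if __name__ == "__main__":
    system = principal("SYSTEM", "NT AUTHORITY")
    admin = principal("Administrator", "localhost")
    for name, policy in (("minimal", MINIMAL_POLICY), ("dsrm", DSRM_POLICY)):
        for who, proc in ((system, r"C:\Windows\System32\lsass.exe"),
                          (system, r"C:\Temp\lsass.exe"),
                          (admin, r"C:\Windows\System32\ntdsutil.exe")):
            print(f"{name}: {who[1]}\\{who[0]} {proc} -> {evaluate(policy, who, proc)}")
```

Because a user set and a process set are matched independently in rule 1, the DSRM policy permits the local Administrator through any listed process, not only ntdsutil.exe; that is the reason the page restricts the DSRM policy to the initial transformation and uses the SYSTEM-only minimal policy for production.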
Guard Directories
The best practice for guarding a directory with a Secure Start GuardPoint is to:
- Create a directory.
- Guard that directory with a standard production or LDT policy. Follow the steps in Apply Secure Start GuardPoints to a Directory with CipherTrust Manager.
- Move the AD service into that directory.
Perform Subsequent System State Backups
After you move an AD service into a guarded directory, or out of one:
- Perform another system state backup.
- Save this subsequent backup to a different location.