Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Encrypt Active Directory Database with Secure Start

Best Practices for Encrypting and Protecting the AD Service

search

Please Note:

printsuggest an editpdf paneldownload

Best Practices for Encrypting and Protecting the AD Service

Thales recommends the following best practices when using Secure Start with an AD service.

copy link to clipboardAccess Control with Secure Start

User can setup a restricted access control policy with encryption to prevent the unauthorized access of AD database files. The restricted policy with Secure Start:

  • Prevents a rogue user from logging into the system, and moving or copying the AD database files to another directory and tampering with it.

  • Denies permissions, after you setup and guard files, so that no one can move a file from the guarded directory. Plus it restricts any other unwanted/unnecessary process or users from tampering with AD files.

  • Provides permission for an authorized user who needs access to AD services and files.

copy link to clipboardCreating a Minimal Policy Required for AD with Access Control

When creating a normal, strict policy for access control, you must allow access to the following processes and directories for Active Directory.

Processes

secfsd.exe (C:\Program
Files\Vormetric\DataSecurityExpert\agent\secfs\ sec\bin\)
lsass.exe (C:\Windows\System32\)
vds.exe (C:\Windows\System32\)
vssvc.exe (C:\Windows\System32\)
wbengine.exe (C:\Windows\System32\)
ntoskrnl.exe (C:\Windows\System32\)

Users

NT AUTHORITY\SYSTEM

To create a minimal policy:

  1. Create a User Set named AD_Minimum_User_Set with the following parameters:

    ID Uname osDomains
    1 SYSTEM NT AUTHORITY

  2. Create a Process Set named: AD_Process_Set with the following parameters:

    ID Directory Base Name
    1 C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin secfsd.exe
    3 c:\Windows\System32|ntoskrnl.exe
    4 c:\Windows\System32|vds.exe
    5 c:\Windows\System32|vssvc.exe
    6 c:\Windows\System32|wbengine.exe
    7 c:\Windows\System32|lsass.exe

  3. Create a Security rule set with the following parameters:

    Order User Process Action Effect Browsing
    1 AD_Minimum_User_Set AD_Process_Set all_ops Audit, Permit, Apply key
    2 Audit, Deny Yes

copy link to clipboardCreating a Restricted Policy in DSRM Mode

Create the following policy for the initial transformation of an AD database in DSRM mode. The policy allows access to the local administrator.

In DSRM mode, you use the NTDSUTIL utility to perform maintenance for an Active Directory.

To create a restricted policy:

  1. Create a User Set named AD_Minimum_User_Set with the following parameters:

    ID uname osDomains
    1 SYSTEM NT AUTHORITY
    2 Administrator localhost

  2. Create a Process Set named: AD_Process_Set with the following parameters:

    ID Directory Base Name
    1 C:\Program Files\Vormetric\DataSecurityExpert\agent\secfs\sec\bin secfsd.exe
    2 c:\Windows\System32\ ntdsutil.exe
    3 c:\Windows\System32\ ntoskrnl.exe
    4 c:\Windows\System32\ vds.exe
    5 c:\Windows\System32\ vssvc.exe
    6 c:\Windows\System32\ wbengine.exe
    7 c:\Windows\System32\ lsass.exe

  3. Create a Security rule with the following parameters:

    Order User Process Action Effect Browsing
    1 AD_Minimum_User_Set AD_Process_Set all_ops Audit, Permit, Apply key Yes
    2 Audit, Deny Yes

copy link to clipboardGuard Directories

The best practice for guarding a directory with a Secure Start GuardPoint is to:

  1. Create a directory.

  2. Guard that directory with a standard production or LDT policy. Follow the steps in Apply Secure Start GuardPoints to a Directory with CipherTrust Manager.

  3. Move the AD service into that directory.

copy link to clipboardPerform Subsequent System State Backups

After you move an AD service into a guarded directory, or out of a guarded directory:

  1. Perform another system state backup.

  2. Save this subsequent backup to a different location.

On this page