Creating a Windows Access Control Policy

Windows Access Control Policies can control who can access the files and folders on a disk, who can access the data blocks on a disk, or both. The rules are independent, which means that you create one list of users who have filesystem-level access and a separate list of users that have block-level access. You can specify both local and Active Directory (AD) users and groups in the rule permission lists.

We recommend that you create both types of rules in all Windows Access Control Policies so that your data disks are fully protected. We also recommend that you include only AD users and groups in your permissions lists. For more information, see Windows Access Control Rule Recommendations and Considerations.

The following procedure describes how to create a Windows Access Control Policy. For Linux, see Creating a Linux Access Control Policy.

Before You Begin 

Procedure 

  1. Log in to the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges in the Cloud Administration group under which you want to add the policy.
  2. In the top menu bar, click Cloud.
  3. Navigate to the Access Control Policies tab.
  4. Select Actions > Create Policy.
  5. In the Create Policy Wizard Details page, enter the following information:

    Name: Enter a name for the Access Control Policy (1-256 characters). The name can include special characters and spaces.

    OS Type: Select Windows.

      Note: You cannot change the OS Type after the policy has been saved.

    Cloud Administrator Group: Select the Cloud Admin Group with which this policy should be associated.

      Note: You cannot change the group after the policy has been saved.

    Description: Enter an optional description for the policy. This description is displayed in the KeyControl webGUI when a user selects the Access Control Policy to associate with the disk.

  6. When you are done, click Next.
  7. In the Rules page, click Add rule now.
  8. In the Create Rule Wizard Details page, enter the following information:

    Name: Enter a name for the Access Control Rule (1-256 characters). The name can include special characters and spaces, and it does not need to be unique.

    Description: Enter an optional description for the rule.

    Rule Type: Select the rule type.

      • Filesystem-level access controls who can access the files and folders on the disk. This type of rule covers the majority of users.
      • Block-level access controls who can access the blocks on the disk. Generally, only a few applications, such as backup utilities, require block-level access.
  9. When you are finished, click Next.
  10. In the Permissions page, click Add permission now.

    Note: If this is a block-level access rule, you do not have to add a user to the permission list if you do not want anyone to be able to access the data blocks on the disk. If this is a filesystem-level access rule, you must add at least one user to the permissions list.
  11. In the Create Permission dialog box, enter the following information:

    User or Group Name: Enter a user or group name. The user or group can be local or can come from Active Directory.

      Important: If any of the local users in the permissions list are invalid, the Policy Agent issues an alert and does not apply the Access Control Policy. If access controls were already enabled for the disk, the Policy Agent continues to use the previous access control settings until the VM reboots. If the permissions list contains invalid entries when the VM reboots, the Policy Agent disables all access controls for the disk.

      We strongly recommend that you only specify AD users and groups so that the removal of a local user account cannot invalidate the entire Access Control Policy. If the Policy Agent encounters an invalid AD account entry, it simply ignores that entry and enables the rest of the Access Control Policy.

      For security reasons, we also recommend that you do not add SYSTEM as a whitelisted user.

    Domain: You can select:

      • Local — This account is local to the Windows VM.
      • NT Service — This is a virtual account under which a Windows Service is running on the VM.
      • AD-Domain-Name — This account comes from the selected domain in the AD defined for the Cloud Admin Group associated with this policy.

    Permission: Specify whether the user should be allowed or denied access to the data on the disk. The default permission is "Deny" for all users not explicitly allowed or not included in an explicitly-allowed group.

  12. If you want to add another user to the permissions list, click Add Another. Otherwise, click Save.
  13. If any of the entries in the permissions list are groups, make sure the order of the entries is correct.

    When the Policy Agent receives an access request, it processes the permissions list in order, from top to bottom. As soon as it finds an entry that matches the account that requested the data, it assigns that permission level to the user and stops processing the permissions list. If you have added an entry to deny a particular user access but the user is part of a group that was granted permission higher in the list, that user's request for access will be granted. For details, see Windows Access Control Rule Processing.

  14. After you have added all of the required permissions and verified the order, click Add Rule.
  15. Click Create Policy.
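
The two behaviours that most often surprise administrators are the ones described under step 11 (an invalid local entry blocks the whole policy, an invalid AD entry is merely skipped) and step 13 (the list is processed top to bottom and the first match wins, so a user-specific Deny placed below a group Allow never takes effect). The following Python model, which is an added example and not KeyControl's own code, simulates exactly those documented rules so you can check an intended permissions list before saving it. All account, group and domain names in it are constructed for the example, and the `local_exists`/`ad_exists` lookups are assumptions standing in for the checks the Policy Agent performs.

```python
"""Model of how the documented permissions list is evaluated.

Added example, not KeyControl's own code: it simulates the behaviour the
procedure describes (entries processed top to bottom, first match wins,
default Deny) and the documented difference between an invalid Local entry
(policy not applied) and an invalid AD entry (ignored). All account, group
and domain names below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    name: str       # user or group name exactly as entered in the dialog
    domain: str     # "Local", "NT Service" or an AD domain name
    is_group: bool  # True for a group entry, False for a user entry
    allow: bool     # True = Allow, False = Deny


@dataclass(frozen=True)
class Account:
    name: str
    domain: str
    groups: frozenset  # set of (domain, group name) pairs the account belongs to


def evaluate(perms, account):
    """Return "Allow" or "Deny" for one access request.

    Walks the list in order and stops at the first entry that matches either
    the account itself or a group it belongs to; anything unmatched is denied.
    """
    for p in perms:
        if p.is_group:
            matched = (p.domain, p.name) in account.groups
        else:
            matched = (p.domain, p.name) == (account.domain, account.name)
        if matched:
            return "Allow" if p.allow else "Deny"
    return "Deny"  # documented default for accounts no entry covers


def validate(perms, local_exists, ad_exists):
    """Model the documented handling of invalid entries.

    local_exists(name) and ad_exists(domain, name) stand in for the account
    lookups the Policy Agent performs; they are assumptions of this example.
    Returns (entries_to_apply, error). One invalid Local entry means the whole
    policy is not applied; invalid AD entries are dropped and the rest applies.
    """
    kept = []
    for p in perms:
        if p.domain == "Local":
            if not local_exists(p.name):
                return [], f"invalid local entry {p.name!r}: policy not applied"
            kept.append(p)
        elif p.domain == "NT Service":
            kept.append(p)  # the page does not describe validation for virtual accounts
        elif ad_exists(p.domain, p.name):
            kept.append(p)
        # an AD entry that does not resolve is simply skipped
    return kept, None


# Constructed sample data: a "Finance" AD group and one of its members.
JDOE = Account("jdoe", "CORP", frozenset({("CORP", "Finance")}))

# Deny for jdoe placed below the Allow for the group: the group entry matches
# first, so the deny is never reached and the request is granted.
PERMS_MISORDERED = [
    Permission("Finance", "CORP", is_group=True, allow=True),
    Permission("jdoe", "CORP", is_group=False, allow=False),
]

# Same entries with the user-specific Deny moved above the group Allow.
PERMS_ORDERED = list(reversed(PERMS_MISORDERED))

# Constructed account directories used by the lookup stand-ins.
LOCAL_ACCOUNTS = {"backupsvc"}
AD_ACCOUNTS = {("CORP", "Finance"), ("CORP", "jdoe")}


def local_exists(name):
    return name in LOCAL_ACCOUNTS


def ad_exists(domain, name):
    return (domain, name) in AD_ACCOUNTS


if __name__ == "__main__":
    print("misordered:", evaluate(PERMS_MISORDERED, JDOE))  # Allow
    print("ordered:   ", evaluate(PERMS_ORDERED, JDOE))     # Deny
    stale = PERMS_ORDERED + [Permission("Retired", "CORP", True, True)]
    print(validate(stale, local_exists, ad_exists))         # stale AD entry dropped
    bad = PERMS_ORDERED + [Permission("oldadmin", "Local", False, True)]
    print(validate(bad, local_exists, ad_exists))           # policy not applied
```

Running the script shows the misordered list granting jdoe access despite the explicit Deny, the reordered list denying it, a stale AD group entry being silently dropped while the rest of the list still applies, and a single stale local entry causing the whole list to be rejected, which is the case the page warns survives only until the next reboot.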

What to Do Next 

Associate the Access Control Policy with one or more Windows data disks as described in Associating an Access Control Policy with a Disk.