Windows Access Control Rule Recommendations and Considerations

  • Local accounts introduce a failure mode that AD accounts do not, so we recommend that you only add users and groups from Active Directory (AD) to the permissions list. If a System Administrator removes a local account that is included in the permissions list for an Access Control Policy and then reboots the VM, the Policy Agent disables access controls but leaves the encrypted disk attached; that is, the disk stays reachable with no access controls enforced. This cannot happen if every user and group in the permissions list comes from AD: when the Policy Agent finds an invalid AD account in the permissions list, it simply ignores that account and enforces the rest of the Access Control Policy.
  • If your rule definition includes AD groups, we recommend that you:

    • Put all of the individual local and AD user permissions first. The order of the individual users does not matter as long as the entries are unique.
    • Put all of the AD group permissions after the individual users, and order the group entries by the precedence you intend, so that no user is granted access to data they should not reach and no user is denied access to data they need.
    • Make sure you allow access to the smallest AD groups possible. For example, if you have a group that includes all the developers in your company and smaller sub-groups that are specific to each product line, try to use the product-specific groups unless everyone in development truly needs access to the data.
  • If an AD account that is included in one or more permissions lists is deleted from AD and later re-created, you must also remove that account from each relevant permissions list and add it again: the re-created account is a different security principal (it receives a new SID), so the old permission entry no longer matches it.
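The ordering and AD-only recommendations above can be checked mechanically before a policy is applied. The following lint is an added example, not part of this product's documentation or tooling; the entry layout (`DOMAIN\name`, a kind of `user` or `group`, an allow flag), the AD domain name `CORP` and the sample entries are all constructed assumptions for the example.

```python
from dataclasses import dataclass

AD_DOMAIN = "CORP"  # assumed AD NetBIOS domain name; adjust for your environment


@dataclass(frozen=True)
class Entry:
    principal: str  # e.g. r"CORP\alice" or r".\svc_backup" (constructed format)
    kind: str       # "user" or "group"
    allow: bool     # True = allow entry, False = deny entry


def lint_permissions(entries):
    """Return a list of findings; an empty list means the ordered list follows
    the recommendations (AD principals only, individual users first and unique,
    AD groups after the users)."""
    findings = []
    seen_users = set()
    groups_started = False
    for idx, e in enumerate(entries):
        domain, _, _name = e.principal.partition("\\")
        # Recommendation: only AD principals. A bare name, ".", "BUILTIN", a
        # machine name or any other domain is treated as a local account here.
        if domain.upper() != AD_DOMAIN:
            findings.append(f"{idx}: {e.principal} is not a {AD_DOMAIN} principal (local account?)")
        if e.kind == "user":
            # Recommendation: every individual user entry comes before any group entry.
            if groups_started:
                findings.append(f"{idx}: user {e.principal} appears after a group entry")
            # Recommendation: individual user entries must be unique.
            if e.principal.lower() in seen_users:
                findings.append(f"{idx}: duplicate user entry {e.principal}")
            seen_users.add(e.principal.lower())
        elif e.kind == "group":
            groups_started = True
        else:
            findings.append(f"{idx}: unknown entry kind {e.kind!r}")
    return findings


# Constructed sample list that breaks the recommendations in three ways.
SAMPLE = [
    Entry(r"CORP\alice", "user", True),
    Entry(r".\svc_backup", "user", True),    # local account, not from AD
    Entry(r"CORP\Developers", "group", True),
    Entry(r"CORP\bob", "user", False),       # individual user placed after a group
    Entry(r"CORP\alice", "user", True),      # duplicate user entry (also after a group)
]

if __name__ == "__main__":
    for finding in lint_permissions(SAMPLE):
        print(finding)
```

Running the block prints one line per finding for the constructed sample (four in total); a list that satisfies the recommendations produces no output.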