Creating a Windows Access Control Policy
Windows Access Control Policies can control who can access the files and folders on a disk, who can access the data blocks on a disk, or both. The rules are independent, which means that you create one list of users who have filesystem-level access, another list who have folder-level access, and a third list who have block-level access. You can specify both local and Active Directory (AD) users and groups in the rule permission lists.
We recommend that you create at least a filesystem-level access rule and a block-level access rule in all Windows Access Control Policies so that your data disks are fully protected. We also recommend that you include only AD users and groups in your permissions lists. For more information, see Windows Access Control Rule Recommendations and Considerations.
The following procedure describes how to create a Windows Access Control Policy. For Linux, see Creating a Linux Access Control Policy.
Before You Begin
- Make sure you have reviewed the requirements and recommendations described in Access Control Policies.
- Make sure you know the Cloud Administration group under which you want to add the Access Control Policy. Each policy can be associated with one and only one Cloud Administration group.
- If you intend to include AD users or groups, make sure an AD server has been associated with the Cloud Admin Group under which you intend to add the policy. For details, see Managing Active Directory Server Associations and Associating an AD Server with a Cloud Administration Group.
- If you intend to add Active Directory groups to your permissions lists, make sure you know what order the groups should be in. For details, see Windows Access Control Rule Processing and Windows Access Control Rule Recommendations and Considerations.
Procedure
- Log into the KeyControl Vault for VM Encryption webGUI on any node in the cluster using an account with Cloud Admin privileges in the Cloud Administration group under which you want to add the policy.
- In the top menu bar, click Workloads.
- Navigate to the Access Control Policies tab.
- Select Actions > Create Policy.
- In the Create Policy Wizard Details page, enter the following information:
  - Name: Enter a name for the Access Control Policy (1-256 characters). The name can include special characters and spaces.
  - OS Type: Select Windows. Note: You cannot change the OS Type after the policy has been saved.
  - Cloud Administrator Group: Select the Cloud Admin Group with which this policy should be associated. Note: You cannot change the group after the policy has been saved.
  - Description: Enter an optional description for the policy. This description is displayed in the KeyControl webGUI when a user selects the Access Control Policy to associate with the disk.
- When you are done, click Next.
- In the Rules page, click Add rule now.
- In the Create Rule Wizard Details page, enter the following information:
  - Name: Enter a name for the Access Control Rule (1-256 characters). The name can include special characters and spaces, and it does not need to be unique.
  - Description: Enter an optional description for the rule.
  - Rule Type: Select the rule type.
    - Filesystem-level Access controls who can access the files and folders on the disk as long as those folders are not protected by a specific folder-level rule. This type of rule covers the majority of users. You can have one filesystem-level rule per policy.
    - Folder-level Access controls who can see the files and subfolders in a specific folder on the disk. All subfolders in the specified folder automatically inherit the same access permissions unless they are protected by their own folder-level rule. You can have as many folder-level rules as needed.
    - Block-level Access controls who can access the blocks on the disk. Generally, only a few applications, such as backup utilities, require block-level access. You can have one block-level rule per policy.
  - Folder: If the rule type is Folder-level Access, enter the path to the folder you want to protect in this field. You can enter only one folder path per rule. If the specified folder contains subfolders, those subfolders inherit the same access permissions list as the parent folder. To override the default inheritance, enter a separate rule for both the parent folder and the subfolder. For example, you could restrict the folder \HR to only those users who are in the HR department but make the subfolder \HR\employee_public accessible to all employees in the company.
- When you are finished, click Next.
- In the Permissions page, click Add permission now.
  Note: If this is a block-level access rule, you do not have to add a user to the permission list if you do not want anyone to be able to access the data blocks on the disk. If this is a filesystem-level or folder-level access rule, you must add at least one user to the permissions list.
- In the Create Permission dialog box, enter the following information:
  - User or Group Name: Enter a user or group name. The user or group can be local or can come from Active Directory.
    Important: If any of the local users in the permissions list are invalid, the Policy Agent issues an alert and does not apply the Access Control Policy. If access controls were already enabled for the disk, the Policy Agent continues to use the previous access control settings until the VM reboots. If the permissions list contains invalid entries when the VM reboots, the Policy Agent disables all access controls for the disk.
    We strongly recommend that you only specify AD users and groups so that the removal of a local user account cannot invalidate the entire Access Control Policy. If the Policy Agent encounters an invalid AD account entry, it simply ignores that entry and enables the rest of the Access Control Policy.
    For security reasons, we also recommend that you do not add SYSTEM as a whitelisted user.
  - Domain: You can select:
    - Local: This account is local to the Windows VM.
    - NT Service: This is a virtual account under which a Windows Service is running on the VM.
    - AD-Domain-Name: This account comes from the selected domain in the AD defined for the Cloud Admin Group associated with this policy.
  - Permission: Specify whether the user should be allowed or denied access to the data on the disk. The default permission is "Deny" for any user who is neither explicitly allowed nor a member of an explicitly allowed group.
- If you want to add another user to the permissions list, click Add Another. Otherwise, click Save.
- If any of the entries in the permissions list are groups, make sure the order of the entries is correct.
When the Policy Agent receives an access request, it processes the permissions list in order, from top to bottom. As soon as it finds an entry that matches the account that requested the data, it assigns that permission level to the user and stops processing the permissions list. If you have added an entry to deny a particular user access but the user is part of a group that was granted permission higher in the list, that user's request for access will be granted. For details, see Windows Access Control Rule Processing.
- After you have added all of the required permissions and verified the order, click Add Rule.
- If you want to add another rule, click the blue + (Plus sign) above the table and repeat the steps above.
- When you have added all of the necessary rules, click Create Policy.
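The following is an added example, not KeyControl or Policy Agent code, that models the rule processing described in this procedure: the most specific folder-level rule covers a path (the filesystem-level rule otherwise), the permissions list is evaluated top to bottom with the first match winning, and anything unmatched is denied. It assumes constructed user, group and folder names, and it assumes that when nested folder-level rules both cover a path the rule with the longer folder path applies.

```python
# Added example (not KeyControl code): a model of how an ordered permissions
# list and folder inheritance decide an access request. All names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    rule_type: str                      # "filesystem", "folder" or "block"
    permissions: List[Tuple[str, str]]  # ordered (principal, "Allow" | "Deny")
    folder: Optional[str] = None        # path, folder-level rules only

# Group memberships of the sample users (constructed; AD would supply these).
GROUPS = {"alice": {"HR", "Employees"}, "bob": {"Employees"},
          "backupsvc": {"BackupOperators"}}

def evaluate_list(permissions, user):
    """Top-to-bottom, first matching entry wins; no match means Deny."""
    memberships = GROUPS.get(user, set())
    for principal, permission in permissions:
        if principal == user or principal in memberships:
            return permission
    return "Deny"

def select_rule(rules, path):
    """Most specific folder-level rule covering the path, else the filesystem rule."""
    covering = [r for r in rules if r.rule_type == "folder" and
                path.startswith(r.folder.rstrip("\\") + "\\")]
    if covering:
        return max(covering, key=lambda r: len(r.folder))  # assumed: longest path wins
    return next((r for r in rules if r.rule_type == "filesystem"), None)

def check_file_access(rules, user, path):
    rule = select_rule(rules, path)
    return evaluate_list(rule.permissions, user) if rule else "Deny"

def check_block_access(rules, user):
    rule = next((r for r in rules if r.rule_type == "block"), None)
    return evaluate_list(rule.permissions, user) if rule else "Deny"

# Sample policy mirroring the \HR example above plus the ordering pitfall:
# bob's Deny on \Finance is listed below an Allow for a group he belongs to.
POLICY = [
    Rule("filesystem", [("Employees", "Allow")]),
    Rule("folder", [("HR", "Allow")], folder=r"\HR"),
    Rule("folder", [("Employees", "Allow")], folder=r"\HR\employee_public"),
    Rule("folder", [("Employees", "Allow"), ("bob", "Deny")], folder=r"\Finance"),
    Rule("block", [("backupsvc", "Allow")]),
]
```

Running `check_file_access(POLICY, "bob", r"\Finance\ledger.xlsx")` returns "Allow" despite the explicit Deny, which is the ordering mistake step 11 warns about; moving the Deny entry above the group Allow fixes it.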
What to Do Next
Associate the Access Control Policy with one or more Windows data disks as described in Associating an Access Control Policy with a Disk.