10.9 Create a Security Fencing Policy

There might be High-Value Targets on which you do not want to place the same level of restrictions as a Security Lockdown policy imposes, but for which you nevertheless want to restrict access to authorized users or roles only.

Security Fencing policies let you set limits on how access permissions may change over time. Through a set of rules made up of inclusion and exclusion lists that define a “fence,” the policy specifies which Active Directory containers, groups, users, and SIDs may be given permissions to a High-Value Target in the future without issue, and which must never be given rights, for example to honor restrictions such as those specified in GDPR.

IMPORTANT: Security Fencing policies work by creating a set of rules that form a boundary around your storage, against which every security change is evaluated. Security changes are then preserved or reverted based on those rules. Create your rules carefully, potentially using tools such as Micro Focus File Reporter to verify the permissions granted to subfolders of your target path.

WARNING: There is currently no path overlap protection between policies. This is ideal for flexibility, but it causes problems when you have conflicting policies.

10.9.1 Creating a Security Fencing Policy

  1. In the Admin Client, click the Target Driven tab.

  2. Click Policies.

  3. Select New > Security Fencing Policy.

  4. In the Name field, give the Security Fencing policy a descriptive name.

    For example, Engineering Department Fencing Policy.

  5. Click the Browse button pertaining to the Target Path field and specify the share or folder for this policy.

  6. (Conditional) If the currently established access permissions to the specified High-Value Target are the permissions you want enforced, select the Policy Enabled check box.

    Otherwise, come back and select the check box after you have updated the access permissions to the High-Value Target.

    Once this option is selected, the current permissions become the baseline for comparison for all Security Scans.

  7. In the Email Recipients field, specify the email address of each user you want notified when changes to the access permissions of the selected folder or share take place.

    Email addresses can be separated by a comma, semicolon, or a space.

    File Dynamics only reports on the changes in permissions between one scan and the next. Therefore, if there are no changes in access permissions between scans, no notifications will be emailed.

  8. In the Security Change Events region, specify the event types for which this policy will email notifications.

  9. In the Data Cleanup region, specify how long you want scan job information to remain in the database.

    For more information, see Security Fencing Policy.

  10. In the Data Owners region, click Add to specify the users or groups that will serve as Data Owners for this policy.

    Data Owners assigned to a Security Fencing policy can view permitted changes in security, ownership, and group membership of folders in the High-Value Target via the Data Owner Client.

  11. Click Apply to save your settings.

  12. Click Rules.

  13. In the Included Identities and Excluded Identities regions, use the Add drop-down buttons to include and exclude groups, users, and SIDs for this Fencing policy.

    WARNING: Be sure to include any desired well-known security objects, such as BUILTIN\Administrators and NT Authority\SYSTEM, appropriate to your environment before you perform a Security Scan. If you do not include these objects, their access will be disabled following the initial Security Scan.

    For more information on creating rules for a Fencing policy, including adding Built-in accounts and Security Identifiers, see Rules Tab.

  14. Click the Description tab and in the Description field, specify any information you want to include pertaining to this policy.

  15. Click Schedule.

  16. In the Date field, specify the date you want the policy to be initially invoked.

  17. In the Time field, specify the time you want the policy to be initially invoked.

  18. (Conditional) If you want the policy to run on a recurrent basis, select the Recurrence check box and then select one of the options.

  19. Click Apply to save the schedule.

  20. Click OK.

  21. From the Target Policies page, highlight the Security Fencing policy and from the Execute drop-down menu, select Security Scan.

  22. In the confirmation dialog box, click Yes.
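The following model, added here as an illustration and not part of File Dynamics itself, shows how the fence semantics described in the introduction and in the warning at step 13 play out: changes for identities inside the fence are preserved and reported, rights held by identities outside the fence (not included, or explicitly excluded) are reverted, and unchanged fenced-in entries generate no notification. The identities, rights, and ACLs are constructed sample values.

```python
# Added example, not File Dynamics code: a model of how a Security Fencing
# policy judges ACL changes between the baseline and the current scan.
# Identities and rights are plain strings; all values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fence:
    included: frozenset  # identities that may hold or gain rights on the target
    excluded: frozenset  # identities that must never hold rights (wins over included)

    def allows(self, identity):
        return identity in self.included and identity not in self.excluded


def evaluate_scan(fence, baseline, current):
    """Compare the current ACL with the baseline ACL under the fence rules.

    ACLs map identity -> frozenset of rights. Returns (enforced, events):
    enforced is the ACL that should be in place after the scan; events is a
    list of (identity, kind, rights) tuples for the notification e-mail.
    Unchanged fenced-in entries produce no event, since only changes are reported.
    """
    enforced, events = {}, []
    for ident in sorted(set(baseline) | set(current)):
        before = baseline.get(ident, frozenset())
        after = current.get(ident, frozenset())
        if fence.allows(ident):
            # Inside the fence: the change is preserved and becomes the new state.
            if after:
                enforced[ident] = after
            if before != after:
                events.append((ident, "permitted", after))
        elif after:
            # Outside the fence: any rights present are removed, including
            # rights that were already in the baseline (see the step 13 warning).
            events.append((ident, "reverted", after))
    return enforced, events


# Constructed sample: NT AUTHORITY\SYSTEM was left out of the included list,
# Engineering's rights were widened, and an excluded group gained access.
FENCE = Fence(
    included=frozenset({"BUILTIN\\Administrators", "CORP\\Engineering"}),
    excluded=frozenset({"CORP\\Contractors"}),
)
BASELINE = {
    "BUILTIN\\Administrators": frozenset({"FullControl"}),
    "NT AUTHORITY\\SYSTEM": frozenset({"FullControl"}),
    "CORP\\Engineering": frozenset({"Read"}),
}
CURRENT = dict(BASELINE)
CURRENT["CORP\\Engineering"] = frozenset({"Read", "Write"})  # widened inside the fence
CURRENT["CORP\\Contractors"] = frozenset({"Read"})           # excluded identity granted access
```

Running `evaluate_scan(FENCE, BASELINE, CURRENT)` preserves the Engineering change, reverts the Contractors grant, and also reverts SYSTEM's baseline access because it was never included, which is exactly the outcome the warning at step 13 cautions against.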

10.9.2 Editing a Security Fencing Policy and Resetting the Baseline

There might be times when you need to adjust the permissions assignments for a High-Value Target whose access permissions are managed through a Security Fencing policy.

  1. In the Admin Client, click the Target Driven tab.

  2. Click Policies.

  3. From the list of policies, double-click the Security Fencing policy you want to edit.

  4. Deselect the Policy Enabled check box.

  5. Click OK.

    In the policy list, note the new warning icon indicating that the policy you are editing is now disabled.

  6. In the network file system, make any needed security changes.

  7. From the list of policies, double-click the Security Fencing policy you disabled previously.

  8. Click the Rules tab.

  9. Preserve the security changes made in the network file system by making any needed updates in the Included Identities and Excluded Identities lists.

  10. Click the General tab.

  11. Select the Policy Enabled check box.

  12. Click OK.

  13. From the Execute drop-down menu, select Reset Baseline.

  14. From the Execute drop-down menu, select Security Scan.

    This creates the new baseline.