10.7 Create a Security Notification Policy

Many organizations must comply with security regulations that require them to track who has access to areas of the network containing personal data or other restricted or sensitive information. An HR folder containing employee Social Security numbers or a Legal Department share are typical examples: the access permissions on such files must be analyzed regularly, and any change in who can reach them must be accounted for, to demonstrate compliance.

Security Notification policies let you specify the shares or folders to be analyzed, the frequency of this analysis through scheduled scans, and the administrators who are to be notified when changes in access permissions take place.

Analysis is performed through scans conducted by the Phoenix Agents. The baseline scan results are stored in the SQL Server database, while the security notifications generated from later scans are stored in the CouchDB database.

10.7.1 How Security Notification Policy Reporting Works

Reporting on security access changes is accomplished via a Security Scan. Each scan collects the following information and compares it against the previous Security Scan; a difference in any of these items is what triggers a notification:

  • Discretionary access control list (DACL) of the security descriptor (SD) for the share through which the target path is being accessed

  • Owner field of the SD

  • Access Allowed and Access Denied access control entries (ACEs) in the DACL

    Inherited ACEs in the DACL are only evaluated on the target path.

    Directly assigned ACEs are evaluated on the target path and all subordinate folders.

  • Group memberships in AD for security-enabled Domain Global Groups and Universal Groups

  • Local groups on the member server that may have members that reside in an AD domain

If there are any changes to these items, a notification is sent identifying the scope of the change.

Security Notification Policy Scan

A Security Scan will retrieve the DACL and Owner sections of the SD of folders for storage and evaluation purposes.

A Security Scan can be scheduled or executed manually. A Phoenix Agent is responsible for performing the Security Notification Policy Scan (SNPS).
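The following PowerShell script is an added example, not part of File Dynamics or its documentation, that shows the comparison the scan performs: it snapshots the owner and DACL of the target path and every subfolder (keeping inherited ACEs only on the target path and explicitly assigned ACEs everywhere), resolves the membership of any AD Global or Universal security group and any server local group named in those ACEs, and diffs the result against the snapshot from the previous run. The policy name, share path and baseline file location are placeholders, and the AD cmdlets assume the RSAT ActiveDirectory module is installed on the host running the script; the -ResetBaseline switch plays the role of the Admin Client's Reset Baseline action.

```powershell
<#
  Added example (not File Dynamics code): approximates a Security Scan by
  comparing folder owners, DACL ACEs and group membership with the previous run.
  Assumes: RSAT ActiveDirectory module (Get-ADGroup/Get-ADGroupMember) and
  Windows PowerShell 5.1+ (Get-LocalGroupMember). Paths and names are placeholders.
#>
param(
    [string]$PolicyName   = 'HQ Finance Notification Policy',  # assumed policy name
    [string]$TargetPath   = '\\FS01\Finance',                  # assumed share path
    [string]$BaselineFile = 'C:\SecScan\Finance-baseline.xml', # assumed baseline file
    [switch]$ResetBaseline                                     # like Execute > Reset Baseline
)

# Owner and ACEs of one folder. Inherited ACEs count only on the target path
# itself; explicitly assigned ACEs count on the target path and every subfolder.
function Get-FolderSnapshot {
    param([string]$Path, [bool]$IsTargetRoot)
    $acl  = Get-Acl -Path $Path
    $aces = @(foreach ($ace in $acl.Access) {
        if ($IsTargetRoot -or -not $ace.IsInherited) {
            '{0}|{1}|{2}|Inherited={3}' -f $ace.IdentityReference, $ace.AccessControlType,
                                          $ace.FileSystemRights, $ace.IsInherited
        }
    })
    [pscustomobject]@{
        Owner      = $acl.Owner
        Aces       = @($aces | Sort-Object)
        Identities = @($acl.Access | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
}

# Membership of AD security groups (Global/Universal scope) and of local groups on
# this server for every principal named in the ACEs, so that a membership change
# is reported even when no DACL changed. Users and built-in principals are skipped.
function Get-GroupSnapshot {
    param([string[]]$Identities)
    $groups = @{}
    foreach ($id in $Identities) {
        $name = ($id -split '\\')[-1]
        $tracked = $false
        try {
            $g = Get-ADGroup -Identity $name -ErrorAction Stop
            if ($g.GroupCategory -eq 'Security' -and ($g.GroupScope -eq 'Global' -or $g.GroupScope -eq 'Universal')) {
                $groups[$id] = @(Get-ADGroupMember -Identity $g -Recursive | ForEach-Object SamAccountName | Sort-Object)
                $tracked = $true
            }
        } catch { }
        if (-not $tracked) {
            try {   # local group on the member server; its members may be domain accounts
                $groups[$id] = @(Get-LocalGroupMember -Group $name -ErrorAction Stop | ForEach-Object Name | Sort-Object)
            } catch { }
        }
    }
    return $groups
}

# One full scan: the target path plus every subordinate folder.
function Invoke-SecurityScan {
    param([string]$Path)
    $root    = (Get-Item -Path $Path).FullName
    $folders = @($root) + @(Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $snap = @{}
    foreach ($f in $folders) { $snap[$f] = Get-FolderSnapshot -Path $f -IsTargetRoot ($f -eq $root) }
    $ids = @($snap.Values | ForEach-Object Identities | Sort-Object -Unique)
    [pscustomobject]@{ Taken = Get-Date; Folders = $snap; Groups = (Get-GroupSnapshot -Identities $ids) }
}

# Diff two scans; each line of output is one reportable change.
function Compare-SecurityScan {
    param($Baseline, $Current)
    $changes = [System.Collections.Generic.List[string]]::new()
    $paths = @($Baseline.Folders.Keys) + @($Current.Folders.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        if (-not $Baseline.Folders.ContainsKey($p)) { $changes.Add("Folder added: $p"); continue }
        if (-not $Current.Folders.ContainsKey($p))  { $changes.Add("Folder removed: $p"); continue }
        $b = $Baseline.Folders[$p]; $c = $Current.Folders[$p]
        if ($b.Owner -ne $c.Owner) { $changes.Add("Owner changed on ${p}: $($b.Owner) -> $($c.Owner)") }
        foreach ($a in $c.Aces) { if ($b.Aces -notcontains $a) { $changes.Add("ACE added on ${p}: $a") } }
        foreach ($a in $b.Aces) { if ($c.Aces -notcontains $a) { $changes.Add("ACE removed on ${p}: $a") } }
    }
    $groups = @($Baseline.Groups.Keys) + @($Current.Groups.Keys) | Sort-Object -Unique
    foreach ($g in $groups) {
        $bm = if ($Baseline.Groups.ContainsKey($g)) { @($Baseline.Groups[$g]) } else { @() }
        $cm = if ($Current.Groups.ContainsKey($g))  { @($Current.Groups[$g]) }  else { @() }
        foreach ($m in $cm) { if ($bm -notcontains $m) { $changes.Add("Member added to ${g}: $m") } }
        foreach ($m in $bm) { if ($cm -notcontains $m) { $changes.Add("Member removed from ${g}: $m") } }
    }
    return $changes
}

$null    = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselineFile)
$current = Invoke-SecurityScan -Path $TargetPath
if ($ResetBaseline -or -not (Test-Path -Path $BaselineFile)) {
    $current | Export-Clixml -Path $BaselineFile -Depth 5
    Write-Output "Baseline stored for '$PolicyName' ($TargetPath); nothing to compare yet."
    return
}
$baseline = Import-Clixml -Path $BaselineFile
$changes  = Compare-SecurityScan -Baseline $baseline -Current $current
if ($changes.Count -eq 0) { Write-Output "No access changes since $($baseline.Taken); no notification."; return }

# Text report with the two items the product's email always carries, then the changes.
$report = @("Policy: $PolicyName", "Target path: $TargetPath", "Baseline taken: $($baseline.Taken)", '') + $changes
Write-Output ($report -join [Environment]::NewLine)
$current | Export-Clixml -Path $BaselineFile -Depth 5   # the next run compares against this scan
```

Run it once to create the baseline, change a permission or a group membership under the share, and run it again: the report lists only what differs, which is also why a run with no changes produces no report. As with the product, changing permissions deliberately should be followed by a run with -ResetBaseline so that the intended change is not reported on the next scheduled scan. Sending the report by mail is deliberately left out; pipe the output into whatever mail transport the environment uses.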

Email Reporting

The email report is text based and includes the following:

  • The policy responsible for triggering the notification

  • The target path of the policy

Upgrading Old Security Notify Policies

The first iteration of what is now known as Security Notification policies was introduced in File Dynamics 6.1 as Security Notify policies. Any old Security Notify policies need to be updated individually by editing the old policy, configuring the new options, and saving the policy. Once the policy is saved, a new baseline scan must be taken for the updated Security Notification policy to be effective.

Additionally, the schema for the CouchDB database will need to be extended. For procedures, see Upgrading the CouchDB Schema in the File Dynamics 6.5 Installation Guide.

10.7.2 Creating a Security Notification Policy

  1. In the Admin Client, click the Target Driven tab.

  2. Click Policies.

  3. Select New > Security Notification Policy.

  4. In the Name field, give the Security Notification policy a descriptive name.

    For example, HQ Finance Notification Policy

  5. Leave the Policy Enabled check box selected.

    This check box is provided for administrators who are editing a policy. Deselecting it suspends all scanning and notifications for this policy until the administrator has finished updating the policy or the file system permissions and selects it again.

  6. Click the Browse button pertaining to the Target Path field and specify the share or folder for this policy.

  7. In the Email Recipients field, specify the email addresses of each user you want notified when access permissions to the selected folder or share are changed.

    Email addresses can be separated by a comma, semicolon, or a space.

    File Dynamics only reports on the changes in permissions between one scan and the next. Therefore, if there are no changes in access permissions between scans, no notifications will be emailed.

  8. In the Security Change Events region, specify the event types for which this policy will email notifications.

  9. In the Data Cleanup region, specify how long you want scan job information to remain in the database.

    For more information, see Security Lockdown Policy.

  10. In the Data Owners region, click Add to specify the users or groups that will serve as Data Owners for this policy.

    Data Owners assigned for a Security Notification policy will be enabled to view changes in the security reports via the Data Owner Client.

  11. Click the Description tab and in the Description field, specify any information you want to include pertaining to this policy.

  12. Click Schedule.

  13. In the Date field, specify the date you want the policy to be initially invoked.

  14. In the Time field, specify the time you want the policy to be initially invoked.

  15. (Conditional) If you want the policy to run on a recurrent basis, select the Recurrence check box and then select one of the options.

  16. Click Apply to save the schedule.

  17. Click OK.

10.7.3 Editing a Security Notification Policy and Resetting the Baseline

There might be times when you need to adjust the permissions assignments for a High-Value Target that is being monitored through a Security Notification policy.

  1. In the Admin Client, click the Target Driven tab.

  2. Click Policies.

  3. From the list of policies, double-click the Security Notification policy you want to edit.

  4. Deselect the Policy Enabled check box.

  5. Click OK.

    In the policy list, note the new warning icon indicating that the policy you are editing is now disabled.

  6. In the network file system, make any needed security changes.

  7. From the list of policies, double-click the Security Notification policy you disabled previously.

  8. Select the Policy Enabled check box.

  9. Click OK.

  10. From the Execute drop-down menu, select Reset Baseline.

  11. From the Execute drop-down menu, select Security Scan.

    This creates the new baseline.