How to setup File Protection for Change Auditor (4294805)

Change Auditor uses FSDriver.sys to capture file access events and filter them based on the File Protection Templates  configured for this location.

Pre-Requisite:

• Have the Change Auditor for Windows File Servers license installed.
• Change Auditor Agent on the system containing the folder/files to protect

Process:

• Open the Change Auditor Console
• In Administration | Protection, add New Template
• Enter a Name for the Template
• Enter a Path
  • The Path must be a local Path from the Target Agent perspective
  • ie: C:\Temp and not \\192.168.0.1\FileShare nor \\FileServer\FileShare
• Press Add

• Select the options to apply to the object 
• Add file filter if required
• Click Next (Optional)
• Select Allow or Deny to AD Objects
  • ie: Allow user to bypass protection or Deny a specific user from accessing protected objects
• Add Scheduled Protection (Optional)
• Add Location to protect from (Optional)
  • Allow to aply restriction for specific IP range clients, etc...
• Click Finish
• Right-click the Template and select Assign to Configuration
• In Configuration, make sure the Template is applied to the proper server and Enabled then click OK
• Click Refresh Configuration
  • The Refresh should be a matter of second

How to confirm that the configuration is applied:

• Open the Agent Logs
• Search for ITFA Plug-in Protection
• The following entry should be present

ID: 13458 Time: 5/30/16 19:14:44.649
Level: INFO
Thread: 4320
Logger: CAAD.Agent.CFileSystemSink
File: FileSystemSink.cpp
Function: CFileSystemSink::UpdateConfiguration
Line: 279
Message: ITFA Plug-in protection config: protect="true" allow="false" location-protection-types="0" applies-to="FD" access-types="CD">

Restrictions on File Protection:

• Supports only Local Drive not NAS
• Should not be used to replace comprehensive NTFS security/access control lists
• Should not be used on Admin Shares
• Should be used only on critical objects

How to Report on protection violation:

• In order to monitor any file/folder protection violation, an Audit Template should be created
• Please note that File Protection and Audit are separate functions.