Stormshield Data Team
DFS environment restriction
- A DFS root cannot be encrypted.
- SDS Enterprise accounts must not be stored on a DFS share.
Managing the user’s temporary folder (%TEMP%)
Do not list multiple collaborators on rules that involve the temporary folder for the Windows profile. Applications use this folder to store user-specific temporary files.
Failure to comply with this rule may cause blockages.
Managing the system’s temporary folder
System processes (services, for example) use this folder to store temporary files, and it is shared with the other users on the system.
This folder may be, for example, C:\windows\temp. The exact location depends on the installation of the operating system.
This folder must not be encrypted with Stormshield Data Team.
Moving folders available offline
The cachemov.exe utility can be used to move the - <%WINDIR%>\CSC - system folder, which contains files available offline.
In order to support this particular environment, the configuration on workstations must be modified via the registry. For more information, see section Configuring advanced settings in the registry base in the Advanced configuration guide.
Keeping performance optimal on the workstation
When Stormshield Data Team is used, users' workstations may slow down. To keep the usual levels of performance, you can change the configuration on workstations via the registry base. For further information, refer to the section Configuring advanced settings in the registry base in the Advanced configuration guide.
Moving an intra-volume folder
Intra-volume folders are not allowed to be moved when the source and destination directories do not have the same level of security.
If the action is executed in Windows Explorer, the moving operation will be replaced with Copy + Delete the source. In this case, the destination folder's security level will be applied to the “moved” folder.
Prohibiting access to encrypted files if the certificate is revoked
Stormshield Data Team prevents users from accessing encrypted files if their encryption key certificates are revoked, even when these users appear in the list of users.
In this case:
- Any operations on files secured by Stormshield Data Team (opening, creating, renaming, moving and deleting) will be denied.
These operations will fail even if the file is encrypted with an old encryption key.
- no operations can be performed on Team rules. The user interfaces are grayed out and only allow rule parameters to be read.
Stormshield Data Team uses the revocation controller configuration defined at the user level. Therefore:
- Do not allow the user to disable revocation control,
- Do not forget to correctly configure the downloading rule for the revocation lists.
Changing the dates of the last access
Some solutions, such as archive solutions, rely on the dates on which files were last accessed to run their processes. However, when Stormshield Data Team is installed on a workstation, the last access date is changed when a folder is browsed.
You can control the restoration of the last access dates on files, and then delete changes to last access dates when files were opened with Stormshield Data Team. To do so, change the configuration on workstations via the registry base. For more information, refer to the section Configuring advanced settings in the registry base in the Advanced configuration guide.
Using the cache in a network
When the cache is used in a network, changes may be made to files, folders and rules beyond the control of the user's local file system. If a change is made by a user on the network, other workstations using the share may temporarily have incorrect cache entries and therefore invalid statuses in Windows Explorer. As a result, the new statuses will not take effect immediately.
You can take the following measures to reduce these inconsistencies:
- Secure a folder from the moment it is created while it is still empty,
- Notify users so that they will avoid using the share at critical moments,
- Do not destroy a folder and then recreate it with the same name but different characteristics. If you must perform this operation, leave enough time between both operations for caches to be updated (15 minutes or restart the user's workstation to immediately apply changes),
- For major operations, perform them on a file tree (securing/desecuring) at times when no or few users are connected (e.g. during lunch break or at the end of the day).
As there is no particular issue with adding or deleting coworkers from an existing rule, no special precautions need to be taken.