Controlling access to files

This protection mode makes it possible to control specific applications’ access to files. These files are identified in rules by a path, alternate data stream, owner and/or volume type.

EXAMPLE
You can protect all your Microsoft Office files and other sensitive files so that they can be modified only by legitimate applications such as Windows Explorer, Office suite, Windows tools, etc. Other applications will be granted read-only access to these files.

An application identifier must be created beforehand for applications that are allowed to access files and for those that you want to block. For more information, refer to the section Creating application identifiers.

  1. Select the Security > Policies menu and click on your policy.
  2. Select a rule set.
  3. Click on the ACL resources > File tab.
  4. If you are in read-only mode, click on Edit in the upper banner.
  5. Click on Add a rule (Files).
    A new row appears.
  6. Click on in the area on the left to show the window where IDs of restricted access files are created.
  7. Enter the ID name.
  8. Enter a file, path or extension. The generic characters "?" and "*" are allowed in this field.
    Full paths beginning with a letter (i.e., E:\Data\Backup) are not supported if the Volume type is remote or removable.
    Stormshield highly recommends using the EsaRoots path roots provided in SES Evolution instead of drive letters (i.e., C:\...), as these letters may vary from one workstation to another.

    NOTE
    You can enter a path that contains the letter of a local hard disk or SSD drive in this field. However, if users change the letter of the drive or add one, you must restart the workstation or modify the policy that the agent applies so that the drive can be detected.

  9. Choose the type of volume on which the file or file type is located.
  10. You can specify the Windows account that owns the files in advanced settings, provided that these files are located on a local volume. You can also manually enter a Security ID (SID) to indicate a personal Windows account. This option makes it possible to allow or prevent access to files hosted on certain accounts.
  11. You can also specify an alternate data stream. A file’s alternate data stream contains metadata and makes it possible to find out the origin of the file. For example, by specifying the alternate data stream "zone.identifier", rules can be created for files originating from the Internet. The alternate data stream can also be an attack vector by harboring malicious code. The generic characters "?" and "*" are allowed in this field.
  12. Click on OK to close the ID creation window. Scroll over the name of the ID to see a summary of the settings.
  13. In Default behavior, choose the behavior of each action in a protection rule:
    • Allow to allow the action by default,
    • Block to block the action by default,
    • Block and kill to block the action by default, and shut down the process that launched the action.
    • Block, kill and quarantine to block the action by default, kill the process that triggered the action, and quarantine suspicious files. For more information, see the section Managing file quarantine.
  14. Click on + Add a specific behavior and choose the resource(s) that you want to exclude from the default behavior. Select the behavior for each case.

EXAMPLE
Block the ability to modify or delete Office files and other sensitive files by default. Allow these actions only for legitimate applications.
Example of a file access rule

  1. In the upper banner in the rule, you can:
    • Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
      Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
    • Indicate whether the rule must generate a context when it is applied. By default, if a rule generates Emergency or Alert logs, it will generate a context, but you can disable this feature. In case of mass generation of similar logs, the context is not generated. For more information on mass log generation, refer to the section Monitoring SES Evolution agent activity.
    • Select the log settings that this rule will send.
    • Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
    • Enter a description to explain what this rule aims to achieve.
  2. The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
  3. Click on Save at the top right of the window to save changes.