Merged
Original file line number Diff line number Diff line change
Expand Up @@ -6,79 +6,69 @@ sidebar_position: 10

# Windows File Server Access & Sensitive Data Auditing Configuration

Permissions required for Access Analyzer to execute Access Auditing (SPAA) and/or Sensitive Data
Discovery Auditing scans on a Windows file server are dependent upon the Scan Mode Option selected.
Permissions required for Access Analyzer to execute Access Auditing (FSAA) and/or Sensitive Data
Discovery Auditing (SEEK) scans on a Windows file server are dependent upon the Scan Mode Option selected.
See the
[File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/filesystems.md) topic
for additional information.

However, additional considerations are needed when targeting a Windows File System Clusters or DFS
Namespaces.

## Windows File System Clusters
## Windows File System (Standard)

The permissions necessary to collect file system data from a Windows File System Cluster must be set
for all nodes that comprise the cluster.
Configure the credential(s) with the following rights on the Windows host(s):

- For **Local** or **Proxy as a Service Mode** Scans:
- Group membership in both of the following local groups:
- Power Users
- Backup Operators
- For **Applet** or **Proxy with Applet Mode** Scans:
- Group membership in the following group:
- Local Administrators
- Granted the “Log on as a batch” privilege
- Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet.
- The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.
- Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur.
- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege
- Granted the “Backup files and directories” local policy privilege

:::note
It is necessary to target the Windows File Server Cluster (name of the cluster) of
interest when running a File System scan against a Windows File System Cluster.
In order to collect data on administrative shares and local policies (logon policies) for a Windows target, the credential must have group membership in the local Administrators group.
:::

## Windows File System Clusters

Configure credentials on all cluster nodes according to the Windows Operating Systems required
permissions for the desired scan mode with these additional considerations:

- For
[Applet Mode](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#applet-mode)
and
[Proxy Mode with Applet](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-with-applet):

- Applet will be deployed to each node
- Credential used in the Connection Profile must have rights to deploy the applet to each node
The permissions necessary to collect file system data from a Windows File System Cluster must be set
for all nodes that comprise the cluster.

- For
[Proxy Mode as a Service](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-as-a-service):
:::note
It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) of interest when running a File System scan against a Windows File System Cluster.
:::

- Proxy Service must be installed on each node
- For Sensitive Data Discovery Auditing scans, the Sensitive Data Discovery Add-on must be
installed on each node
Configure credentials on all cluster nodes according to the Windows File System (Standard) permissions, with the following additional requirements:

Additionally, the credential used within the Connection Profile must have rights to remotely access
the registry on each individual cluster node.
* Remote Registry Service must be enabled on all nodes that comprise the cluster
* Group membership in the local Administrators group
* Granted the “Log on as a batch” privilege

:::tip
Remember, Remote Registry Service must be enabled on all nodes that comprise the cluster.
Configure the credential(s) with the following rights on all nodes:
:::
### Host List Considerations

It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually.

- Group membership in the local Administrators group
- Granted the “Log on as a batch” privilege
See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/hostmanagement/actions/overview) topic for additional information on host inventory.

**Host List Consideration**
- For FSAA and SDD scans, configure a custom host list to target the cluster's **Role Server**.

It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when
running a File System scan against a Windows File System Cluster. Within the Master Host Table,
there should be a host entry for the cluster as well as for each node. Additionally, each of these
host entries must have the name of the cluster in the `WinCluster` column in the host inventory
data. This may need to be updated manually.
The host targeted by the File System scans is only the host entry for the cluster. For example:

See the View/Edit section of the
[Host Management Activities](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md) topic
for additional information on host inventory.
The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. **This File Server Role Server name will be our target host.**

- For FSAA and SDD scans, configure a custom host list to target the cluster's Role Server.
- For FSAC scans, configure a custom host list to target the Windows File Server Cluster.
### Least Privilege Permission Model for Windows Clusters

The host targeted by the File System scans is only the host entry for the cluster. For example:
If a least privilege model is required by the organization, then the credential must have READ access on the following registry key:

The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named
`ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the
StealthAUDIT Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and
`ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the
`WinCluster` column: `ExampleCluster1`. Only the `ExampleCluster1` host would be in the host list
targeted by the File System scans.
* `HKEY_LOCAL_MACHINE\Cluster\Nodes`

**Sensitive Data Discovery Scans**
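
Review bot: The Windows File System Clusters section names two different scan targets. The `:::note` and the "For FSAA and SDD scans" bullet say to target the File Server Role Server (the name clients connect to), while the first paragraph under `### Host List Considerations` and the sentence "The host targeted by the File System scans is only the host entry for the cluster" still say to target the cluster name. Pick one (the example's closing sentence implies the Role Server) and reword the other sentences to match. The example also counts four host entries and then adds "an additional entry" for the Role Server, so state the resulting total. Separately, the intro abbreviates Sensitive Data Discovery Auditing as SEEK while the host-list bullet uses SDD, and the Host Management Activities link becomes an absolute docs.netwrix.com URL while the other links in this file stay relative; use one form of each.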

Expand All @@ -89,39 +79,6 @@ comprise the cluster:
- Power Users
- Backup Operators

**Activity Auditing Scans**

The Netwrix Activity Monitor must deploy an Activity Agent on all nodes that comprise the Windows
File System Cluster. The Activity Agent generates activity log files stored on each node. Access
Analyzer targets the Windows File Server Cluster (name of the cluster) of interest in order to read
the activity. See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for
additional information.

The credential used Access Analyzer to read the activity log files must have:

- Membership in the local Administrators group

The FileSystemAccess Data Collector needs to be specially configured to run the
[1-FSAC System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md)
against a Windows File System Cluster. On the
[FSAA: Activity Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md),
configure the Host Mapping option. This provides a method for mapping between the target host and
the hosts where activity logs reside. However, this feature requires **advanced SQL scripting
knowledge** to build the query.

**Membership in the local Administrators group**

### Least Privilege Permission Model for Windows Cluster

If a least privilege model is required by the organization, then the credential must have READ
access on the following registry keys:

- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters`
- `HKEY_LOCAL_MACHINE\Cluster\Nodes`

Additionally, the credential must have READ access to the path where the activity log files are
located.

## DFS Namespaces

The FileSystem > 0.Collection > 0-FSDFS System Scans Job is configured by default to target the
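
Review bot: Deleting the **Activity Auditing Scans** block and the old least-privilege section leaves this page with no pointer to the activity-log requirements they described (READ on `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters`, READ on the activity log path, the Host Mapping option). A reader who sets up a cluster credential from this page alone will not learn that activity collection needs more. Add a one-line reference to the Windows File Server Activity Auditing Configuration topic before `## DFS Namespaces`.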
Expand All @@ -136,8 +93,4 @@ the FileSystem > 0.Collection Job Group unless additional file servers are also
If the DFS hosting server is part of a Windows Cluster, then the Windows File System Clusters
requirements must be included with the credential.

**DFS and Activity Auditing Consideration**

For activity monitoring, the Netwrix Activity Monitor must have a deployed Activity Agent on all DFS
servers identified by the 0-FSDFS System Scans Job and populated into the dynamic host list. See the
[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for additional information.
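
Review bot: The requirement that an Activity Agent be deployed on all DFS servers identified by the 0-FSDFS System Scans Job is deleted here, and the activity page changed in this same PR also drops its `## DFS Namespaces` text, so the requirement no longer appears in either file. If it still applies, move it to the activity page instead of removing it; if it no longer applies, say so in the PR description.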
Original file line number Diff line number Diff line change
Expand Up @@ -6,46 +6,81 @@ sidebar_position: 20

# Windows File Server Activity Auditing Configuration

In order for the Netwrix Activity Monitor to monitor Windows file server activity, an Activity Agent
must be deployed to the server. It cannot be deployed to a proxy server. However, additional
considerations are needed when targeting a Windows File System Clusters or DFS Namespaces.
In order for Netwrix Access Analyzer to collect and store Windows file server activity, an activity monitor agent for Netwrix Activity Monitor must be deployed to the server and monitoring. See the [Single Activity Agent Deployment](https://docs.netwrix.com/docs/activitymonitor/9_0/admin/agents/overview) topic for additional information.

## Windows File System (Standard)

Configure the credential(s) with the following rights on the Windows host(s):

- For **Local** or **Proxy as a Service Mode** Scans:
- Group membership in both of the following local groups:
- Power Users
- Backup Operators
- For **Applet** or **Proxy with Applet Mode** Scans:
- Group membership in the following group:
- Local Administrators
- Granted the “Log on as a batch” privilege
- Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet.
- The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.
- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege
- Granted the “Backup files and directories” local policy privilege
- The service account in the credential profile requires access to the admin share (e.g. `C$`) where the `sbtfilemon.ini` file exists
- READ access on the following registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters`

## Windows File System Clusters

In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all
nodes that comprise the Windows File System Cluster. The credential used to deploy the Activity
Agent must have the following permissions on the server:
In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all nodes that comprise the Windows File System Cluster.

- Membership in the local Administrators group
- READ and WRITE access to the archive location for Archiving feature only
:::note
It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) when running a File System scan against a Windows File System Cluster.
:::

Configure credentials according to the Windows File System (Standard) permissions on all cluster nodes that comprise the cluster, with the following additional requirements:

It is also necessary to enable the Remote Registry Service on the Activity Agent server.
- Remote Registry Service must be enabled on all nodes that comprise the cluster
- Group membership in the local Administrators group
- Granted the “Log on as a batch” privilege

For integration between the Activity Monitor and Access Analyzer, the credential used by Access
Analyzer to read the activity log files must have also have this permission.
### Host List Considerations

After the agent has been deployed, it is necessary to modify the HOST parameter in the
`SBTFilemon.ini` file to be the name of the cluster. For integration with Netwrix Access Analyzer
(formerly Enterprise Auditor), this must be an exact match to the name of the cluster in the Master
Host Table.
It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually.

## DFS Namespaces
See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/hostmanagement/actions/overview) topic for additional information on host inventory.

In order to monitor activity on DFS Namespaces, an Activity Agent needs to be deployed on all DFS
servers.
- For FSAC scans, configure a custom host list to target the cluster's **Role Server**.

The host targeted by the File System scans is only the host entry for the cluster.

:::note Example:

The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. This File Server Role Server name will be our target host.
:::

### Host Mapping
:::note
The FileSystem > 0.Collection > 0-FSDFS System Scans Job in Netwrix Access Analyzer
(formerly Enterprise Auditor) can be used to identify all DFS servers.
Host Mapping is only required for multi-role cluster setups. See topic [Windows File Server Activity Auditing Configuration - Multi-Role (Advanced) Setup](https://docs.netwrix.com/docs/activitymonitor/9_0/requirements/activityagent/windowsfs-activity)
:::

1. Create new table in the Access Analyzer database to be used as the Host Mapping table. The column names are case sensitive.
1. **3 Columns:** LogLocation, HostName, Host
2. **Data Type:** nvarchar(MAX)

![Host Mapping Table Design](/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp)

2. Configure the new host mapping table to such:
1. **LogLocation:** Name of the host/node where activity logs reside.
2. **HostName:** Name of the configured Report hostname as value in the Activity Monitor.
3. **Host:** Name of the host being targeted in the FSAC scan and Bulk Import which the activity events will be mapped to (Role Server).

![Host Mapping Table Example](/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp)

3. Enable host mapping on the *Activity Settings* tab of the FSAC System Scan query configuraton. See topic [FSAA: Activity Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/activitysettings) for additional information.

The credential used to deploy the Activity Agent must have the following permissions on the server:
### Least Privilege Permission Model for Windows Clusters

- Membership in the local Administrators group
- READ and WRITE access to the archive location for Archiving feature only
If a least privilege model is required by the organization, then the credential must have READ access on the following registry keys:

It is also necessary to enable the Remote Registry Service on the Activity Agent server.
* `HKEY_LOCAL_MACHINE\Cluster\Nodes`
* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters`

For integration between the Activity Monitor and Access Analyzer, the credential used by Access
Analyzer to read the activity log files must have also have this permission.
Additionally, the credential must have READ access to the path where the activity log files are located.
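
Review bot: `### Least Privilege Permission Model for Windows Clusters` lists READ on two registry keys and on the log path, but the cluster section above it still requires local Administrators membership and "Log on as a batch" on every node, and nothing says which of those rights the least-privilege model replaces. State explicitly what can be dropped once the registry and path ACLs are granted, otherwise readers will grant both. Smaller points in the same hunk: the first paragraph under `### Host List Considerations` says to target the cluster name while the `:::note` and the FSAC bullet say Role Server; Host Mapping step 2 reads "to such"; and step 3 has the typo "configuraton".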