
Connector Overview

File Access Manager Windows FS Activity Monitor uses a Microsoft certified mini-filter driver (https://msdn.microsoft.com/en-us/library/windows/hardware/dn265170(v=vs.85).aspx).

The driver intercepts all I/O calls to determine which users access which files and folders, and it also audits changes to local users and groups. Windows auditing is therefore not required, and no performance overhead is introduced on the monitored server.

The activity monitor detects which share was used to perform each operation. Local access is a special case, as detailed below:

Local Access - The system reports local access to a file/folder (for example, by using Remote Desktop) on the administrative share (C$), and a special field on the activity (“Is Local Access”) is set to “True.”

Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in Windows File Server and do the following:

  • Analyze the structure of your stored data.
  • Monitor user activity in the resources.
  • Classify the data being stored.
  • Verify user permissions on the resources, and compare them against requirements.
  • Manage access fulfillment - automated granting and revoking of access - according to rules set in File Access Manager.
  • Identity collector - Collect IAM users, groups and roles, and the connections between them.

See the File Access Manager documentation for a full description.

Supported Versions

The File Access Manager Microsoft Windows Server Connector supports the following versions of MS Windows Server:

  • 2012 R2, 2016, 2019
  • 32 and 64-bit support for all versions

Note

This document describes connecting to an MS Windows server as an application containing business resources. It should not be confused with the list of supported MS Windows server versions on which we can install the File Access Manager.

Windows File Server Installation Flow Overview

To install the Windows File Server connector:

  1. Configure all the prerequisites.
  2. Add a new Windows File Server application in the Business Website.
  3. Install the relevant services:

    • Activity Monitor - This is the activity collection engine, used by all connectors that support activity monitoring.
    • Permissions Collector - If you are using EC2 login, the collector should be installed on the EC2 instance.
    • Data Classification Collector

Important

Installing the Permissions Collector and Data Classification Collector services is optional. These services should only be installed by someone with a full understanding of the File Access Manager deployment architecture. The File Access Manager Administrator Guide has additional information on the architecture.

Monitored Activities

  • Create File - A new file was created.
  • Create Folder - A new folder was created.
  • Create from Move - A “Create Folder” event generates this event on the newly created folder.
  • Create from Rename - A “Rename Folder” event generates this event on the newly created folder.
  • Delete File - A file was deleted.
  • Delete Folder - A folder was deleted.
  • Move File - A file was moved.
  • Move Folder - A folder was moved.
  • Permission Add File - A permission was added to a file.
  • Permission Add Folder - A permission was added to a folder.
  • Permission Remove File - A permission was removed from a file.
  • Permission Remove Folder - A permission was removed from a folder.
  • Read File - A file (its content or security properties) was read.
  • Rename File - A file was renamed.
  • Rename Folder - A folder was renamed.
  • Write File - A file was modified.
  • Add Member - A local user/domain group was added to a local group.
  • Remove Member - A local user/domain group was removed from a local group.
  • Create User - A local user was created.
  • Delete User - A local user was deleted.
  • Rename Object - A local user/group name was changed.
  • Create Group - A local group was created.
  • Delete Group - A local group was deleted.
  • Remove Audit Account Management - Account Management auditing was disabled in Windows.

Permissions Collection Operation Principle

File Access Manager connects to the Windows file server through CIFS, collects the local users and groups, and analyzes the share and NTFS permissions on all the folders.

Path of Business Resource

The full path of a business resource is the UNC share path, rather than the physical path of the folder. Physical paths are still displayed, because they are represented by the administrative shares (C$, D$, ...), which are treated in the same way as any other share on the server.

  • Crawler - The crawler crawls through all the shares and creates business resources with the share’s full path \\server_name\share\folder.
  • Permissions Collector - The permissions collector analyzes share permissions, as well as NTFS permissions.
  • Activity Monitor - The full path of activities is the share used to access the file/folder. Section 2.2 provides a more detailed explanation.

Windows Server Failover Cluster

Windows Server Failover Cluster is an active/passive cluster based on Windows Server.

Basic Terminology

The following definitions apply to the Windows Server Failover Cluster:

  • Node - A physical server that is part of a cluster. All the nodes in a cluster must be configured when the “Is Cluster” field in the application configuration wizard is checked.
  • Server Name - A logical layer on top of the Node layer. Shares in a Cluster belong to a Server Name, which is the name used when shares in the cluster are accessed. A Server Name (discovered automatically, as part of the crawling task) is active on only one Node at a time.
  • File Share Scoping - Shares located on a cluster node can only be accessed through the Server Name, not through the name of the cluster node on which they are currently active.

The example below is used in Section Resource Tree Structure:

  • There is a cluster application in File Access Manager, called ClusterApp.
  • ClusterApp consists of node1 and node2.
  • ServerName1 is currently active in node1, while ServerName2 is currently active in node2.
  • ServerName1 has one share: Share1 \\ServerName1\Share1.
  • “Share1” is mapped to physical path E:\folder1.
  • ServerName2 consists of Share2 and Share3 \\ServerName2\Share2 and \\ServerName2\Share3.
  • “Share2” is mapped to physical path E:\folder2.
  • “Share3” is mapped to physical path E:\folder2\folder3.
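The following is an added worked example (not File Access Manager code) that applies the rules above to the ClusterApp share table: it splits a UNC path into Server Name, share and relative path, resolves it to the physical path, lists every share-scoped UNC path through which a physical folder is reachable (Share3 lives inside Share2, so E:\folder2\folder3 is exposed twice), and reports access through an administrative share (C$, E$, ...) as local access, as described in the Connector Overview. The share table, the Share dataclass and the function names are assumptions made for the example.

```python
"""UNC path resolution and share scoping for the ClusterApp example.

Added example, not File Access Manager code. The share table is constructed
from the cluster example on this page; the data structures are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    server_name: str   # logical Server Name the share belongs to (not the node)
    name: str          # share name, e.g. "Share1"
    physical: str      # local path on the node where the Server Name is active


# Constructed share table mirroring the ClusterApp example.
SHARES = [
    Share("ServerName1", "Share1", r"E:\folder1"),
    Share("ServerName2", "Share2", r"E:\folder2"),
    Share("ServerName2", "Share3", r"E:\folder2\folder3"),
]

# Administrative shares such as C$ or E$ expose a whole drive.
ADMIN_SHARE = re.compile(r"^[A-Za-z]\$$")
UNC = re.compile(r"^\\\\([^\\]+)\\([^\\]+)(?:\\(.*))?$")


def parse_unc(unc):
    """Split \\server\share\rel\path into (server, share, relative path)."""
    m = UNC.match(unc)
    if not m:
        raise ValueError(f"not a UNC path: {unc!r}")
    server, share, rest = m.groups()
    return server, share, rest or ""


def is_local_access(unc):
    """Access through an administrative share is reported as local access."""
    _, share, _ = parse_unc(unc)
    return bool(ADMIN_SHARE.match(share))


def resolve_physical(unc, shares=SHARES):
    """Map a UNC path to the physical path on the node hosting the Server Name."""
    server, share, rest = parse_unc(unc)
    if ADMIN_SHARE.match(share):
        return ntpath.join(share[0].upper() + ":\\", rest)   # C$ -> C:\
    for s in shares:
        if s.server_name.lower() == server.lower() and s.name.lower() == share.lower():
            return ntpath.join(s.physical, rest) if rest else s.physical
    raise LookupError(f"no share {share!r} on Server Name {server!r}")


def unc_paths_for(physical, shares=SHARES):
    """All share-scoped UNC paths through which a physical folder is reachable.

    Nested shares (Share3 under Share2) mean one folder can have several.
    """
    p = ntpath.normpath(physical)
    found = []
    for s in shares:
        root = ntpath.normpath(s.physical)
        if p.lower() == root.lower() or p.lower().startswith(root.lower() + "\\"):
            rel = p[len(root):].lstrip("\\")
            found.append(f"\\\\{s.server_name}\\{s.name}" + (f"\\{rel}" if rel else ""))
    return found


def resource_tree(app, shares=SHARES):
    """Business resource tree: application -> Admin Audit / Server Names -> shares."""
    tree = {app: {"Admin Audit": {}}}
    for s in shares:
        tree[app].setdefault(s.server_name, {})[s.name] = {}
    return tree


if __name__ == "__main__":
    print(resolve_physical(r"\\ServerName2\Share2\folder3\a.txt"))
    print(unc_paths_for(r"E:\folder2\folder3"))
    print(is_local_access(r"\\FS01\C$\Users"), resolve_physical(r"\\FS01\C$\Users"))
    print(resource_tree("ClusterApp"))
```

Because the activity monitor records the share actually used, the same file under E:\folder2\folder3 may appear as an activity on \\ServerName2\Share2\folder3\... or on \\ServerName2\Share3\...; the crawler, by contrast, creates a business resource for each share path it discovers.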

Windows Failover Cluster Share Scoping

File Access Manager supports Windows Failover Cluster Share Scoping.

The Server Names and their corresponding shares are discovered as part of the crawl task, and the business resource tree is built with the Server Names at the first level.

Resource Tree Structure

File Access Manager manages business resources that belong to a share on a Server Name in a Windows Server Failover Cluster. Physical paths that do not belong to a share on a Server Name are not displayed in File Access Manager.

The Business Resources tree is represented as follows:

  • [Cluster Application]
  • [Admin Audit]
  • [Server Name]
    • [Share]
    • [Share]
  • [Server Name]
    • [Share]
    • [Share]

The business resource tree for the above example is:

  • ClusterApp
  • Admin Audit
  • [Server1]
    • [Share1]
    • [Share2]
  • [Server2]
    • [Share3]
    • [Share4]