Permissions and privileges guide
Once Domain Admin credentials are granted, DataSecurity Plus instantly starts detection, auditing, analysis, and response activities in all its licensed modules. It also allows the software to automatically install the DataSecurity Plus Agent in the target machines when they are added on the console.
However, if you don't want to provide Domain Admin credentials, follow the steps in this guide to set up a service account with the least privileges required.
Note: The minimum privileges listed below restrict DataSecurity Plus from installing the agent automatically in target computers. For information on how to install, update, or uninstall the agent manually, refer to the Agent Document.
Step 1: Create a new user for DataSecurity Plus
Log in to your Domain Controller with Domain Admin privileges. Open Active Directory Users and Computers > Right-click your domain > New > User > Name the user DataSecurity Plus.
Step 2: Assign the user the privileges common to all modules
Below are the privileges required by every edition and every module of DataSecurity Plus. These permissions should be granted first, before the permissions specific to each module are provided.
- Grant the user Full control over the product installation folder.
  DataSecurity Plus requires Full control over the product installation folder to write to the database.
  - Log in to the computer where DataSecurity Plus is installed with Domain Admin privileges.
  - Locate the product installation folder, right-click it, go to Properties > Security > Edit, add the DataSecurity Plus user, and provide Full control.
- Grant the user Full control over DataSecurity Plus' archive folder.
  DataSecurity Plus requires Full control over the archive folder for storing and retrieving archived data from the database.
  - To find the location of the archive folder, open DataSecurity Plus > Admin > Configurations > Archive Configuration.
  - Log in to the target computer with Domain Admin privileges. Locate the folder, right-click it, go to Properties > Security > Edit, add the DataSecurity Plus user, and provide Full control permission.
- Grant the user Full control over all of DataSecurity Plus' scheduled reports folders.
  DataSecurity Plus requires Full control permission over the scheduled reports folder for saving scheduled reports in the specified location.
  - To find the location of a Scheduled Reports folder, open DataSecurity Plus > Admin > Schedule Reports > Modify Schedule Report. You can see the location under After Execution.
  - Log in to the target computer with Domain Admin privileges. Locate the folder, right-click it, go to Properties > Security > Edit, add the DataSecurity Plus user, and provide Full control permission.
  - Repeat the steps on all destination folders for scheduled reports.
- Grant the user Read & execute permission over DataSecurity Plus' alert scripts folder.
  The product requires Read & execute permission on the alert scripts folder to execute predefined scripts.
  - To find the location of the alert scripts folder, open DataSecurity Plus > Configuration > Alerts > Modify Alert Profile. You can see the location under Actions.
  - Log in to the target computer with Domain Admin privileges. Locate the folder, right-click it, go to Properties > Security > Edit, add the DataSecurity Plus user, and provide Read & execute permission.
- Grant the user Modify permissions over files for which Move/Delete responses are configured.
  - Log in to the target computer with Domain Admin privileges. Locate the file for which Move/Delete responses are configured.
  - Right-click the file, go to Properties > Security > Edit, add the DataSecurity Plus user, and provide Modify permissions.
  - Repeat the steps for all the files for which the specified responses are configured.
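The grants in Step 2 can also be applied and read back from PowerShell. The script below is an added example, not part of the original guide or of DataSecurity Plus itself; the account name CONTOSO\svc-dsplus and every path in it are placeholders to replace with the locations shown in your own console.

```powershell
# Added example. The account name and all paths are placeholders.
$Account = 'CONTOSO\svc-dsplus'     # assumed logon name of the "DataSecurity Plus" user
$Grants = @(
    @{ Path = 'D:\Placeholder\InstallFolder';      Rights = 'FullControl'    }  # product installation folder
    @{ Path = 'D:\Placeholder\Archive';            Rights = 'FullControl'    }  # archive folder
    @{ Path = 'D:\Placeholder\ScheduledReports';   Rights = 'FullControl'    }  # one entry per scheduled reports folder
    @{ Path = 'D:\Placeholder\AlertScripts';       Rights = 'ReadAndExecute' }  # alert scripts folder
    @{ Path = 'D:\Placeholder\Share\example.xlsx'; Rights = 'Modify'         }  # file with a Move/Delete response
)

$report = foreach ($g in $Grants) {
    $isFolder = Test-Path -LiteralPath $g.Path -PathType Container
    # Folders pass the right down to their children; a single file has nothing to pass it to.
    $inherit = if ($isFolder) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $g.Rights, $inherit, 'None', 'Allow')

    $acl = Get-Acl -LiteralPath $g.Path
    $acl.SetAccessRule($rule)     # replaces any explicit Allow ACE the account already holds
    Set-Acl -LiteralPath $g.Path -AclObject $acl

    # Read the ACL back and list what the account now holds, inherited ACEs included.
    (Get-Acl -LiteralPath $g.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $g.Path
                Wanted    = $g.Rights
                Granted   = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}
$report | Format-Table -AutoSize
```

A row where Inherited is True and Granted is wider than Wanted means the account picks up extra rights from a parent folder, which SetAccessRule does not change.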
Step 3: Assign the user the privileges required by individual modules
To function as intended, each module requires some specific privileges to be assigned to the DataSecurity Plus user. Follow the steps under each module you have licensed to assign these privileges.
1. File Audit
The steps below detail the minimum privileges required by the File Audit module.
- Create a new group
  To create a new group, follow the steps below:
  - Log in to your domain controller with Domain Admin privileges and open the Server Manager.
  - Click Tools in the top-right corner.
  - Go to Active Directory Users and Computers.
  - Right-click your domain > New > Group.
  - Set the Group name as "DataSecurity Plus Permission Group" and click OK.
  - Add all the audited computers to the DataSecurity Plus Permission Group.
  - Right-click the DataSecurity Plus Permission Group and select Properties.
  - Select Members and click Add to add the domain controllers, Windows file servers, and workstations you want to audit.
  - Click OK.
- Create a new domain-level GPO and link it to all the audited computers
  The easiest way to configure permissions in all monitored computers is by creating a domain-level GPO instead of configuring permissions in each computer.
  To create a new domain-level GPO, follow the steps below:
  - Log in to your domain controller with Domain Admin privileges and open the Server Manager.
  - Click Tools in the top-right corner.
  - Select Group Policy Management to display all the GPOs in the target domain.
  - In the left panel of the Group Policy Management Window, expand the Domains folder and select your domain. Right-click and select Create a GPO in this domain, and Link it here...
  - Name the new GPO "DataSecurity Plus Permission GPO" and click OK.
- Remove the Apply group policy permission for the Authenticated Users group
  To remove the Apply group policy permission for the Authenticated Users group, follow the steps below:
  - In the Group Policy Management window, expand the Domains folder, select your domain, and double-click the DataSecurity Plus Permission GPO.
  - You'll be shown a Group Policy Management Console pop-up stating, "You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked." Click OK.
  - In the right pane of the DataSecurity Plus Permission GPO window, click the Delegation tab.
  - Under the groups and users listed, select Authenticated Users and click Advanced in the bottom-right corner of the window.
  - In the DataSecurity Plus Permission Group Security Settings window, select Authenticated Users, and under Permissions for Authenticated Users, uncheck all the Allow permissions.
  - Select Apply and click OK.
- Add the DataSecurity Plus Permission Group to the security filter settings of the DataSecurity Plus Permission GPO
  To add the DataSecurity Plus Permission Group to the security filter settings, follow the steps below:
  - In the Group Policy Management window, expand the Domains folder, select your domain, and double-click the DataSecurity Plus Permission GPO.
  - You'll be shown a Group Policy Management Console pop-up window stating, "You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked." Click OK.
  - In the right pane of the DataSecurity Plus Permission GPO window, select the Delegation tab.
  - Click Advanced and click Add to select users, computers, service accounts, or groups.
  - Under Enter the object names to select, type "DataSecurity Plus Permission Group" and click Check Names.
  - Click OK.
- Make the user a member of the domain admins group
  To make the user a member of the domain admins group, follow the steps below:
  - Expand the Domains folder in the Group Policy Management window and select the DataSecurity Plus Permission GPO under your target domain.
  - Right-click the DataSecurity Plus Permission GPO > Edit.
  - In the Group Policy Management Editor window, select Computer Configuration > Preferences > Control Panel Settings.
  - Select and right-click Local Users and Groups.
  - Go to New > Local Group.
  - In the New Local Group Properties wizard, click Update beside the Action tab. Select the domain admins (built-in) group under Group name.
  - In the Members tab, click Add. Type "DataSecurity Plus" beside the Member Name field within the Local Group Member wizard and click OK.
- Configuring the DCOM and WMI permissions for Windows failover clusters
  Note: The DCOM and WMI permissions are required only for Windows failover cluster auditing.
  To enable the DCOM permission:
  - Type "Component Services" in the search bar beside the Windows icon.
  - Click Computers > My Computer and right-click to select Properties.
  - Select COM Security and click Edit limits under Launch and Activation Permissions.
  - Under Security Limits within the Launch and Activation Permissions window, click Add, type the username of the dedicated DataSecurity Plus user under Enter the object names to select (examples), and click OK.
  - Set Allow for all permissions for the DataSecurity Plus user.
  To enable the WMI permission:
  - Go to Start and type the command "wmimgmt.msc".
  - Right-click WMI Control (Local) in the top-left corner.
  - Select Properties > Security.
  - Expand the Root.
  - Select CIMV2 and click Security in the bottom-right corner of the WMI Control (Local) Properties.
  - Click Add, type the username of the dedicated DataSecurity Plus user under Enter the object names to select (examples), and click OK.
  - Set Allow for all permissions for the DataSecurity Plus user, and click Apply > OK.
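Because the DataSecurity Plus Permission GPO carries privilege-granting settings, it is worth confirming that it reaches only the audited computers. The read-only script below is an added example, not part of the original guide; it uses the ActiveDirectory and GroupPolicy modules, and the computer names in $Expected are placeholders.

```powershell
# Added example. Group and GPO names are the ones used in this guide;
# the computer names are placeholders for your audited machines.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'DataSecurity Plus Permission Group'
$GpoName   = 'DataSecurity Plus Permission GPO'
$Expected  = 'FS01', 'FS02', 'DC01'

# 1. The group should contain exactly the audited computers.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }
$actual  = @(Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name })
$missing = @($Expected | Where-Object { $_ -notin $actual })
$extra   = @($actual   | Where-Object { $_ -notin $Expected })

# 2. Only the group should hold "Apply group policy" on the GPO.
$appliers = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })

# 3. The GPO should be linked, and the link enabled, at the domain root.
$link = (Get-GPInheritance -Target (Get-ADDomain).DistinguishedName).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

[pscustomobject]@{
    MissingFromGroup  = $missing -join ', '
    UnexpectedInGroup = $extra -join ', '
    CanApplyGpo       = $appliers -join ', '
    ScopedToGroupOnly = ($appliers.Count -eq 1 -and $appliers[0] -eq $GroupName)
    LinkedAtDomain    = [bool]$link
    LinkEnabled       = [bool]($link -and $link.Enabled)
}
```

ScopedToGroupOnly is False both when Authenticated Users can still apply the GPO and when the permission group was added with Read but without Apply group policy.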
2. File Analysis
This section details the minimum privileges required by DataSecurity Plus' File Analysis module.
- Ensure that the Local System user has Read permissions over all files to be monitored.
  By default, the Local System user has Full Control permissions. For File Analysis, however, only Read permissions are required. If you wish to change the default permissions, ensure that the Local System user has Read permissions over all the files to be monitored in the file server.
3. Risk Analysis
DataSecurity Plus requires a minimum of read permissions to locate sensitive data (such as PII, ePHI, and credit card details) across:
Provide read permissions for users across Windows file servers by following the steps below:
There are two ways to grant a user read permissions for the required shares:
- Make the user a member of the local administrators group.
  - Log in to any computer with domain admin privileges.
  - Open the Microsoft Management Console (MMC) and go to File > Add/Remove Snap-in.
  - Click Local Users and Groups > Add > Another computer.
  - Select the target computer, then click Finish.
  - Open Local Users and Groups.
  - Select Groups.
  - Right-click Administrators and click Properties > Add DataSecurity Plus user.
  - Repeat the steps above for every Windows file server or cluster on which Risk Analysis is to be performed.
- Grant the user read permissions for both shares and NTFS on every share scanned.
  - Log in to any computer with domain admin privileges.
  - Open MMC and go to File > Add/Remove Snap-in.
  - Click Shared Folders > Add > Another computer.
  - Select the target computer.
  - Click Finish. This will open the list of shares from the target computer, provided the user has the necessary privileges.
  - Right-click the desired share and click Properties > Security > Edit.
  - Add the DataSecurity Plus user to whom you want to grant read permissions.
  - Click Enter to provide read permissions for both shares and NTFS.
  - Repeat the steps above for every share scanned.
Repeat the above steps for every share to be audited.
Provide read permissions for users across Microsoft SQL database servers by following the steps below:
- Grant the SQL account used for monitoring the following roles.
  - Log in to any computer with system admin privileges.
  - Open the SQL Server Management Studio. If you do not have it installed, download and install it first.
  - Click Logins.
  - Right-click the appropriate user and click Properties.
  - Click Server Roles and select public. By default, the public role should have a minimum of access and read permissions for the databases.
  - Click Logins.
  - Right-click the appropriate user and click Properties.
  - Click User Mapping. For all databases, both the public and db_datareader roles should be assigned to the user.
4. Endpoint DLP
DataSecurity Plus requires Local Administrator credentials for all the endpoints to be monitored. To make the DataSecurity Plus user a member of the Local Administrators group:
- Log in to any computer with Domain Admin privileges. Open the MMC console > File > Add/Remove Snap-in. Select Local Users and Groups > Add > Another computer > Add target computer.
- Select the target computer, and open Local Users and Groups. Select Groups, right-click on Administrators > Properties > Add DataSecurity Plus user.
- Repeat the above steps for every endpoint to be audited.
Note: In case you want to monitor a large number of endpoints, making the DataSecurity Plus user a Local Administrator for each endpoint is a tedious task. To simplify the process, provide Domain Administrator credentials to the DataSecurity Plus user.