Skip to main content

Best Practices for Preventing Accidental Data Leakage

Applies To

Netwrix Directory Manager 10 or above

Overview

This article describes best practices for preventing accidental external and internal data leakage when using Netwrix Directory Manager, including role-based scope limits, group creation controls, membership import methods, and mail-related safeguards.

Instructions

Netwrix Directory Manager uses an RBAC model through which you can define Security Roles and delegate permissions to different users. You can set Netwrix Directory Manager search so that AD objects (for example, Groups, Users, Contacts) can only be searched within a specific OU and filtered based on Active Directory attributes.

For more information on how to set up a limit on the search scope for a particular Security Role, visit the following KB article:

Using Security Roles to Specify Specific Area Where Groups Can Be Created or Have a Fixed and Hidden Path

In Netwrix Directory Manager, you can apply policies to security roles so that role members use Netwrix Directory Manager in keeping with the policy restrictions. Netwrix Directory Manager’s New Object policy enables you to restrict role members to create new groups in a specific OU only.

For more information on how to set up a New Object policy for specific security roles, visit the following KB article:

Importing Membership via Netwrix Directory Manager Bulk Membership Import Feature for Groups

Many times, organizations create groups (Security and Distribution) in advance, i.e., before the actual usage of groups. To avoid leaking critical information, create such groups without populating membership upon creation.

Instead, you can use the bulk import membership feature of Netwrix Directory Manager to update groups with the correct memberships just before their actual usage starts. Bulk import allows for external source files like a CSV or an Excel sheet to import membership when it is needed.

In Netwrix Directory Manager, bulk import of memberships is possible using the Import Wizard available in the Netwrix Directory Manager Portal. The following KB article provides step-by-step instructions to bulk import members into a group:

Creating Smart Group Without Updating Memberships

If you create a group in advance, you can preview the query results of a Smart Group without updating its memberships until the group is ready to use.

A query-based dynamic smart group determines its membership from the supplied criteria. You can preview the results without acting on them until needed. Keeping the group out of the update schedule ensures that membership updates occur only when you manually trigger them.

User-added image

Keep Group Hidden from GAL Until It Is Ready to Be Used

Keeping a group and its membership hidden from discoverability by external tools like Outlook can also help you comply with organizational policies for ensuring secrecy.

Using the Netwrix Directory Manager Portal, if a mail-enabled group is created, you can hide the group and its membership from the Address Book and GAL in the following way:

User-added image

Selecting Appropriate Security Type for Groups

During the creation of a group via the Netwrix Directory Manager Portal, you can designate the security type as Private, Semi-Private, or Public. This classification, serving as a pseudo attribute within Netwrix Directory Manager, governs the permission levels for joining the group. Choose Private as the Security Type for sensitive groups.

  • Private – A closed group where the group owner solely determines group membership.
  • Semi-Private – The group owner approves users' requests to join or leave the group.
  • Public – An open group that anyone can join or leave.

Setting Up Delivery Restrictions on Mail-Enabled Groups

Limit the inflow of email messages received by critical groups in the production environment. Netwrix Directory Manager allows you to set Delivery Restrictions on such groups by leveraging the AuthOrig and UnAuthOrig attributes from Active Directory. Both Self-Service and Automate give Group Owners and Administrators the ability to set rules for accepting/rejecting emails from certain users for a particular group.

To set Delivery Restrictions via the Netwrix Directory Manager portal:

  1. Search for the group.
  2. Navigate to the Delivery Restriction tab in Group Properties.

User-added image

Setting Up Approver Workflows for the Creation of New Groups

One of the most efficient methods to effectively manage the number and quality of groups being created by end users is the implementation of a continuous monitoring process where admins can approve the group being created.

Netwrix Directory Manager allows you to set up customized workflow approval processes with tailored filters to cater to use-case-specific triggering. This process ensures that whenever a group is created, Netwrix Directory Manager sends an approval request to the concerned authorities.

For more information on implementing such workflows, visit the following KB article:

Setting Up Message Moderators for Mail-Enabled Groups

Another way to ensure that no unauthorized message is sent to critical groups is to set up moderator approval processes for Microsoft Exchange. You can customize Netwrix Directory Manager to provide the necessary attributes in Group Properties on the portal, letting you initiate a message approval process and assign moderators for certain critical distribution lists.

For more information on customization to the portal, visit the following KB article:

Other Best Practices to Improve Compliance

In addition to these best practices for keeping the production environment secure and compliant with company policy, visit the following KB article to learn about best practices for controlling changes to group memberships after creation: