This article explains how SSProtect manages data for specific target host Environments.
Introduction
The :Foundation Client, installed on host/ endpoint computers, manages data for SSProtect Profiles that can be used in more than one Environment. When the software is installed, it can be used by any Windows User on the target computer. SSProtect host/ endpoint configuration is sometimes managed specifically for a target host computer and/ or use by different Windows User Profiles on the host.
This article enumerates SSProtect Account/ Profile resources affected by use on more than one host computer and/ or by use with more than one Windows User Profile.
Host Environment Identifiers
SSProtect generates a host identifier, referred to as the HostUUID, using a unique 16-byte number for each host computer. This value is randomly generated without the use of frameworks or API calls (that for example generate GUIDs of a similar format). This aims to avoid coupling between the resulting identifier and unique host resources.
The :Foundation Client attempts to maintain this identifier for the lifetime of SSProtect use. Under normal circumstances, the HostUUID will survive uninstallation/ re-installation, though not always.
The resulting HostUUID is stored in the host computer's Windows Registry, as follows:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\DefiniSec\SSProtect
HostUUID (REG_SZ): <16-byte UUID>
This value is present in most (if not all) SSProtect :Assess Reports. For more information, refer to the article, Acquiring Data Access Reports.
User Environment Identifiers
SSProtect generates a user identifier, referred to as the UserUUID, using a unique 16-byte number for each Windows User Profile on a host computer. As with HostUUIDs, this number is randomly generated without the use of framework helper functions or Windows API calls specifically to avoid coupling between host-specific resources and the resulting value.
The :Foundation Client attempts to maintain this identifier for the lifetime of SSProtect use, as with the HostUUID. It is also stored in the Windows Registry though in a user-specific location:
COMPUTER\HKEY_CURRENT_USER\SOFTWARE\DefiniSec\SSProtect
UserUUID (REG_SZ): <16-byte UUID>
This value is generally not made available in :Assess Reports, or in other ways.
Environment-Specific Profile Resources
The :Foundation Client operates more effectively when certain resources are independently managed for either the target host computer or the unique combination of host computer and Windows User Profile. Resources independently managed in this fashion, visible to or impacting use of SSProtect Accounts/ Profiles and/ or Privileged Account holders, are described below.
Default/ Overflow Folder - unique to each Host
The Default/ Overflow Folder, described in the article, Managing Host Data, is managed for each unique host computer, i.e. specific to a unique HostUUID. As a result, the same SSProtect Profile, used from different Windows User Profiles on a single host computer, must use the same Default/ Overflow Folder.
For this reason, it's important to choose a Default/ Overflow Folder accessible to all intended host-local Windows Users. If for some example Windows User A can access the configured Default/ Overflow Folder for your SSProtect Account/ Profile, then you subsequently utilize the same Profile with Windows User B (on the same host computer) and User B cannot access the configured Default/ Overflow Folder, you will be prompted to choose another location. This will affect subsequent use of your Profile, on the same host computer, when returning to work within the context of Windows User A.
For this and other reasons, we do not recommend the use of a single SSProtect Account/ Profile from multiple Windows User contexts on the same host computer (unless carefully planned/ managed). Though supported, operation may diverge from expectations because the same Profile, on multiple host computers, offers unique Default/ Overflow Folder definitions.
Adaptive Filter Configuration - unique for each combination of Host/ User
The Adaptive Filter optimizes the process of monitoring, tracking, and intercepting requests to work with SSProtect-managed content. Optimization is critical to maintaining proper performance of SSProtect and related services. As a result, SSProtect independently manages internal Adaptive Filter state for each unique SSProtect Account/ Profile operating within a Windows User Profile on a specific host computer.
Stated differently, the Adaptive Filter state of an SSProtect Account/ Profile is independently maintained for every unique combination of the HostUUID and UserUUID.
Different from the use of Default/ Overflow Folders, the Adaptive Filter configuration will independently track the location and use of data items by User A and User B on the same host computer (and also on different host computers).
Catalogs - unique for each combination of Host/ User
Catalog definitions, as described in the article, Catalogs, are tracked independently for each SSProtect Account/ Profile use with unique combination of the HostUUID and UserUUID.
Consistent with the manner in which internal Adaptive Filter resources and state are managed (noted ablove), the use of a single SSProtect Account/ Profile by two Windows User Profiles on the same host results in different enumerated Catalog Detail Lists in the Bulk Configuration dialog. This affects Adaptive Filter visibility, and thus resulting managed access results.
As a result, when you utilize your SSProtect Account/ Profile with Windows User A to discover Catalogs A, B, and C, then utilize the same Profile on the same host computer with Windows User B, you will have to re-discover Catalogs A, B, and C for the independently managed Catalog Detail List (context). This, as expected, mirrors the effective end-result of using the same Profile on two separate host computers.
Additional Resources
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.
In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.
This article was updated w/ v10.5.1 of the :Foundation Client