Blocked Users List
The Blocked Users List is a global list of accounts shared among all File Sight monitors within a PA File Sight installation, including those on Satellite Monitoring Services. Its purpose is to protect the servers from accounts performing malicious activities.
There are two parts to the list:
Global Blocked User List
All accounts listed here will be blocked from all file access to all monitored drives (at all sites covered by the installation). That means file access via network share will be blocked, and if the user is logged into a protected server (either directly or via Remote Desktop) they will not be able to access files, which usually means any programs they are running will fail.
When an account is added to the Blocked list, it is added with a time duration. After the time expires, the account is automatically unblocked. However, if the account keeps trying to access files while being blocked, the blocked time is reset. This means the account needs to stop trying to access files for the duration of the blocked period.
Global User Account White List
Any account on the White List will not be blocked under any circumstance. Be careful which accounts are added to the White List. Accounts that you might want to add are those that specific services run as, such as a database service or an anti-virus service.
When a user is removed from the Blocked User List, they are automatically added to the White List for 3 minutes (a configurable time). This gives them time to complete whatever activity initially triggered putting them on the Blocked User List.
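The timer behavior above is easy to misread, so here is a small model of it as an added illustration (not PA File Sight code). It assumes times in seconds, that the 3-minute White List grace entry is granted on manual removal, and uses constructed account names; the class and function names are hypothetical.

```python
# Added illustration: a model of the list semantics described above, not PA File Sight code.
from dataclasses import dataclass, field

GRACE_SECONDS = 3 * 60  # page default: 3 minutes on the White List after removal


@dataclass
class BlockLists:
    blocked: dict = field(default_factory=dict)      # account -> (expiry, duration)
    whitelist: dict = field(default_factory=dict)    # account -> expiry, None = permanent

    def _whitelisted(self, account, now):
        if account not in self.whitelist:
            return False
        expiry = self.whitelist[account]
        if expiry is not None and now >= expiry:
            del self.whitelist[account]              # temporary grace entry ran out
            return False
        return True

    def block(self, account, duration, now):
        self.blocked[account] = (now + duration, duration)

    def unblock(self, account, now):
        """Manual removal (assumed trigger): grants a temporary White List entry."""
        if self.blocked.pop(account, None) is not None:
            self.whitelist.setdefault(account, now + GRACE_SECONDS)

    def access_allowed(self, account, now):
        """Decide one file access attempt at time `now` (seconds)."""
        if self._whitelisted(account, now):
            return True                              # White List always wins
        entry = self.blocked.get(account)
        if entry is None:
            return True
        expiry, duration = entry
        if now >= expiry:
            del self.blocked[account]                # quiet for the full period
            return True
        self.blocked[account] = (now + duration, duration)  # attempt resets the timer
        return False


def demo():
    lists = BlockLists()
    lists.block("CORP\\svc-sync", duration=600, now=0)       # constructed account name
    retrying = [lists.access_allowed("CORP\\svc-sync", t) for t in (300, 800, 1300)]
    quiet = lists.access_allowed("CORP\\svc-sync", 1900)      # 600 s after last attempt
    return retrying, quiet
```

In the demo, a process that retries every 500 seconds against a 600-second block never gets unblocked; access only succeeds once a full block period passes with no attempts.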
View the Lists
You can view the lists from the File Sight > User Block List report, as shown below.
The Blocked list will normally be empty. Note that you can see how an account ended up on the list (from an action, or manually).
You can also view the lists by opening an Add to Blocked Users List action. This is also where you can add and remove accounts from the lists.
When a user that is being blocked tries to access a file, the file access will fail with error STATUS_DATA_ERROR (0xC000003E) "An error in reading or writing data occurred". This is an existing error code used by Windows, but it is uncommon to see, so it was selected. This can be changed to a different error code if needed. The application that the user is using may or may not show this error message.
By default, and shown as the first entry in the White List above, local (non-domain) accounts are automatically added to the White List. This is to help prevent important services from being blocked.
Local accounts are not blocked if the server is a domain server (all accounts are domain accounts in this case), or if the server is not part of a domain (domain accounts don't apply in this case).
You might see accounts in the Blocked list with TEST added to the name. Such an account won't actually be blocked; it was added with a Testing version of the Add to Blocked Users List action.
The lists are automatically synchronized by the Central Monitoring Service and any Satellite Monitoring Services that are part of the installation. If a Satellite can't contact the Central Monitoring Service, it will keep using the last copy of the Global Blocked User List and Global User Account White List that it received.
In an emergency situation where a critical account has been blocked, it is best to remove it from the Blocked list and add it to the White List. If the list cannot be synchronized to a Satellite, you can clear the blocking by stopping the PA File Sight (Satellite) service. This will disable blocking.