• Planning for Dynamic Access Control
• Deploying Dynamic Access Control

Lesson 1: Overview of Dynamic Access Control
• What Is Dynamic Access Control?
• Foundation Technologies for Dynamic Access Control
• Dynamic Access Control vs. Alternative Permissions Technologies
• What Is Identity?
• What Is a Claim?
• What Is a Central Access Policy?

What Is Dynamic Access Control?
Dynamic Access Control provides:
• A safety net over all file server-based resources (a central access policy is evaluated in addition to the NTFS ACL, so a policy that applies to every file server can deny what a locally set ACL would otherwise allow)
• Data classification
• Central access control to files
• Central access auditing
• Automatic RMS protection integration

Foundation Technologies for Dynamic Access Control
Dynamic Access Control relies on many technologies in Windows Server 2012, such as:
• AD DS
• Kerberos V5
• Windows Security
• File classifications
• Auditing
• RMS

Dynamic Access Control vs. Alternative Permissions Technologies
• Prior to Windows Server 2012 and Windows 8, NTFS permissions and ACLs provide access control that is based only on the user's SID and group membership SIDs
• AD RMS provides greater protection for documents by controlling how applications can use them; it protects the content wherever it travels rather than the location where it is stored
• In Windows Server 2012 and Windows 8, Dynamic Access Control provides access control based on conditional expressions that can combine security groups, claims and resource properties, both in NTFS ACLs and in central access policies

What Is Identity?
Identity is an entity's published information that is considered authoritative because it comes from a trusted source.

[Figure: examples of identity information: Domain, Group, Authenticated User]
What Is a Claim?

Claims are statements made by AD DS about specific user and computer objects in AD DS. Each claim is a value taken from an attribute of the object (for example, the user's department) that the domain controller places in the Kerberos ticket when claims support is enabled. AD DS in Windows Server 2012 supports:
• User claims
• Device claims

What Is a Central Access Policy?

A central access policy consists of one or more central access rules. Each rule defines the conditions under which access is granted. For example:

Allow Read|Write User.MemberOf(IPSecurityGroup) AND (User.Department ANY_OF File.Department) AND Device.Managed = True
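The rule above, built as AD DS objects with the ActiveDirectory module on a Windows Server 2012 domain controller. This is an added example, not code from the course, and it also covers the Lesson 3 slides "Implementing Claims and Resource Property Objects" and "Implementing Central Access Policies and Rules". Assumptions: the groups "IP Security Group" and "Managed Devices" exist; File.Department is the built-in Department_MS resource property; Device.Managed = True is modelled as the computer being a member of "Managed Devices", because a device claim would need a source attribute on the computer object that this demo does not define; the claim type ID is set explicitly so the SDDL can reference it by a known name.

```powershell
# Added example (not from the course): creates the AD DS side of the walkthrough.
Import-Module ActiveDirectory

# 1a. User claim sourced from the "department" attribute. The explicit ID is an
#     assumption made so the conditional expression below can reference it.
$claimId = "ad://ext/Department:demo"
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -AppliesToClasses @("user") -ID $claimId

# 1b. Resource property for the file's department: enable the built-in one and
#     publish it through the Global Resource Property List so file servers download it.
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members Department_MS

# 1c. Central access rule. Permissions are SDDL; the grant is a conditional (XA) ACE.
$groupSid  = (Get-ADGroup "IP Security Group").SID.Value
$deviceSid = (Get-ADGroup "Managed Devices").SID.Value
$mask = "0x12019F"   # FILE_GENERIC_READ (0x120089) | FILE_GENERIC_WRITE (0x120116)
$condition = "((Member_of {SID($groupSid)}) && " +
             "(@USER.$claimId Any_of @RESOURCE.Department_MS) && " +
             "(Device_Member_of {SID($deviceSid)}))"
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
              "(XA;;$mask;;;AU;$condition)"
New-ADCentralAccessRule -Name "Department Documents Rule" `
    -ResourceCondition "(Exists @RESOURCE.Department_MS)" `
    -CurrentAcl $currentAcl

# 1d. Central access policy that carries the rule; Group Policy pushes it to the file
#     servers (step 2) and an administrator selects it on the shared folder (step 3).
New-ADCentralAccessPolicy -Name "Department Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "Department Documents Policy" `
    -Members "Department Documents Rule"

# Show what was stored, including the SDDL the file server will evaluate.
Get-ADCentralAccessRule -Identity "Department Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl
```

The ResourceCondition restricts the rule to files that actually carry a Department value; files without it fall through to the other rules in the policy and to NTFS alone. Steps 2 and 3 of the workflow (the Central Access Policy setting under Security Settings > File System in Group Policy, and the Central Policy tab in the folder's advanced security settings) are performed in the GUI in this course.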
The deployment workflow:
1. In AD DS, create the claim definitions, the file property definitions and the central access rules, and create the central access policy
2. In Group Policy, send the central access policies to the file servers
3. On the file server, apply the policy to the shared folder and classify the information it holds
4. On the user's computer, attempt access; the file server returns Allow or Deny

Lesson 2: Planning for Dynamic Access Control
• Reasons for Implementing Dynamic Access Control
• Planning for Central Access Policy
• Planning File Classifications
• Planning File Access Auditing
• Planning Access Denied Assistance

Reasons for Implementing Dynamic Access Control
The most common reasons for implementing Dynamic Access Control are:
• An inability to achieve the desired security and compliance results with NTFS permissions alone
• A requirement for access control based on attributes of the user, the device or the resource, rather than on group membership alone

Planning for Central Access Policy
When planning a central access policy, you should:
• Identify the business case
• Identify the resources to be protected
• Define the authorization policies as required by your business
• Translate the authorization policies into conditional expressions
• Define the claim types, security groups, resource properties and rules that those expressions need

Planning File Classifications
When planning for file classification, you should:
• Identify the classifications
• Determine the method you will use to classify the files
• Define the schedule
• Perform reviews

Planning File Access Auditing
File access auditing in Windows Server 2012:
• Tracks changes to user and machine attributes
• Retrieves more information from user logon events
• Provides more information from object access auditing
• Tracks changes to central access policies, central access rules and claims
• Tracks changes to file attributes

Planning Access Denied Assistance
When planning for Access Denied Assistance, consider:
• The message that users will view
• The email text that users will use to request access
• The recipients of access request email messages
• The target operating systems

Lesson 3: Deploying Dynamic Access Control
• Prerequisites for Implementing Dynamic Access Control
• Enabling Support in AD DS for Dynamic Access Control
• Implementing Claims and Resource Property Objects
• Implementing Central Access Policies and Rules
• Implementing File Access Auditing
• Implementing Access Denied Assistance
• Implementing File Classifications
• Implementing Central Access Policy Changes

Prerequisites for Implementing Dynamic Access Control
Dynamic Access Control is a feature introduced in Windows Server 2012. To deploy it, you must have the following:
• A Windows Server 2012 domain controller (the AD DS schema must be extended to the Windows Server 2012 level; the domain functional level does not have to be raised, but users and devices must obtain their Kerberos tickets from a Windows Server 2012 domain controller to receive claims)
• A Windows Server 2012 file server
• A Windows 8 desktop (required for device claims; a Windows Server 2012 file server can obtain user claims on behalf of down-level clients)

Enabling Support in AD DS for Dynamic Access Control

To use Group Policy to enable support for Dynamic Access Control, do the following:
1. Create or open the GPO that will contain the Dynamic Access Control settings and link it to the Domain Controllers OU
2. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > System > KDC, and open KDC support for claims, compound authentication and Kerberos armoring
3. Choose one of the following options:
• Do not support Dynamic Access Control and Kerberos armoring
• Support Dynamic Access Control and Kerberos armoring
• Always provide claims (and advertise FAST according to the RFC)
• Fail unarmored authentication requests (choose this only once every client can armor its requests, because it rejects unarmored ones)

Implementing Claims and Resource Property Objects
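The same three steps done with the GroupPolicy module, as an added example that is not part of the course. Assumptions: the domain is adatum.com; the registry value names are the ones behind the KDC and Kerberos client policy settings in KDC.admx and Kerberos.admx, so confirm them against the templates in your own SYSVOL before relying on them.

```powershell
# Added example (not from the course): enable claims and armoring support via GPO.
Import-Module GroupPolicy

# Assumption: these are the registry locations behind the two ADMX settings.
$kdcKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"
$krbKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

# Steps 1 and 2: a GPO linked to the Domain Controllers OU holding the KDC setting.
$gpo = New-GPO -Name "DAC - KDC claims and armoring"
New-GPLink -Name $gpo.DisplayName -Target "OU=Domain Controllers,DC=adatum,DC=com" | Out-Null

# Step 3: the level maps to the four choices on the slide (assumption: ADMX value mapping):
#   0 = Do not support, 1 = Support, 2 = Always provide claims, 3 = Fail unarmored requests
Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $kdcKey `
    -ValueName "CbacAndArmorLevel" -Type DWord -Value 1 | Out-Null

# The KDC setting alone is not enough: file servers (and Windows 8 clients, for device
# claims) must also be allowed to request claims. That is the Kerberos client-side setting,
# placed here in a second GPO linked at the domain root so every member picks it up.
$clientGpo = New-GPO -Name "DAC - Kerberos client claims"
New-GPLink -Name $clientGpo.DisplayName -Target "DC=adatum,DC=com" | Out-Null
Set-GPRegistryValue -Name $clientGpo.DisplayName -Key $krbKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null

# Verification, after gpupdate on the domain controllers and on a Windows 8 client:
#   whoami /claims        (lists the user claims carried in the current ticket)
```

Link the KDC GPO so that every Windows Server 2012 domain controller in the domain receives it; a client whose ticket comes from a domain controller without the setting gets no claims, and the central access rule then evaluates as if the claim were absent.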
Conditional expressions can include both claims and resource property objects:

Claims
• Created for users and computers
• Have AD DS attributes as their source
• Created by using Active Directory Administrative Center or Windows PowerShell

Resource property objects
• Created for resources
• Have properties (the classification values on the file or folder) as their source
• Created by using Active Directory Administrative Center or Windows PowerShell

Implementing Central Access Policies and Rules
Central access policies enable you to manage and deploy consistent authorization throughout the enterprise. The main component of a central access policy is the central access rule, which specifies:

Implementing File Access Auditing

Global object access auditing in Windows Server 2012:
• Centrally manages and configures the Windows operating system to monitor every file and folder on the server
• Integrates with Dynamic Access Control
• Provides new audit policy categories in Group Policy

Implementing Access Denied Assistance

1. On the file server, the administrator specifies troubleshooting text for access denied messages and defines owners for shared folders
2. If a user is denied access, the user sees the troubleshooting text and, optionally, device state troubleshooting
3. The user requests access via email
4. The data owner receives the user's request and grants access
5. If the data owner cannot grant access, the data owner forwards the request to an administrator
6. The administrator views the effective permissions for the user
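Step 1 of the Access Denied Assistance flow on the file server, as an added example using the FileServerResourceManager module on Windows Server 2012 (not code from the course). Assumptions: the SMTP server and mailboxes are hypothetical, and the parameter names follow the module's documentation for Set-FsrmSetting and Set-FsrmAdrSetting; check them with Get-Help on your server.

```powershell
# Added example (not from the course): configure Access Denied Assistance on a file server.
Import-Module FileServerResourceManager

# Mail settings that the access-request emails (step 3) are sent through. Hypothetical values.
Set-FsrmSetting -SmtpServer "smtp.adatum.com" `
    -FromEmailAddress "fileserver@adatum.com" `
    -AdminEmailAddress "fsadmins@adatum.com"

# Step 1: the message the user sees, the text of the request mail, and who receives it.
# MailToOwner sends the request to the folder owner recorded on the share; MailCCAdmin
# copies the FSRM admin mailbox so the administrator can step in (steps 5 and 6).
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You do not have access to this folder. If you need it for your work, click Request assistance." `
    -EmailMessage "Please explain why you need access and for how long." `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true `
    -IncludeUserClaims $true -IncludeDeviceClaims $true

# Review the result.
Get-FsrmAdrSetting -Event AccessDenied
```

IncludeUserClaims and IncludeDeviceClaims put the claims that were presented into the request mail, which is what lets the data owner or administrator tell a missing claim (wrong department, unmanaged device) apart from a missing group membership when they look at effective permissions. Windows 8 clients additionally need the Access-Denied Assistance policy under Computer Configuration > Administrative Templates > System enabled before they show the dialog; older clients receive the standard access denied error.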
[Figure: the Access Denied Assistance flow between the user, the file server and the data owner]

Implementing File Classifications
Classification management allows you to create classification properties and assign them to files by using an automated mechanism: classification rules that File Server Resource Manager evaluates on a schedule or on demand, so that the property values a central access rule tests are set consistently rather than by hand.
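An automated classification of the kind the figure shows (a rule that marks payroll reports as confidential), as an added example with the FileServerResourceManager module on a Windows Server 2012 file server; it is not code from the course. Assumptions: the namespace D:\Reports and the property name are hypothetical, and Yes/No properties are written as the string "1" for Yes.

```powershell
# Added example (not from the course): rule-based classification with FSRM.
Import-Module FileServerResourceManager

# Local property definition. A resource property defined in AD DS for Dynamic Access
# Control is not created here; it is pulled down with
# Update-FsrmClassificationPropertyDefinition and referenced by its ID (e.g. Department_MS).
New-FsrmClassificationPropertyDefinition -Name "IsConfidential" -Type YesNo `
    -Description "Set automatically for files that contain payroll data"

# Rule: content classifier, case-insensitive regular expression over the file text,
# limited to the Reports namespace. Overwrite keeps the value current on re-runs.
New-FsrmClassificationRule -Name "Payroll reports are confidential" `
    -Property "IsConfidential" -PropertyValue "1" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @("(?i)\bpayroll\b") `
    -Namespace @("D:\Reports") `
    -ReevaluateProperty Overwrite

# Run the classification now rather than waiting for the schedule, then review the rule.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassificationRule -Name "Payroll reports are confidential"
```

Once the property is on the file, a conditional ACE or central access rule can test it (for example @RESOURCE.IsConfidential == "1"), which is the link between this lesson and the central access policy lessons: the classification supplies the resource side of the expression.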
[Figure: a classification rule applied to Payroll.rpt sets the IsConfidential property]

Implementing Central Access Policy Changes
Dynamic Access Control allows you to test a central access policy update by staging it before it takes effect. Windows Server 2012 staging:
• Is implemented by deploying proposed permissions on the central access rule alongside the current permissions
• Compares the proposed permissions against the current permissions on each access check, without changing what the user is actually granted
• Causes audit log events (event ID 4818, in the Central Access Policy Staging subcategory) to appear in the security log on the file server whenever the two would produce a different result
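A staging run end to end, as an added example that is not code from the course. Assumptions: a central access rule named "Department Documents Rule" and a group "IP Security Group" exist (both hypothetical); the first part runs on a domain controller with the ActiveDirectory module and the rest on the file server.

```powershell
# Added example (not from the course): stage a tighter rule and read the staging events.
Import-Module ActiveDirectory

# 1. On a domain controller: leave CurrentAcl untouched and put the candidate in ProposedAcl.
#    The proposal drops to Read (0x1200A9) and requires only the group membership, so any
#    user who currently gets write access, or who qualified through claims alone, will show up.
$groupSid = (Get-ADGroup "IP Security Group").SID.Value
$proposed = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
            "(XA;;0x1200A9;;;AU;(Member_of {SID($groupSid)}))"
Set-ADCentralAccessRule -Identity "Department Documents Rule" -ProposedAcl $proposed

# 2. On the file server: enable the subcategory that records mismatches and refresh the
#    central access policies that Group Policy delivers.
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
gpupdate /target:computer /force

# 3. After users have worked against the share for a while, list the mismatches. Event 4818
#    means the proposed policy would have produced a different result than the current one.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4818 } -MaxEvents 50 |
    Select-Object TimeCreated, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } }
```

No 4818 events after a representative period means the proposed ACL grants exactly what the current one does for the accesses observed, and the change can be promoted by copying ProposedAcl into CurrentAcl with Set-ADCentralAccessRule -CurrentAcl. A burst of them is the cheap signal that the change would lock users out, obtained without anyone actually being denied.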