
Microsoft Official Course

Module 3

Implementing Dynamic Access Control
Module Overview

• Overview of Dynamic Access Control
• Planning for Dynamic Access Control
• Deploying Dynamic Access Control
Lesson 1: Overview of Dynamic Access Control

• What Is Dynamic Access Control?
• Foundation Technologies for Dynamic Access Control
• Dynamic Access Control vs. Alternative Permissions Technologies
• What Is Identity?
• What Is a Claim?
• What Is a Central Access Policy?
What Is Dynamic Access Control?

Dynamic Access Control provides:
• A safety net over all file server-based resources
• Data classification
• Central access control to files
• Central access auditing
• Automatic RMS protection integration
Foundation Technologies for Dynamic Access Control

Dynamic Access Control relies on many technologies in Windows Server 2012, such as:
• AD DS
• Kerberos V5
• Windows Security
• File classifications
• Auditing
• RMS
Dynamic Access Control vs. Alternative Permissions Technologies

• Prior to Windows 8, NTFS permissions and ACLs provide access control based on the user's SID or group membership SIDs
• AD RMS provides greater protection for documents by controlling how applications can use them
• In Windows 8, Dynamic Access Control provides access control based on expressions that can include security groups, claims, and resource properties, both in NTFS ACLs and in central access policies
What Is Identity?

Identity is an entity's published information that is considered authoritative because it comes from a trusted source

(Diagram: Domain, Group, Authenticated User)


What Is a Claim?

Claims are statements made by AD DS about specific user and computer objects in AD DS

AD DS in Windows Server 2012 supports:
• User claims
• Device claims
What Is a Central Access Policy?

A central access policy consists of one or more central access rules. Rules define conditions. For example:

Allow Read|Write
  User.MemberOf(IPSecurityGroup)
  AND (User.Department ANY_OF File.Department)
  AND Device.Managed = True

1. In AD DS, create claim and file property definitions and rules, and create the central access policy
2. In Group Policy, send central access policies to the file servers
3. On the file server, apply policies to the shared folder and identify information
4. On the user computer, attempt access (Allow/Deny)

(Diagram: AD DS holds the claim definitions, file property definitions, and central access policy; the user computer requests access from the file server, which returns Allow/Deny)
Lesson 2: Planning for Dynamic Access Control

• Reasons for Implementing Dynamic Access Control
• Planning for Central Access Policy
• Planning File Classifications
• Planning File Access Auditing
• Planning Access Denied Assistance
Reasons for Implementing Dynamic Access Control

The most common reasons for implementing Dynamic Access Control are:
• An inability to achieve the desired security and compliance results with NTFS
• A requirement for access control based on attributes
Planning for Central Access Policy

When planning a central access policy, you should:
• Identify the business case
• Identify the resources to be protected
• Define the authorization policies as defined by your business requirements
• Translate the authorization policies into conditional expressions
• Define claim types, security groups, resource properties, and rules
Planning File Classifications

When planning for file classification, you should:
• Identify the classifications
• Determine the method you will use to classify the files
• Define the schedule
• Perform reviews
Planning File Access Auditing

File access auditing:
• Tracks changes to user and machine attributes
• Retrieves more information from user logon events
• Provides more information from object access auditing
• Tracks changes to central access policies, central access rules, and claims
• Tracks changes to file attributes
Planning Access Denied Assistance

When planning for Access Denied Assistance, consider:
• The message that users will view
• The email text that users will use to request access
• The recipients for access request email messages
• The target operating systems
Lesson 3: Deploying Dynamic Access Control

• Prerequisites for Implementing Dynamic Access Control
• Enabling Support in AD DS for Dynamic Access Control
• Implementing Claims and Resource Property Objects
• Implementing Central Access Policies and Rules
• Implementing File Access Auditing
• Implementing Access Denied Assistance
• Implementing File Classifications
• Implementing Central Access Policy Changes
Prerequisites for Implementing Dynamic Access Control

Dynamic Access Control is a feature that is specific to Windows Server 2012

To deploy Dynamic Access Control, you must have the following technologies:
• Windows Server 2012 domain controller
• Windows Server 2012 file server
• Windows 8 Desktop (for device claims)
Enabling Support in AD DS for Dynamic Access Control

To use Group Policy to enable support for Dynamic Access Control, do the following:

1. Link the GPO that contains the Dynamic Access Control settings to the Domain Controllers OU
2. Navigate to the KDC node in the Group Policy Object Editor to access the Dynamic Access Control settings
3. Choose one of the following options:
   • Do not support Dynamic Access Control and Kerberos armoring
   • Support Dynamic Access Control and Kerberos armoring
   • Always provide claims and FAST RFC behavior
   • Also fail unarmored authentication requests
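The three steps above, driven from PowerShell with the GroupPolicy module, as an added example that is not part of the course material. It assumes a domain named contoso.com and GPO names of my choosing; the registry path and value names (EnableCbacAndArmor, CbacAndArmorLevel) are the ones the "KDC support for claims, compound authentication and Kerberos armoring" policy writes as far as I know them, and the mapping of CbacAndArmorLevel to the four slide options is an assumption to confirm against KDC.admx before relying on it.

```powershell
# Added example (not from the course): create the DAC GPO, link it to the Domain Controllers OU,
# and set the KDC policy from the slide. Assumed: domain contoso.com, GPO names, and the
# registry path/value names of the KDC policy (verify against KDC.admx on your DC).
Import-Module GroupPolicy

$domainDn = "DC=contoso,DC=com"
$gpoName  = "DAC - KDC Support"
$kdcKey   = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"

# Step 1: create the GPO (if needed) and link it to the Domain Controllers OU
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target "OU=Domain Controllers,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Steps 2 and 3: enable the policy and pick one of the four options.
# Assumed mapping of CbacAndArmorLevel: 0 = Not supported, 1 = Supported,
# 2 = Always provide claims, 3 = Fail unarmored authentication requests.
$levels = @{ NotSupported = 0; Supported = 1; AlwaysProvideClaims = 2; FailUnarmored = 3 }
$option = "Supported"   # the usual starting point while clients are being migrated

Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName "CbacAndArmorLevel"  -Type DWord -Value $levels[$option] | Out-Null

# Clients and file servers request claims only if the matching Kerberos client policy is on;
# that belongs in a separate GPO linked to the client/member server OUs, not to the DC OU.
$kerbKey   = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
$clientGpo = "DAC - Kerberos Client Support"
if (-not (Get-GPO -Name $clientGpo -ErrorAction SilentlyContinue)) { New-GPO -Name $clientGpo | Out-Null }
Set-GPRegistryValue -Name $clientGpo -Key $kerbKey -ValueName "EnableCbacAndArmor" -Type DWord -Value 1 | Out-Null

# Show what the DC GPO now carries
Get-GPRegistryValue -Name $gpoName -Key $kdcKey
```

"Fail unarmored authentication requests" makes the KDC reject Kerberos requests from clients that do not armor, so it is only safe to select once every client and server that authenticates against these domain controllers supports armoring; "Supported" is the level that lets claims-aware and older clients coexist.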
Implementing Claims and Resource Property Objects

Conditional expressions can include both claims and resource property objects

Claims:
• Created for users and computers
• Have attributes as a source
• Created by using Active Directory Administrative Center or Windows PowerShell

Resource property objects:
• Created for resources
• Have properties as a source
• Created by using Active Directory Administrative Center or Windows PowerShell
Implementing Central Access Policies and Rules

Central access policies enable you to manage and deploy consistent authorization throughout the enterprise

The main component of a central access policy is the central access rule, which specifies:
• Target resources
• Permissions
• Conditions
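An added example, not code from the course, that carries out the Lesson 1 walkthrough (claim type, resource property, rule, policy, and applying the policy on the file server) using the PowerShell path named on the two slides above. It assumes a domain contoso.com, a group named IPSecurityGroup, a file server named FS1 sharing D:\Shares\IP, and rule/policy names of my choosing; the claim ID ad://ext/Department is chosen so the SDDL can reference it (custom claim IDs use the ad://ext/ prefix), and the CentralAccessPolicyName property on the Get-Acl result is assumed.

```powershell
# Added example (not from the course): the four-step Lesson 1 walkthrough in PowerShell.
# Assumed: domain contoso.com, group IPSecurityGroup, file server FS1, share D:\Shares\IP,
# rule/policy names, claim ID ad://ext/Department. AD steps run on a DC or with RSAT.
Import-Module ActiveDirectory

# --- Step 1 (AD DS): claim type, resource property, rule, policy ---

# User claim "Department" sourced from the 'department' attribute. The ID is fixed so the
# conditional ACE below can refer to it.
if (-not (Get-ADClaimType -Filter 'DisplayName -eq "Department"')) {
    New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
        -ID "ad://ext/Department" -AppliesToClasses @("user")
}

# The built-in Department_MS resource property ships disabled; enable it so files can carry it
# (identity by name is an assumption; use the DN if your environment differs).
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true

# Rule from the Lesson 1 slide: Allow Read|Write when the user is a member of IPSecurityGroup
# AND the user's Department claim matches the file's Department property. The Device.Managed
# clause would be a third "&&" term on a device claim type (-AppliesToClasses computer); it is
# left out here because its source attribute is site-specific.
$ipSid      = (Get-ADGroup -Identity "IPSecurityGroup").SID.Value
$condition  = "((Member_of {SID($ipSid)}) && (@USER.ad://ext/Department == @RESOURCE.Department_MS))"
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;FRFW;;;AU;$condition)"

New-ADCentralAccessRule -Name "IP Documents Rule" `
    -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
    -CurrentAcl $currentAcl

New-ADCentralAccessPolicy -Name "IP Documents Policy"
Add-ADCentralAccessPolicyMember -Identity "IP Documents Policy" -Members "IP Documents Rule"

# --- Step 2 (Group Policy): done in GPMC, in a GPO linked to the file server OU, under
# Computer Configuration > Policies > Windows Settings > Security Settings > File System >
# Central Access Policy, by adding "IP Documents Policy".

# --- Step 3 (file server): refresh the cached policy list, apply the policy to the share, verify ---
if ($env:COMPUTERNAME -eq "FS1") {
    gpupdate /force | Out-Null
    Set-Acl -Path "D:\Shares\IP" -CentralAccessPolicy "IP Documents Policy"
    Get-Acl -Path "D:\Shares\IP" -Audit |
        Select-Object Path, CentralAccessPolicyName, CentralAccessPolicyId   # assumed property names
}

# --- Step 4 (user computer): a member of IPSecurityGroup whose department claim equals the
# file's Department_MS value gets Read and Write; anyone else is limited to the NTFS ACL, since
# the central policy can only further restrict, never widen, what NTFS already allows.
```

The SDDL string is the part worth reading twice: XA is a callback-allow ACE, FRFW is FILE_GENERIC_READ plus FILE_GENERIC_WRITE, AU is Authenticated Users, and the parenthesised expression after it is the condition. Files must actually carry the Department_MS value for the comparison to be true; that tagging is what the file classification slide in this lesson covers.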
Implementing File Access Auditing

The Global Object Access Auditing policy:
• Centrally manages and configures the Windows operating system to monitor every file and folder on the server
• Integrates with Dynamic Access Control
• Provides new audit policy categories in Group Policy
Implementing Access Denied Assistance

1. On the file server, the administrator specifies troubleshooting text for access denied messages, and defines owners for shared folders
2. If a user is denied access, the user sees the troubleshooting text and, optionally, device state troubleshooting
3. The user requests access via email
4. The data owner receives the user's request and grants access
5. If the data owner cannot grant access, the data owner forwards the request to an administrator
6. The administrator views the effective permissions for the user

(Diagram: User, File Server, Data Owner)
Implementing File Classifications

Classification management allows you to create and assign classification properties to files using an automated mechanism

(Diagram: a classification rule tags Payroll.rpt with IsConfidential)
Implementing Central Access Policy Changes

Dynamic Access Control allows you to test a central access policy update by staging it

Windows Server 2012 staging:
• Is implemented by deploying proposed permissions
• Compares the proposed permissions against the current permissions
• Causes audit log events to appear in the security log on the file server
