Dynamic Access Control (DAC) - Data governance technology for Win2k12 & Win 7/8
- classify (tag) data, create conditional expressions to define permissions
- domain functional level must be Win2k12
- Win 8 is required for access denied assistance
- Microsoft whitepaper - Windows Server 2012 Identity and access
Claims:
- additional fields to Kerberos tokens = claims
- Kerberos armoring (Technology which allows AD DS to expand the token) - enable through GPO
= Flexible Authentication Secure Tunneling (FAST)
- claims arise from AD Schema attributes (example claim type - department, country)
- DAC uses User and Device claims
- Central Access Rules link claims with file resource
Resource properties / Property lists = tags
- Metadata tags that will appear on the Classification tab of the folder/file Properties sheet
- Windows Server 2012 includes 16 pre-defined resource properties (department names, etc.)
- Properties are added to Global Resource Property List
File Classification
- Manual: done through folder/file Properties sheet
- Automatic: done through FSRM (file server resource manager) console
» create classification rules and run them on a schedule
- Example: Use content classifier method to parse files for credit card numbers, etc. + RegEx support
- Deploy Automatic File Classification (Demonstration Steps)
- integrate with RMS (rights management services) to encrypt files which match a RegEx
Configuring access policies
- Central Access Rule: Nexus between resource properties and claims
- Rules feed into Central Access Policy (CAP)
- CAP is the deployable unit to AD file servers » done through GPO
- Associate folders with deployed CAPs » manual process / PowerShell to assign policies to folders
Configuring Access Denied Assistance
- provides a user-friendly way to give denied users assistance
- configured through FSRM console (file server resource manager)
- supports variables and e-mail submission » file path, admin e-mail, data owner e-mail
DAC Configuration - General workflow
1. ADAC - Claim types - create user and/or device claims (AD admin centre - run dsac [instead of dsa.msc])
2. GPO - Best attach to pre-existing one - specifically » Default Domain Controller policy
» (since - KDC [key distribution centre] for Kerberos is there)
» set 2 policies for Kerberos armoring
Computer Configuration > Policies > Administrative Templates > System > KDC
KDC support for claims, compound authentication and Kerberos armoring - Enable
Computer Configuration > Policies > Administrative Templates > System > Kerberos
Kerberos support for claims, compound authentication and Kerberos armoring - Enable
3. gpupdate /force
4. ADAC - Resource properties - create / enable resource properties
5. ADAC - Resource property lists - right-click global - Add resource properties...
6. from DC - winrs -r:<fileserver> powershell (using WinRS)
7. in PowerShell run Update-FsrmClassificationPropertyDefinition
8. verify that the shared folder's Properties sheet has a Classification tab and set values (dept, country, ...)
Note: the last step must be repeated for each file / folder; this is the manual method.
Automatic - use FSRM (File Server Resource Manager Overview) > Classification management
9. ADAC - Central access rules - new - add a condition
10. ADAC - Central access policies - new - add rules
11. GPO - new policy - Computer Configuration > Policies > Windows Settings >
Security Settings > File System > Central Access Policy - Manage Central Access Policies
12. in the GPO Security Filtering - remove Authenticated Users, add File Server name
13. gpupdate /force
14. open Shared Folder Properties - Security - Advanced - Central Policy - assign relevant policy
15. verify / test user access in Effective Access tab (within Advanced Security Settings dialog)
16. optional: if necessary, change user's AD properties
17. optional: run klist purge (refresh user's Kerberos credentials) OR user logs off and back in
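The same workflow scripted with the ActiveDirectory and FileServerResourceManager cmdlets (added example, not part of the original notes). It assumes a "Finance" share at D:\Shares\Finance on file server FS01, an admin mailbox it-admin@example.test, and that the claim is referenced in the rule's SDDL by the claim-type ID set with -ID (verify the exact spelling in the ADAC rule editor); the GPO steps (2, 11, 12) stay in the GUI.

```powershell
# Constructed example: scripted DAC setup for a "Finance" department share.
# Assumed: share D:\Shares\Finance on FS01, mailbox it-admin@example.test,
# SDDL claim reference "@USER.ad://ext/Department" (check against ADAC).

# --- Steps 1, 4, 5, 9, 10: run on a DC (or a box with RSAT) ---
Import-Module ActiveDirectory

# Step 1: user claim sourced from the 'department' schema attribute. The explicit
# -ID (must start with ad://ext/) is the name the conditional ACE refers to.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -AppliesToClasses @("user") -ID "ad://ext/Department"

# Step 4: enable the predefined Department resource property (ID Department_MS) ...
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
# Step 5: ... and publish it via the Global Resource Property List.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# Step 9: Central Access Rule. Applies to resources tagged Department=Finance and
# grants read/execute (0x1200a9) only when the user's Department claim matches
# the tag; Administrators and SYSTEM keep full control.
$resourceCondition = '(@RESOURCE.Department_MS == "Finance")'
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition $resourceCondition -CurrentAcl $acl

# Step 10: the Central Access Policy is the deployable unit; the rule is its member.
New-ADCentralAccessPolicy -Name "Finance CAP"
Add-ADCentralAccessPolicyMember -Identity "Finance CAP" -Members "Finance Documents Rule"

# --- Steps 6-8: run on the file server (e.g. via winrs -r:FS01 powershell) ---
Import-Module FileServerResourceManager

# Step 7: pull the AD resource properties into FSRM's local property definitions.
Update-FsrmClassificationPropertyDefinition

# Automatic alternative to step 8: tag every file under the share whose content
# matches a crude 16-digit card-number pattern as high PII (constructed rule;
# "PII_MS"/"High" assumed to be the FSRM property name and value after the sync).
New-FsrmClassificationRule -Name "Card numbers in Finance" `
    -Namespace @("D:\Shares\Finance") `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b(?:\d[ -]?){15}\d\b') `
    -Property "PII_MS" -PropertyValue "High" -ReevaluateProperty Overwrite

# Access Denied Assistance: admin address for the [Admin Email] variable, then the
# message shown to denied users (variable names assumed; FSRM fills them in).
Set-FsrmSetting -AdminEmailAddress "it-admin@example.test"
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true -AllowRequests $true `
    -MailToOwner $true -MailCCAdmin $true `
    -DisplayMessage "Access to [Original File Path] was denied. Contact [Data Owner Email] or [Admin Email]."
```

After step 14 assigns "Finance CAP" to the share, a user whose Kerberos ticket predates the claim type still has no Department claim until `klist purge` or a fresh logon (step 17).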