Module 3 Implementing Dynamic Access Control

MCSA 70-412 Chapter 03


Page 1: MCSA 70-412 Chapter 03

Module 3

Implementing Dynamic Access Control

Page 2: MCSA 70-412 Chapter 03

Module Overview

• Overview of DAC
• Implementing DAC Components
• Implementing DAC for Access Control
• Implementing Access Denied Assistance
• Implementing and Managing Work Folders

Page 3: MCSA 70-412 Chapter 03

Lesson 1: Overview of DAC

• Limitations of Current Access Management Methods
• What Is DAC?
• What Is the Claim?
• What Is Resource Property?
• Accessing Resources with DAC
• Requirements for DAC Implementation

Page 4: MCSA 70-412 Chapter 03

Limitations of Current Access Management Methods

• NTFS file system permissions and ACLs provide access control that is based on a user’s SID or group membership SID
• AD RMS provides greater protection for documents by controlling how applications use them, and also works with user or group SIDs
• NTFS file system permissions cannot use AND between conditions
• In NTFS file system permissions, you cannot build your own conditions for access control

Page 5: MCSA 70-412 Chapter 03

What Is DAC?

• DAC in Windows Server 2012 is a new access control mechanism for file system resources
• DAC uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries
• DAC is designed for four scenarios:
  • Central access policy for managing access to files
  • Auditing for compliance and analysis
  • Protecting sensitive information
  • Access-denied remediation

Page 6: MCSA 70-412 Chapter 03

What Is the Claim?

• A claim is something that AD DS states about a specific object
• In the DAC infrastructure, claims are defined by using specific attributes from a user or device
• In Windows Server 2012, the authorization mechanism is extended to support conditional expressions that include claims
• In Windows Server 2012, you can create:
  • User claims
  • Device claims
• You can deploy claims between trusted forests

Page 7: MCSA 70-412 Chapter 03

User and Device Claims

• Pre-2012 security principals only (users and groups):
  • Restricted to making policies where decisions are based on the user’s group memberships
  • Shadow groups are often created to reflect existing attributes as groups
  • Groups that have rules around who can be members of which types of groups
  • Not able to transform groups across AD trust boundaries
  • Not able to control access based on characteristics of the user’s device
• Windows Server 2012 considerations:
  • AD DS user/computer attributes are included in the security token
  • Claims can be used directly in file server permissions
  • Claims are consistently issued to all users in a forest
  • Claims can be transformed across trust boundaries
  • Enables newer types of policies that were not possible before

Page 8: MCSA 70-412 Chapter 03

What Is Resource Property?

• Resource properties define attributes of the resource that you want to use
• Resource properties are grouped in resource property lists
• When creating a resource property, you can specify the property type and the allowed or suggested values

Page 9: MCSA 70-412 Chapter 03

Accessing Resources with DAC

Diagram (text recovered from the slide): the user attempts to log on and receives a Kerberos ticket. Both the Kerberos ticket and the resulting NT access token for Contoso\Alice carry the user’s groups and the user’s claims (for example, Title=SDE). For this to happen, the domain must be enabled to issue claims, and each claim type is defined by its display name, source, suggested values, and value type.

Page 10: MCSA 70-412 Chapter 03

Kerberos and a New Token

• DAC leverages Windows Kerberos
  • Windows 8 Kerberos extensions
  • Compound ID binds a user to the device so that the pair is authorized as one principal
• DC issues groups and claims
  • DC enumerates user claims
  • Claims are delivered in the Kerberos Privilege Attribute Certificate (PAC)
• NT token has the following sections:
  • User and device data
  • Claims and groups
  • Tokens have the same size

Token comparison (from the slide diagram):
  Pre-2012 token: User Account, User Groups, (other data)
  2012 token: User Account, User Groups, User Claims, Device Groups, Device Claims, (other data)

Page 11: MCSA 70-412 Chapter 03

Requirements for DAC Implementation

To implement DAC, you need to have:
• Windows Server 2012 or newer with the FSRM
• Updated AD DS schema, or at least one Windows Server 2012 domain controller
• Windows 8 or newer on clients to use device claims
• Enabled support for DAC in AD DS (Default Domain Controllers GPO)

Page 12: MCSA 70-412 Chapter 03

Lesson 2: Implementing DAC Components

• Creating and Managing Claims
• Creating and Managing Resource Properties and Resource Property Lists
• Creating and Managing Access Control Rules
• Creating and Managing Access Policies
• Demonstration: Configuring Claims, Resource Properties, and Rules
• Implementing and Managing File Classifications
• Demonstration: Configuring Classification Rules

Page 13: MCSA 70-412 Chapter 03

Creating and Managing Claims

• Use the Active Directory Administrative Center (ADAC) to create attribute-based claims
• Use the Active Directory module for Windows PowerShell to create certificate-based claims
• Claims are stored within the configuration partition in AD DS
• Attributes are used to source values for claims
• Make sure that you configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer

Page 14: MCSA 70-412 Chapter 03

Creating and Managing Resource Properties and Resource Property Lists

• Resource properties describe resources that you protect with DAC
• Several resource properties are already predefined in Windows Server 2012
• All predefined resource properties are disabled
• When creating a new resource property, you have to set its name and value type
• In Windows Server 2012 R2, you also can create reference resource properties
• Resource properties are grouped in resource property lists

Page 15: MCSA 70-412 Chapter 03

Creating and Managing Access Control Rules

• A central access rule contains one or multiple criteria that the Windows operating system uses when evaluating access
• You create and configure central access rules in the Active Directory Administrative Center
• To create a new central access rule, you should:
  • Provide a name and description for the rule
  • Configure the target resources
  • Configure permissions

Page 16: MCSA 70-412 Chapter 03

Conditional Expression Example

User claims (from AD DS):
  User.Department = Finance
  User.Clearance = High

Device claims (from AD DS):
  Device.Department = Finance
  Device.Managed = True

Resource properties (on the file server):
  Resource.Department = Finance
  Resource.Impact = High

Access rule:
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department = @File.Department) AND (@Device.Managed = True)

Page 17: MCSA 70-412 Chapter 03

Creating and Managing Access Policies

• Central access policies enable you to manage and deploy consistent authorization throughout an organization
• The main component of a central access policy is a central access rule
• Central access policies act as a safety net that an organization applies across its servers
• Group Policy is used to deploy a central access policy
• Manually apply the policies to all Windows Server 2012 file servers
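The claim type, resource properties, central access rule and policy from the preceding slides, built with the ActiveDirectory PowerShell module. This is an added example, not code from the course; object names and the share layout are assumptions, and the device condition uses the Device.Department claim from the conditional expression slide instead of the Managed flag, since the latter needs a custom attribute.

```powershell
# Added example (not from the course slides). Run on a Windows Server 2012 R2 domain
# controller with the ActiveDirectory module. Names below are assumptions for illustration.
Import-Module ActiveDirectory

# 1. Claim type sourced from the AD DS 'department' attribute, issued for users and for
#    computers (device claim), with suggested values so admins pick from a fixed list.
$finance  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance department")
$research = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Research", "Research", "Research department")
$deptClaim = New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -AppliesToClasses @("user", "computer") -SuggestedValues $finance, $research -PassThru

# 2. Predefined resource properties ship disabled (slide 14); enable the two the rule uses.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Set-ADResourceProperty -Identity "Impact_MS"     -Enabled $true

# 3. Central access rule. "Applies to" is a resource condition; the permission entry is a
#    conditional ACE in SDDL: XA = callback allow ACE, 0x12019f = generic read + generic
#    write, AU = Authenticated Users, followed by the condition. Claims are referenced by the
#    claim type's Name (ad://ext/Department:<hash>), not by its display name.
$cond = "((@USER.$($deptClaim.Name) == @RESOURCE.Department_MS) && " +
        "(@DEVICE.$($deptClaim.Name) == @RESOURCE.Department_MS))"
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x12019f;;;AU;$cond)"
$rule = New-ADCentralAccessRule -Name "Department Data (High Impact)" `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' -CurrentAcl $currentAcl -PassThru

# 4. Policy that carries the rule; Group Policy then delivers the policy to the file servers,
#    where it still has to be selected on each folder's Central Policy tab.
$policy = New-ADCentralAccessPolicy -Name "High Impact Department Policy" -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# 5. Read back the rule to confirm the claim Name that ended up in the SDDL.
Get-ADCentralAccessRule -Identity $rule | Select-Object Name, ResourceCondition, CurrentAcl
```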

Page 18: MCSA 70-412 Chapter 03

Demonstration: Configuring Claims, Resource Properties, and Rules

In this demonstration, you will learn how to configure claims, resource properties, and access rules.

Page 19: MCSA 70-412 Chapter 03

Implementing and Managing File Classifications

• Resource property definitions are defined in AD DS
• Resource property definitions can be used during file classifications
• File classifications can be run automatically
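File classification with the FSRM cmdlets, tying the resource properties defined in AD DS to the files the central access rules protect. This is an added example, not code from the course; the share paths, rule names, marker strings and schedule are assumptions.

```powershell
# Added example (not from the course slides). Run on the Windows Server 2012 R2 file server
# with the File Server Resource Manager role service installed. Paths and names are assumptions.
Import-Module FileServerResourceManager

# Pull the resource property definitions (Impact_MS, Department_MS, ...) from AD DS so the
# file server classifies with the same properties the central access rules reference.
Update-FsrmClassificationPropertyDefinition

# Content classifier: any file under the namespace whose text contains one of the marker
# strings gets Impact_MS = High. Overwrite lets a later run correct a stale value as well.
New-FsrmClassificationRule -Name "Tag confidential research files" `
    -Namespace @("D:\Shares\Research") `
    -Property "Impact_MS" -PropertyValue "High" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("CONFIDENTIAL", "INTERNAL ONLY") `
    -ReevaluateProperty Overwrite

# Folder classifier: no content scan, every file under the Finance share belongs to the
# Finance department (the Department_MS value the access rule compares the user claim against).
New-FsrmClassificationRule -Name "Finance share department" `
    -Namespace @("D:\Shares\Finance") `
    -Property "Department_MS" -PropertyValue "Finance" `
    -ClassificationMechanism "Folder Classifier"

# Run automatically: on a weeknight schedule plus continuously for new or changed files,
# and once right now so existing files are tagged before the policy goes live.
$nightly = New-FsrmScheduledTask -Time (Get-Date "01:00") -Weekly @("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")
Set-FsrmClassification -Schedule $nightly -Continuous
Start-FsrmClassification

# Verify the rules were stored as intended.
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, ClassificationMechanism
```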

Page 20: MCSA 70-412 Chapter 03

Demonstration: Configuring Classification Rules

In this demonstration, you will learn how to classify files by using a file classification mechanism.

Page 21: MCSA 70-412 Chapter 03

Lesson 3: Implementing DAC for Access Control

• Planning Central Access Policies for File Servers
• Demonstration: Creating and Deploying Central Access Policies
• How Does Access Check Work When DAC Is in Use
• Managing and Monitoring DAC
• Demonstration: Evaluating and Managing DAC

Page 22: MCSA 70-412 Chapter 03

Planning Central Access Policies for File Servers

When planning deployment of central access policies, you should:
• Identify the resources that you want to protect
• Define the authorization policies
• Translate the authorization policies that you require into expressions
• Identify attributes for access filtering

Page 23: MCSA 70-412 Chapter 03

Demonstration: Creating and Deploying Central Access Policies

In this demonstration, your instructor will show you how to create and deploy a central access policy.

Page 24: MCSA 70-412 Chapter 03

How Does Access Check Work When DAC Is in Use

Diagram (text recovered from the slide): the file or folder security descriptor holds the NTFS file system permissions and a reference to a central access policy; the central access policy definition and its central access rules come from AD DS and are cached in the file server’s local registry; the share security descriptor holds the share permissions.

The access control decision is calculated by using the following checks:
1. Access check: share permissions, if applicable
2. Access check: file permissions
3. Access check: every matching central access rule in the central access policy

Page 25: MCSA 70-412 Chapter 03

Managing and Monitoring DAC

• DAC allows you to test a central access policy update by staging it
• Windows Server 2012 staging:
  • Is implemented by deploying proposed permissions
  • Compares the proposed permissions against the current permissions
  • Causes audit-log events to appear in the security log on the file server

Current central access policy for high impact data:
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company = Contoso

Staging policy:
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company = Contoso) AND (@User.Clearance = High)

Page 26: MCSA 70-412 Chapter 03

Sample Staging Event (4818)
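Staging the stricter Clearance rule from the previous slide as a proposed ACL, then collecting the 4818 events on the file server. This is an added example, not code from the course; the rule name, the Company and Clearance claim types (and whatever attribute backs Clearance) are assumptions.

```powershell
# Added example (not from the course slides). First part runs on a domain controller with
# the ActiveDirectory module; second part on the file server. Names are assumptions.
Import-Module ActiveDirectory

# Claim types assumed to exist already. 'company' is a real AD DS attribute; Clearance is
# backed by whatever attribute your schema uses, so it is looked up by display name only.
$company   = Get-ADClaimType -Filter 'DisplayName -eq "Company"'
$clearance = Get-ADClaimType -Filter 'DisplayName -eq "Clearance"'

$base     = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)"
$current  = $base + "(XA;;FA;;;AU;(@USER.$($company.Name) == `"Contoso`"))"
$proposed = $base + "(XA;;FA;;;AU;((@USER.$($company.Name) == `"Contoso`") && " +
                    "(@USER.$($clearance.Name) == `"High`")))"

# The current ACL keeps deciding access; the proposed ACL is only evaluated and logged,
# so the tighter rule can be measured against real traffic before it is enforced.
Set-ADCentralAccessRule -Identity "High Impact Data Rule" -CurrentAcl $current -ProposedAcl $proposed

# --- on the file server, after gpupdate /force has refreshed the central access policy ---
# Staging events are written only when this Object Access audit subcategory is enabled.
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable

# Event 4818: the proposed central access policy does not grant the same access as the
# current one. Each event names the user, the object and which of the two ACLs denied.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 50 |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Users who appear in these events are the ones the Clearance condition would start denying; resolve their clearance attribute (or the rule) before promoting the proposed ACL to the current one.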

Page 27: MCSA 70-412 Chapter 03

Demonstration: Evaluating and Managing DAC

In this demonstration, you will learn how to evaluate and manage DAC.

Page 28: MCSA 70-412 Chapter 03

Lesson 4: Implementing Access Denied Assistance

• What Is Access Denied Assistance?
• Configuring Access Denied Assistance
• Demonstration: Implementing Access Denied Assistance

Page 29: MCSA 70-412 Chapter 03

What Is Access Denied Assistance?

Diagram (text recovered from the slide): the flow involves the user, the file server, and the data owner.

On the file server:
• Specify troubleshooting text for access denied
• Specify the owner’s email for the share or folder

Access attempt:
• User is denied access and sees the troubleshooting text or device-state troubleshooting
• User can request access via email

Data owner or help desk:
• Owner receives the user’s request
• Uses the effective permissions UI to decide appropriate actions
• Can forward the request to an IT admin

Page 30: MCSA 70-412 Chapter 03

Configuring Access Denied Assistance

• When implementing Access Denied Assistance:
  • Define messages that users will receive when they attempt to access resources
  • Determine whether users should be able to send a request for access
  • Determine recipients for the access-request email messages
  • Consider target operating systems
• Use Group Policy to enable and configure Access Denied Assistance
• Decide on the method for remediation
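The file server side of Access Denied Assistance configured with the FSRM cmdlets, covering the decisions listed above (message text, whether requests are allowed, and who receives them). This is an added example, not code from the course; mail addresses, the SMTP server, the share path and the message text are assumptions.

```powershell
# Added example (not from the course slides). Run on the Windows Server 2012 R2 file server
# with the FSRM role service. Addresses, paths and message text are assumptions.
Import-Module FileServerResourceManager

# FSRM needs an SMTP relay to send access requests; the admin address receives the CC copy.
Set-FsrmSetting -SmtpServer "smtp.adatum.com" -AdminEmailAddress "fs-admins@adatum.com" `
    -FromEmailAddress "fileserver@adatum.com"

# Message the denied user sees (slide 29), the mail body they send, and the recipients.
# Including user and device claims in the mail lets the owner see *why* DAC denied access
# (for example a missing Department claim) rather than guessing.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You do not have permission to open this item. Use Request assistance to ask the data owner for access." `
    -EmailMessage "Describe why you need access to this resource and for how long." `
    -AllowRequests $true -MailToOwner $true -MailCCAdmin $true `
    -IncludeUserClaims $true -IncludeDeviceClaims $true

# The "owner" who receives the request is the Folder Owner Email management property,
# set per share or folder, so each department's requests reach that department's owner.
Set-FsrmMgmtProperty -Namespace "D:\Shares\Research" -Name "FolderOwnerEmail" -Value "research-owner@adatum.com"

# Windows 8 and later clients still need the GPO setting "Enable access-denied assistance on
# client for all file types" (Computer Configuration > Administrative Templates > System >
# Access-Denied Assistance); older clients only get the message on SMB errors the server returns.
Get-FsrmAdrSetting -Event AccessDenied | Select-Object Enabled, AllowRequests, MailToOwner, MailCCAdmin
```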

Page 31: MCSA 70-412 Chapter 03

Demonstration: Implementing Access Denied Assistance

In this demonstration, your instructor will show you how to configure and implement Access Denied Assistance.

Page 32: MCSA 70-412 Chapter 03

Lesson 5: Implementing and Managing Work Folders

• What Are Work Folders?
• Configuring Work Folders
• Demonstration: Implementing Work Folders

Page 33: MCSA 70-412 Chapter 03

What Are Work Folders?

• Work Folders enable users to access business data securely at any location and on any device
• Work Folders are managed by administrators
• Currently supported on Windows 8.1 devices, and support is also planned for iOS-based devices

Page 34: MCSA 70-412 Chapter 03

Configuring Work Folders

To use Work Folders, you should:
• Have at least one Windows Server 2012 R2 file server
• Have at least one Windows Server 2012 R2 domain controller
• Install the Work Folders functionality on the file server
• Provision a share where users’ data will be stored
• Run the New Sync Share Wizard to create the Work Folders structure
• Configure clients to use Work Folders by using Group Policy or manually
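The server-side steps above (install the role service, provision the share, create the sync share) and the Group Policy client configuration, done with PowerShell instead of the wizard. This is an added example, not code from the course; the server name, path, security group, OU and GPO name are assumptions.

```powershell
# Added example (not from the course slides). Runs on a Windows Server 2012 R2 file server
# that is also allowed to manage Group Policy. Names and paths are assumptions.

# 1. Role service that provides Work Folders (the sync share service).
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# 2. Root folder for user data; one subfolder per user is created on first sync.
New-Item -Path "D:\WorkFolders" -ItemType Directory -Force | Out-Null

# 3. Sync share, as the New Sync Share Wizard would create it. Only members of the group can
#    sync. Require encryption and a lock-screen password on the devices: the lab scenario
#    syncs business data to personal tablets and laptops that leave the corporate network.
New-SyncShare -Name "WorkFolders" -Path "D:\WorkFolders" -User "ADATUM\WorkFolderUsers" `
    -RequireEncryption $true -RequirePasswordAutoLock $true

# 4. Client configuration through Group Policy rather than manual setup. The URL must be
#    HTTPS with a certificate the clients trust for the server FQDN; the registry values
#    are the ones the "Specify Work Folders settings" policy writes.
Import-Module GroupPolicy
$gpo = New-GPO -Name "Work Folders clients"
$key = "HKCU\Software\Policies\Microsoft\Windows\WorkFolders"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName "SyncUrl" -Type String -Value "https://lon-svr1.adatum.com"
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName "AutoProvision" -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName -Target "OU=Users,DC=adatum,DC=com"

# 5. Verify the share and the device policies it enforces.
Get-SyncShare | Select-Object Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```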

Page 35: MCSA 70-412 Chapter 03

Demonstration: Implementing Work Folders

In this demonstration, you will learn how to implement Work Folders.

Page 36: MCSA 70-412 Chapter 03

Lab: Implementing Secure Data Access

• Exercise 1: Preparing for DAC Deployment
• Exercise 2: Implementing DAC
• Exercise 3: Validating and Remediating DAC
• Exercise 4: Implementing Work Folders

Logon information:
  Virtual machines: 20412C-LON-DC1, 20412C-LON-SVR1, 20412C-LON-SVR2, 20412C-LON-CL1, 20412C-LON-CL2
  User name: Adatum\Administrator
  Password: Pa$$w0rd

Estimated time: 110 minutes

Page 37: MCSA 70-412 Chapter 03

Lab Scenario

You are working as an administrator at A. Datum Corporation. The company has a wide and complex file server infrastructure. It manages access control to folder shares by using NTFS file system ACLs, but in some cases, that approach does not provide the desired results.

Most of the files used by departments are stored in shared folders dedicated to specific departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents.

Page 38: MCSA 70-412 Chapter 03

Lab Scenario

The Support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better and will enable them to request access automatically.

Many users use personal devices such as tablets and laptops to work from home and while at work. You have to provide them with an efficient way to synchronize business data on all the devices that they use.

Page 39: MCSA 70-412 Chapter 03

Lab Review

• How do file classifications enhance the usage of DAC?
• Can you implement DAC without a central access policy?