As you must all be aware, Microsoft has been working on Windows Server 2012 and has launched a version of Server 2012.
Today I will share one of the nice features of Server 2012, i.e. Dynamic Access Control.
What is Dynamic Access Control
It is a new security feature that uses a file-system authorization mechanism that gives you the ability to define centrally managed file-access policies at the domain level which apply to every file server in the domain.
It doesn’t replace the existing NTFS permissions though.
This is a claim-based security feature. Claims are Active Directory attributes defined to be used with Central Access Policies. Claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this feature.
To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts.
1. Claim Type
2. Resource properties for files
3. Resource property lists (add the resource properties to the global list)
4. Create new central access rule
5. Create central access policy
Below is the screenshot of all the above-mentioned steps.
What is the need
1. Create simpler authorization models for file-based resources
2. Stop creating thousands of groups to control access
3. Classify files
4. Control access to files based on AD attributes
5. Deploy the access model
Let's deploy this DAP to have a better understanding of it.
I have promoted a server to a domain controller (how to promote a server to a domain controller is not covered here); the server name is server12.com.
Configure Claim types for Users: In this step, you will add existing Active Directory attributes to the list of attributes which can be used when evaluating Dynamic Access Control. The user’s department value will be part of the calculation that determines whether they have access to specific files.
After logging in to the DC, you can just open the Active Directory Administrative Center to start configuring the Dynamic Access Policy (DAP).
Click on Claim Types and then on New; here I am selecting Department and Country, and the class I selected is User (you can create new ones as well).
Configure Resource properties for files: In this step, you will configure the properties which will be downloaded by file servers and used to classify files. Dynamic Access Control rules will later compare user attribute values with these resource properties. You can enable existing properties or create new ones.
Click on Resource Properties; here you can select existing resource properties or create new ones. I have selected Country and Department.
Added two values to Department (Finance and ITSupport)
Added two values to Country (Norway and USA)
Add resource properties to the global list: Each resource property must be added to at least one resource property list before it is downloaded by file servers. The Global Resource Property List is downloaded by all file servers.
Add both Country and Department here.
Create a new Central Access Rule: In this step, you will create a new central access rule. This is similar to an access control list (ACL) in that it describes which conditions must be met in order for file access to be granted.
First of all, give the rule a name. Then, in the Target Resources option under Central Access Rule, you can add different conditions, as mentioned below (such as "Department exists" or "Country exists").
In Permissions, select "Use the following permissions as current permissions".
NOTE: This setting enforces Dynamic Access Control. The default setting only creates audit log entries.
Then click Edit, click Add, click Select a principal, type Authenticated Users, and click OK. In Permissions, check the Full Control check box.
Click on Add a condition.
Here I have selected:
User Department Equals Resource Department
User Country Equals Resource Country
Create a Central Access Policy: In this step, you will create a central access policy. A central access policy is a group of rules that are enforced as a unit. A file or folder can have only one central access policy applied to it.
Just click on Central Access Policies, then on New, then on Add to add the central access rule; add the user-resource match rule here.
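The same five AD-side steps (claim types, resource properties, global list, central access rule, central access policy) scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The object names, the claim and resource-property IDs, and the choice of the "co" (country name) attribute for the Country claim are assumptions made for this example.

```powershell
# Added example (not from the original post): the five AD-side DAC steps done with
# the ActiveDirectory module on the domain controller. Object names, the claim and
# resource-property IDs and the "co" source attribute are assumptions for this example.
Import-Module ActiveDirectory

# Suggested values shared by the user claims and the file resource properties,
# so that "User.Department == Resource.Department" compares like with like.
$deptValues = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Finance", "Finance", "Finance department"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("ITSupport", "ITSupport", "IT support department")
)
$countryValues = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Norway", "Norway", "Norway"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("USA", "USA", "United States")
)

# Step 1: user claim types backed by existing AD user attributes (department, co).
New-ADClaimType -DisplayName "Department" -ID "ad://ext/Department" -SourceAttribute "department" -SuggestedValues $deptValues
New-ADClaimType -DisplayName "Country" -ID "ad://ext/Country" -SourceAttribute "co" -SuggestedValues $countryValues

# Step 2: secured (authorization-relevant) single-valued resource properties for files.
New-ADResourceProperty -DisplayName "Department" -ID "Department_Example" -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -IsSecured $true -SuggestedValues $deptValues
New-ADResourceProperty -DisplayName "Country" -ID "Country_Example" -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -IsSecured $true -SuggestedValues $countryValues

# Step 3: file servers only download properties that sit on a list; use the global one.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_Example", "Country_Example"

# Step 4: central access rule. The target condition selects files carrying either
# property; the ACL grants Authenticated Users (AU) Full Control (FA) only when both
# user claims equal the file's resource properties. -CurrentAcl enforces ("use as
# current permissions"); -ProposedAcl would be the audit-only default from the GUI.
$targetCondition = '(Exists @RESOURCE.Department_Example) || (Exists @RESOURCE.Country_Example)'
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)' +
           '(XA;;FA;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_Example) && (@USER.ad://ext/Country == @RESOURCE.Country_Example)))'
New-ADCentralAccessRule -Name "User-Resource Match Rule" -ResourceCondition $targetCondition -CurrentAcl $ruleAcl

# Step 5: the policy that bundles the rule; this is what the GPO later publishes.
New-ADCentralAccessPolicy -Name "User-Resource Match Policy"
Add-ADCentralAccessPolicyMember -Identity "User-Resource Match Policy" -Members "User-Resource Match Rule"

# Check what will be handed to the file servers.
Get-ADCentralAccessRule -Identity "User-Resource Match Rule" | Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Identity "User-Resource Match Policy" | Format-List Name, Members
```

The AD objects still need the GPO publishing, KDC claims support and folder classification steps that follow. Files carrying neither resource property do not match the rule's target condition and keep their plain NTFS behaviour.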
Publish the central access policy with a GPO: In this step, you need to create a new Group Policy Object to publish the central access policy.
Go to GPMC, select your domain, create a new GPO and name it "Dynamic Access".
In Security Filtering, click Authenticated Users, click Remove, and then click OK. Then click Add and add the file server on which you want to implement this policy.
Right-click the Dynamic Access GPO, and then click Edit. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/File System, and then click Central Access Policy. On the Action menu, click Manage Central Access Policies, add the CAP (the policy you created), and then close the GPMC.
Enable Kerberos Armoring for domain controllers: In this step, you will enable Kerberos Armoring for domain controllers, which ensures that Kerberos tickets contain the required claims information, which can then be evaluated by file servers.
To do this, click on the Default Domain Policy, click Edit, and then navigate to Computer Configuration/Policies/Administrative Templates/System/KDC.
Note: to apply the updated policy, you can run gpupdate /force.
Configure classification data on the file share: In this step, you will classify the files in the file share by adding and configuring the resource properties.
Here I have created a shared folder named "Shares". Right-click it, select Properties, and then Classification.
Then select the appropriate Country and Department entries that must match the user's attributes in AD; after a successful match, the user is allowed to access this folder.
After that, go to Security > Advanced, then the Central Policy tab, and select the policy you want to apply to the folder, as shown below.
After that, apply and close all the dialogs by pressing OK.
Now your DAP is implemented on that folder: all users who match the conditions mentioned will have access to this folder, and the rest will not.
If you want to test the effective permissions for a user, right-click the folder, go to Security > Advanced, then the Effective Permissions tab as shown below, and search for the user whose permissions you want to check.
Here you can see that Rahul is a user who matched the defined condition and can access the folder; the granted permissions are shown in green.