32 implementing dynamic access control ppt
TRANSCRIPT
![Page 1: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/1.jpg)
Microsoft® Jump Start
M10: Implementing Dynamic Access Control
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal
![Page 2: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/2.jpg)
Jump Start Target Agenda | Day One
Day 1 Day 2
Module 1: Installing and Configuring
Servers Based on Windows Server
2012
Module 7: Implementing Failover
Clustering
Module 2: Monitoring and
Maintaining Windows Server 2012
Module 8: Implementing Hyper-V
Module 3: Managing Windows Server
2012 by Using PowerShell 3.0
Module 9: Implementing Failover
Clustering with Hyper-V
- MEAL BREAK - - MEAL BREAK -
Module 4: Managing Storage for
Windows Server 2012
Module 10: Implementing Dynamic
Access Control
Module 5: Implementing Network
Services
Module 11: Implementing Active
Directory Domain Services
Module 6: Implementing Direct Access Module 12: Implementing Active
Directory Federation Services
![Page 3: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/3.jpg)
Module Overview
•Overview of Dynamic Access Control
• Planning for a Dynamic Access Control
Implementation
• Implementing And Configuring Dynamic Access
Control
![Page 4: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/4.jpg)
What Is Dynamic Access Control?
•Helps provide secure file server-based resources
over all file server based resources
•Dynamic Access Control provides: – Data Identification
– Access Control to files
– Auditing of access to files
– Optional RMS protection integration
![Page 5: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/5.jpg)
Foundation Technologies for Dynamic Access Control
•Network protocols
•DNS
•AD DS
• Kerberos
•Windows Security
• File Classifications
•Auditing
![Page 6: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/6.jpg)
Dynamic Access Control Versus Alternative Technologies
•NTFS permissions and ACLs provide access control
based on user’s SID or group membership SID
•AD RMS provides deeper protection for
documents by controlling how applications can
use them
•Dynamic Access control provides access control
based on claims – values of specific attributes
![Page 7: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/7.jpg)
What Is an Identity?
Domain Group
Authenticated User
![Page 8: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/8.jpg)
What Is a Claim?
•Claims are statements made by AD DS about
specific user of computer object in AD DS
•AD DS in Windows Server 2012 supports: – User claims
– Device claims
![Page 9: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/9.jpg)
What is a Central Access Policy?
Central Access Policies consist of one or more central access rules.
Rules define conditions.
Allow Read|Write User.MemberOf(IPSecurityGroup) AND (User.Department ANY_OF File.Department) AND Device.Managed = True
Active Directory
Claim
Definitions File Property
Definitions
Claim
Policy
File Server
Allow/Deny
User
1. In AD DS, create claim and file property definitions, rules and create the central access policy
2. In Group Policy, send central access policies to the file servers
3. On file server, apply policies to the shared folder and identify information
4. On user computer, attempt access
![Page 10: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/10.jpg)
Reasons for Implementing Dynamic Access Control
•Most common reasons for implementing Dynamic
Access Control: – Inability to achieve desired results with NTFS
– Requirement for access control based on attributes
![Page 11: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/11.jpg)
Planning for Central Access Policy
• Identify business case
• Identify resources to be protected
•Understand business requirements
• Translate business requirements to conditional
expressions
•Define claim types, resource properties, and rules
![Page 12: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/12.jpg)
Planning File Classifications
• Identify classifications
•Determine method for classification
•Determine schedule
• Perform review
![Page 13: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/13.jpg)
Planning File Access Auditing
• Track changes to user and machine attributes
•Get more information from user logon events
• Provide more information from object access
auditing
• Track changes to Central Access Policies, Central
Access Rules and Claims
• Track changes to file attributes
![Page 14: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/14.jpg)
Planning Access Denied Assistance
•Message that users see
• Text of email that users use to request access
•Recipients for request access emails
• Target operating systems
![Page 15: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/15.jpg)
Planning Policy Changes
•Dynamic Access Control enables you to stage
changes
• Staging is implemented with Proposed
Permissions
• Permissions are compared to current permissions
• Every attempt to access resource is logged in
Security log of file server
![Page 16: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/16.jpg)
Prerequisites for Implementing Dynamic Access Control
Dynamic Access Control is a technology specific to
Windows Server 2012
To deploy Dynamic Access Control, you must have these
technologies:
• Domain controller running on Windows Server 2012
• File server running Windows Server 2012
• Windows 8 desktop (for device claims)
![Page 17: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/17.jpg)
Enabling Support in AD DS for Dynamic Access Control
• Dynamic Access Control support in AD DS is enabled by using Group Policy
• GPO that contain Dynamic Access Control Settings must be linked to the OU of the domain controller
• Dynamic Access Control setting is available in Computer Configuration\Policies\Administrative Templates\System\KDC node in GPO Object Editor
• Settings Support Dynamic Access Control can be configured as: – Do not support Dynamic Access Control and Kerberos
armoring
– Support Dynamic Access Control and Kerberos armoring
– Always provide claims and FAST RFC behavior
– Also fail unarmored authentication requests
![Page 18: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/18.jpg)
Implementing Claims and Resource Property Objects
•Claims:
– Created for users and computers
– Have attributes as source
– Created in AD AC or Windows PowerShell
•Resource Property Objects: – Created for resources
– Have properties as a source
– Create in AD AC or Windows PowerShell
• Both Claims and RPOs are used in conditional
expressions
![Page 19: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/19.jpg)
Implementing Central Access Rules and Policy
Central Access enables you manage and deploy consistent
authorization throughout the enterprise
Central Access Policy main component is Central Access
Rule
Central Access Rule specify:
• Targeted resource
• Permissions
• Conditions
![Page 20: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/20.jpg)
Implementing File Access Auditing
• Global Object Access Auditing centrally manages and
configures Windows to monitor every file and folder on
the server
• Can be integrated with Dynamic Access Control
• New Audit policy categories in Group Policy
![Page 21: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/21.jpg)
Implementing Access Denied Assistance
On File Server:
• Specify troubleshooting text for
access denied
• Specify business owners email
for Share/Folder
Access Time:
• User is denied access, sees
troubleshooting text, and
optionally device state
troubleshooting
• User can request access via email
Data Owner/Helpdesk:
• Owner receives user’s request
• User effective permissions UI to
decide appropriate actions
• Can forward request to IT admin
Data Owner
User
File Server
![Page 22: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/22.jpg)
Implementing File Classifications
Classification Management allows you create and assign classification properties to files using an automated mechanism
Payroll.rpt
Classification Rule
IsConfidential
![Page 23: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/23.jpg)
DEMO: Implementing Central Access Rules & Policies
In this demonstration, you will see how to create Central
Access Rules and Policies.
![Page 24: 32 implementing dynamic access control ppt](https://reader031.vdocument.in/reader031/viewer/2022021416/588134dc1a28ab00438b775d/html5/thumbnails/24.jpg)