Microsoft® Official Course

Module 11

Implementing Secure Shared File Access

Module Overview

Overview of DAC

Implementing DAC Components

Implementing DAC for Access Control

Implementing Access Denied Assistance

Implementing and Managing Work Folders• Implementing Workplace Join

Lesson 1: Overview of DAC

Limitations of Current Access Management Methods

What Is DAC?

What Are Claims?

What Are Resource Properties?

Accessing Resources with DAC•Requirements for DAC Implementation

Limitations of Current Access Management Methods

•NTFS file system permissions and ACLs provide access control that is based on a user’s SID or group membership SID•AD RMS provides greater protection for documents by controlling how applications use them, and also works with user or group SID•NTFS file system permissions cannot use AND between conditions• In NTFS file system permissions, you cannot build your own conditions for access control

What Is DAC?

•DAC in Windows Server 2012 is a new access control mechanism for file system resources.•DAC uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries•DAC is designed for four scenarios:

• Central access policy for managing access to files

• Auditing for compliance and analysis• Protecting sensitive information• Access-denied remediation

What Are Claims?

•The claim is something that AD DS states about a specific object • In the DAC infrastructure, claims are defined by using specific attributes from a user or device • In Windows Server 2012, the authorization mechanism is extended to support conditional expressions that include claims• In Windows Server 2012, you can create:

• User claims• Device claims

What Are Resource Properties?

•Resource Properties define attributes of the resource that you want to use•Resource Properties are grouped in Resource Property lists•When creating a Resource Property, you can specify the property type and the allowed or suggested values

Accessing Resources with DAC

NT access token

Contoso\Alice

User

Groups:….

Claims: Title=SDE

Kerberos Ticket

Contoso\Alice

User Groups:….

Claims: Title=SDE

File Server

User

AD DS

AD DS Admin

Enable domain to issue claims

Claim type

Display name

Source

Suggested values

Value type

User attempts to logon

Receives a Kerberos ticket

Requirements for DAC Implementation

To implement DAC, you need to have:•Windows Server 2012 or newer with the FSRM•Update AD DS schema, or at least one Windows Server 2012 domain controller•Windows 8 or newer later on clients to use device claims•Enabled support for DAC in AD DS (default domain controllers GPO)

Lesson 2: Implementing DAC Components

Creating and Managing Claims

Creating and Managing Resource Properties and Resource Property Lists

Creating and Managing Access Control Rules

Creating and Managing Access Policies

Demonstration: Configuring Claims, Resource Properties, and Rules

Implementing and Managing File Classifications•Demonstration: Configuring Classification Rules

Creating and Managing Claims

•Use the Active Directory Administrative Center to create attribute-based claims•Use the Active Directory module for Windows PowerShell to create certificate-based claims•Claims are stored within the configuration partition in AD DS•Attributes are used to source values for claims•Make sure that you configure attributes for your computer and user accounts in AD DS with the information that is correct for respective user or computer

Creating and Managing Resource Properties and Resource Property Lists

•Resource Properties describe resources that you protect with DAC•Several Resource Properties are already predefined in Windows Server 2012•All predefined Resource Properties are disabled•When creating a new Resource Property, you have to set its name, and value type• In Windows Server 2012 R2, you also can create Reference Resource Properties•Resource Properties are grouped in Resource Property Lists

Creating and Managing Access Control Rules

•A Central Access Rule, contains one or multiple criteria that the Windows operating system uses when evaluating access•You create and configure central access rules in the Active Directory Administrative Center•To create a new central access rule you should:• Provide a name and description for the rule • Configure the target resources• Configure permissions

Creating and Managing Access Policies

•Central access policies enable you to manage and deploy consistent authorization throughout an organization •The main component of a central access policy is a central access rule•Central access policies act as a security net that an organization applies across its servers•Group Policy is used to deploy a central access policy•Manually apply the policies to all Windows Server 2012 file servers

Demonstration: Configuring Claims, Resource Properties, and Rules

In this demonstration, you will learn how to configure claims, resource properties, and access rules

Implementing and Managing File Classifications

•Resource Property definitions are defined in AD DS•Resource Property definitions can be used during file classifications•File classifications can be run automatically

Demonstration: Configuring Classification Rules

In this demonstration, you will learn how to classify files by using a file classification mechanism

Lesson 3: Implementing DAC for Access Control

Planning Central Access Policies for File Servers

Demonstration: Creating and Deploying Central Access Policies

How Does Access Check Work When DAC Is in Use?

Managing and Monitoring DAC•Demonstration: Evaluating and Managing DAC

Planning Central Access Policies for File Servers

When planning deployment of central access policies, you should:• Identify the resources that you want to protect•Define the authorization policies• Translate the authorization policies that you require into expressions• Identify attributes for access filtering

Demonstration: Creating and Deploying Central Access Policies

In this demonstration, your instructor will show you how to create and deploy central access policy

How Does Access Check Work When DAC Is in Use?

File/Foldersecurity descriptor

Central access policy referenceNTFS file system

permissions

Active Directory (cached in local registry)

Cached central access policy definition

Access control decision1. Access check – Share permissions if applicable2. Access check – File permissions3. Access check – Every matching central access rule in central access

policy

Sharesecurity descriptor

Share permissions

Cached central access rule

Cached central access rule

Cached central access rule

Managing and Monitoring DAC

• DAC allows you to test a central access policy update by staging it• Windows Server 2012 staging:• Is implemented by deploying proposed permissions• Compares the proposed permissions against the current

permissions• Causes audit-log events to appear in the security log on the

file serverCurrent Central Access policy for high impact data

Applies to: @File.Impact = HighAllow | Full Control | if @User.Company=Contoso

Staging policyApplies to: @File.Impact = High

Allow | Full Control | if (@User.Company=Contoso) AND (@User.Clearance =High)

Demonstration: Evaluating and Managing DAC

In this demonstration, you will learn how to evaluate and manage DAC

Lesson 4: Implementing Access Denied Assistance

What Is Access Denied Assistance?

Configuring Access Denied Assistance•Demonstration: Implementing Access Denied Assistance

What Is Access Denied Assistance?

Data Owner

User

File Server

On file server:

• Specify troubleshooting text for access denied

• Specify owner’s email for share or folder

Access attempt:

• User is denied access, sees troubleshooting text or device-state troubleshooting

• User can request access via email

Data owner or helpdesk:

• Owner receives user’s request

• Use effective permissions UI to decide appropriate actions

• Can forward request to IT admin

Configuring Access Denied Assistance

•When implementing Access Denied Assistance:• Define messages that users will receive when they attempt to access resources • Determine whether users should be able to send a request for access• Determine recipients for the access-request email messages• Consider target operating systems

•Use Group Policy to enable and configure Access Denied Assistance•Decide about the method for remediation

Demonstration: Implementing Access Denied Assistance

In this demonstration, your instructor will show you how to configure and implement Access Denied Assistance

Lesson 5: Implementing and Managing Work Folders

What Are Work Folders?

Configuring Work Folders•Demonstration: Implementing Work Folders

What Are Work Folders?

•Work Folders enable users to access business data securely at any location and on any device•Work Folders are managed by administrators•Currently supported on Windows 8.1 devices, and support also is planned for iOS-based devices

Configuring Work Folders

To use Work Folders, you should:• Have at least one Windows Server 2012 R2 file server• Have at least one Windows Server 2012 R2 domain controller• Install Work Folders functionality on file server • Provision a share where users’ data will be stored• Run New Sync Share Wizard to create Work Folders structure• Configure clients to use Work Folders by using Group Policy or manually

Demonstration: Implementing Work Folders

In this demonstration, you will learn how to implement Work Folders

Lesson 6: Implementing Workplace Join

Scenarios for Using Workplace Join

How Workplace Join Works

Configuring Workplace Join•Registering and Enrolling Devices

Scenarios for Using Workplace Join

•BYOD concept allows users to use their private devices to do their work•Connecting non-domain, non-managed devices to company networks and resources can pose a security risk•Technology is needed to provide users with flexibility while maintaining security•Windows Server 2012 R2 provides Workplace Join technology

How Workplace Join Works

• Workplace Joined devices become known devices to AD DS• Known devices store a subset of their attributes in AD DS• Device Registration Service provisions a device object in AD DS and issues a certificate to known devices• Users on known devices have an SSO experience• Windows Server 2012 R2 with AD FS role service is needed• Windows 8.1 client operating system or iOS-based devices are supported• DRS can be published externally by using Web Application Proxy

Configuring Workplace Join

To enable Workplace Join, you need to:• Create the appropriate Group Managed Service account• Install and configure the AD FS role service • Enable DRS• Enable device authentication in AD FS• Install an SSL certificate on the federation server• Create the appropriate records in your DNS

Registering and Enrolling Devices

•To enroll a device in the Workplace-Join process, ensure following:• The device trusts the certificate on the federation server• The device can access at least one certificate revocation list distribution point• Record enterpriseregistration is accessible by the device being Workplace-Joined

•On Windows 8.1, use the Workplace option•On iOS-based devices, use web-based enrollment with profile installation

Lab: Implementing Secure File Access

Exercise 1: Preparing for DAC Deployment

Exercise 2: Implementing DAC

Exercise 3: Validating and Remediating DAC•Exercise 4: Implementing Work FoldersLogon Information

Virtual machines: 10969A-LON-DC110969A-LON-DC210969A-LON-SVR110969A-LON-SVR210969A-LON-CL110969A-LON-CL2

User name: Adatum\AdministratorPassword: Pa$$w0rd

Estimated Time: 110 minutes

Lab Scenario

You are working as an administrator at A. Datum Corporation. The company has a wide and complex file server infrastructure. It manages access control to folder shares by using NTFS file system ACLs, but in some cases, that approach does not provide the desired results.

Most of the files used by departments are stored in shared folders dedicated to specific departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents.

The Security department also is concerned that managers are accessing files by using their home computers, which might not be highly secure. Therefore, you must create a plan for securing documents regardless of where they are located, and you must ensure that documents can be accessed from authorized computers only. Authorized computers for managers are members of the security group ManagersWks.

The Support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better and will enable them to request access automatically.

Quite a few users use personal devices such as tablets and laptops to work from home and at work. You have to provide them with an efficient way to synchronize business data on all the devices that they use.

Lab Review

How do file classifications enhance the usage of DAC?•Can you implement DAC without Central Access Policy?

Module Review and Takeaways

Review Questions

Tools

Best Practice•Common Issues and Troubleshooting Tips