Microsoft Canada ITPro - #canitpro
There is a lot of new stuff in Windows Server 2012 Active Directory.
In this post we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, which can be managed through the Active Directory Administrative Center (ADAC) to help organizations reach data compliance.
NOTE: DAC is an amalgamation of different features working together. It leverages AD, Group Policy, file servers and more. It is one of the more involved labs we have tackled so far.
Microsoft has focused on the following areas:
You can now create and manage Central Access and Audit Policies in Active Directory through ADAC. These policies are based on conditional expressions that take into account the following, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control:
Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as "User is from the Finance department" and "User's security clearance is High".
Here are some sample usages of DAC:
Organization-wide authorization policy
Departmental authorization policy
Specific data-management policy
You can find different scenarios of DAC usage here.
What we will do in this post is setup DAC and create a rule to show the flexibility and the value you can get from this technology.
DAC is a claims-based security feature.
Claims are Active Directory attributes defined to be used with Central Access Policies. The claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this new feature.
To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts.
First, we logged on to our domain controller ITCamp-DC1 and created some accounts for this lab.
It's now time to enable Dynamic Access Control for ITCamp.Local.
In this step we will configure claim types for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating dynamic access control. In our case, these are the user's department and country.
1- After logging in to the DC, open the Active Directory Administrative Center to start configuring the Dynamic Access Policy (DAP).
2- In the Claim Types section, click "New" and then "Claim Type" in the task pane.
3- Select the attribute you want to use, in our case "c", and in the Suggested Values section enter the countries you want to allow. In our lab we will look for Canada and United States.
4- Repeat for the department attribute with the following suggested values: HR, Finance, Operations.
1- In this step, we will configure the resource properties which will be downloaded by file servers and used to classify files, directories, or shares. The DAC rules will compare user attribute values with resource properties. You can enable existing properties or create new ones.
2- Click on Resource Properties. Here you can select the existing resource properties or create new ones; I have selected Country and Department.
1- Each resource property must be added to at least one resource property list. It will then be downloaded by file servers in your environment. The global resource property list is downloaded by all file servers.
Our properties are already part of the global list.
This is where we create a rule that uses the properties we defined earlier. The rule describes which conditions must be met in order for file access to be granted.
1- In the Central Access Rules section, click "New" and then "Central Access Rule".
2- Give it a name in the Create Central Access Rule form.
3- In the Permissions section, click "Use following permissions as current permissions" and click "Edit".
4- Click "Add" and, in the "Permission Entry for Permissions" dialog, select "Authenticated Users" as the principal and set the following conditions.
5- Click "OK"; you are back at the DAC configuration screen.
This part is very straightforward.
1- In the Central Access Policies section, click "New" and then "Central Access Policy", and give the new policy a name in the "Create Central Access Policy" form. We named ours CAP. You also need to add the Central Access Rule you created earlier to the policy.
2- Once that is created we need to tell AD about the policy. In the "Group Policy Management Console" we edited the "Default Domain Policy", but you can apply a different policy as you see fit. Under Computer Management > Policies > Windows Settings > Security Settings > File System > Central Access Policy, right-click the right pane and select "Manage Central Access Policies".
3- Add the Policy you created to the Applicable Central Access Policies.
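The same AD-side objects built above in ADAC (claim types, resource properties, list membership, rule and policy), scripted with the ActiveDirectory PowerShell module on a Windows Server 2012 DC. This is an added example, not code from the original post; the fixed claim type IDs, the rule name and the Modify-only permission are our assumptions.

```powershell
# Added example, not code from the original post: the DAC objects the post
# builds in ADAC, created with the ActiveDirectory module on a WS2012 DC.
# Assumed: run as Domain Admin; claim type IDs, rule and policy names are ours.
Import-Module ActiveDirectory

# Suggested values: ctor args are (Value, DisplayName, Description).
# The AD attribute "c" stores ISO codes, so the value is the code.
function New-SuggestedValues([hashtable]$Map) {
    foreach ($k in $Map.Keys) {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($k, $Map[$k], $Map[$k])
    }
}
$countries   = New-SuggestedValues @{ CA = 'Canada'; US = 'United States' }
$departments = New-SuggestedValues @{ HR = 'HR'; Finance = 'Finance'; Operations = 'Operations' }

# 1. User claim types from existing attributes. A fixed ID (assumed to be
#    accepted; ADAC would append a random suffix) keeps the SDDL readable.
New-ADClaimType -DisplayName 'Country'    -SourceAttribute 'c'          -ID 'ad://ext/Country'    -SuggestedValues $countries   -Enabled $true
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID 'ad://ext/Department' -SuggestedValues $departments -Enabled $true

# 2. Resource properties. Enable the pre-defined one if it exists (the post
#    picks existing Country and Department), otherwise create it; either way
#    its ID defaults to <Name>_MS and its value list is shared with the claim.
function Enable-ResourceProperty([string]$Name) {
    $rp = Get-ADResourceProperty -Filter { DisplayName -eq $Name }
    if ($rp) { Set-ADResourceProperty -Identity $rp -Enabled $true -SharesValuesWith $Name }
    else { New-ADResourceProperty -DisplayName $Name -IsSecured $true -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith $Name }
}
'Country', 'Department' | ForEach-Object { Enable-ResourceProperty $_ }

# 3. Publish both to every file server through the global list.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Country', 'Department'

# 4. Central access rule: Authenticated Users get Modify (0x1301BF) only when
#    their department AND country claims equal the folder's classification.
#    Owner, Administrators and SYSTEM keep Full Control so nobody is locked out.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1301BF;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
       '(@USER.ad://ext/Country == @RESOURCE.Country_MS)))'
New-ADCentralAccessRule -Name 'Department and Country Match' -CurrentAcl $acl

# 5. Central access policy holding the rule; the GPO step in the post
#    (File System > Central Access Policy) still has to publish it.
New-ADCentralAccessPolicy -Name 'CAP'
Add-ADCentralAccessPolicyMember -Identity 'CAP' -Members 'Department and Country Match'

# Check what AD now stores before touching the file server.
Get-ADCentralAccessPolicy -Identity 'CAP' -Properties Members
Get-ADCentralAccessRule -Identity 'Department and Country Match' -Properties CurrentAcl
```

The conditional ACE is evaluated on the file server only after the policy has reached it through Group Policy and the user has obtained a fresh Kerberos ticket carrying the claims, so a failed test right after running this usually means stale tickets or policy, not a wrong rule.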
We are done configuring the DAC… well… not quite. We still need to configure our shares and share properties.
To configure the shares, the File Server Resource Manager must be installed on the server that will be used as the file server. In our case the file server we are using is VMHost10B.itcamp.local.
On the VMHost10B machine we created two "SMB Share - Advanced" shares (HR and Finance), accepting all defaults to complete this part.
Once the shares have been created, we need to go to the location where each directory has been created and modify the properties of each folder to include its classification.
Then, in the Advanced Security Settings, on the Central Policy tab, change "No Central Access Policy" to "CAP", the policy we defined.
You can test whether everything worked by using the Effective Access tab.
That is the start of the value that DAC can bring, but we have only skimmed the surface.
So try it for yourself. It's well worth the effort.
You can deploy this in your lab and take advantage of the flexibility this technology can provide. Try it for yourself by downloading Windows Server 2012.
Pierre Roman, MCITP, ITIL | Technology Evangelist
TechNet manual: http://technet.microsoft.com/en-us/library/hh831717.aspx
Hands-on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data)
Dynamic Access Control at MMS 2012: http://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview