New features in Active Directory Domain Services in Windows Server 2012, Part 20: Dynamic Access Control (DAC)
For the last years, we’ve been modeling the business into group memberships and their associated access control lists. For some organizations this has even led to changing the way they performed business from before they automated their business processes. For other organizations, this has resulted in token bloat. It’s time someone changed that and introduced business logic for file and folder access.
Microsoft did exactly that by introducing Dynamic Access Control (DAC).
Dynamic Access Control can best be described as a Claims-based Access Control (CBAC) solution, where claims are placed in tokens. In contrast, Active Directory Federation Services (AD FS), also uses claims, but uses SAML as its protocol for markup and transport. Dynamic Access Control claims are stored in the Ticket Granting Ticket (TGT).
To use Dynamic Access Control you don’t need to install or configure Active Directory Federation Services.
Claims within Dynamic Access Control can be based on any attribute of a user account, Claims can also be based on attributes for computer accounts, but this requires Kerberos Armoring (FAST). When user claims and device claims are combined, this forms the Compound Identity (Compound ID).
Dynamic Access Control information is stored in Active Directory in CN=Claims Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld and is replicated throughout the Active Directory forest.
To use Dynamic Access Control claims to authorize access to files, two methods can be used:
- You can define authorization rules and authorization policies within Active Directory, where you can define the proposed and/or enforced rights on files and folders and the scope of the rules. Authorization rules also extend to file classification infrastructure (FCI) this way, so you can even base access rights on user-picked tags for files and folders on a scoped number of File Servers.
- The second method is to incorporate claims within access control entries (ACEs) straight into access control lists (ACLs). This is useful for file storage locations that are based on the Resilient File System (ReFS), since this new file system does not support authorization policies (yet).
Arguably, using claims adds complexity when added to an access strategy based on group memberships. Another new feature in Windows Server 2012 helps keep track of access denied. The feature, called Access-denied remediation, enables users, when faced with an Access Denied error, to specify why they think they should be allowed access. This fully customizable message, together with the reason why access was denied is then sent to the Admin responsible for the file server (as defined in File Server Resource Manager). Access Denied Remediation is only available when using SMB 3.0, so, this feature is only available when Windows 8 clients and Windows Server 2012 member servers access Windows Server 2012 File Servers.
In this example we’ll use File Classification with Dynamic Access Control to authorize the Engineering department to read files and folders of their department. Their managers can modify these files, but only when they try this from computers, designated as computers in the Engineering department.
First, we start by creating File Classifications. We perform this action in the Active Directory Administrative Center (ADAC), since these classifications are stored in Active Directory. In the Active Directory Administrative Center, file classifications can be found in the Dynamic Access Control node on the left pane. The screenshot below shows the Dynamic Access Control (DAC) node in Folder View in the Active Directory Administrative Center:
Define Resource Properties
Our first step is to define Resource Properties. For this, open the Resource Properties node underneath the Dynamic Access Control node. You’ll notice Microsoft has equipped us with a lot of pre-defined resource properties, so let’s use the Department one. Right-click it and select Enable from the context menu:
You can enable multiple pre-defined resource properties and even create your own. A perfect example would be Country, which is not pre-defined.
Add Resource Properties to the Property List
When you’ve enabled the resource properties you’d want to use, add them to a Resource Property list. In the left pane of the Active Directory Administrative Center right-click Resource Property Lists underneath the Dynamic Access Control node and select New and then Resource Property List from the context menu.
For our example environment we will name this Resource Property List Engineering and we add the Department resource property to it by using the Add… button. OK saves our settings.
Update the Resource Property Lists on the file servers
On the Windows Server 2012-based File Servers, run the Update-FSRMClassificationPropertyDefinition PowerShell command.
Classify files and folders
Now, in the File Explorer on the File Servers classify folders and files. Use the Classification tab to specify Classification. In our example we’ll classify the Engineering folder as Engineering data. Navigate towards the folder you’d want to classify, right-click it and then select Properties from the context menu. Go to the Classification tab:
Since the Department Resource Property is the only enabled Resource Property it will be the only Resource Property available to the File Server(s). To use it, click it. Then, in the Value box, select Engineering. Press OK when done.
Now that we’ve put the built-in File Classification Infrastructure (FCI) to good use, it’s time to define our authorization decisions based on the classifications.
Define Central Access Rules
Back into the Active Directory Administrative Center (ADAC), we now open the Central Access Rules node underneath the Dynamic Access Control node in the left pane. By default, this node is empty, so we’re making our own Central Access Rule.
Right-click Central Access Rules, select New and then select Central Access Rule from the context-menu:
We’ll call the Access Rule Engineering Access. As targets we’ll target all files classified with the Engineering department through the Edit… button in the Target Resources area. As Permissions we choose to Use following permissions as current permissions. We then add Permissions with the Edit… button in the Permissions area. While in the Advanced Security Settings for Permissions screen, click Add.
In the Permission Entry for Permissions screen, at the top, we select the Authenticated Users as the Security Principal filter. Then, we create a condition with the business logic behind the access for Engineers. Members of the Engineers group get read access to Files and Folders (resources), classified as Engineering. The above screenshot shows these choices.
Of course, for the members of the Engineering Managers group, we build a second Central Access Rule, where we grant them Modify rights, based on their Engineering Managers group membership and based on the department of their device.
Since we’re basing authorization decisions on computer objects with the Engineering department attribute, make sure the right computers have this attribute configured.
Add Rules to a Central Access Policy
With the rule set in place, we can now create the Central Access Policy (CAP) that will utilize the rule set to make authorization decisions with a defined scope.
In the Active Directory Administrative Center (ADAC), we now open the Central Access Policies node underneath the Dynamic Access Control node in the left pane. By default, this node is empty, so we’re making our own Central Access Policy. Right-click the Central Access Policies node, select New and then Central Access Policy from the context menu.
In our example environment, we’ll name the Central Access Policy Engineering AuthZ and with the Add… button in the Member Central Access Rules area we add the Engineering Access Central Access Rule.
Deploy the CAP to File Servers using Group Policy
Using Group Policy we will now be scoping the Central Access Policy. Open the Group Policy Management Console (GPMC) and navigate to the Organization Unit (OU) containing the File Servers with Engineering data on them. Right-click the Organizational Unit and choose Create a GPO in this domain and Link it here…. In our example environment, we’ll name the new Group Policy Engineering Access. Now, right-click the newly created Group Policy and select Edit… from the context menu.
In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, File System and then right-click Central Access Policy to select Manage Central Access Policies… from the context menu.
Select the Engineering AuthZ Central Access Policy from the list on the left and click the Add > button to make it appear in the list on the right. When done, click OK.
Now you can close the Group Policy Management Editor. To update the Group Policies on the File Server, either wait for the Group Policy Background Refresh Interval, run gpupdate.exe on the console of the File Server, or force a Group Policy Refresh from the Group Policy Management Console.
Remote Group Policy Refresh is a new feature in the Group Policy Management Console (GPMC) that is part of Windows Server 2012 and part of the Remote Server Administration Tools (RSAT) for Windows 8.
Select the CAP to apply
When the Group Policy has applied, you can apply the Central Access Policy to the Engineering folder. Right-click the Engineering folder and select Properties. Click on the Security tab and then click on Advanced. In the Advanced Security Settings for Engineering screen, navigate to the Central Policy tab. On this tab, select the Engineering AuthZ as the Central Access Policy to apply. Click OK three times.
Windows Server 2012-based Domain Controllers
Dynamic Access Control requires at least one Windows Server 2012-based Domain Controller. File Servers, where you want to use claims-based access control, also need to be running Windows Server 2012.
Certain Storage Area Network (SAN) manufacturers are working closely with Microsoft to enable their equipment for claims-based access control and Dynamic Access Control.
Make sure sufficient Windows Server 2012-based Domain Controllers are present to process client requests.
When Compound ID is used, Windows 8-based clients will only communicate with Windows Server 2012-based Domain Controllers. Compound ID is only available in Windows 8, not in previous versions of Windows.
Forest Functional Level
The Forest Functional Level needs to be Windows Server 2003.
Windows Server 2012-based File Servers
File Servers, where you want to use claims-based access control, also need to be running Windows Server 2012. On these servers the File Server Resource Manager Server Role needs to be installed. The following PowerShell one-liner can be used for this purpose:
Since Dynamic Access Control uses Group Policies to manage File Servers it’s a good idea to create a separate Organization Unit (OU) for File Servers as part of your Windows Server 2012 Active Directory design.
Dynamic Access Control works with previous versions of Windows as DAC clients. Windows 7 and Windows Server 2008 R2 have been thoroughly tested.
Dynamic Access Control allows for rich authorization stories, based on not just group membership, but also attributes of the user account and computer account, applied to files and folders, but also applicable through classification. This way, even when a file is copied to an inappropriate location, it will still only be available for the right users within the environment.
With Dynamic Access Control, Active Directory Admins can work together with File Server admins to, finally, make authorization work as part of the business (instead of the other way around).
Active Directory and the Resilient File System (ReFS)
New features in ADDS in Windows Server 2012, Part 11: Kerberos Armoring (FAST)
An Overview of Dynamic Access Control
Dynamic Access Control Deep Dive
Dynamic Access control Best Practices and Microsoft IT Case Studies
Keeping your Data Safe, and Introduction to Information Protection Technology
Using classification for access control and compliance
The Dynamic Access Control Knowledge Base
Introduction to Windows Server 2012 Dynamic Access Control
First Look at Dynamic Access Control in Windows Server 2012
Windows Server 2012 Dynamic Access Control – The power of “And…”
Dynamic Access Control: Scenario Overview
Dynamic Access Control intro on Windows Server blog
New in Windows Server 2012 – Part 3: Security
Dynamic Access Control in Windows Server 2012 demo
Diving deeper into Windows Server 2012 Dynamic Access Control