Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

New features in Active Directory Domain Services in Windows Server 2012, Part 20: Dynamic Access Control (DAC)

For the last years, we’ve been modeling the business into group memberships and their associated access control lists. For some organizations this has even led to changing the way they performed business from before they automated their business processes. For other organizations, this has resulted in token bloat. It’s time someone changed that and introduced business logic for file and folder access.

     

What’s New

Microsoft did exactly that by introducing Dynamic Access Control (DAC).

Dynamic Access Control can best be described as a Claims-based Access Control (CBAC) solution, where claims are placed in tokens. In contrast, Active Directory Federation Services (AD FS), also uses claims, but uses SAML as its protocol for markup and transport. Dynamic Access Control claims are stored in the Ticket Granting Ticket (TGT).

Note:
To use Dynamic Access Control you don’t need to install or configure Active Directory Federation Services.

Claims within Dynamic Access Control can be based on any attribute of a user account, Claims can also be based on attributes for computer accounts, but this requires Kerberos Armoring (FAST). When user claims and device claims are combined, this forms the Compound Identity (Compound ID).

Dynamic Access Control information is stored in Active Directory in CN=Claims Configuration,CN=Services,CN=Configuration,DC=domain,DC=tld and is replicated throughout the Active Directory forest.

To use Dynamic Access Control claims to authorize access to files, two methods can be used:

  1. You can define authorization rules and authorization policies within Active Directory, where you can define the proposed and/or enforced rights on files and folders and the scope of the rules. Authorization rules also extend to file classification infrastructure (FCI) this way, so you can even base access rights on user-picked tags for files and folders on a scoped number of File Servers.
  2. The second method is to incorporate claims within access control entries (ACEs) straight into access control lists (ACLs). This is useful for file storage locations that are based on the Resilient File System (ReFS), since this new file system does not support authorization policies (yet).

Arguably, using claims adds complexity when added to an access strategy based on group memberships. Another new feature in Windows Server 2012 helps keep track of access denied. The feature, called Access-denied remediation, enables users, when faced with an Access Denied error, to specify why they think they should be allowed access. This fully customizable message, together with the reason why access was denied is then sent to the Admin responsible for the file server (as defined in File Server Resource Manager). Access Denied Remediation is only available when using SMB 3.0, so, this feature is only available when Windows 8 clients and Windows Server 2012 member servers access Windows Server 2012 File Servers.

   

Configuring DAC

InformationalExample case

In this example we’ll use File Classification with Dynamic Access Control to authorize the Engineering department to read files and folders of their department. Their managers can modify these files, but only when they try this from computers, designated as computers in the Engineering department.

Step 1

First, we start by creating File Classifications. We perform this action in the Active Directory Administrative Center (ADAC), since these classifications are stored in Active Directory. In the Active Directory Administrative Center, file classifications can be found in the Dynamic Access Control node on the left pane. The screenshot below shows the Dynamic Access Control (DAC) node in Folder View in the Active Directory Administrative Center:

The Dynamic Access Control (DAC) node in Folder View in the Active Directory Administrative Center (click for larger screenshot)

Define Resource Properties

Our first step is to define Resource Properties. For this, open the Resource Properties node underneath the Dynamic Access Control node. You’ll notice Microsoft has equipped us with a lot of pre-defined resource properties, so let’s use the Department one. Right-click it and select Enable from the context menu:

Enabling the Department resource property in Active Directory Administrative Center (click for larger screenshot)

Tip!
You can enable multiple pre-defined resource properties and even create your own. A perfect example would be Country, which is not pre-defined.

Add Resource Properties to the Property List

When you’ve enabled the resource properties you’d want to use, add them to a Resource Property list. In the left pane of the Active Directory Administrative Center right-click Resource Property Lists underneath the Dynamic Access Control node and select New and then Resource Property List from the context menu.

Creating a Resource Property List for Dynamic Access Control (click for larger screenshot)

For our example environment we will name this Resource Property List Engineering and we add the Department resource property to it by using the Add… button. OK saves our settings.

Update the Resource Property Lists on the file servers

On the Windows Server 2012-based File Servers, run the Update-FSRMClassificationPropertyDefinition PowerShell command.

Classify files and folders

Now, in the File Explorer on the File Servers classify folders and files. Use the Classification tab to specify Classification. In our example we’ll classify the Engineering folder as Engineering data. Navigate towards the folder you’d want to classify, right-click it and then select Properties from the context menu. Go to the Classification tab:

Classifying files and folders on the Classification tab (original screenshot)

Since the Department Resource Property is the only enabled Resource Property it will be the only Resource Property available to the File Server(s). To use it, click it. Then, in the Value box, select Engineering. Press OK when done.

Step 2

Now that we’ve put the built-in File Classification Infrastructure (FCI) to good use, it’s time to define our authorization decisions based on the classifications.

Define Central Access Rules

Back into the Active Directory Administrative Center (ADAC), we now open the Central Access Rules node underneath the Dynamic Access Control node in the left pane. By default, this node is empty, so we’re making our own Central Access Rule.

Right-click Central Access Rules, select New and then select Central Access Rule from the context-menu:

Create a Central Access Rule in Active Directory Administrative Center (click for larger screenshot)

We’ll call the Access Rule Engineering Access. As targets we’ll target all files classified with the Engineering department through the Edit… button in the Target Resources area. As Permissions we choose to Use following permissions as current permissions. We then add Permissions with the Edit… button in the Permissions area. While in the Advanced Security Settings for Permissions screen, click Add.

Creating a Permission entry for Permissions (click for larger screenshot)

In the Permission Entry for Permissions screen, at the top, we select the Authenticated Users as the Security Principal filter. Then, we create a condition with the business logic behind the access for Engineers. Members of the Engineers group get read access to Files and Folders (resources), classified as Engineering. The above screenshot shows these choices.

Of course, for the members of the Engineering Managers group, we build a second Central Access Rule, where we grant them Modify rights, based on their Engineering Managers group membership and based on the department of their device.

Note:
Since we’re basing authorization decisions on computer objects with the Engineering department attribute, make sure the right computers have this attribute configured.

Add Rules to a Central Access Policy

With the rule set in place, we can now create the Central Access Policy (CAP) that will utilize the rule set to make authorization decisions with a defined scope.

In the Active Directory Administrative Center (ADAC), we now open the Central Access Policies node underneath the Dynamic Access Control node in the left pane. By default, this node is empty, so we’re making our own Central Access Policy. Right-click the Central Access Policies node, select New and then Central Access Policy from the context menu.

In our example environment, we’ll name the Central Access Policy Engineering AuthZ and with the Add… button in the Member Central Access Rules area we add the Engineering Access Central Access Rule.

Deploy the CAP to File Servers using Group Policy

Using Group Policy we will now be scoping the Central Access Policy. Open the Group Policy Management Console (GPMC) and navigate to the Organization Unit (OU) containing the File Servers with Engineering data on them. Right-click the Organizational Unit and choose Create a GPO in this domain and Link it here…. In our example environment, we’ll name the new Group Policy Engineering Access. Now, right-click the newly created Group Policy and select Edit… from the context menu.

Scoping Central Access Policies with Group Policy (click for larger screenshot)

In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, File System and then right-click Central Access Policy to select Manage Central Access Policies… from the context menu.

Select the Engineering AuthZ Central Access Policy from the list on the left and click the Add > button to make it appear in the list on the right. When done, click OK.

Now you can close the Group Policy Management Editor. To update the Group Policies on the File Server, either wait for the Group Policy Background Refresh Interval, run gpupdate.exe on the console of the File Server, or force a Group Policy Refresh from the Group Policy Management Console.

Tip!
Remote Group Policy Refresh is a new feature in the Group Policy Management Console (GPMC) that is part of Windows Server 2012 and part of the Remote Server Administration Tools (RSAT) for Windows 8.

Select the CAP to apply

When the Group Policy has applied, you can apply the Central Access Policy to the Engineering folder. Right-click the Engineering folder and select Properties. Click on the Security tab and then click on Advanced. In the Advanced Security Settings for Engineering screen, navigate to the Central Policy tab. On this tab, select the Engineering AuthZ as the Central Access Policy to apply. Click OK three times.

 

      

Requirements

Windows Server 2012-based Domain Controllers

Dynamic Access Control requires at least one Windows Server 2012-based Domain Controller. File Servers, where you want to use claims-based access control, also need to be running Windows Server 2012.

Tip! 
Certain Storage Area Network (SAN) manufacturers are working closely with Microsoft to enable their equipment for claims-based access control and Dynamic Access Control.

Make sure sufficient Windows Server 2012-based Domain Controllers are present to process client requests.

Note:
When Compound ID is used, Windows 8-based clients will only communicate with Windows Server 2012-based Domain Controllers. Compound ID is only available in Windows 8, not in previous versions of Windows.
    

Forest Functional Level

The Forest Functional Level needs to be Windows Server 2003.

Windows Server 2012-based File Servers

File Servers, where you want to use claims-based access control, also need to be running Windows Server 2012. On these servers the File Server Resource Manager Server Role needs to be installed. The following PowerShell one-liner can be used for this purpose:

Install-WindowsFeature FS-Resource-Manager
-IncludeManagementTools

Since Dynamic Access Control uses Group Policies to manage File Servers it’s a good idea to create a separate Organization Unit (OU) for File Servers as part of your Windows Server 2012 Active Directory design.

Backward compatibility

Dynamic Access Control works with previous versions of Windows as DAC clients. Windows 7 and Windows Server 2008 R2 have been thoroughly tested.

        

Concluding

Dynamic Access Control allows for rich authorization stories, based on not just group membership, but also attributes of the user account and computer account, applied to files and folders, but also applicable through classification. This way, even when a file is copied to an inappropriate location, it will still only be available for the right users within the environment.

With Dynamic Access Control, Active Directory Admins can work together with File Server admins to, finally, make authorization work as part of the business (instead of the other way around).

Related Posts

Active Directory and the Resilient File System (ReFS)   
New features in ADDS in Windows Server 2012, Part 11: Kerberos Armoring (FAST) 

Videos

An Overview of Dynamic Access Control   
Dynamic Access Control Deep Dive  
Dynamic Access control Best Practices and Microsoft IT Case Studies 
Keeping your Data Safe, and Introduction to Information Protection Technology  
Using classification for access control and compliance

Further reading

The Dynamic Access Control Knowledge Base  
Introduction to Windows Server 2012 Dynamic Access Control 
First Look at Dynamic Access Control in Windows Server 2012 
Windows Server 2012 Dynamic Access Control – The power of “And…”    
Dynamic Access Control: Scenario Overview 
Dynamic Access Control intro on Windows Server blog 
New in Windows Server 2012 – Part 3: Security 
Dynamic Access Control in Windows Server 2012 demo 
Diving deeper into Windows Server 2012 Dynamic Access Control

Posted: Monday, September 24, 2012 8:30 AM by Sander Berkouwer

Comments

No Comments

Anonymous comments are disabled