Module 3

Implementing Dynamic Access

Control
Module Overview

• Overview of DAC
• Implementing DAC Components
• Implementing DAC for Access Control
• Implementing Access Denied Assistance
• Implementing and Managing Work Folders
Lesson 1: Overview of DAC

• Limitations of Current Access Management

Methods
• What Is DAC?
• What Is the Claim?
• What Is Resource Property?
• Accessing Resources with DAC
• Requirements for DAC Implementation
Limitations of Current Access Management
Methods

• NTFS file system permissions and ACLs provide

access control that is based on a user’s SID or
group membership SID

• AD RMS provides greater protection for

documents by controlling how applications use
them, and also works with user or group SID

• NTFS file system permissions cannot use AND

between conditions

• In NTFS file system permissions, you cannot

build your own conditions for access control
What Is DAC?

• DAC in Windows Server 2012 is a new access

control mechanism for file system resources

• DAC uses claims in the authentication token,

resource properties on the resource, and
conditional expressions within permission and
auditing entries

• DAC is designed for four scenarios:

• Central access policy for managing access to files
• Auditing for compliance and analysis
• Protecting sensitive information
• Access-denied remediation
What Is the Claim?

• A claim is something that AD DS states about a

specific object

• In the DAC infrastructure, claims are defined by

using specific attributes from a user or device

• In Windows Server 2012, the authorization

mechanism is extended to support conditional
expressions that includes claims

• In Windows Server 2012, you can create:

• User claims
• Device claims
• You can deploy claims between trusted forests
 User and Device Claims

• Pre-2012 Security Principals Only are:

• Restricted to making policies where decisions are based on the user’s
group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups that have rules around who can be members of which types of
groups
• Not able to transform groups across AD trust boundaries
• Not able to control access based on characteristics of user’s device

• Windows Server 2012 considerations:

• AD DS user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that were not possible before
What Is Resource Property?

• Resource properties define attributes of the

resource that you want to use
• Resource properties are grouped in resource
property lists
• When creating a resource property, you can
specify the property type and the allowed or
suggested values
Accessing Resources with DAC
Claim type
Display name
Source
NT access token
Suggested
Contoso\Alice values
User Groups:…. Value type
Claims:
Title=SDE
Enable
domain to
issue claims
User attempts to log on

Kerberos Ticket
Contoso\Alice
Receives a Kerberos ticket
User Groups:….
Claims:
Title=SDE
 Kerberos and a New Token

• DAC leverages Windows Kerberos

• Windows 8 Kerberos extensions
• Compound ID – binds a user to the device to be
authorized as one principal
• DC issues groups and claims
• DC enumerates user claims
• Claims delivered in Kerberos Privilege Account
Certificate 2012 Token
• NT Token has the following User Account

sections: User Groups

Pre-2012 Token Claims
• User & Device data User Account Device Groups
• Claims and Groups User Groups Claims
• Tokens have same size (other data) (other data)
Requirements for DAC Implementation

To implement DAC, you need to have:

• Windows Server 2012 or newer with the FSRM
• Update AD DS schema, or at least one Windows Server
2012 domain controller
• Windows 8 or newer on clients to use device claims
• Enabled support for DAC in AD DS (default domain
controllers GPO)
Lesson 2: Implementing DAC Components

• Creating and Managing Claims

• Creating and Managing Resource Properties and
Resource Property Lists
• Creating and Managing Access Control Rules
• Creating and Managing Access Policies
• Demonstration: Configuring Claims, Resource
Properties, and Rules
• Implementing and Managing File Classifications
• Demonstration: Configuring Classification Rules
Creating and Managing Claims

• Use the AD CS to create attribute-based claims

• Use the Active Directory module for Windows
PowerShell to create certificate-based claims
• Claims are stored within the configuration
partition in AD DS
• Attributes are used to source values for claims
• Make sure that you configure attributes for your
computer and user accounts in AD DS with the
information that is correct for the respective user
or computer
Creating and Managing Resource Properties and
Resource Property Lists

• Resource properties describe resources that you

protect with DAC
• Several resource properties are already
predefined in Windows Server 2012
• All predefined resource properties are disabled
• When creating a new resource property, you
have to set its name, and value type
• In Windows Server 2012 R2, you also can create
reference resource properties
• Resource properties are grouped in resource
property lists
Creating and Managing Access Control Rules

• A central access rule contains one or multiple

criteria that the Windows operating system uses
when evaluating access

• You create and configure central access rules in

the Active Directory Administrative Center

• To create a new central access rule, you should:

• Provide a name and description for the rule
• Configure the target resources
• Configure permissions
 Conditional Expression Example

User File
AD DS Server

User claims Device claims Resource properties

User.Department = Device.Department = Resource.Department =
Finance Finance Finance
User.Clearance = High Device.Managed = True Resource.Impact = High

Access Rule
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department = @File.Department) AND
(@Device.Managed = True)
Creating and Managing Access Policies

• Central access policies enable you to manage

and deploy consistent authorization throughout
an organization
• The main component of a central access policy is
a central access rule
• Central access policies act as a security net that
an organization applies across its servers
• Group Policy is used to deploy a central access
policy
• Manually apply the policies to all Windows
Server 2012 file servers
Demonstration: Configuring Claims, Resource
Properties, and Rules

In this demonstration, you will learn how to

configure claims, resource properties, and access
rules
Implementing and Managing File Classifications

• Resource property
definitions are defined in AD
DS

• Resource property
definitions can be used
during file classifications

• File classifications can be

run automatically
Demonstration: Configuring Classification Rules

In this demonstration, you will learn how to classify

files by using a file classification mechanism
Lesson 3: Implementing DAC for Access Control

• Planning Central Access Policies for File Servers

• Demonstration: Creating and Deploying Central
Access Policies
• How Does Access Check Work When DAC Is in
Use
• Managing and Monitoring DAC
• Demonstration: Evaluating and Managing DAC
Planning Central Access Policies for File Servers

When planning deployment of central access

policies, you should:
• Identify the resources that you want to protect
• Define the authorization policies
• Translate the authorization policies that you require
into expressions
• Identify attributes for access filtering
Demonstration: Creating and Deploying Central
Access Policies

In this demonstration, your instructor will show you

how to create and deploy central access policy
 How Does Access Check Work When DAC Is in
Use
Share
security descriptor
Share permissions
AD DS
(cached in local registry)
File/Folder
security descriptor Cached central access policy definition
Central access policy Cached central access rule
reference
Cached central access rule
NTFS file system
permissions Cached central access rule

Access control decision is calculated by using following

checks:
1. Access check – Share permissions if applicable
2. Access check – File permissions
3. Access check – Every matching central access rule in central access policy
Managing and Monitoring DAC

• DAC allows you to test a central access policy update by

staging it
• Windows Server 2012 staging:
• Is implemented by deploying proposed permissions
• Compares the proposed permissions against the current
permissions
• Causes audit-log events to appear in the security log on the file
server
Current Central Access policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company=Contoso

Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company=Contoso) AND
(@User.Clearance =High)
Sample Staging Event (4818)
Demonstration: Evaluating and Managing DAC

In this demonstration, you will learn how to

evaluate and manage DAC
Lesson 4: Implementing Access Denied
Assistance

• What Is Access Denied Assistance?

• Configuring Access Denied Assistance
• Demonstration: Implementing Access Denied
Assistance
What Is Access Denied Assistance?
On file server:
• Specify troubleshooting text for
access denied Data Owner
• Specify owner’s email for share or
folder User

Access attempt:
• User is denied access, sees
troubleshooting text or device-state
troubleshooting
• User can request access via email

Data owner or help desk:

File Server
• Owner receives user’s request
• Use effective permissions UI to
decide appropriate actions
• Can forward request to IT admin
Configuring Access Denied Assistance

• When implementing Access Denied Assistance:

• Define messages that users will receive when they
attempt to access resources
• Determine whether users should be able to send a
request for access
• Determine recipients for the access-request email
messages
• Consider target operating systems

• Use Group Policy to enable and configure Access

Denied Assistance

• Decide about the method for remediation

Demonstration: Implementing Access Denied
Assistance

In this demonstration, your instructor will show you

how to configure and implement Access Denied
Assistance
Lesson 5: Implementing and Managing Work
Folders

• What Are Work Folders?

• Configuring Work Folders
• Demonstration: Implementing Work Folders
What Are Work Folders?

• Work Folders enable users to access business data

securely at any location and on any device
• Work Folders are managed by administrators

• Currently supported on Windows 8.1 devices, and

support also is planned for iOS-based devices
Configuring Work Folders

To use Work Folders, you should:

• Have at least one Windows Server 2012 R2 file server
• Have at least one Windows Server 2012 R2 domain
controller
• Install Work Folders functionality on file server
• Provision a share where users’ data will be stored
• Run New Sync Share Wizard to create Work Folders
structure
• Configure clients to use Work Folders by using Group
Policy or manually
Demonstration: Implementing Work Folders

In this demonstration, you will learn how to

implement Work Folders
Lab: Implementing Secure Data Access

• Exercise 1: Preparing for DAC Deployment

• Exercise 2: Implementing DAC
• Exercise 3: Validating and Remediating DAC
• Exercise 4: Implementing Work Folders

Logon Information
Virtual machines: 20412C-LON-DC1,
20412C-LON-SVR1,
20412C-LON-SVR2,
20412C-LON-CL1,
20412C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 110 minutes
Lab Scenario

You are working as an administrator at A. Datum

Corporation. The company has a wide and complex file
server infrastructure. It manages access control to folder
shares by using NTFS file system ACLs, but in some cases,
that approach does not provide the desired results.
Most of the files used by departments are stored in shared
folders dedicated to specific departments, but confidential
documents sometimes appear in other shared folders.
Only members of the Research team should be able to
access Research team folders, and only Executive
department managers should be able to access highly
confidential documents.
Lab Scenario

The Support department reports that a high number of calls

are generated by users who cannot access resources. You
must implement a feature that helps users understand error
messages better and will enable them to request access
automatically.
Many users use personal devices such as tablets and
laptops to work from home and while at work. You have to
provide them with an efficient way to synchronize business
data on all the devices that they use.
Lab Review

• How do file classifications enhance the usage of

DAC?
• Can you implement DAC without central access
policy?