
Wednesday, April 10, 2013

What is Dynamic Access Control



Active Directory Administrative Center

The other day I wrote about PowerShell as one of the basic tools that raises the administration of any supported Microsoft platform to the highest level of automation and configuration. I cannot emphasize enough how important it is for Windows Server administrators to start learning PowerShell; I think everyone will slowly but surely realize that.
In addition, I want to draw attention to two "new" tools for administering Server 2008 R2 and Server 2012: Active Directory Administrative Center, which runs entirely on PowerShell, and Server Manager, which is fully integrated with PowerShell.

In Windows Server 2003 and Windows Server 2008, administrators manage and view information in their Active Directory environment by using Active Directory snap-ins such as the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Beginning with Windows Server 2008 R2, and now in Server 2012 (and all subsequent versions), instead of Active Directory Users and Computers administrators can manage their directories by using the new Active Directory Administrative Center.

As I said earlier, it is a tool that works "on top" of PowerShell: every click or operation in the graphical interface is a PowerShell command executed in the background, transparently for the user. We have already seen the same approach in Exchange Server 2010 with the Exchange console.

The version of the Active Directory Administrative Center in Windows Server 2012 has additional improvements, including the Windows PowerShell History Viewer, which will help you learn the Active Directory cmdlets.
You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:

Creating new users or managing existing ones.
Creating new groups or managing existing ones.
Creating new computer accounts or managing existing ones.
Creating new organizational units (OUs) and containers or managing existing ones.
Connecting to one or several domains or domain controllers simultaneously to view or manage the desired Active Directory Domain Services (AD DS) instance.
Filtering AD DS data and searching the database (queries).

In addition, you can customize the GUI according to your needs, meaning you can use a custom administrative center. This can help improve your productivity and efficiency.

Active Directory Administrative Center includes the features described in the following sections. The following illustration shows the graphical user interface (GUI) of the administrative center and how it is organized:

On the navigation panel you can see your available domain, global search, and the "Dynamic Access Control" option, which is native to Server 2012. Dynamic Access Control in Windows Server 2012 offers a new way of controlling access to resources.
In most organizations data is stored on file servers, and administrators must provide security and access control for file server resources. In short, DAC is a new access control mechanism for file-system resources. It enables administrators to apply "central file-access policies" to every file server in the organization.

Dynamic Access Control: An Active Directory Game Changer



Dynamic Access Control provides:

Data classification - You can use automatic and manual classification of files to tag data on file servers across the organization.

Access control to files - Central access policies enable organizations to define who can access particular data.

Auditing of access to files - Central audit policies facilitate compliance reporting and forensic analysis.


In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and their ACLs, administrators can control access to resources based on user name or group membership, and the level of access, such as Read-only, Change, or Full Control. However, once you give someone Read-only access to a document, you cannot prevent that person from copying its content into a new document or printing it. You could do that with RMS, but the main point of DAC is that for the first time you can set conditional access to files. For example, you can set permissions so that users can access a document only if they are members of both group A and group B, or have the EmployeeType attribute set to "Full Time Employee". Or you might set permissions so that only users whose department attribute has the same value as the department attribute of the resource can access the content.


Dynamic Access Control lets you identify data using automatic or manual file classification (classification rules). For example, you can tag data files on any file server in the organization based on a set of rules.


It also allows control of access to files by using safety-net policies that use central access policies.

http://technet.microsoft.com/en-us/library/hh831425.aspx


It provides auditing of access to files using central audit policies, for compliance reporting and forensic analysis. For example, you can determine who accessed highly sensitive information in the company and thereby raise the security of that data to a much higher level.

You can even integrate DAC with RMS (Rights Management Services) protection by using automatic RMS encryption of sensitive documents. For example, you can configure RMS to automatically encrypt all documents containing personal or health insurance information.

Dynamic Access Control in Windows Server 2012 can help improve authentication and authorization. It is definitely a new and great way to help protect primary data across the company, regardless of which server it is located on.


In this blog post, for those who are already working with the Administrative Center in Server 2008 R2 but have not yet worked with Server 2012, and for those already at an advanced level, I will focus more on Dynamic Access Control, because I believe it is one of the most important improvements in Server 2012 and one you need to pay attention to.


Imagine the following scenario.

The finance and operations department needs a central policy to protect sensitive archived financial data stored on file servers. Archived finance information from each country can be accessed as read-only by the finance staff from the same country. A central finance administrators group can access finance information from all countries.

So financial documents should be readable only by members of the finance department. Members of the finance department only need to access documents in their own country. Only Finance Administrators need Write access. Exceptions are allowed for members of the FinanceException group, which will have read access.

 

You start by creating a "claim": a type of proof that the user requesting access is who they claim to be. This claim will later be used in Central Access Rules, but remember that a Server 2008 domain controller does not support claims authentication by default and you will have to enable it. You can do that with GPO:


Group Policy Management - Domain Controllers - Default Domain Controllers Policy - Edit

Group Policy Management Editor - Computer Configuration - Policies - Administrative Templates - System - KDC

KDC Support for claims, compound authentication and Kerberos armoring - Options - Enabled - Supported


Next, create a new Claim Type from the Dynamic Access Control tasks panel.


UI

Source Attribute - department - Display name - department - OK

Source Attribute - Country-Name - Display name - country

Suggested Values - The following values are suggested - Add

Value and Display name fields - US - OK

Suggested Values - The following values are suggested - Add

Value and Display name fields - JP - OK


This is much simpler with PowerShell :)

 

New-ADClaimType country -SourceAttribute c -SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US","US","")), (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP","JP","")))

New-ADClaimType department -SourceAttribute department


The next step is to create the "resource properties", which are automatically added to the Global Resource Property List located on the domain controller and made available to all participating file servers in the company. Resource properties are properties (labels) that describe a file and are assigned to files by automatic or manual classification. Examples include Sensitivity, Project, and Retention period.

UI

Tasks - New - Reference Resource Property
Select a claim type to share its suggested values list - country
Display name - country - OK
Resource Properties - Department - Enable

PS

New-ADResourceProperty Country -IsSecured $true -ResourcePropertyValueType MS-DS-MultivaluedChoice -SharesValuesWith country

Set-ADResourceProperty Department_MS -Enabled $true

Add-ADResourcePropertyListMember "Global Resource Property List" -Members Country

Add-ADResourcePropertyListMember "Global Resource Property List" -Members Department_MS


Next, create the Central Access Rules that determine who will have access to specific data based on the previously created claims.

A Central Access Rule is a rule that includes a condition and an access expression.


UI

Central Access Rules - New - Central Access Rule

Name - Finance Documents Rule

Target Resources - Edit - Central Access Rule - Add a condition - [Resource] [Department] [Equals] [Value] [Finance] - OK

Permissions section - select "Use following permissions as current permissions" - Edit - Advanced Security Settings for Permissions - Add

Permission Entry for Permissions dialog box - Select a principal - type Authenticated Users - OK

Permission Entry for Permissions dialog box - Add a condition - [User] [country] [Any of] [Resource] [country] and [User] [Department] [Any of] [Resource] [Department]. Set the Permissions to Read.


PS

 

$countryClaimType = Get-ADClaimType country

$departmentClaimType = Get-ADClaimType department

$countryResourceProperty = Get-ADResourceProperty Country

$departmentResourceProperty = Get-ADResourceProperty Department

$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1787166779-1215870801-2157059049-1113)(A;;0x1301bf;;;S-1-5-21-1787166779-1215870801-2157059049-1112)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"

$resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"

New-ADCentralAccessRule "Finance Documents Rule" -CurrentAcl $currentAcl -ResourceCondition $resourceCondition


Note that in the scripted command above, the group SIDs (S-1-5-21-1787166779-1215870801-2157059049-1113 and S-1-5-21-1787166779-1215870801-2157059049-1112) must be replaced with the SIDs of your own groups.

To find the SID of a user or group object in your AD DS you can use the following PowerShell commands:


$objGroup = New-Object System.Security.Principal.NTAccount("adatum", "IT")
$strSID = $objGroup.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

# The same translation works for a user account; <UserName> is a placeholder
$objUser = New-Object System.Security.Principal.NTAccount("adatum", "<UserName>")
$objUser.Translate([System.Security.Principal.SecurityIdentifier]).Value


With the previous command I created a new Central Access Rule.
The next step is to add this rule to a Central Access Policy.

UI

Tasks - New - Central Access Policy

Create Central Access Policy - Name - Finance Policy

Member central access rules - Add - Add the following central access rules - Finance Documents Rule - OK

PS

New-ADCentralAccessPolicy "Finance Policy"

Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"


The next step is to apply this Central Access Policy to all file servers in the company via GPO. In Server 2012 there is a new type of policy setting that we can use for that.

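The whole procedure above scripted end to end, as an added example that is not from the original post: the group SIDs are resolved from group names instead of being pasted into the SDDL, and the rule and policy are created only if they do not already exist. It assumes the claim types and resource properties created above already exist, and that the domain "adatum" and the groups "FinanceAdmins" and "FinanceException" are placeholders for your own.

```powershell
# Added example (not from the original post): build the Finance Documents rule
# from group names instead of pasted SIDs, then create the rule and the policy.
Import-Module ActiveDirectory

function Get-GroupSid {
    # Translate DOMAIN\Group to a SID string; throws if the group does not exist.
    param([string]$Domain, [string]$Group)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-FinanceRuleSddl {
    # Same layout as the SDDL on the page: owner, Administrators and SYSTEM get
    # full control, the admin group Modify (0x1301bf), the exception group Read
    # (0x1200a9), and Authenticated Users get Read only when their country and
    # department claims match the resource properties (conditional XA ACE).
    param([string]$AdminSid, [string]$ExceptionSid,
          [string]$CountryClaim, [string]$DeptClaim,
          [string]$CountryProp, [string]$DeptProp)
    $condition = "((@USER.$CountryClaim Any_of @RESOURCE.$CountryProp) && " +
                 "(@USER.$DeptClaim Any_of @RESOURCE.$DeptProp))"
    return "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
           "(A;;0x1301bf;;;$AdminSid)(A;;0x1200a9;;;$ExceptionSid)" +
           "(XA;;0x1200a9;;;AU;$condition)"
}

$domain       = "adatum"                                # placeholder domain
$adminSid     = Get-GroupSid $domain "FinanceAdmins"    # placeholder group names
$exceptionSid = Get-GroupSid $domain "FinanceException"

# Use the stored names of the claim types and resource properties, as the page does
$countryClaim = (Get-ADClaimType country).Name
$deptClaim    = (Get-ADClaimType department).Name
$countryProp  = (Get-ADResourceProperty Country).Name
$deptProp     = (Get-ADResourceProperty Department).Name

$currentAcl = New-FinanceRuleSddl $adminSid $exceptionSid `
                  $countryClaim $deptClaim $countryProp $deptProp
$resourceCondition = "(@RESOURCE.$deptProp Contains {`"Finance`"})"

# Create the rule and the policy only if they do not exist yet, so re-running
# the script does not try to create duplicates
if (-not (Get-ADCentralAccessRule -Filter { Name -eq "Finance Documents Rule" })) {
    New-ADCentralAccessRule "Finance Documents Rule" `
        -CurrentAcl $currentAcl -ResourceCondition $resourceCondition
}
if (-not (Get-ADCentralAccessPolicy -Filter { Name -eq "Finance Policy" })) {
    New-ADCentralAccessPolicy "Finance Policy"
}
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"

# Show what was stored; CurrentAcl should contain the XA (conditional) ACE
Get-ADCentralAccessRule "Finance Documents Rule" | Format-List Name, CurrentAcl, ResourceCondition
```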

This is roughly how Dynamic Access Control works with respect to Central Access Policies, a technology that I am confident you will pay a lot of attention to.

How to use PowerShell History?

Before I finish with the Administrative Center I cannot help but mention another new option. Windows PowerShell History is a feature that I don't believe anyone can be indifferent to; I was as happy as a little boy when I saw it :) As I said, every click and each operation in the AC is a PowerShell command that you can simply view, copy, and later use as-is or modified as part of a script :). Who said you need to know all of the more than 2600 cmdlets? :)


Sunday, April 7, 2013

PowerShell Remote


PowerShell is definitely the most powerful command-line tool, with an associated scripting language built on the .NET Framework. It allows every administrator to perform administrative operations locally and remotely on any computer in the domain, the forest, or a trusted domain, and of course directly in the cloud from the local computer.


What are the system requirements to enable PowerShell Remoting?

PowerShell 3.0:
Windows PowerShell 3.0
Microsoft .NET Framework 4.0 or later
Windows Remote Management 3.0

PowerShell 2.0:
Windows PowerShell 2.0 or later
Microsoft .NET Framework 2.0 or later
Windows Remote Management 2.0 or later

A remote session between PS 2.0 and 3.0 is supported, but options native to 3.0, such as reconnecting to an existing session, are not. Of course you need administrative privileges on the system you are connecting to remotely via PowerShell.
PowerShell 3.0, as I said, allows remote sessions on servers and clients in private, domain, and public networks.

In the Private and Domain network profiles, Enable-PSRemoting creates firewall rules that allow unrestricted remote access. Enable-PSRemoting also creates a firewall rule for the Public profile that allows access only from computers in the same local subnet.
On a client computer, run Enable-PSRemoting with the SkipNetworkProfileCheck parameter on the Public profile to enable access only between computers on the same local subnet.


If you want to bypass the local-subnet restriction of the Public profile, which exists purely for security, Set-NetFirewallRule with the rule name and -RemoteAddress Any will do just that (after which the WinRM listener accepts connections from any address on public networks):



Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any


Administrative privileges are required to establish a remote session. To review the default permissions:


Get-PSSessionConfiguration | Format-List -Property Name, Permission


If you want to assign permissions to other users to establish the default or any other remote session:

  • Review session configurations on the local computer:

dir WSMan:\localhost\Plugin\microsoft*


  • Review session configurations on a remote computer:

Connect-WSMan server01.(domain name).com


  • Permissions for a PS session are granted with Set-PSSessionConfiguration by adding the Execute permission for the desired users:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI


  • To disable a specific PowerShell session configuration:

Disable-PSSessionConfiguration -Name Microsoft.PowerShell


  • To disable all PowerShell remote sessions:

Disable-PSRemoting



Creating a new session configuration on the local computer is done with the Register-PSSessionConfiguration command.
Creating a new session configuration identical to the standard PS session, but with a limit on the data received per command (the default is 50 MB), looks like this:

Register-PSSessionConfiguration -Name NewConfig -MaximumReceivedDataSizePerCommandMB 20



  • Delete a session configuration from the local computer:

Unregister-PSSessionConfiguration -Name (New Name)

# Remove-PSSession closes open sessions; it does not delete session configurations
Get-PSSession | Remove-PSSession
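A scripted alternative to the -ShowSecurityDescriptorUI dialog, added here as an example that is not from the original post: it registers a restricted endpoint that exposes only two cmdlets, applies the 20 MB per-command limit from above, and grants a group access by SID rather than through the UI. It assumes an elevated PowerShell 3.0 session and uses the domain "adatum", the group "Helpdesk" and the endpoint name "HelpdeskServices" as placeholders.

```powershell
# Added example (not from the original post): a restricted remoting endpoint for
# a helpdesk group. "adatum", "Helpdesk" and "HelpdeskServices" are placeholders.
$domain  = "adatum"
$group   = "Helpdesk"
$name    = "HelpdeskServices"
$cfgFile = Join-Path $env:TEMP "$name.pssc"

# Resolve the group SID so it is never typed by hand into the SDDL
$account  = New-Object System.Security.Principal.NTAccount($domain, $group)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Only the listed cmdlets are visible; RestrictedRemoteServer plus NoLanguage
# blocks script blocks, .NET calls and every other command in the session.
New-PSSessionConfigurationFile -Path $cfgFile `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service'
if (-not (Test-PSSessionConfigurationFile -Path $cfgFile)) {
    throw "Generated session configuration file is invalid: $cfgFile"
}

# Register the endpoint with the same 20 MB per-command receive limit used above
# (-Force suppresses the confirmation prompt and restarts WinRM)
Register-PSSessionConfiguration -Name $name -Path $cfgFile `
    -MaximumReceivedDataSizePerCommandMB 20 -Force | Out-Null

# Grant Administrators (BA) and the helpdesk group full access to this endpoint
# only; the default Microsoft.PowerShell endpoint keeps its own permissions.
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$groupSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name $name -SecurityDescriptorSddl $sddl -Force | Out-Null

# Verify: the Permission column should now list the group
Get-PSSessionConfiguration -Name $name | Format-List Name, Permission

# Clients connect to the restricted endpoint by name, for example:
# Invoke-Command -ComputerName Server01 -ConfigurationName $name -ScriptBlock { Get-Service }
```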



PS can establish sessions or perform operations on a large number of computers simultaneously, which significantly reduces administration effort. Invoke-Command allows you to do that:



Invoke-Command -ComputerName Server01, Server02 {Get-UICulture}

Invoke-Command -ComputerName Server01, Server02 -FilePath c:\Scripts\DiskCollect.ps1





In Windows Server 2008 and Windows 8, PS is included with the installation, with one difference: the WinRM client is "locked". On those systems, and on older ones, you will need to run Enable-PSRemoting, or interactively Enable-PSRemoting -Force. In addition, with Test-WSMan you can check whether WinRM has problems.


From experience I know that problems are often related to the firewall, and to the complications that arise when the default configuration has to be changed in order to avoid exposure to attacks.



PS Remoting uses "modified" default ports to communicate through the firewall:



TCP/5985 = HTTP

TCP/5986 = HTTPS




These are the same ports used by WinRM. Although some will say it is desirable to keep them, there are scenarios where you or your security team will want to change all of this; administrators often use port 80 for HTTP and port 443 for HTTPS. To enable the compatibility listeners on those well-known ports, run:




Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value true

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener -Value true


You can choose any other port with the command:


Set-Item WSMan:\localhost\Listener\Listener*\Port -Value <Port>



Additionally, all of this can be set via Group Policy.





The future = PS :)