Pages

Wednesday, April 10, 2013

What is Dynamic Access Control



Active Directory Administrative Center

The other day I wrote about Powershell as one of the basic tools that the administration of any supported Microsoft platform rises to highest level of automation and configuration. I can not emphasize enough how important it is for Windows Server administrators to begin to learn Powershell, I think everyone slowly but surely will realize that.
In addition I want to devote attention on two "new" tools for administering Server 2008R2 an Server 2012. One Active Directory Administrative Center, which runs completely on Powershell and Server Manger which is an entirely integrated into PS.

In Windows Server 2003 and Windows Server 2008 operating systems, administrators can manage and to disclose information in their Active Directory environment by using Active Directory snap-ins linke AD Users and Computers Microsoft Management Console ( MMC ) snap -in . Beginning in Windows Server 2008 R2, now and in the Server 2012 ( and in all other subsequent ) in favor of using the Active Directory Users and Computers, administrators can manage their directories by using the new Active Directory Administrative Center.

As i said earlier, tool that works "on top" of PS, it actually means that each click or each operation via the graphical interface is powershell command that is executed in the background, quite transparently for the user. The same we have already saw in Exchange Server 2010 with the Exchange console.

The version of the Active Directory Administrative Center in Windows Server 2012 has additional improvements, including PowerShell Windows History Viewer that will help you learn the Active Directory cmdlets.
You can use Active Directory Administrative Center to perform the following Active Directory administrative tasks:

Creating new users (Users) or managing existing ones.
Create a new group (Group) or management  of existing. Create new computer (account) or managing existing ones.
Creating new computer (account) or managing existing ones.
Creating new organizational units (OUs) and containers or manage existing OU.
Connecting to one or several (domain) or (domain controllers) simultaneously to view or manage the desired Active Directory (AD DS).
Filter AD DS and search the database (query).

In addition, you can use the GUI and modify it according to your needs and desires,meaning you can use a (custom) administrative center . This can help to improve your productivity and efficiency .

Active Directory Administrative includes features that are described in the following chapters . The following illustration shows the graphical user interface (GUI) and the administrative center and how it is organized







On the navigation panel you can see your available domain, global search and the option "dynamic access control" which is native to the Server 2012. "Dynamic Access Control" in the "Windows Server 2012" offers a new way of controlling access to resources.
In most cases data in an organization is stored on file servers, administrators must provide security and access control to file server resources.At the end DAC is a new access control mechanism for file-system resources. It will enable administrators to use a mechanism with which they can apply "central file-access policies" to every file server in the organization.





                                                        Dynamic Access Control: An Active Directory Game Changer    



On the navigation panel you can see your available domain, global search and the option "dynamic access control" which is native to the Server 2012. "Dynamic Access Control" in the "Windows Server 2012" offers a new way of controlling access to resources.

In most cases data in an organization is stored on file servers, administrators must provide security and access control to file server resources. At the end DAC is a new access control mechanism for file-system resources. It will enable administrators to use a mechanism with which they can apply "central file-access policies" to every file server in the organization.


Dynamic Access Control provides:


Data classification - You can use automatic and manual classification of files to tag data in file servers across the organization.


Access control to files - Central access policies enable organizations to define who can access particular data.


Auditing of access to files. Central audit policies facilitate compliance reporting and forensic analysis.


In previous versions of Windows Server, the basic mechanism for file and folder access control was NTFS permissions. By using NTFS permissions and

their ACLs, administrators can control access to

resources, based on user name or group membership, and the level of access, such as Read-only, Change, or Full Control. However, once you

provide someone with Read-only access to a document, you cannot prevent that person from copying the content of that document into a new document or printing the document. Yes you coud do that with RMS but the main thing of DAC is that for the first time you can set conditional access to files.Example, you can set permissions in a way that users could access a document if they were a

member of a specific group A and another group B or had the attribute EmployeeType set to "Full Time Employee". Or, you might want to set permissions so that only users that have a department attribute populated with the

same value as the department attribute for the resource can access the content.


"Dynamic Access Control" will allow you to identify data using auto or manual file classification (classification rules). For example, you can through tagged data files to any servers (file servers) in the organization of a rule base.


Also allows control of access to files by using the (safety-net policies) that use (central access policies). 

http://technet.microsoft.com/en-us/library/hh831425.aspx


Provides access Audit (Audit) to files using the (central access) policies for compliance reporting (compliance) and forensic analysis. For example, you can determine which access to highly sensitive information in the company and therefore the security of the data to rise to a much higher level.

You can even integrate and DAC and RMS (Rights Management Services) protection using automatic RMS encryption on sensitive documents.For example, you can configure RMS to auto encrypt all documents containing personal or health insurance information.

Dynamic Access Control "Dynamic Access Control" in Windows Server 2012 can help improve authentication and authorization. Definitely new and great way that will help protect primary data across the company regardless of which server is located.


In this blog for those who already are working with administrative center in Server 2008R2 but still have not worked in Server 2012 and those who are already at an advanced level i will focus more on Dynamic Access Control, because I believe that is one of the most important improvements in server 2012 and that you need to pay attention.


 Imagine the following scenario.

 

Department of finance and operations has a need for central policy to protect sensitive archived financial data stored on file servers . Archived finance information from each country can be accessed as read-only by the finance staff from the same country . A central financial (admin) group can access finance information from all countries .

So financial documents should be read only by members of the finance department . Members of the finance department only need to access documents in their own country . Only Finance Administrators need to have Write access. Exceptions will be allowed for members of FinanceException group. This group will have read access .

 

You start by creating a "Claim" type of ( proof)  that the user that is requesting access is who he claim he is. This Claim will later be used in "Central Access Rules", but remember Server 2008 Domain Controller under default does not support authentication Claim and you will have to enable it. You can do that with GPO:


Group Policy Management -  Domain Controllers - Default Domain Controllers Policy -  Edit

Group Policy Management Editor - Computer Configuration – Policies - Administrative Templates  - System – KDC

KDC Support for claims, compound authentication and Kerberos armoring -  Options -

Enabled - Supported 


Next create new Claim Type from Dynamic Access Control tasks panel.


UI

 

Source Attribute – department - Display name – department – ок

Source Attribute - Country-Name - Display name – country

Suggested Values - The following values are suggested -  Add

Value and Display name fields – US – ок

Suggested Values - The following values are suggested -  Add

Value and Display name fields – ЈP – ок


This would be much more simpler with powershell J

 

New-ADClaimType country -SourceAttribute c -SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US","US","")), (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("JP","JP","")))

New-ADClaimType department -SourceAttribute department







Next step is to create the "resource properties" which is auto-added to the Global Resource Properties list located on the domain controller and is available to all file servers in the company is involved. "Resource Properties" are properties (such as labels) that describe a file and are assigned to files by using automatic classification or manual classification. Examples include: Sensitivity, Project, and Retention period.

UI

Tasks - New - Reference Resource Property
Select a claim type to share its suggested values list country
Display name - country  OK
Resource Properties - Department - Еnable.

PS

New-ADResourceProperty Country -IsSecured $true -ResourcePropertyValueType MS-DS-MultivaluedChoice -SharesValuesWith country

Set-ADResourceProperty Department_MS -Enabled $true

Add-ADResourcePropertyListMember "Global Resource Property List" -Members Country

Add-ADResourcePropertyListMember "Global Resource Property List" -Members Department_MS










Next is to create a  "Central Access Rules" with which you will determine who on will have access to specific data based on  previously created claim.

Central Access Rules is a rule that includes a condition and an access expression.


 

UI

 

Central Access RulesNew -  Central Access Rule

Name - Finance Documents Rule

Target Resources -  Edit - Central Access Rule - Add a condition  -  [Resource] [Department] [Equals] [Value] [Finance - OK

Permissions section, - select Use following permissions as current permissions -  Edit -  Advanced Security Settings for Permissions - Add

Permission entry for Permissions dialog box, - Select a principal, type Authenticated Users OK

Permission Entry for Permissions dialog box - Add a condition -  [User] [country] [Any of] [Resource] [country] 
[
User] [Department] [Any of] [Resource] [Department]. Set the Permissions to Read.

 

PS

 

$countryClaimType = Get-ADClaimType country

$departmentClaimType = Get-ADClaimType department

$countryResourceProperty = Get-ADResourceProperty Country

$departmentResourceProperty = Get-ADResourceProperty Department

$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-21-1787166779-1215870801-2157059049-1113)(A;;0x1301bf;;;S-1-5-21-1787166779-1215870801-2157059049-1112)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;((@USER." + $countryClaimType.Name + " Any_of @RESOURCE." + $countryResourceProperty.Name + ") && (@USER." + $departmentClaimType.Name + " Any_of @RESOURCE." + $departmentResourceProperty.Name + ")))"

$resourceCondition = "(@RESOURCE." + $departmentResourceProperty.Name + " Contains {`"Finance`"})"

New-ADCentralAccessRule "Finance Documents Rule" -CurrentAcl $currentAcl -ResourceCondition

$resourceCondition






Note that in the above scripted command SID of the group should be replaced with your group SID (S-1-5-21-1787166779 to 1215870801-2157059049-1113)

 

To find SID the User or Group object in your AD DS you can use the PS command

 

$objGroup = New-Object System.Security.Principal.NTAccount("adatum", "IT")
$strSID = $objGroup.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

$objUser = New-Object System.Security.Principal.NTAccount("adatum", "IT")







With previous command I have created a new rule for central access Central Access Rule.
Next step will be to add this rule (Central Access Rule) in the central access policy (Central Access Policies).

UI

Tasks  New Policy

Create Central Access Policy - Name - Finance Policy 

Member central access rules -  Add - Add the following central access rules - Finance Documents Rule – ok

PS

New-ADCentralAccessPolicy "Finance Policy"

Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Member "Finance Documents Rule"








Next step will be to apply this policy Central Access Policies across all file servers in the company via GPO. In 2012 Server there is a new type of policy that we can use. 







This would be roughly how the Dynamic Access Control with respect to the Central Access Policies, technology, I am confident you will pay a lot of attention.

How to use Powershell History?

Before I finish with the administrative center I can not but mention another option that is new. Windows Powershell History is an option that i don't believe anyone can leave indifferent, i was happy like little boy when i saw it :) I said every click and each operation AC is PS command that you can simply view, copy, and later as such, or modified as part of the script you can use :). Who said you need to know all (more than 2600 cmdlet's) :)






 

 

 

 

 

No comments:

Post a Comment