Chapter 5 - Implementing Dynamic Access Control

Microsoft Official Course

Module 3

Implementing Dynamic Access Control
Module Overview

• Overview of DAC
• Implementing DAC Components
• Implementing DAC for Access Control
• Implementing Access Denied Assistance
• Implementing and Managing Work Folders
Lesson 1: Overview of DAC

• Limitations of Current Access Management Methods
• What Is DAC?
• What Is the Claim?
• What Is Resource Property?
• Accessing Resources with DAC
• Requirements for DAC Implementation
Limitations of Current Access Management Methods

• NTFS file system permissions and ACLs provide access control that is based on a user's SID or group membership SID
• Active Directory Rights Management Services (AD RMS) provides greater protection for documents by controlling how applications use them, and also works with user or group SIDs
• NTFS file system permissions cannot use AND between conditions
• In NTFS file system permissions, you cannot build your own conditions for access control
What Is DAC?

• DAC in Windows Server 2012 is a new access control mechanism for file system resources
• DAC uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries
• DAC is designed for four scenarios:
  • Central access policy for managing access to files
  • Auditing for compliance and analysis
  • Protecting sensitive information
  • Access-denied remediation
What Is the Claim?

• A claim is something that AD DS states about a specific object. A claim provides information from a trusted source about an entity.
• In the DAC infrastructure, claims are statements made about users and devices in AD DS.
  • These statements are defined by using specific attributes of a user or device.
  • You tell AD DS which attributes can be used in the conditional expressions that DAC uses.
• In Windows Server 2012, the authorization mechanism is extended to support conditional expressions that include claims.
• In Windows Server 2012, you can create:
  • User claims
  • Device claims
• You can deploy claims between trusted forests
User and Device Claims

• Pre-2012 (security principals only):
  • Restricted to making policies where decisions are based on the user's group memberships
  • Shadow groups are often created to reflect existing attributes as groups
  • Groups that have rules around who can be members of which types of groups
  • Not able to transform groups across AD trust boundaries
  • Not able to control access based on characteristics of the user's device
• Windows Server 2012 considerations:
  • AD DS user/computer attributes are included in the security token
  • Claims can be used directly in file server permissions
  • Claims are consistently issued to all users in a forest
  • Claims can be transformed across trust boundaries
  • Enables newer types of policies that were not possible before
What Is Resource Property?

• Resource properties, also known as resource property objects, define attributes of the resource that you want to use or that can be assigned to files and folders.
• Resource properties are grouped in resource property lists
• When creating a resource property, you can specify the property type and the allowed or suggested values
Accessing Resources with DAC

• A user's access token should have information about the user's claims and information about claims from the device that the user is using to access the resource.
• Claims rely upon Kerberos and armoring
• Kerberos protocol extensions are required to transport the claims within a Kerberos ticket and to use compound identity.
• Kerberos armoring is an implementation of Flexible Authentication Secure Tunneling (FAST), which provides a protected channel between the Kerberos client and the Key Distribution Center (KDC).
Accessing Resources with DAC

[Diagram: how a claim reaches the user's token]
• A claim type is defined in AD DS: claim type, display name, source, suggested values, value type
• The domain is enabled to issue claims
• The user attempts to log on and receives a Kerberos ticket
• NT access token for Contoso\Alice: User Groups: …, Claims: Title=SDE
• Kerberos ticket for Contoso\Alice: User Groups: …, Claims: Title=SDE
Kerberos and a New Token

• DAC leverages Windows Kerberos
  • Windows 8 Kerberos extensions
  • Compound ID binds a user to the device so that they are authorized as one principal
• DC issues groups and claims
  • DC enumerates user claims
  • Claims are delivered in the Kerberos Privilege Attribute Certificate (PAC)
• The NT token has the following sections:
  • User and device data
  • Claims and groups
  • Tokens have the same size

[Diagram: token comparison]
Pre-2012 token: User Account, User Groups, (other data)
2012 token: User Account, User Groups, Device Groups, Claims, (other data)
Requirements for DAC Implementation

To implement DAC, you need to have:

• Windows Server 2012 or newer with the File Server Resource Manager (FSRM)
• An updated AD DS schema, or at least one Windows Server 2012 domain controller
• Windows 8 or newer on clients to use device claims
• Support for DAC enabled in AD DS (Default Domain Controllers Policy GPO)
Lesson 2: Implementing DAC Components

• Creating and Managing Claims
• Creating and Managing Resource Properties and Resource Property Lists
• Creating and Managing Access Control Rules
• Creating and Managing Access Policies
• Demonstration: Configuring Claims, Resource Properties, and Rules
• Implementing and Managing File Classifications
• Demonstration: Configuring Classification Rules
Creating and Managing Claims

• Use the Active Directory Administrative Center (ADAC) to create attribute-based claims
• Use the Active Directory module for Windows PowerShell to create certificate-based claims
• Claims are stored within the configuration partition in AD DS
• Attributes are used to source values for claims
• Make sure that you configure attributes for your computer and user accounts in AD DS with the information that is correct for the respective user or computer
Creating and Managing Resource Properties and Resource Property Lists

• Resource properties describe resources that you protect with DAC
• You create and manage resource properties by using the Active Directory Administrative Center (ADAC).
• Several resource properties are already predefined in Windows Server 2012
• All predefined resource properties are disabled
• When creating a new resource property, you have to set its name and value type
Creating and Managing Resource Properties and Resource Property Lists

• Resource property value types can be:
  • Date/Time
  • Multi-valued Choice
  • Multi-valued Text
  • Number
  • Ordered List
  • Single-valued Choice
  • Text
  • Yes/No
• In Windows Server 2012 R2, you also can create reference resource properties. A reference resource property is a resource property that uses an existing claim type that you created before for its suggested values
• Resource properties are grouped in resource property lists
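The claim and resource property slides above describe the objects; the following is an added example (not course material) that creates them with the Active Directory module. Claim type IDs, the msDS-cloudExtensionAttribute source attributes and all values are assumptions chosen to match the conditional expressions used later in this module.

```powershell
# Added example (not from the course): define DAC claim types and resource
# properties. Assumes an AD DS domain with the Windows Server 2012 schema;
# claim IDs, source attributes and suggested values are constructed.
Import-Module ActiveDirectory

# Suggested values constrain what a claim may contain: (Value, DisplayName, Description)
$clearance = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High clearance"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low",  "Low",  "Low clearance")
)

# User claims: Department from the standard 'department' attribute, Clearance from
# msDS-cloudExtensionAttribute1 (assumed to be populated by HR provisioning).
# IDs are set explicitly so that conditional expressions can reference them predictably.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -AppliesToClasses @("user") -ID "ad://ext/Department" -Enabled $true
New-ADClaimType -DisplayName "Clearance" -SourceAttribute "msDS-cloudExtensionAttribute1" `
    -AppliesToClasses @("user") -ID "ad://ext/Clearance" -SuggestedValues $clearance -Enabled $true

# Device claim: whether the computer is managed, read from an assumed computer attribute.
New-ADClaimType -DisplayName "Managed" -SourceAttribute "msDS-cloudExtensionAttribute2" `
    -AppliesToClasses @("computer") -ID "ad://ext/Managed" -Enabled $true

# Predefined resource properties ship disabled; enable the ones the rules will use.
"Department_MS", "Impact_MS", "Company_MS" | ForEach-Object {
    Set-ADResourceProperty -Identity $_ -Enabled $true
}

# Reference resource property (Windows Server 2012 R2): it takes its suggested
# values from the Clearance claim type instead of defining its own.
$ref = New-ADResourceProperty -DisplayName "Clearance" -IsSecured $true `
    -SharesValuesWith "Clearance" -Enabled $true -PassThru

# Only properties in a resource property list are pushed to file servers.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $ref

# Verify that every claim type is enabled and sourced from the intended attribute.
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, Enabled
```

Claims are issued only after the KDC support for claims is enabled in the Default Domain Controllers Policy, as the requirements slide states.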
Creating and Managing Access Control Rules

• A central access rule contains one or multiple criteria that the Windows operating system uses when evaluating access
• You create and configure central access rules in the Active Directory Administrative Center (ADAC)
• To create a new central access rule, you should:
  • Provide a name and description for the rule
  • Configure the target resources
  • Configure permissions
Conditional Expression Example

User claims (AD DS)           Device claims (AD DS)          Resource properties (File Server)
User.Department = Finance     Device.Department = Finance    Resource.Department = Finance
User.Clearance = High         Device.Managed = True          Resource.Impact = High

Access Rule
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department = @File.Department) AND (@Device.Managed = True)
Creating and Managing Access Policies

• Central access policies enable you to manage and deploy consistent authorization throughout an organization by using central access rules and central access policy objects
• The main component of a central access policy is a central access rule
• Central access policies act as a security net that an organization applies across its servers
• Group Policy is used to deploy a central access policy
• Manually apply the policies to all Windows Server 2012 file servers
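The conditional expression example and the two slides on rules and policies can be expressed as a single script. This is an added example, not course material; it assumes the claim type IDs ad://ext/Department and ad://ext/Managed and the predefined Department_MS and Impact_MS resource properties already exist and are enabled, and the rule and policy names are constructed.

```powershell
# Added example (not from the course): the "Conditional Expression Example"
# as a central access rule, published through a central access policy.
# Assumes claim types ad://ext/Department and ad://ext/Managed and the
# enabled predefined resource properties Department_MS and Impact_MS.
Import-Module ActiveDirectory

# Target resources: the rule applies only to files classified Impact = High.
$target = '(@RESOURCE.Impact_MS == "High")'

# Permissions as SDDL. The two plain ACEs keep Owner (OW) and Administrators (BA)
# at Full Control. The XA (conditional) ACE grants Authenticated Users (AU)
# Read + Write only when the user's Department claim equals the file's
# Department property AND the device presents a Managed claim of "True".
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;FRFW;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) ' +
       '&& (@DEVICE.ad://ext/Managed == "True")))'

New-ADCentralAccessRule -Name "High Impact Finance Rule" `
    -Description "Read/Write for matching department from managed devices" `
    -ResourceCondition $target -CurrentAcl $acl

# A policy is the unit that is deployed to file servers; it carries one or more rules.
New-ADCentralAccessPolicy -Name "High Impact Data Policy" `
    -Description "Security net for high impact files"
Add-ADCentralAccessPolicyMember -Identity "High Impact Data Policy" `
    -Members "High Impact Finance Rule"

# Verify the policy membership and the rule's stored condition and ACL.
Get-ADCentralAccessPolicy -Identity "High Impact Data Policy" | Select-Object Name, Members
Get-ADCentralAccessRule -Identity "High Impact Finance Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl
```

The policy is then published to file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy) and selected on the folder's Security tab, which is the manual step the last bullet refers to.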
Implementing and Managing File Classifications

• Classification and resource property definitions are defined in AD DS
• Resource property definitions can be used during file classifications
• File classifications can be run automatically
• You can use automatic classification rules to scan files automatically and then classify them according to the contents of the file
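An added example (not course material) of the automatic classification the slide describes, using the FSRM module on the file server. The folder path, the content marker and the rule names are constructed; the properties are the predefined Department_MS and Impact_MS resource properties, assumed to be enabled in AD DS.

```powershell
# Added example (not from the course): content-based classification rules that
# stamp files under D:\Finance with Department = Finance and Impact = High.
# Path, marker text and rule names are constructed for illustration.
Import-Module FileServerResourceManager

# Pull the resource property definitions enabled in AD DS down to this file
# server so that they are available as classification properties.
Update-FsrmClassificationPropertyDefinition

# One rule per property; both fire on files whose content contains the
# constructed marker "FIN-CONFIDENTIAL" (a regular expression).
$rules = @(
    @{ Name = "Finance department";  Property = "Department_MS"; Value = "Finance" },
    @{ Name = "Finance high impact"; Property = "Impact_MS";     Value = "High"    }
)
foreach ($r in $rules) {
    New-FsrmClassificationRule -Name $r.Name -Namespace @("D:\Finance") `
        -Property $r.Property -PropertyValue $r.Value `
        -ClassificationMechanism "Content Classifier" `
        -ContentRegularExpression @("FIN-CONFIDENTIAL") `
        -ReevaluateProperty Overwrite
}

# Run classification now instead of waiting for the schedule, then review the rules.
Start-FsrmClassification
Get-FsrmClassification
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, Namespace
```

Once the files carry Impact_MS = High, the central access rule whose target condition is @File.Impact = High starts to apply to them.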
Lesson 3: Implementing DAC for Access Control

• Planning Central Access Policies for File Servers
• Demonstration: Creating and Deploying Central Access Policies
• How Does Access Check Work When DAC Is in Use
• Managing and Monitoring DAC
• Demonstration: Evaluating and Managing DAC
Planning Central Access Policies for File Servers

When planning deployment of central access policies, you should:
• Identify the resources that you want to protect
• Define the authorization policies
• Translate the authorization policies that you require into expressions
• Identify attributes for access filtering
• Break down the expressions that you have created to determine what claim types, security groups, resource properties, and device claims you must create to deploy your policies
How Does Access Check Work When DAC Is in Use

[Diagram: sources consulted during an access check]
• Share security descriptor: share permissions
• File/folder security descriptor: NTFS file system permissions and a central access policy reference
• AD DS (cached in the local registry): cached central access policy definition and its cached central access rules

The access control decision is calculated by using the following checks:
1. Access check – Share permissions, if applicable
2. Access check – File permissions
3. Access check – Every matching central access rule in the central access policy
Managing and Monitoring DAC

• DAC allows you to test a central access policy update by staging it
• Windows Server 2012 staging:
  • Is implemented by deploying proposed permissions
  • Compares the proposed permissions against the current permissions
  • Causes audit-log events to appear in the security log on the file server

Current central access policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company=Contoso

Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company=Contoso) AND (@User.Clearance=High)

Sample Staging Event (4818)
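The staging comparison on this slide, as an added example (not course material): the current and proposed ACLs are attached to one rule, auditing of staging is switched on, and the resulting 4818 events are read back. The rule name and the claim type IDs ad://ext/Company and ad://ext/Clearance are assumptions.

```powershell
# Added example (not from the course): stage the tighter policy from the slide
# as a proposed ACL and read the 4818 staging events it produces.
# Assumes claim types ad://ext/Company and ad://ext/Clearance and the enabled
# predefined Impact_MS resource property; the rule name is constructed.
Import-Module ActiveDirectory

# Current policy: Full Control if @User.Company = Contoso
$current  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            '(XA;;FA;;;AU;(@USER.ad://ext/Company == "Contoso"))'
# Staging policy: additionally require @User.Clearance = High
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            '(XA;;FA;;;AU;((@USER.ad://ext/Company == "Contoso") && ' +
            '(@USER.ad://ext/Clearance == "High")))'

# -ProposedAcl is evaluated alongside -CurrentAcl but never enforced.
New-ADCentralAccessRule -Name "High Impact Company Rule" `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl $current -ProposedAcl $proposed

# On the file server: staging events are only written when the Object Access
# subcategory "Central Access Policy Staging" is audited.
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

# Each access where the proposed result differs from the current result logs
# event 4818 in the Security log; list who would have been affected and on what.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
            Object  = ($x.Event.EventData.Data | Where-Object Name -eq 'ObjectName').'#text'
        }
    }
```

A user with Company=Contoso but without Clearance=High who opens a high impact file keeps access under the current policy and appears in a 4818 event, which is the signal to review before promoting the proposed ACL to the current one.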
Lesson 4: Implementing Access Denied Assistance

• What Is Access Denied Assistance?
• Configuring Access Denied Assistance
• Demonstration: Implementing Access Denied Assistance
What Is Access Denied Assistance?

• Users try to access a file or folder on a remote file server and they receive an access-denied error.
• In Windows Server 2012, the Access Denied Assistance feature helps users respond to access-denied issues without involving IT staff. It does this by providing information to users about the problem, and by directing them to the proper person.
• In the Windows 8 operating system, Access Denied Assistance helps users to notify administrators when they are unable to access a resource. It allows IT staff to properly diagnose a problem, and then to implement a resolution
What Is Access Denied Assistance?

[Diagram: user, file server, data owner]
On the file server:
• Specify troubleshooting text for access denied
• Specify the owner's email for the share or folder
Access attempt:
• User is denied access and sees the troubleshooting text or device-state troubleshooting
• User can request access via email
Data owner or help desk:
• Owner receives the user's request
• Uses the effective permissions UI to decide appropriate actions
• Can forward the request to an IT admin
Configuring Access Denied Assistance

• When implementing Access Denied Assistance:
  • Define messages that users will receive when they attempt to access resources
  • Determine whether users should be able to send a request for access
  • Determine recipients for the access-request email messages
  • Consider target operating systems
  • Use Group Policy to enable and configure Access Denied Assistance
  • Decide about the method for remediation
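The server-side part of these steps, as an added example (not course material) using the FSRM module: the message, whether requests are allowed, the recipients, and the per-folder owner address. Messages, the folder path and all e-mail addresses are constructed.

```powershell
# Added example (not from the course): configure Access Denied Assistance on a
# file server and set the folder owner e-mail that requests are routed to.
# Messages, path and addresses are constructed for illustration.
Import-Module FileServerResourceManager

# Troubleshooting text the user sees, whether they may request access, and
# who receives the request (folder owner, with the FSRM admin in copy).
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage "You do not have access to this folder. Click Request assistance to contact the data owner." `
    -EmailMessage "Access request generated by Access Denied Assistance." `
    -AllowRequests $true `
    -MailToOwner $true `
    -MailCCAdmin $true

# Per-folder owner: the "Folder Owner Email" management property is what
# Access Denied Assistance uses as the request recipient for that folder.
Set-FsrmMgmtProperty -Namespace "D:\Finance" -Name "FolderOwnerEmail_MS" `
    -Value "finance-owner@contoso.com"

# Requests go out through the FSRM SMTP settings, so those must be configured too.
Set-FsrmSetting -SmtpServer "smtp.contoso.com" `
    -AdminEmailAddress "fsadmin@contoso.com" -FromEmailAddress "fsrm@contoso.com"

# Verify both settings.
Get-FsrmAdrSetting -Event AccessDenied
Get-FsrmMgmtProperty -Namespace "D:\Finance" -Name "FolderOwnerEmail_MS"
```

Clients show the message only when the Group Policy setting "Enable access-denied assistance on client for all file types" (Computer Configuration > Policies > Administrative Templates > System > Access-Denied Assistance) is enabled, which is the Group Policy step in the list above.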
Lesson 5: Implementing and Managing Work Folders

• What Are Work Folders?
• Configuring Work Folders
• Demonstration: Implementing Work Folders
What Are Work Folders?

• Work Folders enable users to access business data securely at any location and on any device
• Work Folders are managed by administrators
• Currently supported on Windows 8.1 devices, and support also is planned for iOS-based devices
• Administrators can manage data and a user's connections to Work Folders.
• The administrator can enforce the encryption of Work Folders and can control which users can use this functionality.
• The administrator also can enforce some security settings on the device that uses Work Folders, even if it is not a domain member
Configuring Work Folders

To use Work Folders, you should:

• Have at least one Windows Server 2012 R2 file server
• Have at least one Windows Server 2012 R2 domain controller
• Install the Work Folders functionality on the file server
• Provision a share where users' data will be stored
• Run the New Sync Share Wizard to create the Work Folders structure
• Configure clients to use Work Folders by using Group Policy or manually
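The server-side steps of this list, as an added example (not course material) run on a Windows Server 2012 R2 file server. The feature name is the real FS-SyncShareService; the path, security group and sync share name are constructed.

```powershell
# Added example (not from the course): install Work Folders and create a sync
# share that enforces the device security settings the previous slide mentions.
# Path, group and share name are constructed for illustration.

# Step: install the Work Folders functionality on the file server.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# Step: provision the folder that will hold users' data (one subfolder per user).
New-Item -Path "D:\WorkFolders" -ItemType Directory -Force | Out-Null

# Step: create the sync share (equivalent of the New Sync Share Wizard).
#   -User                    only members of this group may use the share
#   -RequireEncryption       the local copy on the device is encrypted
#   -RequirePasswordAutoLock the device must enforce a lock screen password
New-SyncShare -Name "CorpWorkFolders" -Path "D:\WorkFolders" `
    -User "CONTOSO\WorkFoldersUsers" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Verify the share and the policies it enforces on devices.
Get-SyncShare -Name "CorpWorkFolders" |
    Select-Object Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

Clients are then pointed at the server with the "Specify Work Folders settings" policy (User Configuration > Administrative Templates > Windows Components > Work Folders) or manually through the Work Folders control panel, as the last step says; the server also needs an HTTPS certificate bound for the client connections.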
