Microsoft Official Course
®
Module 11
Implementing Secure Shared File
Access
Module Overview
• Overview of DAC
• Implementing DAC Components
• Implementing DAC for Access Control
• Implementing Access Denied Assistance
• Implementing and Managing Work Folders
• Implementing Workplace Join
Lesson 1: Overview of DAC
• Limitations of Current Access Management
Methods
• What Is DAC?
• What Are Claims?
• What Are Resource Properties?
• Accessing Resources with DAC
• Requirements for DAC Implementation
Limitations of Current Access Management Methods
• NTFS file system permissions and ACLs provide
access control that is based on a user’s SID or
group membership SID
• AD RMS provides greater protection for
documents by controlling how applications use
them, and also works with user or group SID
• NTFS file system permissions cannot use AND
between conditions
• In NTFS file system permissions, you cannot build
your own conditions for access control
What Is DAC?
• DAC in Windows Server 2012 is a new access
control mechanism for file system resources.
• DAC uses claims in the authentication token,
resource properties on the resource, and
conditional expressions within permission and
auditing entries
• DAC is designed for four scenarios:
•
Central access policy for managing access to files
•
Auditing for compliance and analysis
•
Protecting sensitive information
•
Access-denied remediation
What Are Claims?
• The claim is something that AD DS states about a
specific object
• In the DAC infrastructure, claims are defined by
using specific attributes from a user or device
• In Windows Server 2012, the authorization
mechanism is extended to support conditional
expressions that include claims
• In Windows Server 2012, you can create:
•
•
User claims
Device claims
What Are Resource Properties?
• Resource Properties define attributes of the
resource that you want to use
• Resource Properties are grouped in Resource
Property lists
• When creating a Resource Property, you can
specify the property type and the allowed or
suggested values
Accessing Resources with DAC
Claim type
Display name
Source
NT access token
Suggested
values
Contoso\Alice
User
Groups:….
Value type
Claims:
Title=SDE
Enable domain
to issue claims
User attempts to logon
Kerberos Ticket
Receives a Kerberos ticket
Contoso\Alice
User
Groups:….
Claims: Title=SDE
Requirements for DAC Implementation
To implement DAC, you need to have:
• Windows Server 2012 or newer with the FSRM
• Update AD DS schema, or at least one Windows
Server 2012 domain controller
• Windows 8 or newer later on clients to use device
claims
• Enabled support for DAC in AD DS (default domain
controllers GPO)
Lesson 2: Implementing DAC Components
• Creating and Managing Claims
• Creating and Managing Resource Properties and
Resource Property Lists
• Creating and Managing Access Control Rules
• Creating and Managing Access Policies
• Demonstration: Configuring Claims, Resource
Properties, and Rules
• Implementing and Managing File Classifications
• Demonstration: Configuring Classification Rules
Creating and Managing Claims
• Use the Active Directory Administrative Center to
create attribute-based claims
• Use the Active Directory module for Windows
PowerShell to create certificate-based claims
• Claims are stored within the configuration
partition in AD DS
• Attributes are used to source values for claims
• Make sure that you configure attributes for your
computer and user accounts in AD DS with the
information that is correct for respective user or
computer
Creating and Managing Resource Properties and
Resource Property Lists
• Resource Properties describe resources that you
protect with DAC
• Several Resource Properties are already predefined
in Windows Server 2012
• All predefined Resource Properties are disabled
• When creating a new Resource Property, you have
to set its name, and value type
• In Windows Server 2012 R2, you also can create
Reference Resource Properties
• Resource Properties are grouped in Resource
Property Lists
Creating and Managing Access Control Rules
• A Central Access Rule, contains one or multiple
criteria that the Windows operating system uses
when evaluating access
• You create and configure central access rules in
the Active Directory Administrative Center
• To create a new central access rule you should:
•
Provide a name and description for the rule
•
Configure the target resources
•
Configure permissions
Creating and Managing Access Policies
• Central access policies enable you to manage and
deploy consistent authorization throughout an
organization
• The main component of a central access policy is
a central access rule
• Central access policies act as a security net that an
organization applies across its servers
• Group Policy is used to deploy a central access
policy
• Manually apply the policies to all Windows Server
2012 file servers
Demonstration: Configuring Claims, Resource
Properties, and Rules
In this demonstration, you will learn how to
configure claims, resource properties, and access
rules
Implementing and Managing File Classifications
• Resource Property
definitions are defined in
AD DS
• Resource Property
definitions can be used
during file classifications
• File classifications can be
run automatically
Demonstration: Configuring Classification Rules
In this demonstration, you will learn how to classify
files by using a file classification mechanism
Lesson 3: Implementing DAC for Access Control
• Planning Central Access Policies for File Servers
• Demonstration: Creating and Deploying Central
Access Policies
• How Does Access Check Work When DAC Is in
Use?
• Managing and Monitoring DAC
• Demonstration: Evaluating and Managing DAC
Planning Central Access Policies for File Servers
When planning deployment of central access
policies, you should:
• Identify the resources that you want to protect
• Define the authorization policies
• Translate the authorization policies that you require
into expressions
• Identify attributes for access filtering
Demonstration: Creating and Deploying Central
Access Policies
In this demonstration, your instructor will show you
how to create and deploy central access policy
How Does Access Check Work When DAC Is in Use?
Share
security descriptor
Share permissions
File/Folder
security descriptor
Central access policy
reference
NTFS file system
permissions
Active Directory
(cached in local registry)
Cached central access policy definition
Cached central access rule
Cached central access rule
Cached central access rule
Access control decision
1. Access check – Share permissions if applicable
2. Access check – File permissions
3. Access check – Every matching central access rule in central access policy
Managing and Monitoring DAC
• DAC allows you to test a central access policy update by
staging it
• Windows Server 2012 staging:
•
•
•
Is implemented by deploying proposed permissions
Compares the proposed permissions against the current
permissions
Causes audit-log events to appear in the security log on the file
server
Current Central Access policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company=Contoso
Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company=Contoso) AND
(@User.Clearance =High)
Demonstration: Evaluating and Managing DAC
In this demonstration, you will learn how to
evaluate and manage DAC
Lesson 4: Implementing Access Denied Assistance
• What Is Access Denied Assistance?
• Configuring Access Denied Assistance
• Demonstration: Implementing Access Denied
Assistance
What Is Access Denied Assistance?
On file server:
• Specify troubleshooting text for
access denied
• Specify owner’s email for share or
folder
Data Owner
User
Access attempt:
• User is denied access, sees
troubleshooting text or devicestate troubleshooting
• User can request access via email
Data owner or helpdesk:
• Owner receives user’s request
• Use effective permissions UI to
decide appropriate actions
• Can forward request to IT admin
File Server
Configuring Access Denied Assistance
• When implementing Access Denied Assistance:
• Define messages that users will receive when they
attempt to access resources
• Determine whether users should be able to send a
request for access
• Determine recipients for the access-request email
messages
• Consider target operating systems
• Use Group Policy to enable and configure Access
Denied Assistance
• Decide about the method for remediation
Demonstration: Implementing Access Denied
Assistance
In this demonstration, your instructor will show you
how to configure and implement Access Denied
Assistance
Lesson 5: Implementing and Managing Work Folders
• What Are Work Folders?
• Configuring Work Folders
• Demonstration: Implementing Work Folders
What Are Work Folders?
• Work Folders enable users to access business data
securely at any location and on any device
• Work Folders are managed by administrators
• Currently supported on Windows 8.1 devices, and
support also is planned for iOS-based devices
Configuring Work Folders
To use Work Folders, you should:
•
Have at least one Windows Server 2012 R2 file server
•
Have at least one Windows Server 2012 R2 domain
controller
•
Install Work Folders functionality on file server
•
Provision a share where users’ data will be stored
•
Run New Sync Share Wizard to create Work Folders
structure
•
Configure clients to use Work Folders by using Group
Policy or manually
Demonstration: Implementing Work Folders
In this demonstration, you will learn how to
implement Work Folders
Lesson 6: Implementing Workplace Join
• Scenarios for Using Workplace Join
• How Workplace Join Works
• Configuring Workplace Join
• Registering and Enrolling Devices
Scenarios for Using Workplace Join
• BYOD concept allows users to use their private
devices to do their work
• Connecting non-domain, non-managed devices to
company networks and resources can pose a
security risk
• Technology is needed to provide users with
flexibility while maintaining security
• Windows Server 2012 R2 provides Workplace Join
technology
How Workplace Join Works
• Workplace Joined devices become known devices to
AD DS
• Known devices store a subset of their attributes in AD DS
• Device Registration Service provisions a device object in
AD DS and issues a certificate to known devices
• Users on known devices have an SSO experience
• Windows Server 2012 R2 with AD FS role service is needed
• Windows 8.1 client operating system or iOS-based devices
are supported
• DRS can be published externally by using Web Application
Proxy
Configuring Workplace Join
To enable Workplace Join, you need to:
•
Create the appropriate Group Managed Service account
•
Install and configure the AD FS role service
•
Enable DRS
•
Enable device authentication in AD FS
•
Install an SSL certificate on the federation server
•
Create the appropriate records in your DNS
Registering and Enrolling Devices
• To enroll a device in the Workplace-Join process,
ensure following:
•
The device trusts the certificate on the federation server
•
The device can access at least one certificate revocation
list distribution point
•
Record enterpriseregistration is accessible by the device
being Workplace-Joined
• On Windows 8.1, use the Workplace option
• On iOS-based devices, use web-based enrollment
with profile installation
Lab: Implementing Secure File Access
• Exercise 1: Preparing for DAC Deployment
• Exercise 2: Implementing DAC
• Exercise 3: Validating and Remediating DAC
• Exercise 4: Implementing Work Folders
Logon Information
Virtual machines:
User name:
Password:
10969A-LON-DC1
10969A-LON-DC2
10969A-LON-SVR1
10969A-LON-SVR2
10969A-LON-CL1
10969A-LON-CL2
Adatum\Administrator
Pa$$w0rd
Estimated Time: 110 minutes
Lab Scenario
You are working as an administrator at A. Datum Corporation. The company has a wide
and complex file server infrastructure. It manages access control to folder shares by
using NTFS file system ACLs, but in some cases, that approach does not provide the
desired results.
Most of the files used by departments are stored in shared folders dedicated to specific
departments, but confidential documents sometimes appear in other shared folders.
Only members of the Research team should be able to access Research team folders,
and only Executive department managers should be able to access highly confidential
documents.
The Security department also is concerned that managers are accessing files by using
their home computers, which might not be highly secure. Therefore, you must create a
plan for securing documents regardless of where they are located, and you must ensure
that documents can be accessed from authorized computers only. Authorized computers
for managers are members of the security group ManagersWks.
The Support department reports that a high number of calls are generated by users who
cannot access resources. You must implement a feature that helps users understand
error messages better and will enable them to request access automatically.
Quite a few users use personal devices such as tablets and laptops to work from home
and at work. You have to provide them with an efficient way to synchronize business
data on all the devices that they use.
Lab Review
• How do file classifications enhance the usage of
DAC?
• Can you implement DAC without Central Access
Policy?
Module Review and Takeaways
• Review Questions
• Tools
• Best Practice
• Common Issues and Troubleshooting Tips