
The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz

Part 2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
http://goo.gl/dRHro

Part 3: http://autodiscover.wordpress.com/2012/09/10/the-new-file-serverpart3-using-file-classification-adrms-microsoft-winserv-2012-mvpbuzz/
http://goo.gl/A4JlC

I am so excited about the new Windows Server 2012: a lot of nice features and a lot of enhancements, but one particular enhancement I am especially interested in is around file servers.

For years, file servers have been the same: a normal share that resides on the server and is accessed by users. That is what they are and what they do; there was nothing new to introduce.

But with the recent increase in security demands, the huge need for DLP (data leak prevention), and the belief that most leaks come from employees rather than from hackers or intruders, companies kept looking for ways to enhance their file servers.

The question nowadays is not only who is accessing the files; it is about auditing that access, continuously enforcing and controlling it, and additionally knowing what is on the share, what sort of data is inside, and from where it is accessed.

Let us take a normal example: a file share located on the corporate network. In the old days, control was enforced only by share and NTFS permissions, but there are some catches:

  • If the user has permission to access the file share, he can access it from everywhere: from a kiosk in a hotel, from his iPad or tablet device, without any control. As long as the permissions give him access to the data, he can access it from anywhere (provided there is remote access).
  • If he has access to the share, does that mean he is allowed to access all the data within the share? For example, a share created for the R&D team contains all the R&D files, but not all R&D team members have the same level of access. If a confidential file is mistakenly placed on the share, every user who has access to the share can see the confidential data. Although users should be aware of data confidentiality, the company must be able to continuously control access on the data files themselves, without worrying about the human mistakes that do happen. This is a big portion of the DLP controls.
  • Controlling access using groups alone is really tricky. More often than not, groups are created to reflect access criteria, so we have a group for Egypt's accountants, another group for Qatar's accountants, a third group for Egypt's accountants with access to confidential data, and so on. The group count can grow to thousands and thousands of groups to reflect the needed levels of access.

Windows Server 2012 comes with a lot of handy features that we will explore in this blog series: access conditions, data classification, Dynamic Access Control and Rights Management enforcement.

In Part 1, we will explore the new permission entry wizard and the new device conditions in Windows Server 2012.

(My lab setup contains only one domain controller and one file server, both running Windows Server 2012 ENT Edition.)

NTFS permissions and the new device rules:

I now have a normal file share that is shared with the Finance Admin group:

[screenshot]

This is a normal group that has been created in AD and contains one user account (Finance User) who is a finance admin. He has read-only permissions; this is what we have been doing for the past 20 years.

Now the company wants him to access the share only from a specific group of computers. (For the sake of this blog we will use a normal group; in Part 3 we will talk about claims-based authentication, where we will be able to query device claims on the fly for more properties and control access dynamically.)

So I created a group and placed Finance User1's computer in it (in this case the file server). This means that if he logs on from the DC and opens that file share, he will not be able to access it. Let us see how:

If we go to the Security properties and then Advanced, we can see the FinanceAdmin Read & execute permission entry. If we click Edit:

[screenshot]

we will see the new permission entry wizard:

[screenshot]

The wizard has been enhanced for more usability and control over the process, and it has a new section called Conditions. Let us explore this condition section.

If you click Add a condition, you get a new condition line to control the access:

[screenshot]

Now we can place conditions on the user who is accessing, the resource he is trying to access, or the device he is accessing from. Let us create a condition that grants the user access only from a specific device. For now, the device can only be queried for its group membership; in a later blog post we will see how to query more properties using claims. We can select "Member of any", "Member of each" or "Not member of" for specific groups; I will use "Member of any" with my specific group:

[screenshot]

My rule controls access based on AllowedFinancePCs, which contains the computers from which the FinanceAdmin group may access the files. Its members can log on to any device in the corporate network, but they can only access the files if they use one of those specific devices to do it. Sweeeeeeeet!

[screenshot]

Now the final security permissions look like this:

[screenshot]
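The same rule can be created without the wizard, which also answers the Set-Acl question in the comments. The script below is an added example and not code from the original post: it expresses the "FinanceAdmin: Read & execute, only when the device is a member of AllowedFinancePCs" entry as a conditional (XA) ACE in SDDL, applies it with Set-Acl, and reads it back. The share path and the CONTOSO domain name are assumptions; the two group names come from the post. icacls has no syntax for conditions, so SDDL is the way to script this.

```powershell
# Added example, not code from the original post. Assumed: share path and the
# CONTOSO domain; group names FinanceAdmin and AllowedFinancePCs are from the post.
param(
    [string]$Path        = 'D:\Shares\Finance',          # assumed
    [string]$UserGroup   = 'CONTOSO\FinanceAdmin',       # domain assumed
    [string]$DeviceGroup = 'CONTOSO\AllowedFinancePCs'   # domain assumed
)

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # DOMAIN\Name -> SID string. Throws if the account does not exist, which is
    # what we want: a typo here must not silently turn into a different rule.
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function New-DeviceConditionalAce {
    param(
        [Parameter(Mandatory)][string]$UserSid,
        [Parameter(Mandatory)][string]$DeviceSid,
        [string]$Rights = '0x1200a9'   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE = "Read & execute"
    )
    # XA   = callback (conditional) access-allowed ACE
    # OICI = object inherit + container inherit ("This folder, subfolders and files")
    # Device_Member_of_Any {SID(...)} is the SDDL spelling of the wizard's
    # Device / Group / Member of any condition.
    "(XA;OICI;$Rights;;;$UserSid;(Device_Member_of_Any {SID($DeviceSid)}))"
}

function Set-DeviceRestrictedRead {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserGroup,
        [Parameter(Mandatory)][string]$DeviceGroup
    )
    $userSid   = Get-AccountSid $UserGroup
    $deviceSid = Get-AccountSid $DeviceGroup
    $acl  = Get-Acl -Path $Path
    $sddl = $acl.Sddl

    # Remove any plain (unconditional) explicit allow ACE for the user group,
    # so the device condition becomes the only way in rather than an extra path.
    $sddl = $sddl -replace "\(A;[^;]*;[^;]*;[^;]*;[^;]*;$userSid\)", ''

    # The DACL precedes the optional SACL ("S:") section: insert the new ACE at
    # the end of the DACL, never after the SACL.
    $ace = New-DeviceConditionalAce -UserSid $userSid -DeviceSid $deviceSid
    $saclStart = $sddl.IndexOf('S:')
    if ($saclStart -ge 0) {
        $sddl = $sddl.Substring(0, $saclStart) + $ace + $sddl.Substring($saclStart)
    } else {
        $sddl += $ace
    }

    $acl.SetSecurityDescriptorSddlForm($sddl)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ConditionalAce {
    param([Parameter(Mandatory)][string]$Path)
    # Report every XA ACE with its trustee, flags, rights and condition.
    # Field order: (type;flags;rights;object_guid;inherit_guid;sid;(condition))
    $pattern = '\(XA;([^;]*);([^;]*);[^;]*;[^;]*;([^;]+);\((.+?)\)\)'
    foreach ($m in [regex]::Matches((Get-Acl -Path $Path).Sddl, $pattern)) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $m.Groups[3].Value
        [pscustomobject]@{
            Trustee   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            Flags     = $m.Groups[1].Value
            Rights    = $m.Groups[2].Value
            Condition = $m.Groups[4].Value
        }
    }
}

Set-DeviceRestrictedRead -Path $Path -UserGroup $UserGroup -DeviceGroup $DeviceGroup
Get-ConditionalAce -Path $Path | Format-Table -AutoSize
```

Run it on the file server with an account that has Full control (or ownership) on the folder. The read-back step is the check worth keeping: after any change through the GUI or a script, confirm that the only entry for FinanceAdmin is the XA one, because a leftover unconditional allow ACE (explicit or inherited from the parent) would make the device condition meaningless.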

Now let us try it:

I logged on locally to the file server; when I try to access the file I can't, although I have the permission and logged on locally, because I am not using an authorized machine to do it:

[screenshot]

If we examine the permissions with Effective Access and the user tries to log in from the 2008DC machine, he has no permissions:

[screenshot]

But if he tries from another machine in the AllowedFinancePCs group, he has read permissions:

[screenshot]
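The Effective Access tab can simulate a device, but at run time the file server only learns a remote device's group SIDs from a Kerberos service ticket issued with compound authentication. That needs "KDC support for claims, compound authentication and Kerberos armoring" enabled on the domain controllers, "Kerberos client support for claims, compound authentication and Kerberos armoring" on the client, and "Support compound authentication" on the file server, which marks the file server's computer account as compound-identity capable in msDS-SupportedEncryptionTypes. An NTLM session never carries device groups, so the condition fails closed for it. The script below is an added example, not from the original post, that decodes that attribute for the file server; the flag values are from MS-KILE section 2.2.7, the server name is an assumption, and it needs the ActiveDirectory module (RSAT / AD DS tools).

```powershell
# Added example, not code from the original post. Assumed: file server name
# FS01; flag values are from MS-KILE 2.2.7 (msDS-SupportedEncryptionTypes).
Import-Module ActiveDirectory

$SupportedEncTypeFlags = [ordered]@{
    0x00001 = 'DES_CBC_CRC'
    0x00002 = 'DES_CBC_MD5'
    0x00004 = 'RC4_HMAC_MD5'
    0x00008 = 'AES128_CTS_HMAC_SHA1_96'
    0x00010 = 'AES256_CTS_HMAC_SHA1_96'
    0x10000 = 'FAST_supported'
    0x20000 = 'Compound_identity_supported'
    0x40000 = 'Claims_supported'
}

function ConvertFrom-SupportedEncTypes {
    param([int]$Value)
    # Decode the bitmask into flag names; bits not in the table are reported
    # as hex rather than dropped, so nothing is hidden from the reader.
    $known = 0
    foreach ($bit in $SupportedEncTypeFlags.Keys) {
        if ($Value -band $bit) {
            $SupportedEncTypeFlags[$bit]
            $known = $known -bor $bit
        }
    }
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { 'Unknown_0x{0:x}' -f $unknown }
}

function Test-CompoundIdentitySupport {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties 'msDS-SupportedEncryptionTypes'
    $v = [int]($c.'msDS-SupportedEncryptionTypes')   # $null (never set) decodes as 0
    [pscustomobject]@{
        Computer         = $c.Name
        SupportedEncType = '0x{0:x}' -f $v
        Flags            = (ConvertFrom-SupportedEncTypes $v) -join ', '
        # Must be True on the file server for Device_Member_of_Any to ever match
        # over the network; if False, enable "Support compound authentication"
        # on the file server and restart it (or run "klist purge" on the client
        # so a fresh service ticket is requested).
        CompoundIdentity = [bool]($v -band 0x20000)
        Claims           = [bool]($v -band 0x40000)
    }
}

Test-CompoundIdentitySupport -ComputerName 'FS01' | Format-List
```

Run it on the DC or from any machine with the AD module. If CompoundIdentity comes back False, fix the policies first; re-testing the ACE before that only produces the "no permissions" result regardless of which device the user sits at.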

Note: During my lab I tried the above setup and it didn't work. Although conditions worked correctly for users, it looks like something needs to be enabled or configured in a specific way. I am pinging Microsoft folks, and when I reach a solution I will update this blog.


In this lab we have explored the new options for setting access permissions; they are very powerful for controlling who can access the data and from where.

In the next blog we will see the power of data classification in Windows Server 2012. Stay tuned.

  1. Manikandan
    October 8, 2012 at 3:59 pm | #1

    Dear Busbar,
    Please help. I could not see the Central Policy tab in shared folder right-click Properties -> Security -> Advanced. How can I see this tab? Are there any changes I need to make on my file server?

    • October 9, 2012 at 5:23 pm | #2

      Can you post a snapshot? Also, are you sure that you installed the file server features and roles?

  2. Denis Beuermann
    March 15, 2013 at 2:04 pm | #3

    Hi Busbar,
    I am looking for a way to set the conditions with PowerShell. I know it is possible to use "Set-Acl" to set ACLs, but how can I place a condition?

    Kind regards

    Denis

    • March 15, 2013 at 2:27 pm | #4

      Interesting question, let me check it and get back to you.
