The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
I am so excited about the new Windows Server 2012. It has a lot of nice features and enhancements, but the one I am particularly interested in is around file servers.
For years, file servers have been the same: a normal share that resides on the server and is accessed by users. That is what they are and what they do, with nothing new to introduce.
But with the recent increase in security demands, the huge need for DLP (data leak prevention), and the belief that most leaks come from employees rather than from hackers or intruders, companies kept looking to enhance their file servers.
The question nowadays is not about who is accessing the files; it is about auditing that access, continuously enforcing and controlling it, and additionally knowing what is on the share, what sort of data is inside, and from where it is accessed.
Let us take a normal example: a file share is located on the corporate network. In the old days, control was enforced only by the file share and NTFS permissions, but there are some catches:
- If the user has permission to access the file share, he can access it from everywhere: from a kiosk in a hotel, or from his iPad or tablet device, without any control. As long as his permissions give him access to the data, he can access it from anywhere (provided that there is remote access).
- If he gets access to the share, does that mean he is allowed to access all the data within it? For example, a share created for the R&D team contains all the R&D files, but not all R&D team members have the same level of access. If a confidential file is mistakenly placed on the share, every user who has access to the share can see the confidential data. Users should be aware of data confidentiality, but the company must be able to continuously control access on the data files themselves without worrying about human mistakes, which do happen; this is a big portion of the DLP controls.
- Controlling access properties using groups is really tricky. More often than not, groups are created to reflect access criteria, so we have a group for Egypt's accountants, another group for Qatar's accountants, a third group for Egypt's accountants with confidential data, etc., and the group count can grow to thousands and thousands of groups to reflect the needed levels of access.
Windows Server 2012 comes with a lot of handy features that we will explore in this blog series, talking about Access Conditions, Data Classification, Dynamic Access Controls and Rights Management enforcement.
In Part1, we will explore the new security permissions wizard and the new device permissions in Windows Server 2012.
(My lab setup contains only 1 Domain Controller and 1 file Server both running Windows Server 2012 ENT Edition).
NTFS permissions and the new Device Rules:
I now have a normal file share that is shared with the finance admin group:
This is a normal group that has been created in AD and contains one user account (Finance User), who is a finance admin. He has read-only access permissions; this is what we have been doing for the past 20 years.
Now the company wants him to access the share only from a specific group of computers. (For the sake of this blog we will use a normal group; in part 3 we will talk about claims-based authentication, where we will be able to query the device claims on the fly for more properties and control access dynamically.)
I created a group and placed Finance User1's computer in it (in this case the File Server). This means that if he logs on from the DC and opens that file share, he will not be able to access it. Let us see how:
If we go to the Security properties and the advanced share permissions, we can see the FinanceAdmin read and execute permissions. If we click Edit:
We will see the new security permission wizard:
The wizard has been enhanced for more usability and control over the process, and it has a new section called conditions. Let us explore this conditions section.
If you click Add a Condition, you will get a new condition line to control the access:
Now we can place conditions on the user who is accessing, the resource he is trying to access, or the device he is accessing from. Let us create a condition to give the user access from a specific device. For now the device can only be queried about its group membership; in a later blog post we will see how to query for more properties using claims. We can select whether it is a member of any, a member of each, or not a member of specific groups. I will use "any" and specify my group:
My rule will control the access based on the AllowedFinancePCs group, which contains the computers that the FinanceAdmin group can use to access the files. They can log in to any device in the corporate network but can only access the files if they use specific devices to do so. "Sweeeeeeeet"
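The same rule can be expressed as a conditional (callback) ACE in SDDL and applied from PowerShell. This is an added example, not code from the original post: the folder path and the CONTOSO domain prefix are placeholders, and it assumes the FinanceAdmin ACE is set explicitly on the folder and that compound authentication is in effect so the device's group SIDs reach the file server.

```powershell
# Added example. Placeholders (not from the post): $Path and the CONTOSO prefix.
# Group names FinanceAdmin and AllowedFinancePCs are the ones used in the post.
$Path        = 'D:\Shares\Finance'
$UserGroup   = 'CONTOSO\FinanceAdmin'
$DeviceGroup = 'CONTOSO\AllowedFinancePCs'

function Get-Sid([string]$Account) {
    # Resolve an account name to its SID string (S-1-5-21-...)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Add-DeviceCondition([string]$Sddl, [string]$UserSid, [string]$DeviceSid) {
    # Rewrite the group's explicit allow ACE "(A;flags;rights;;;SID)" as a
    # conditional allow ACE "(XA;flags;rights;;;SID;(condition))" in place,
    # so ACE order, inheritance flags and rights stay exactly as they were.
    # Inherited ACEs (flags containing ID) are left alone.
    $pattern   = '\(A;(?![^;]*ID)([^;]*);([^;]*);;;' + [regex]::Escape($UserSid) + '\)'
    $condition = "(Device_Member_of_Any {SID($DeviceSid)})"
    $rewritten = [regex]::Replace($Sddl, $pattern,
        '(XA;$1;$2;;;' + $UserSid + ';' + $condition + ')')
    if ($rewritten -eq $Sddl) { throw "No explicit allow ACE found for $UserSid" }
    $rewritten
}

$acl = Get-Acl -LiteralPath $Path
$old = $acl.GetSecurityDescriptorSddlForm('Access')
$new = Add-DeviceCondition $old (Get-Sid $UserGroup) (Get-Sid $DeviceGroup)
$acl.SetSecurityDescriptorSddlForm($new, 'Access')
Set-Acl -LiteralPath $Path -AclObject $acl

# Read the DACL back and list every conditional ACE now on the folder.
$check = (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm('Access')
[regex]::Matches($check, '\(X[AD];.*?\)\)') | ForEach-Object { $_.Value }
```

Keep the `$old` SDDL string somewhere safe before applying the change; passing it back to `SetSecurityDescriptorSddlForm` restores the previous DACL.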
Now, the final security permissions will look like this:
Now let us try it:
I logged on locally to the file server. When I try to access the file I can't, although I have the permission and logged in locally, because I am not using the authorized machine to do that:
If we examine the permissions using the effective permissions, we see that if the user tries to log in from the 2008DC machine he will have no permissions:
But if he tries from another machine from the allowedFinancePC group, he will have read permissions:
Note: During my lab I tried the above setup and it didn't work, although conditions worked correctly for users. It looks like something needs to be enabled or configured in a specific way. I am pinging Microsoft folks, and when I reach a solution I will update this blog.
In this lab we have explored the new options for setting access permissions. This is a very powerful way of controlling who can access the data and from where.
In the next blog we will see the power of data classification in Windows Server 2012, Stay Tuned.
Dear Busbar,
Please help, I could not see the Central Policy tab in shared folders right click properties -> Security -> Advanced. How can I see this tab? Are there any changes I need to do in my file server?
Can you post a snapshot? Also, are you sure that you installed the file server features and roles?
Hi Busbar,
I look for a way to set the conditions with powershell. I know it is possible to use “set-acl” to set acl’s. But how can I place a condition?
Kind regards
Denis
Interesting question, let me check it and get back to you