Configuring Dynamic Access Controls and File Classification-Part4-#winservr 2012 #DAC #microsoft #mvpbuzz
In previous parts we have walked through the new file server features and permissions wizard, Data Classification, AD RMS installation and File Classification and AD RMS integration, in the final part of this series we will take about how to implement a new feature of Active Directory called claim based authentication and utilize it for something called Dynamic Access Control.
but wait a minute, what is the claim based authentication, from this reference: http://www.windowsecurity.com/articles/First-Look-Dynamic-Access-Control-Windows-Server-2012.html
Claims-based authentication relies on a trusted identity provider. The identity provider authenticates the user, rather than every application doing so. The identity provider issues a token to the user, which the user then presents to the application as proof of identity. Identity is based on a set of information that, taken together, identifies a particular entity (such as a user or computer). Each piece of information is referred to as a claim. These claims are contained in the token. The token as a whole has the digital signature of the identity provider to verify the authenticity of the information it contains.
Windows Server 2012 turns claims into Active Directory attributes. These claims can be assigned to users or devices, using the Active Directory Administrative Center (ADAC). The identity provider is the Security Token Service (STS). The claims are stored inside the Kerberos ticket along with the user’s security identifier (SID) and group memberships.
Once the data has been identified and tagged – either automatically, manually or by the application – and the claims tokens have been issued, the centralized policies that you’ve created come into play.
Now you can turn user’s attribute whatever they are, into security controls, now we have the power to control the access to files and set the permissions to files using attributes, we no longer controlled by group permissions only.
With that in mind, you can set the permissions on the files based on department attributes, connecting machine, location or any other attribute in Active Directory and you don’t have to create specific groups for that, also the permissions will be set on the fly, not only that, but you can set the permissions not based on the user’s properties but also based on the device the user is using, you can set the permissions to full control from corporate devices, but readonly from kiosk or non-corporate devices.
Not only that, but you can also include the attributes of the resources that is being accessed in the permissions equation, so you want “on the fly” to examine the resource classification and allow only specific users with specific attributes to access the resource (so files classified of country classification “Egypt” will be accessed by only users who are in country “Egypt” for example).
Dynamic Access Control (DAC) is a new era for permissions, I am blown by the power of DAC and how flexible it is, mixed with AD RMS you can have ultimate control on data within your corporate.
We will use the steps described here in this TechNet article: http://technet.microsoft.com/en-us/library/hh846167.aspx#BKMK_1_3 , the steps here are illustration of the steps, and prior parts of the blog series (part 1 to 3) are used as foundation to demonstrate the final environment:
the first ting to configure is the claim type, claim types represents what are the data queried in the user/device/resource attribute and then used in the permission evaluation, you want to query about the country, you create a claim type for that, you want to use department you create a claim type for that.
In our Lab we will create a claim type of Department and Country:
to create a claim type open the AD Administrative Center and go to Claim Types, and from the menu select new:
Create a new claim for Department :
and for Country :
In the Country, Supply suggested values (to specify values for the claims as Egypt and Qatar):
Note: By defaults claims are issues to users, if you want to issue it for computers you must select that on the claim
Create a new reference resource property for Claim Country:
Now got to Resource Properties and enable the department claim;
Now let us create a Central Access Rule, This rule will include the template permissions that will be applied when the claims are matched with the rules defined in the CAR:
In the rule, specify the security principle you want to use, in this demo we will grant access to Finance Admins full control and Finance Execs read only access, and this will be applied to all files “resources” that is classified in the Finance Department, we can also go with devices claims and specify the country of this device or any other property that we can to query about the device:
The Final rules will be :
Now create a Central Access Policy that will be applied using GPO to all file servers and the Administrator can select and apply them on individual folders:
In the CAP, include the finance data rule:
No you need to apply this CAP using GPO and make it available to file servers, now create a GPO and link it to the file servers OU:
In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.
Expand File System, right-click Central Access Policy, and then click Manage Central access policies.
In the Central Access Policies Configuration dialog box, add Finance Data, and then click OK.
You need now to allow the Domain Controllers to issue the Claims to the users, this is done by editing the domain controllers GPO and specify the claims settings:
Open Group Policy Management, click your domain, and then click Domain Controllers.
Right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-clickAdministrative Templates, double-click System, and then double-click KDC.
Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)
Close Group Policy Management.
Open a command prompt and type
Testing the Configuration:
Going to the file server, and clicking on our finance data file, we can now find the data classification that we specific in the Claims:
Now let us classify the data as Finance Department.
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC grants him access.
Now checking the permissions on the folder:
going to the Central Policy tab and applying the Finance Data Policy:
now let us examine the effective permissions:
for the Finance Admins:
If the user has no claims (so he is a member of the group but not in the finance department and is not located in Egypt) he will be denied access:
Now, let us specify that he is from Finance Department, no luck, Why?!
This is because he must access the data from a device that has claim type country Egypt:
Now test the Finance Execs Permissions and confirm it is working.
You can test applying this rule also when the following condition is set, and wee what happens:
Note: the above rule will grant use access when his department matches the file classification department, so you can have a giant share from mix of departments and permissions will be granted to files based on users’ departments.
Mixing DAC with AD RMS and file classification is a powerful mix that helps organizations with the DLP dilemma, and with Windows Server 2012 organization has total control for the first time on the files and data within the files. please try the lab and let me know your feedback
and intersting not for those who might miss it
Install Exchange 2010 in an Existing Exchange 2003 Organization: Exchange 2010 Help: “Exchange 2010 now creates system address lists in a new container. Recipients created or modified using Exchange 2003 or Exchange 2007 management tools won’t be stamped with these system address lists. As a result, they won’t be seen by the Get-Recipient cmdlet.
To fix this issue, you must enable Active Directory virtual list view (VLV). After you have completed the upgrade of an existing Exchange 2003 organization to Exchange 2010 and have decommissioned your Exchange 2003 servers, you must enable Active Directory VLV. To enable VLV for Exchange 2010, run the Enable-AddressListPaging cmdlet. For more information, see Enable-AddressListPaging.”
Blog Post: you cannot use GFI Endpoint security due to Remote HW/Registry locdown policy by Windows Vista SP1
I have been working with GFI support team for that last couple of weeks to diagnose a problem that looks so hard in the first place but it was so easy to spot once we identified the cause, I have several Windows Vista SP1 laptops since all of them comes shipped with it, we wanted to deploy GFI Endppoint security and we were testing the product, everything works fine on XP SP3 machines, but on windows Vista SP1 it didn’t work, the problem that we couldn’t detect the drivers on the machine that runs Vista Sp1, the error was “Failed to enumerate devices on the machine”; if we try to deploy the agent manually it yells at us saying that you don’t have permissions to install this product so what the heck going on?
After several hours of regmon and filemon, I found that the agent access the machine using remote registry, so you have to:
- Start the remote registry service.
- On Vista SP1 machines, you need to allow the access for HKLM hive totally remotely.
- The GFI agent service needs to run as domain admin!!!
1.Go to Computer Configuration \ Administrative Templates \ System \ Device Installation
2.Double click on "Allow Remote Access to the PnP interface" and enable the policy
Finally it works, now we need to test it out, please read more about the security lockdown settings of windows Vista and the new registry access restrictions for windows Vista.
Here is a nice tip.
We had a lot of issues where customer is losing the parent/child trust, this is caused by a lot of reasons, either a corrupted TDO object, faulty AD or an admin who is playing with the wrong tools, so here is 2 things to do:
- Search the TDO about similar accounts with the same name that may cause the trust to be lost and remove them:
o Use the ldifde -r (saMAccountName=domainname*)
o Check the ldifde dump for the accounts that has the same SAMACCOUNTNAME of the domain and might be conflicting with the TDO object “don’t ask what causes that”
- Now delete the trust from the parent domain and from the child domain. You might need to delete the TDO object, those are here:
- Make sure that changes has been replicated.
- For the parent domain do the folloing command : netdom trust childdomain.parentdomain.com /domain:ttsl.com UserD:parent_admin /PasswordD:*
/UserO:child_admin /PasswordO:* /add
- Make sure that changes has been replicated.
- Not sure from the restart requirement, in my case I had to reboot the PDC
برغم انه المفروض انه بلوجي يكون محترم لاني اسعى لدرجة ال MVP فالمفروض انه اضفي صيغة علمية على البلوج و احترم نفسي بس للاسف انا مش عارف احترم حد لانه حد مش بيحترم نفسه مع احترامي لكل حد و اتنين و خميس
امس كنت في احد الشركات الكبيرة اوي عند صديق لي طلب مساندتي في تركيب exchange 2003 و روحت و بم اني بركب اكستشينج على كلاستر مرتين في الاسبوع على الاقل فالموضوع كان كيكة سهلة (انا كنت متصور كده) يا لسذاجتي
المهم روحت حطيت الاسطوانة و اشغل ال setup الخاص بال forestprep السيت اب يختفي و يروح ميرجعشي
غيرنا السي دي درايف
غيرنا السي دي
جبنا دي في دي
و طبعا في عباقرة في الخلف (العيب في الدرايفرات) و (العيب في الويندوز) واحد افتى انه العيب في الماذر بورد ردوا انتوا انا مش حرد
المهم من خبرتي انا حسيت انه الاكتيف دايرمكتوري ملعوب فيه ، لانه الاكستشينج حساس جدا ليه، ففتحت الاكتيف دايركتور و ال evet viewer لقيته متخربق احمر يا مرسي
ابص الاقي انه الدومين كونتروللر dc1 مش عارف يعمل replication مع الدومين التاني home (واحد ذكي حيقوللي طب الدومين الكونترولر الاولاني اسمه dc1 يبقا التاني المفروض اسمه dc2 حقوله يعني هو السيت اب باظ علشان عيب في المازر بورد)
المهم انه اكتشف انه الدومين كونترولر معملشي ريبليكشيت بقاله 3 شهور (حد يقول اي حاجة) قولتله هو فين الدومين كونرولر التاني) قاللي هو ليه لزمة قولتله انت عملت فيه ايه فرمته ؟؟؟ قاللي لاء بس طفيته لانه ملوش لزمة
واحد يقوللي انا لو مكاني اعمل ايه
قضيت وقت لطيف وانا بصلح في الدنيا (طبعا الاكتيف دايركتوري وقف الريبليكشين بين الاتنين دومين كونترولر لانه في objects على السيرفر الجديد تم مسحها و تحديثها و السيرفر القديم لا زال محتفظ بيها لذا تجنبا للعك تم وقف الريبليكشين)
جبت السيرفر المطفي اون لاين
و مشيت كما في المقالة دي
قمات كل حاجة اشتغلت زي الفل و تم عمل ال replication و الدنيا قامت و اشتغل السيت اب
طالما انتوا مش قد افلام الرعب بتتفرجوا على تشانل تو ليه
مع اعتذاري لصاحبي و عزيزي
الاكسبلورر كعادته وقف و حرن و قرر عدم العمل يعني اما كنت بختار لينك و اقوله openlink in new window مكانشي بيفتحها
و بم اني خبيرطلعت العدة و اديلوا ركبت الجافا و شيلتها الفيرتشوال ماشين و حطيتها و كل حاجة و برضوا حرنان
الى ان قمت بعمل ديفراجمنت النهاردة للجهاز لقيته اشتغل زي القرد
غريبة دي مش كده