Configuring Dynamic Access Controls and File Classification-Part4-#winservr 2012 #DAC #microsoft #mvpbuzz
Part1: The Windows Server 2012 new File Server–part 1- Access Condition http://goo.gl/9miY1
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS http://goo.gl/dRHro
Part3: The new file server part3 using file classification & AD RMS: http://goo.gl/A4JlC
In previous parts we have walked through the new file server features and permissions wizard, Data Classification, AD RMS installation and File Classification and AD RMS integration, in the final part of this series we will take about how to implement a new feature of Active Directory called claim based authentication and utilize it for something called Dynamic Access Control.
but wait a minute, what is the claim based authentication, from this reference: http://www.windowsecurity.com/articles/First-Look-Dynamic-Access-Control-Windows-Server-2012.html
Claims-based authentication relies on a trusted identity provider. The identity provider authenticates the user, rather than every application doing so. The identity provider issues a token to the user, which the user then presents to the application as proof of identity. Identity is based on a set of information that, taken together, identifies a particular entity (such as a user or computer). Each piece of information is referred to as a claim. These claims are contained in the token. The token as a whole has the digital signature of the identity provider to verify the authenticity of the information it contains.
Windows Server 2012 turns claims into Active Directory attributes. These claims can be assigned to users or devices, using the Active Directory Administrative Center (ADAC). The identity provider is the Security Token Service (STS). The claims are stored inside the Kerberos ticket along with the user’s security identifier (SID) and group memberships.
Once the data has been identified and tagged – either automatically, manually or by the application – and the claims tokens have been issued, the centralized policies that you’ve created come into play.
Now you can turn user’s attribute whatever they are, into security controls, now we have the power to control the access to files and set the permissions to files using attributes, we no longer controlled by group permissions only.
With that in mind, you can set the permissions on the files based on department attributes, connecting machine, location or any other attribute in Active Directory and you don’t have to create specific groups for that, also the permissions will be set on the fly, not only that, but you can set the permissions not based on the user’s properties but also based on the device the user is using, you can set the permissions to full control from corporate devices, but readonly from kiosk or non-corporate devices.
Not only that, but you can also include the attributes of the resources that is being accessed in the permissions equation, so you want “on the fly” to examine the resource classification and allow only specific users with specific attributes to access the resource (so files classified of country classification “Egypt” will be accessed by only users who are in country “Egypt” for example).
Dynamic Access Control (DAC) is a new era for permissions, I am blown by the power of DAC and how flexible it is, mixed with AD RMS you can have ultimate control on data within your corporate.
Lab Setup:
We will use the steps described here in this TechNet article: http://technet.microsoft.com/en-us/library/hh846167.aspx#BKMK_1_3 , the steps here are illustration of the steps, and prior parts of the blog series (part 1 to 3) are used as foundation to demonstrate the final environment:
Implementation steps:
the first ting to configure is the claim type, claim types represents what are the data queried in the user/device/resource attribute and then used in the permission evaluation, you want to query about the country, you create a claim type for that, you want to use department you create a claim type for that.
In our Lab we will create a claim type of Department and Country:
to create a claim type open the AD Administrative Center and go to Claim Types, and from the menu select new:
Create a new claim for Department :
and for Country :
In the Country, Supply suggested values (to specify values for the claims as Egypt and Qatar):
Note: By defaults claims are issues to users, if you want to issue it for computers you must select that on the claim
Create a new reference resource property for Claim Country:
Now got to Resource Properties and enable the department claim;
Now let us create a Central Access Rule, This rule will include the template permissions that will be applied when the claims are matched with the rules defined in the CAR:
In the rule, specify the security principle you want to use, in this demo we will grant access to Finance Admins full control and Finance Execs read only access, and this will be applied to all files “resources” that is classified in the Finance Department, we can also go with devices claims and specify the country of this device or any other property that we can to query about the device:
The Final rules will be :
Now create a Central Access Policy that will be applied using GPO to all file servers and the Administrator can select and apply them on individual folders:
In the CAP, include the finance data rule:
No you need to apply this CAP using GPO and make it available to file servers, now create a GPO and link it to the file servers OU:
In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.
Expand File System, right-click Central Access Policy, and then click Manage Central access policies.
In the Central Access Policies Configuration dialog box, add Finance Data, and then click OK.
You need now to allow the Domain Controllers to issue the Claims to the users, this is done by editing the domain controllers GPO and specify the claims settings:
Open Group Policy Management, click your domain, and then click Domain Controllers.
Right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-clickAdministrative Templates, double-click System, and then double-click KDC.
Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)
Close Group Policy Management.
Open a command prompt and type gpupdate /force
.
Testing the Configuration:
Going to the file server, and clicking on our finance data file, we can now find the data classification that we specific in the Claims:
Now let us classify the data as Finance Department.
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC grants him access.
Now checking the permissions on the folder:
going to the Central Policy tab and applying the Finance Data Policy:
now let us examine the effective permissions:
for the Finance Admins:
If the user has no claims (so he is a member of the group but not in the finance department and is not located in Egypt) he will be denied access:
Now, let us specify that he is from Finance Department, no luck, Why?!
This is because he must access the data from a device that has claim type country Egypt:
Now test the Finance Execs Permissions and confirm it is working.
You can test applying this rule also when the following condition is set, and wee what happens:
Note: the above rule will grant use access when his department matches the file classification department, so you can have a giant share from mix of departments and permissions will be granted to files based on users’ departments.
Conclusion:
Mixing DAC with AD RMS and file classification is a powerful mix that helps organizations with the DLP dilemma, and with Windows Server 2012 organization has total control for the first time on the files and data within the files. please try the lab and let me know your feedback
Upgrade your Active Directory from 2008 to Windows Server 2012 #Microsoft #winserv2012
Windows Server 2012 introduces new ways of managing and configuring your Windows infrastructure, one of these components are the Active Directory.
First, Microsoft removed the famous “DCPROMO” and the functionality of installing and promoting a new Domain Controller is moved entirely to the Server Manager.
in this lab, we have a single DC that we would like to move all of its roles to a new fresh installed Windows Server 2012.
Configuration Steps:
1- Install your Windows 2012 Server and Join it to the Domain.
2- open Server manager and from tasks, select “Add Roles and Features”:
3- In the Welcome screen click next:
4- In the select Installation type, select Role-based:
5- in the select server, select the desired server or server group (for server groups refer to my previous article “Windows 2012 first look”:
6- from the list of roles, select Active Directory Domain Services:
7- Active Directory Domain Services in Windows Server 2012 depends on other roles/features, you must add them, the wizard will add them if they are not pre-installed, so accept adding those missing roles/features:
8- In the installation summary, review your selection, also you might want to restart the Server directly after installation completes:
Until this point, we have not actually configured the server as domain controller, we were just adding the roles, after completing the installation, the wizard will inform you that there is post installation configuration to configure this server as domain controller, select more
In the following screen you will find the post deployment tasks are pending:
1- When you select the “Promote this server to domain controller” the following wizard opens:
from the previous screen you can select to install new forest, new domain or a new forest, in our case we are upgrading so select “add a domain controller to an existing domain”.
Note: you have the option to select the domain information if you have multiple domains.
Important Note: if this is the first Windows Server 2012 DC to be installed in the forest and you didn’t extend the schema yet, then you will need to make sure that this account has the necessary permissions to extend the schema (Enterprise Admin/Schema Admin), otherwise the setup will fail.
In Windows Server 2012, you don’t need to extend the schema separately as the wizard will handle this for you, unless you really want to perform it in a separate step.
If you do not run adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run Adprep commands. The credential requirements are as follows:
- To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of Enterprise Admins group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.
- To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins group.
- To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins group.
2- from the Domain Controller Options, select if this server will be a Global Catalog and DNS server or not, since we are upgrading, we need to make sure that this server is a DNS and GC, also select the site where this server will be assigned to:
3- in the DNS delegation page, next:
4- In the additional options, you might have to select Install from media or replicate from a specific DC, or let it automatically:
5- Review the Paths for NTDS, SYSVOL, customize them if needed:
6- In the prerequisites check, make sure that you passed successfully and Install.
7- After installation finishes server will reboot and you will AD DS role installed and the server is identified as a DC:
You can now run “DCPROMO” on the old server to remove it, if it is a single server environment the FSMO roles will be moved to the 2012 DC, if not and you have multiple servers then you can move them as before from the ADUC and ADDT MMCs.
Raising the Forest/Domain Functional level:
Raising the Forest/Domain levels is needed only to enable one new feature: the Support for Dynamic Access Control and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. otherwise and if you are not using these and not comfortable with raising the Forest/Domain Function yet, don’t.
You have successfully upgraded you domain controller, congrats.
The Scale-out File Server Design Criteria #Microsoft
So Scale-out file servers are a super cool feature from Windows Server 2012, but is it for every file server use, let us see:
from http://technet.microsoft.com/en-us/library/hh831349:
You should not use Scale-Out File Server if your workload generates a high number of metadata operations, such as opening files, closing files, creating new files, or renaming existing files. A typical information worker would generate a lot of metadata operations. You should use a Scale-Out File Server if you are interested in the scalability and simplicity that it offers and you only require technologies that are supported with Scale-Out File Server.
and the below table is a nice reference from the same page to compare traditional clustered file server Vs. scale-out ones
so what are the design and selection criteria for scale-out file servers, the usual answer is “it depends”.
from my point of view, SO file servers are not for every use, although it offers greater scalability and performance for some workloads like SQL cluster and Hyper-v, it doesn’t really go well with the regular end-user usage for file servers as they generate a lot of metadata, also you will lose a lot of handy features like de-duplication, FCI and DFS.
So be careful when selecting your SO FS and make sure that you really need them, they are note for every use.
Windows 2012 Administration–First impression #Microsoft #win2012 #windows2012
I started my test drive for Windows Server 2012 yesterday, I was late behind until the RC, I don’t like the betas (unless of course for Exchange and Lync) as I always tend to wait for the RC and start taking the learning curve.
One of the most impressive thing about Windows Server 2012 is its administration, first let us take a look on how it is effective and productive the new Windows Server 2012 administration:
the first, you will not the new server manager, it is very awesome and starts directly after windows login, and it enables you to open and administrate every aspect of the server:
for example in my labs I like to disable windows firewall, previously I had to go to start menu, administrative tools and then choose the windows firewall, or if you are in server manager you have to go to the top menu and chosoe the windows firewall.
in Windows Server 2012, and from the server Manager console and from anywhere I am I can go tools and open the event viewer, the firewall or any preferred tool listed in the tool section
now let us change the computer name, instead of going to the computer properties , all what you need is to go the local server and choose the settings you want to modify:
now let us add a group of servers to manage:
from the dashboard you create a group of servers, I will create a group of my Windows Server 2012:
Now I created a group and added my Windows Server 2012 Servers:
now I can go to the group and find them listed there:
now I can click on the server and manage it, add roles to it RDP
I loved how it is easy and effective to manage now server 2012, the new server manager is way too awesome and effective and the new management capabilities is great. WAY TO GO Windows Server 2012