There is a lot of new stuff in Windows Server 2012 Active Directory.
- Active Directory management enhancements
- Active Directory Administrative Center
- Active Directory Recycle Bin management
- Fine-Grained Password Policy management
- Windows PowerShell History Viewer
- Dynamic Access Control
- Group Policy enhancements
- Kerberos constrained delegation changes
- Active Directory deployment enhancements
- Remote DCPromo and built-in troubleshooting
- ADPrep integration
- Improved virtualization support
- Domain controller cloning
- Active Directory snapshots
- Active Directory-based activation
- Active Directory Federation Services 2.1 built in
In this post we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, which can be managed through the AD Administrative Console to help organizations reach data compliance.
**NOTE:** DAC is an amalgamation of different features working together. It leverages AD, Group Policy, file servers, and more. It is one of the more involved labs we have tackled so far.
Microsoft has focused on the following areas:
- Identify the information that needs to be managed to meet business and compliance requirements
- Apply appropriate access policies to information
- Audit access to information
- Encrypt information
You can now create and manage Central Access and Audit Policies in Active Directory through the ADAC. These policies are based on conditional expressions that take into account the following, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control:
- Who the user is
- What device they are using, and
- What data is being accessed
Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as "User is from the Finance department" and "User's security clearance is High".
Here are sample policy types where DAC is used:
Policy Type | Usage |
Organization-wide authorization policy | |
Departmental authorization policy | |
Specific data-management policy | |
Need-to-know policy | |
You can find different scenarios of DAC usage here.
What we will do in this post is set up DAC and create a rule to show the flexibility and the value you can get from this technology.
Step-by-Step: enabling and configuring DAC
DAC is a claim-based security feature.
Claims are Active Directory attributes defined to be used with Central Access Policies. The claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this new feature.
To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts.
- Claim Type
- Resource properties for files
- Resource property lists (add the resource properties to the global list)
- Create new central access rule
- Create central access policy
First, we logged on to our domain controller ITCamp-DC1 and created some accounts for this lab.
- Create the following users with the attributes indicated:
User | Username | Email address | Department | Country/Region |
Myriam Delesalle | MDelesalle | MDelesalle@ITCAMP.Local | Finance | Canada |
Miles Reid | MReid | MReid@ITCAMP.Local | Finance | United States |
Esther Valle | EValle | EValle@ITCAMP.Local | Operations | Canada |
Maira Wenzel | MWenzel | MWenzel@ITCAMP.Local | HR | Canada |
Jeff Low | JLow | JLow@ITCAMP.Local | HR | United States |
RMS Server | rms | rms@ITCAMP.Local | | |
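The lab accounts from the table above can be created from the domain controller with the ActiveDirectory module. This is an added example, not part of the original post; the password is a constructed lab value, and the accounts land in the default Users container. One detail that matters for the claim type configured later: the claim is sourced from the `c` attribute, which stores the ISO 3166 two-letter code ("CA", "US"), not the display name "Canada".

```powershell
# Added example (not from the original post): create the lab users with the
# attributes the claim types will read. Password is a constructed lab value.
Import-Module ActiveDirectory

$password = ConvertTo-SecureString 'LabP@ssw0rd!' -AsPlainText -Force   # constructed

# -Country writes the "c" attribute; it must hold the ISO 3166 code, because that
# is the stored value a claim type sourced from "c" will compare against.
$labUsers = @(
    @{ Name = 'Myriam Delesalle'; Sam = 'MDelesalle'; Department = 'Finance';    Country = 'CA' },
    @{ Name = 'Miles Reid';       Sam = 'MReid';      Department = 'Finance';    Country = 'US' },
    @{ Name = 'Esther Valle';     Sam = 'EValle';     Department = 'Operations'; Country = 'CA' },
    @{ Name = 'Maira Wenzel';     Sam = 'MWenzel';    Department = 'HR';         Country = 'CA' },
    @{ Name = 'Jeff Low';         Sam = 'JLow';       Department = 'HR';         Country = 'US' }
)

foreach ($u in $labUsers) {
    New-ADUser -Name $u.Name `
        -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@ITCAMP.Local" `
        -EmailAddress "$($u.Sam)@ITCAMP.Local" `
        -Department $u.Department `
        -Country $u.Country `
        -AccountPassword $password `
        -Enabled $true
}

# Service account for the RMS server row of the table (no department or country)
New-ADUser -Name 'RMS Server' -SamAccountName 'rms' `
    -UserPrincipalName 'rms@ITCAMP.Local' -EmailAddress 'rms@ITCAMP.Local' `
    -AccountPassword $password -Enabled $true

# Read back exactly what the claim sources will see (the LDAP attributes, not the labels)
Get-ADUser -Filter 'Department -like "*"' -Properties Department, c |
    Select-Object SamAccountName, Department, c
```

The final query is the check worth keeping: if `c` shows "Canada" instead of "CA" for a user, the Country claim built later will never match that user.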
It's now time to enable Dynamic Access Control for ITCamp.Local.
- Open the Group Policy Management Console, click ITCamp.Local, and then double-click Domain Controllers.
- Right-click Default Domain Controllers Policy, and select Edit.
- In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.
- Double-click KDC support for claims, compound authentication, and Kerberos armoring and select the option next to Enabled. You need to enable this setting to use Central Access Policies.
- Open an elevated command prompt, and run the following command:
gpupdate /force
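The same GPO change can be made and verified from PowerShell with the GroupPolicy module. This is an added example, not from the original post; it assumes the Default Domain Controllers Policy of ITCamp.Local and the registry values that back the "KDC support for claims, compound authentication and Kerberos armoring" setting (EnableCbacAndArmor and CbacAndArmorLevel under the Kdc\Parameters key).

```powershell
# Added example (not from the original post): enable the KDC claims setting in
# the Default Domain Controllers Policy and read it back before refreshing.
Import-Module GroupPolicy

$gpo    = 'Default Domain Controllers Policy'
$kdcKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc\Parameters'

# EnableCbacAndArmor = 1 is the policy's "Enabled" state.
# CbacAndArmorLevel 1 = "Supported": the KDC issues claims and armors when the
# client asks, without rejecting clients that cannot. (2 = always provide claims,
# 3 = fail unarmored requests; both need every client to support it.)
Set-GPRegistryValue -Name $gpo -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $kdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1 | Out-Null

# Check: what the GPO now carries for that key
Get-GPRegistryValue -Name $gpo -Key $kdcKey | Select-Object ValueName, Type, Value

# Apply on this domain controller (the post's step)
gpupdate /force
```

Device claims additionally need the matching "Kerberos client support for claims, compound authentication and Kerberos armoring" setting on the client side; the lab above only uses user claims, so the KDC setting is enough.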
Configure Claim Type
In this step we will configure claim types for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating Dynamic Access Control: in our case, the user's department and country.
1- After logging on to the DC, open the Active Directory Administrative Center to start configuring the Dynamic Access Policy (DAP).
2- In the Claim Types section, click "New" and then "Claim Type" in the Tasks pane.
3- Select the attribute you want to use, in our case "c", and in the Suggested Values section define the values you want to allow. In our lab we will look for Canada and United States.
4- Repeat for the department attribute with the following suggested values: HR, Finance, Operations.
Configure Resource properties for files
1- In this step, we will configure the properties that will be downloaded by file servers and used to classify files, directories, or shares. The DAC rules will compare user attribute values with resource properties. You can enable existing properties or create new ones.
2- Click Resource Properties; here you can select existing resource properties or create new ones. I have selected Country and Department.
Resource property lists (add resource property to global)
1- Each resource property must be added to at least one resource property list, which is then downloaded by the file servers in your environment. The global resource property list is downloaded by all file servers.
Our properties are already part of the global list.
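The three ADAC steps above (claim types, resource properties, and the global list) can be scripted with the ActiveDirectory module. This is an added example, not code from the original post. It assumes the built-in Department_MS resource property exists (it ships with Windows Server 2012) and creates a Country resource property that shares its values with the Country claim type; the display names "Country" and "Department" are chosen here. AD assigns the claim type IDs, which is why the example does not set them.

```powershell
# Added example (not from the original post): claim types, resource properties
# and global list membership for the lab.
Import-Module ActiveDirectory

# A suggested value is (stored value, display name, description)
function New-SuggestedValue($Value, $DisplayName, $Description) {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($Value, $DisplayName, $Description)
}

# Claim sourced from "c": the stored value is the ISO code, "Canada" is only the
# label. A suggested value of "Canada" would never match a user whose c = "CA".
$countries = @(
    (New-SuggestedValue 'CA' 'Canada'        'Canada'),
    (New-SuggestedValue 'US' 'United States' 'United States')
)
$countryClaim = New-ADClaimType -DisplayName 'Country' -SourceAttribute 'c' `
    -SuggestedValues $countries -Enabled $true -PassThru

$departments = 'HR', 'Finance', 'Operations' | ForEach-Object { New-SuggestedValue $_ $_ $_ }
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -SuggestedValues $departments -Enabled $true

# Resource properties: enable the built-in Department property (ID Department_MS)
# and create a secured Country property that reuses the Country claim's values,
# so folder classifications and user claims compare like with like ("CA" == "CA").
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
$countryProperty = New-ADResourceProperty -DisplayName 'Country' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SharesValuesWith $countryClaim -Enabled $true -PassThru

# Only properties in a list reach file servers; the global list reaches all of them.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department_MS', $countryProperty

# Check: the global list should now carry both properties
Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members |
    Select-Object -ExpandProperty Members
```

The IDs AD generates for the claim types (of the form `ad://ext/Department:<hex>`) are what a central access rule's SDDL must reference; `Get-ADClaimType -Filter { DisplayName -eq 'Department' }` returns them.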
Create new central access rule
This is where we create a rule that uses the properties we defined earlier. It describes which conditions must be met for file access to be granted.
1- In the Central Access Rules section, click "New" and then "Central Access Rule".
2- Give it a name in the Create Central Access Rule form.
3- In the Permissions section, click "Use following permissions as current permissions" and click "Edit".
4- Click "Add", and in the "Permission Entry for Permissions" dialog select "Authenticated Users" as the principal and set the following conditions.
5- Click "OK"; you are back at the DAC configuration screen.
Create central access policy
This part is very straightforward.
1- In the Central Access Policies section, click "New" and then "Central Access Policy", and give the new policy a name in the "Create Central Access Policy" form. We named ours CAP. You also need to add the Central Access Rule you created earlier to the policy.
2- Once that is created, we need to tell AD about the policy. In the Group Policy Management Console we edited the Default Domain Policy, but you can apply a different policy as you see fit. Under Computer Management → Policies → Windows Settings → Security Settings → File System → Central Access Policy, right-click the right pane and select Manage Central Access Policies.
3- Add the policy you created to the Applicable Central Access Policies.
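The rule and policy above can also be created with the ActiveDirectory module, which makes the rule's conditions visible as SDDL rather than as a screenshot. This is an added example, not from the original post. The post does not reproduce the conditions it set, so the condition here is a constructed one: Authenticated Users get Modify only when their Department claim equals the folder's Department property and their Country claim equals the folder's Country property. The rule name is chosen here; the policy name "CAP" is the post's. It assumes the claim types and resource properties are named Department and Country. The GPO step that publishes the policy to file servers has no dedicated cmdlet and stays in the Group Policy Management Console.

```powershell
# Added example (not from the original post): central access rule with a
# conditional ACE, and the central access policy that carries it.
Import-Module ActiveDirectory

# SDDL must reference IDs, not display names. Claim IDs are AD-generated
# (e.g. ad://ext/Department:88ceb2bc4e7dc0c2, value illustrative), so look them up.
$userDept    = (Get-ADClaimType -Filter { DisplayName -eq 'Department' }).ID
$userCountry = (Get-ADClaimType -Filter { DisplayName -eq 'Country' }).ID
$resDept     = (Get-ADResourceProperty -Filter { DisplayName -eq 'Department' }).ID   # Department_MS
$resCountry  = (Get-ADResourceProperty -Filter { DisplayName -eq 'Country' }).ID

# Constructed condition: both the department and the country must match.
$condition = "(@USER.$userDept == @RESOURCE.$resDept) && (@USER.$userCountry == @RESOURCE.$resCountry)"

# XA = conditional allow ACE; 0x1301bf = Modify; AU = Authenticated Users.
# Owner rights, SYSTEM and Administrators keep full access unconditionally.
$acl = "O:SYG:SYD:AR(A;;FA;;;OA)(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;$condition)"

# The rule targets only folders that actually carry a Department classification;
# unclassified folders are left to their NTFS permissions alone.
New-ADCentralAccessRule -Name 'Department and Country match' `
    -ResourceCondition "(Exists @RESOURCE.$resDept)" `
    -CurrentAcl $acl

New-ADCentralAccessPolicy -Name 'CAP'
Add-ADCentralAccessPolicyMember -Identity 'CAP' -Members 'Department and Country match'

# Check: the policy lists the rule, and the rule stores the SDDL as written
Get-ADCentralAccessPolicy -Identity 'CAP' -Properties Members | Select-Object Name, Members
Get-ADCentralAccessRule -Identity 'Department and Country match' -Properties CurrentAcl, ResourceCondition |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Two points a practitioner should keep in mind: a conditional ACE only ever adds a grant, so the folder's regular NTFS ACL still has to allow at least the same access, and a user whose Kerberos ticket carries no claims (for example because the KDC setting above has not applied yet) simply fails every `@USER` comparison and is denied by the central policy.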
We are done configuring DAC… well, not quite. We still need to configure our shares and share properties.
To configure the shares, the File Server Resource Manager must be installed on the server that will be used as the file server. In our case the file server we are using is VMHost10B.itcamp.local.
- Log on to VMHost10B.itcamp.local as itcamp\administrator.
- In Server Manager, click Add Roles and Features.
- On the Before you begin page, click Next.
- On the Select installation type page, click Next.
- On the Select destination server page, click Next.
- On the Select Server Roles page, expand File and Storage Services, select the check-box next to File and iSCSI Services, expand, and select File Server Resource Manager.
- In the Add Roles and Features Wizard, click Add Features, and then click Next.
- On the Select features page, click Next.
- On the Confirm installation selections page, click Install.
- On the Installation progress page, click Close.
On the VMHost10B machine we created two shares with the "SMB Share - Advanced" profile (HR and Finance), accepting all defaults to complete this part.
Once the shares have been created, we need to go to the location where each directory was created and modify the properties of each folder to include its classification.
Then, in the Advanced Security Settings, on the Central Policy tab, change "No Central Access Policy" to "CAP", the policy we defined.
You can test whether everything worked by using the Effective Access tab.
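The file server side (FSRM install, the two shares, and the folder classifications) scripted for VMHost10B. This is an added example, not from the original post; the `D:\Shares` path and the share permissions are constructed choices, and it assumes the Department and Country resource properties are in the global list. Assigning the central access policy on the Central Policy tab is left to the GUI step above, as there is no cmdlet for it in the modules used here.

```powershell
# Added example (not from the original post): install FSRM, create the HR and
# Finance shares, and classify each folder so the central access rule can match.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

# Pull the resource property definitions down from AD (this is what the
# "global resource property list" step publishes) and confirm they arrived.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition | Select-Object Name, DisplayName, Type

# Constructed lab layout: one folder per department, classified with the
# department name and the country code. The country value is the ISO code
# because the resource property shares its values with the "c"-sourced claim.
$shares = @(
    @{ Name = 'HR';      Department = 'HR';      Country = 'CA' },
    @{ Name = 'Finance'; Department = 'Finance'; Country = 'CA' }
)

foreach ($s in $shares) {
    $path = "D:\Shares\$($s.Name)"                     # constructed path
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    # Share ACL is deliberately broad; NTFS plus the central access policy
    # decide who actually gets in.
    New-SmbShare -Name $s.Name -Path $path -ChangeAccess 'ITCAMP\Domain Users' | Out-Null

    # Folder management properties are the classification the rule reads
    # through @RESOURCE.Department_MS and the Country property.
    Set-FsrmMgmtProperty -Namespace $path -Name 'Department_MS' -Value $s.Department
    Set-FsrmMgmtProperty -Namespace $path -Name 'Country'       -Value $s.Country
}

# Check: the classifications as the file server stores them
foreach ($s in $shares) { Get-FsrmMgmtProperty -Namespace "D:\Shares\$($s.Name)" }
```

If `Get-FsrmClassificationPropertyDefinition` does not list Department_MS and the Country property, the global list has not been downloaded yet; fix that before classifying, because `Set-FsrmMgmtProperty` can only use properties the server knows about.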
That is the start of the value that DAC can bring, but we have just skimmed the surface.
So try it for yourself. It's well worth the effort.
You can deploy this in your lab and take advantage of the flexibility this technology can provide. Try it for yourself by downloading Windows Server 2012.
Cheers!
Pierre Roman, MCITP, ITIL | Technology Evangelist
Additional Resources
TechNet manual: http://technet.microsoft.com/en-us/library/hh831717.aspx
Hands on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data)
Dynamic Access Control at MMS 2012: http://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview