Learning Microsoft Windows Server 2012 Dynamic Access Control

Inside the architecture of DAC

As promised in the previous section, Dynamic Access Control is not just a single feature, but an end-to-end file server solution based on the following features in Windows Server 2012:

  • Windows authorization and audit engine supporting expression-based access control
  • Kerberos version 5 support for user and device claims
  • File classification infrastructure that supports claims
  • RMS support that can be extended for further file types from third-party vendors
  • API to extend the solution with custom classification and audit tools

Building blocks

The Dynamic Access Control solution can be logically divided into the following main components to get a better, granular overview:

  • Infrastructure requirements
  • User and device claims
  • Expression-based ACEs
  • Classification enhancements
  • Central access and audit policies
  • Access-denied assistance

These building blocks are explained in detail in the following sections. But first, you need a quick overview of the most important facts about Dynamic Access Control. We will start the overview with the infrastructure requirements.

Infrastructure requirements

A basic deployment of Dynamic Access Control does not require a big effort. To use claims for authorization and auditing, you need only the following components:

  • At least one Windows Server 2012 or newer domain controller
  • Configure DAC objects, which are:
    • Claim Types
    • Central Access Rules
    • Central Access Policies
  • Administration with Active Directory Administrative Center (ADAC) or Remote Server Administration Tools (RSAT) installed on Windows 8 / Windows Server 2012 or newer

    Tip

    A Claim is something that Active Directory states about a specific object (user or computer). A Claim may include the user, a unique Security Identifier (SID), the department classification of a file, or other attributes of a file, user, or computer.

  • Group policy to deploy Central Access Policies to your file servers
  • Group policy to enable the KDC support for claims
  • Group policy to enable the Kerberos client support for claims
  • All file servers that use DAC must be Windows Server 2012 or newer
  • Windows 8 or newer client computers must be part of that domain (only required when using device claims)
  • AD RMS role must be enabled and configured if you want to use automatic encryption
  • You need to enable claims support on domain controllers and clients (disabled by default)
  • DAC stores all configurations in the Active Directory configuration partition
  • Group policies are used to configure DAC on file servers and clients
  • The File Server Resource Manager (FSRM) provides many features, such as the File Classification Infrastructure (FCI)
  • Dynamic Access Control also works across organization boundaries with Claims Transformation Policies (CTP)
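A read-only check of the prerequisites listed above (domain controller versions, functional levels, DAC objects in the configuration partition, and whether claims support is switched on), written as an added example that is not from the book. It assumes the ActiveDirectory module from RSAT and that the `EnableCbacAndArmor` registry values under the Kdc and Kerberos parameter keys are the ones written by the two Group Policy settings for KDC and Kerberos client claims support.

```powershell
Import-Module ActiveDirectory

function Test-DacReadiness {
    # Assumption: these registry values back the GPO settings "KDC support for
    # claims, compound authentication and Kerberos armoring" and "Kerberos client
    # support for claims, compound authentication and Kerberos armoring".
    $kdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc\Parameters'
    $kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # Domain controllers: OperatingSystemVersion looks like "6.2 (9200)";
    # Windows Server 2012 is NT 6.2, so anything >= 6.2 qualifies.
    $dcs    = Get-ADDomainController -Filter *
    $modern = @($dcs | Where-Object {
        [version](($_.OperatingSystemVersion -split ' ')[0]) -ge [version]'6.2' })

    # Functional levels of the forest and its root domain (needed for
    # cross-forest claims transformation).
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Claims support is disabled by default on DCs and clients.
    $kdcVal  = (Get-ItemProperty -Path $kdcKey  -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
    $kerbVal = (Get-ItemProperty -Path $kerbKey -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor

    # DAC objects live in the configuration partition, so any DC answers for the forest.
    [pscustomobject]@{
        DomainControllersTotal       = $dcs.Count
        DomainControllers2012OrNewer = $modern.Count
        ForestFunctionalLevel        = $forest.ForestMode
        RootDomainFunctionalLevel    = $root.DomainMode
        ClaimTypes                   = @(Get-ADClaimType -Filter *).Count
        CentralAccessRules           = @(Get-ADCentralAccessRule -Filter *).Count
        CentralAccessPolicies        = @(Get-ADCentralAccessPolicy -Filter *).Count
        KdcClaimsSupport             = if ($kdcVal)  { "enabled ($kdcVal)" } else { 'disabled (default)' }
        KerberosClientClaimsSupport  = if ($kerbVal) { 'enabled' } else { 'disabled (default)' }
    }
}

Test-DacReadiness | Format-List
```

Run it on a domain controller to see the KDC value; on a file server or client only the Kerberos client value is meaningful.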

The following figure shows the basic deployment and configuration that needs to be done.

[Figure: Infrastructure requirements]

However, what happens if you don't use Windows 8 clients?

Note

For clients older than Windows 8 / Windows Server 2012, such as Windows XP, Vista, or Windows 7, the user does not need to worry about claims. In that case, the Windows Server 2012-based file server queries Active Directory and forwards the claims request itself to obtain the claims that the user or the machine provides.

As you can see in the figure above, DAC works between different Active Directory Forests (the Active Directory instance of an organization), and Claims Transformation Policies provide the functionality to translate the claim definitions between two or more organizations. To prepare for this scenario, you need to establish a Forest Trust between the Active Directory Forests, and the Domain Functional Level (DFL) of both Forest Root domains must be Windows Server 2012 or higher. Right now, this is a challenge but also a necessary requirement. There is no need for Claims Transformation Rules inside a Forest. This works fine out of the box because Dynamic Access Control objects are stored in the configuration partition of Active Directory and the whole Forest knows the relevant information.

User and device claims

Traditionally, you may have secured access to files by using NTFS file permissions and security groups. With this configuration, we were restricted to making policy decisions based on the user's group membership, and the number of groups tends to explode. If we wanted to include the device in the access decision, there was no way to do this in earlier versions of Windows Server. Another limitation was that folder or file access could not be granted based on a certificate. Before Windows Server 2012 Dynamic Access Control, the built-in functionality offered no way to include devices or certificates. DAC now integrates claims into Windows authentication so that we can use Active Directory attributes of users and computers, such as a location, department, or project, to control access to the information stored on our file servers.

Note

DAC will only be used as complementary technology and is not a replacement for security groups.

The following figure shows the new combinations you can use for authorization:

[Figure: User and device claims]

This opens new ways of giving permissions on files and folders, such as:

Allow | Read, Write |
If (@User.Department == @File.Department)
AND (@Device.Managed == True)

Note

There is no development knowledge required to implement a Dynamic Access Control solution.

Expression-based access rules

By using expression-based access control, users or devices must satisfy conditions that we define to access files in a given classification.

To explain the major benefits, we use a very easy and common example. Let us consider an organization with 200 projects, 20 countries, and two divisions. Using the traditional approach, solving access control in this scenario results in something like 8,000 groups. Reducing security groups is always a vital task in the current IT environment. For example:

  • Project Budget2014 CH Finance Users
  • Project Budget2014 UK Finance Users

Even without claims, Windows Server 2012 already allows combining multiple groups with Boolean logic (expression-based access control lists). This helps us reduce the number of groups effectively. Let us look at the following example of using AND operations to build a permission model:

Allow Modify IF MemberOf(ProjectA)
AND MemberOf(CH)
AND MemberOf(Finance)

The result is 222 groups instead of something like 8,000 security groups. Yeah!

Finally, by using claims inside the expression-based access rules, we can convert the groups into exactly three user claims.

Classification enhancements

The first task in every Dynamic Access Control project is to identify and classify files based on their content. With Windows Server 2008 R2, we could already fulfil the following tasks:

  • Define classification properties
  • Automatically classify files based on location and content
  • Apply file management tasks (file expiration / custom commands) based on classification
  • Produce reports

With Windows Server 2012, the following classification improvements are added:

  • Manual classification (Windows Explorer)
  • Continuous classification (File Server Resource Manager)
  • Folder-based inherited classification
  • Conditional access control entries (additional authorization layer)

The next figure gives you an introduction to the processes carried out in a file classification scenario and shows the continuous classification:

  1. Define resource properties in Active Directory such as a department or company, and apply them to your file servers.
  2. The File Classification Infrastructure checks the file content and classifies the information with the correct classification.
  3. After classifying the information, the classification can be used for authorizing access to the information.

[Figure: Classification enhancements]

With the Windows Server 2012 File Classification Infrastructure (FCI) feature, you can identify sensitive files and encrypt them automatically with RMS.

Some possible scenarios include:

  • Access to all documents on the file server must be limited to active, full-time employees of the company—even if an employee distributes copies to different places, such as SkyDrive, Dropbox, or SharePoint
  • The AD RMS policy "Finance read only" must be applied to all files containing more than 10 credit card numbers or other Personally Identifiable Information (PII)
  • The AD RMS policy "Sales Managers only" must be applied to all Excel files larger than 100 MB that contain Personally Identifiable Information (PII) and 10 contract numbers and were created by the CRM system

This technology also gives you the possibility of supporting file types other than Office documents. You just need to install and configure a combination of FCI with Rights Protected Folder Explorer from http://blogs.technet.com/b/rms/archive/2012/06/29/official-release-of-rights-protected-folder-explorer.aspx.

Otherwise, you need to add a third-party solution to provide support for other file types.

Central Access and Audit policies

Central Access Policies (CAPs) play an essential role in a Dynamic Access Control scenario. CAPs are sets of authorization policies that we manage in Active Directory and deploy to the file servers through Group Policy. You can think of a CAP as a safety-net policy to get another idea of what to expect from this element.

A CAP has two logical parts:

  • Conditions that define which files the policy applies to
  • List of one or more Access Control Entries (ACEs)

The next figure should provide you with some information on how the different solution components interact and where the information of the DAC objects is stored. Furthermore, it gives you the necessary tasks in the right order and the tools that you can use to configure CAPs, claims, and property definitions.

Obviously, if you change policy, you want to check the consequences of your work. For this reason there is a function called "policy staging" available, which lets you run a new policy parallel to your current configuration to evaluate the results.
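The claim-based rule from the User and device claims section (user department must match the file's department, and the device must be managed) built as a Central Access Rule with both logical parts of a CAP described above, as an added example that is not from the book. It assumes the ActiveDirectory module, the built-in `Department_MS` resource property, a placeholder computer attribute as the source of the "Managed" device claim, all rule and policy names, and the `@USER.<claim id>` / `@DEVICE.<claim id>` / `@RESOURCE.<property id>` form of SDDL conditional ACEs; the device requirement is placed only in the proposed ACL so that policy staging reports where the two policies would differ before the stricter one goes live.

```powershell
Import-Module ActiveDirectory

function New-DepartmentDacPolicy {
    param(
        # Assumption: a string-valued computer attribute holding "True" for managed devices
        [string]$DeviceSourceAttribute = 'PLACEHOLDER-managed-device-attribute'
    )

    # 1. User claim sourced from the AD 'department' attribute, and a device claim
    #    sourced from the assumed attribute above (both names are assumed).
    $userClaim   = New-ADClaimType -DisplayName 'Department' -SourceAttribute department `
                       -AppliesToClasses user -PassThru
    $deviceClaim = New-ADClaimType -DisplayName 'Managed' -SourceAttribute $DeviceSourceAttribute `
                       -AppliesToClasses computer -PassThru

    # 2. Enable the built-in Department resource property and publish it to file servers
    #    through the Global Resource Property List.
    Set-ADResourceProperty -Identity Department_MS -Enabled $true
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members Department_MS

    # 3. Central Access Rule: first logical part is the resource condition (which files),
    #    second part is the ACL of conditional ACEs (type XA). 0x1301bf = Modify.
    $u = $userClaim.ID      # e.g. ad://ext/Department:<suffix> (read back, not hard-coded)
    $d = $deviceClaim.ID
    # Current ACL: department match only (what applies today).
    $currentAcl  = "O:SYG:SYD:AR(A;;FA;;;BA)" +
                   "(XA;;0x1301bf;;;AU;(@USER.$u == @RESOURCE.Department_MS))"
    # Proposed ACL: additionally requires a managed device; evaluated in parallel
    # (policy staging) and logged where the result would differ from the current ACL.
    $proposedAcl = "O:SYG:SYD:AR(A;;FA;;;BA)" +
                   "(XA;;0x1301bf;;;AU;((@USER.$u == @RESOURCE.Department_MS) && (@DEVICE.$d == `"True`")))"

    $rule = New-ADCentralAccessRule -Name 'Department Documents Rule' `
                -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
                -CurrentAcl $currentAcl -ProposedAcl $proposedAcl -PassThru

    # 4. Central Access Policy that carries the rule; it is then deployed to file
    #    servers through Group Policy and selected on the folder's Central Policy tab.
    $cap = New-ADCentralAccessPolicy -Name 'Department Documents Policy' -PassThru
    Add-ADCentralAccessPolicyMember -Identity $cap -Members $rule
    return $cap
}

New-DepartmentDacPolicy | Format-List Name, Members
```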

On the left-hand side of the following figure, you see the tasks that need to be done to configure Dynamic Access Control, and on the right-hand side, the results on the system.

[Figure: Central Access and Audit policies]

Also, a new tab called Central Policy is present in the Advanced Security Settings dialog for Finance Documents.

[Figure: Central Policy tab in Advanced Security Settings]

After applying Central Access Policies, we need to think about Auditing Policies. With Windows Server 2012, you can author audit policies by combining claims and resource properties. It enables scenarios for you that were impossible or very hard to implement until now. The next figure shows you the file-access auditing workflow to give you a better understanding of this process:

[Figure: File-access auditing workflow]

A quick look at how much power is inside these new audit improvements:

Note

It is now possible to audit everyone who is not working on a specific project and tries to access information tagged as accessible only to full-time employees who are members of that project.

To view and analyze audit events, you can use the common Event Viewer or, if available, System Center Operations Manager with the Audit Collection Service configured.

Access-denied assistance

Access-denied assistance is a role service of the File and Storage Services role in Windows Server 2012 and helps us in the following use cases:

  • Users get more than just an access-denied message: they are provided with detailed information for the data owner, helpdesk, or file server administrators.
  • Users can request access from the data owner.

There are two ways to configure the Access-denied assistance:

  • E-mail – The user gets a customized access-denied message with a button to request assistance, and an e-mail is sent to the data owner
  • Web service – The user gets a customized access-denied message with a link included and is redirected to a self-service portal, such as Forefront Identity Manager 2010 R2

Note

The minimum requirement to use access-denied assistance is Windows 8, Windows RT, or Windows Server 2012 or newer devices.