Dynamic access control DAC for Windows Server 2012


What is DAC?

Dynamic Access Control (DAC) is a new access control mechanism for file system resources in Windows Server 2012. It lets administrators define central file access policies that apply to every file server in the organization. DAC adds protection on top of the share and NTFS permissions of all file servers and existing shares: whatever those permissions say, the central policy is enforced as well.

DAC determines access rights from a combination of several criteria. It works together with NTFS access control lists, so a user must satisfy the share permissions, the NTFS ACL and the central access policy to gain access to a file. DAC can, however, also be used independently of NTFS permissions.

DAC provides a flexible way to apply, manage and audit access to file servers in a domain. It checks the claims in the user's token, the resource properties, the permission and audit entries and their conditional expressions, and by combining these it grants and audits access to files and folders tagged with AD DS attributes.

DAC is used mainly to control file access and is more flexible than NTFS and share permissions. It can also audit file access and, optionally, integrate with AD RMS.

DAC is designed for the following four scenarios:

1. Manage access to files with a central access policy. This lets an organization establish a security policy that matches its business requirements and regulatory compliance.

2. Analysis and compliance auditing. Targeted auditing across file servers for compliance reporting and forensic analysis.

3. Protect sensitive information. DAC can identify and protect sensitive information inside a Windows Server 2012 environment, and if AD RMS is integrated, files stay protected after they leave the Windows Server 2012 environment.

4. Access denied remediation. The improved access-denied experience reduces the burden on IT staff and the time lost to troubleshooting, and makes it easier for the people who manage the files to control them. Access denied remediation can send the owner of each folder a message describing why access was denied, so the owner can decide how to fix the problem from that information.


What is a claim?

User claims:

A user claim is information about a user provided by a Windows Server 2012 domain controller. A Windows Server 2012 domain controller can use most AD DS user attributes as claim information, which gives the administrator a wide range of configuration options and enables access control through claims. Before you define a user claim, you must populate the user attributes you want to use for access control with the appropriate values.

Device claims:

A device claim, often called a computer claim, is information about the device provided by the Windows Server 2012 domain controller; the device is represented in AD DS as a computer account. As with user claims, device claims can use most attributes of the computer object in AD DS. Unlike NTFS permissions, when a user attempts to access a resource, DAC makes the authorization decision taking into account the device the user is currently using. Device claims represent the attributes of the device that you want to use for access control.

Cross-forest claims:

In Windows Server 2012, AD DS maintains a claims dictionary for each forest. All claim types defined and used within a forest are defined at the AD DS forest level. In some scenarios, however, a user or device security principal must cross a trust boundary to access resources in a trusting forest. Cross-forest claims in Windows Server 2012 allow claims to pass inbound and outbound across a forest trust so that they are recognized and accepted in both the trusting and the trusted forest. By default, a trusted forest lets all outbound claims pass, and a trusting forest blocks all inbound claims it receives.

What is a resource property?

When you use claims or security groups to control access to files and folders, you can also attach additional information to those resources. DAC rules can use this information to manage access.

As with user and device claims, you must define the resource properties you want to use. They are configured through Resource Property objects, which define additional attributes that can be assigned to files and folders. These properties are usually assigned when a file is classified, and Windows Server 2012 can then use them for authorization. For example, a property can classify a file or folder with a value such as Confidential or Internal. Other properties can describe the content of the file, such as which department owns the information or which project it belongs to, with values such as Development or Project X.

Resource properties are managed in the Resource Properties container, which is located under the Dynamic Access Control node of the Active Directory Administrative Center.

You can create your own resource properties or use the predefined ones, such as Department and Folder Usage. All predefined Resource Property objects are disabled by default, so you must enable them before you can use them. When you create your own Resource Property object, you specify its value type and the allowed or suggested values.

When you create a Resource Property object, you can choose to include the property in files and folders. When evaluating authorization and auditing for a file, the Windows operating system combines the values of these properties with the user and device claim values.

How does DAC authorize access to resources?

As a new authorization and auditing mechanism, DAC requires extensions to AD DS. These extensions create the Windows claims dictionary that the operating system uses to store the claims for an Active Directory forest. Claims validation also requires a KDC (Key Distribution Center) that relies on the Kerberos V5 protocol.

With NTFS access control, the user's access token contains the user's SID and the SIDs of all groups the user is a member of. When the user attempts to access a resource, the access control list (ACL) on the resource is evaluated; if at least one SID in the token matches a SID in the ACL, the user is granted the corresponding permission.

DAC does not rely on SIDs alone: it uses claims to define additional attributes of the user or device. The user's access token therefore no longer carries only SIDs but also the user's claims and the claims of the device the user is logged on from, and these are used in the evaluation when the resource is accessed.

The Windows Server 2012 KDC extends the Kerberos protocol so that claims are transported in the Kerberos ticket and used to build the compound identity. The Windows Server 2012 KDC also adds support for Kerberos armoring, a flexible implementation of a secure tunnel that provides a protected channel between the Kerberos client and the KDC. Claims are stored in the Kerberos Privilege Attribute Certificate (PAC), and these features do not increase the token size.

After configuring user and device claims and resource properties, you protect files and folders through conditional expressions. A conditional expression evaluates user and device claims against constant values or against the value of a resource property. There are three ways to do this:

1. To cover only specific folders, use the Advanced Security Settings editor to create conditional expressions directly in the folder's security descriptor.

2. To cover some or all file servers, create central access rules and attach them to a central access policy object. Then apply the central access policy object to the file servers through Group Policy and configure the shares to use it. Central access policies are the most effective and appropriate way to protect files and folders.

3. When you manage access with DAC, use file classification to cover specific files that share a common set of attributes across different files or folders.


Both Windows Server 2012 and Windows 8 support one or more conditional expressions in a permission entry. Conditional expressions simply add another layer to the available permissions: the operating system must evaluate every conditional expression in the entry to true for the entry to grant access. For example, suppose you define a claim named Department sourced from the user's department attribute, and a Resource Property object also named Department. You can then define a conditional expression such that a user can access a folder only if the value of the user's Department claim equals the value of the Department property applied to the folder. Note: if the Department Resource Property object is not applied to a file or folder, or the department value is null, the user has permission to access the data.


Before deploying DAC, the servers must meet some prerequisites. Claims-based authorization requires the following infrastructure:

1. A Windows Server 2012 or later file server with the FSRM role service installed; the role must be installed on the file server hosting the managed resources before DAC can protect them. The file server hosting the share must run Windows Server 2012 in order to read the user claims and device authorization data from the Kerberos V5 ticket, translate the SIDs and claims in the ticket into an authentication token, and compare the authorization data in the token with the conditional expressions in the security descriptor.

2. At least one Windows Server 2012 domain controller to hold the central definitions of resource properties and policies. User claims do not require security groups. If you use user claims, at least one Windows Server 2012 DC that the file server can reach must exist in the user's domain, so that the file server can retrieve the claims on the user's behalf. If you use device claims, the client computers in the AD DS domain must run Windows 8; device claims can only be used on devices running Windows 8 or later.

Prerequisites for using claims:

1. For cross-forest claims, a Windows Server 2012 DC must be installed in each domain.

2. For device claims, you must have Windows 8 clients; earlier Windows operating systems do not support device claims.

User claims require at least one Windows Server 2012 DC, but not a Windows Server 2012 domain or forest functional level unless you want to use claims across a forest trust. You can keep or install Windows Server 2008 or 2008 R2 DCs in the domain and keep the 2008 or 2008 R2 domain and forest functional levels. But if you want to enable claims for users and devices through Group Policy, you must raise the domain and forest functional levels to Windows Server 2012.

After meeting the software requirements, you must enable KDC support for claims on the Windows Server 2012 domain controllers. Kerberos support for DAC provides the mechanism that carries user claims and device authorization information in the Windows authentication token; access checks on files and folders use this authorization information.

Lab environment:

LON-DC1: Windows Server 2012 R2, domain controller

LON-SVR1: Windows Server 2012 R2, member server

LON-CL1: Windows 8.1, domain client

LON-CL2: Windows 8.1, domain client


I. Preparing AD for DAC

Create an OU named DAC-Protected in AD and move LON-SVR1, LON-CL1 and LON-CL2 into it. Then open the Group Policy Management console, edit the Default Domain Controllers Policy, navigate to Computer Configuration > Policies > Administrative Templates > System > KDC, enable "KDC support for claims, compound authentication and Kerberos armoring" and set it to "Always provide claims". Refresh Group Policy on LON-DC1 when the setup is complete.

Create an OU named Users&Groups in AD, create a group named ManagerWKS in it and add LON-CL1 to that group. Create the users Manager and Research; set the department attribute of Manager to Managers and the department attribute of Research to Research.


II. Configuring user and device claims

Open the Active Directory Administrative Center on LON-DC1, navigate to Claim Types under the Dynamic Access Control node, right-click the empty area in the right pane and choose New > Claim Type.

In the Source Attribute list select department, change the Display Name to Company Department, check both User and Computer below, and add the suggested values Managers and Research.


III. Configuring resource properties and the resource property list

Navigate to Resource Properties and enable the Department and Confidentiality resource properties.

Double-click the Department property, click Add to the right of Suggested Values in the window that opens, and fill in the Add a suggested value window.


IV. Implementing file classification

Log on to LON-SVR1 and install File Server Resource Manager. Open File Server Resource Manager, expand the Classification Properties node under Classification Management, and note that the Department and Confidentiality resource properties enabled above now appear among the classification properties.

Under Classification Rules, create a new rule named Confidentiality with its scope set to C:\Docs. On the Classification tab select the Content Classifier, set the property to Confidentiality with the value High, and configure the string "secret" as the content to match. On the Evaluation Type tab select "Re-evaluate existing property values" and "Overwrite the existing value". After saving the rule, click "Run Classification With All Rules Now" in the Actions pane on the right. When the run finishes, check the classification properties of File1, File2 and File3 in turn: File3's Confidentiality is now High.
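The same classification step done with the FileServerResourceManager module, as an added example that is not part of the original post. It assumes it runs on LON-SVR1 with the FSRM role service installed, that the Confidentiality resource property (ID Confidentiality_MS) is already enabled in AD DS, that 3000 is the value ID of "High" in the predefined Confidentiality ordered list, and that the FSRM COM interface (Fsrm.FsrmClassificationManager with ClassificationRunningStatus and EnumFileProperties) is available for reading the results back; the three sample files are constructed here.

```powershell
# Added example, not code from the original post. Builds the lab's "Confidentiality"
# classification rule (section IV) with PowerShell instead of the FSRM console,
# runs all rules, and reads the resulting file properties back.
Import-Module FileServerResourceManager

# Constructed sample files standing in for the lab's File1..File3; only File3
# contains the keyword the rule looks for.
New-Item -ItemType Directory -Path 'C:\Docs' -Force | Out-Null
Set-Content -Path 'C:\Docs\File1.txt' -Value 'Lunch menu for Monday'
Set-Content -Path 'C:\Docs\File2.txt' -Value 'Meeting room booking'
Set-Content -Path 'C:\Docs\File3.txt' -Value 'Project X budget - secret'

# Pull the resource property definitions (Department_MS, Confidentiality_MS)
# from AD DS so they are available as classification properties on this server.
Update-FsrmClassificationPropertyDefinition

$rule = @{
    Name                    = 'Confidentiality'
    Namespace               = @('C:\Docs')            # scope of the rule
    ClassificationMechanism = 'Content Classifier'
    Property                = 'Confidentiality_MS'    # predefined AD DS property
    PropertyValue           = '3000'                  # assumed value ID of "High"
    ContentString           = 'secret'                # string the content must contain
    ReevaluateProperty      = 'Overwrite'             # re-evaluate and overwrite
}
New-FsrmClassificationRule @rule | Out-Null

# Equivalent of "Run Classification With All Rules Now". The job is queued, so
# poll the classification manager until it is no longer queued or running
# (FsrmReportRunningStatus: 1 = NotRunning, 2 = Queued, 3 = Running).
Start-FsrmClassification -Confirm:$false
$fsrm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
do {
    Start-Sleep -Seconds 5
} while ($fsrm.ClassificationRunningStatus -ne 1)

# Read each file's classification properties; only File3 should carry
# Confidentiality_MS = 3000 (High) after the run.
foreach ($file in Get-ChildItem -Path 'C:\Docs' -File) {
    # EnumFileProperties(path, options): 0 = FsrmGetFilePropertyOptions_None
    $props = $fsrm.EnumFileProperties($file.FullName, 0)
    $conf = ($props | Where-Object Name -eq 'Confidentiality_MS').Value
    if (-not $conf) { $conf = '<not set>' }
    '{0}: Confidentiality_MS = {1}' -f $file.Name, $conf
}
```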


V. Setting the classification property of the Research folder

Create a folder named Research on the C: drive of LON-SVR1 and set the folder's Department classification property to Research.


VI. Configuring central access rules

Open the Active Directory Administrative Center on LON-DC1, navigate to Central Access Rules under Dynamic Access Control, right-click the empty area on the right and choose New > Central Access Rule.

In the Create Central Access Rule window, enter the name Department Match and click the Edit button to the right of Target Resources.

Click Add a condition in the Central Access Rule window that opens; the two resource properties enabled earlier, Department and Confidentiality, can be selected as criteria.

Set the condition Resource - Department - Equals - Value - Research.

When the condition is set, go back to the Create Central Access Rule window, select "Use following permissions as current permissions" in the Permissions area, and click Edit on the right.

In the Advanced Security Settings window that opens, remove Administrators, then click Add and select Authenticated Users as the principal; grant it Modify, Read & execute, Read and Write. Click Add a condition below and add the condition User - Company Department - Equals - Resource - Department.

Return to the Central Access Rules panel and create a second rule named Access Confidential File. Add the condition Resource - Confidentiality - Equals - Value - High to its target resources, and again select "Use following permissions as current permissions".

Edit the permissions, remove Administrators, and grant Authenticated Users Modify, Read & execute, Read and Write. Add two conditions that check that the user belongs to the Managers department and that the computer belongs to the ManagerWKS group: User - Company Department - Member of each - Value - Managers, and Device - Group - Member of each - Value - ManagerWKS.



VII. Configuring the central access policies

Open the Active Directory Administrative Center on LON-DC1, navigate to Central Access Policies, create a new policy named Protect Confidential File and add the Access Confidential File rule created above to it.

Create a second central access policy named Department Match and add the previously created Department Match rule to it.
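The claim type, resource properties, central access rules and central access policies of sections II, III, VI and VII, built with the ActiveDirectory PowerShell module instead of the Active Directory Administrative Center; this is an added example, not code from the original post, and it also shows the SDDL form of the conditional expressions explained earlier. It assumes it runs on LON-DC1 as a domain admin, that the ManagerWKS group already exists, that the predefined resource property IDs are Department_MS and Confidentiality_MS, and that 3000 is the value ID of Confidentiality "High".

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

# II. Claim type "Company Department" for users and computers, sourced from the
#     AD DS 'department' attribute, with the two suggested values the lab uses.
$suggested = @('Managers', 'Research') | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, '')
}
$claim = New-ADClaimType -DisplayName 'Company Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user', 'computer') -SuggestedValues $suggested -PassThru
# The claim ID (ad://ext/department:<hex suffix>) is what conditional ACEs reference.
$userDept = $claim.ID

# III. Enable the predefined Department and Confidentiality resource properties
#      (disabled by default) and give Department the same suggested values.
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true -SuggestedValues $suggested

# VI. Central access rules. The permissions are an SDDL string of conditional ACEs
#     (XA = access allowed when the condition holds). 0x1301BF is the "Modify"
#     mask, which includes Read, Write and Read & execute; AU = Authenticated
#     Users. Administrators is not listed, as the lab removed it from the rule.
$deptMatchAcl = 'O:SYG:SYD:AR' +
    "(XA;;0x1301BF;;;AU;(@USER.$userDept == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name 'Department Match' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl $deptMatchAcl

# Users in the Managers department, logging on from a computer in ManagerWKS, get
# Modify on resources classified Confidentiality = High. The department claim is
# single-valued, so the ADAC "Member of each - Managers" condition is an equality
# test here; the device group test uses the group's SID.
$wksSid = (Get-ADGroup -Identity 'ManagerWKS').SID.Value
$confidentialAcl = 'O:SYG:SYD:AR' +
    "(XA;;0x1301BF;;;AU;((@USER.$userDept == `"Managers`") && " +
    "(Device_Member_of {SID($wksSid)})))"
New-ADCentralAccessRule -Name 'Access Confidential File' `
    -ResourceCondition '(@RESOURCE.Confidentiality_MS == 3000)' `
    -CurrentAcl $confidentialAcl

# VII. One central access policy per rule, ready to be published through the
#      DAC Policy GPO (section VIII) and selected on the Docs and Research folders.
New-ADCentralAccessPolicy -Name 'Protect Confidential File'
Add-ADCentralAccessPolicyMember -Identity 'Protect Confidential File' `
    -Members 'Access Confidential File'
New-ADCentralAccessPolicy -Name 'Department Match'
Add-ADCentralAccessPolicyMember -Identity 'Department Match' -Members 'Department Match'

# Read back the rules and policies so the conditions and ACLs can be verified
# before the policies are pushed to the file server.
Get-ADCentralAccessRule -Filter * | Format-List Name, ResourceCondition, CurrentAcl
Get-ADCentralAccessPolicy -Filter * | Format-List Name, Members
```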


VIII. Applying a central access policy to the file server

On LON-DC1, open the Group Policy Management console, create a GPO named DAC Policy linked to the DAC-Protected OU, and edit it. In the Group Policy Management Editor navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy, right-click it and choose Manage Central Access Policies.

Add the two central access policies created above.

When the setup is complete, run gpupdate /force on LON-SVR1 to refresh Group Policy. Then open the properties of Docs > Security > Advanced > Central Policy and apply the Protect Confidential File policy. Apply the Department Match policy to the Research folder in the same way.


IX. Verifying the results of the central access policies

First restart LON-CL1 and LON-CL2.

Log on to LON-CL1 as Manager and access the Docs and Research folders on LON-SVR1; then log on to LON-CL1 as Research and access the Research and Docs folders on LON-SVR1.

Then repeat the same actions on LON-CL2. The results are as follows:

Manager logged on to LON-CL1: access to Docs and its files succeeds.

Manager logged on to LON-CL1: access to the Research folder fails.

Research logged on to LON-CL1: access to File3 in Docs fails; File1 and File2 succeed.

Research logged on to LON-CL1: access to the Research folder succeeds.

Manager logged on to LON-CL2: access to File3 in Docs fails; File1 and File2 succeed.

Manager logged on to LON-CL2: access to the Research folder fails.

Research logged on to LON-CL2: access to File3 in Docs fails; File1 and File2 succeed.

Research logged on to LON-CL2: access to the Research folder succeeds.


X. Configuring access denied remediation

Open the Group Policy Management console, edit the DAC Policy GPO, navigate to Computer Configuration > Policies > Administrative Templates > System > Access-Denied Assistance, and enable "Customize message for Access Denied errors" and "Enable access-denied assistance on client for all file types". In the "Customize message for Access Denied errors" setting, enter the message you want to display to users and check "Enable users to request assistance".

Switch to LON-SVR1, refresh Group Policy, and check that the GPO was applied successfully with gpresult /h dac.html.

Log on to LON-CL1 as Manager and open the Research folder: the access-denied dialog shows the custom message we just configured in Group Policy, with a "Request assistance" button beneath it.

When you click Request assistance, a dialog box asks you to enter the reason for the access request. If a mail server is set up, the administrator and the folder owner receive the request by e-mail and then decide whether to grant the user access.






This article is from the "Dry Sea Sponge" blog, please be sure to keep this source http://thefallenheaven.blog.51cto.com/450907/1575253
