DESCRIPTION
Slides from the live webinar on October 18th, 2012. Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so do their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role in assisting with the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only part of the equation. Granting authorized access, while minimizing the effort of doing so, is the tricky part. Microsoft's new Dynamic Access Control capability, built into Windows Server 2012, greatly improves Compliance and leverages Data Leakage Prevention to enable Data Governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an access control technology that improves on standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists. If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ
Windows Server 2012
DYNAMIC ACCESS CONTROL
YOUR PRESENTER
Gérald F. Tessier
Senior Trainer at CTE Solutions, Inc. Training for 18 years; working in IT since '89.
MCSA: Windows Server 2008, MCSE: Security, MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
WHAT PROBLEM IS DAC TRYING TO SOLVE?
ACCESS CONTROL, AS WE KNOW IT
TRADITIONAL APPROACH
A G L P (Accounts are placed in Global groups, Global groups in Local groups, and Local groups receive Permissions)
A G DL P (Accounts, Global groups, Domain Local groups, Permissions)
DIRECTORY SERVICE ADMINS manage accounts and global groups: HRrocks, G-Sales, G-Marketing, G-Engineering
RESOURCE ADMINS manage local groups and permissions: global groups G-Marketing, G-Engineering, G-Sales and G-SalesManagers are nested in local groups L-MarketingPrinterUsers, L-SalesDocAuthors and L-EngineeringDBEditors, which carry the permissions (Print, Read, Write, Create; Read, Write)
UPDATE GLOBAL GROUPS
G-BloodServicesTechnicians
DILIGENCE, PERSEVERANCE, ADHERENCE
• Special Assignments
• Changing Business
• Legal Requirements
• Resource Evolution
DECENTRALIZED & DELEGATED?
Global group G-CanadaEngineeringUsers is nested in the local group L-ProjectXAdmins to grant access to ProjectX.
As delegation grows, a global group appears for every combination of country, project and division: G-CanadaProjectXEngineeringUsers, G-CanadaProjectXFinanceUsers, G-CanadaProjectXSalesUsers, each alongside L-ProjectXAdmins.
• 500 Projects
• 100 Countries
• 10 Divisions
= 500 000 Groups
PROCESS INTEGRATION, ANYONE?
IT and HR
HOW MANY GROUPS DO YOU HAVE?
1000?
10000?
100000?
DYNAMIC ACCESS CONTROL
Building blocks: Claims, File Classifications, Central Access Policies (CAP), Remediation
IN A NUTSHELL
Expression based access conditions
  Flexible access control lists based on document classification and multiple identities (security groups).
  Centralized access control lists using Central Access Policies.
Expression based auditing
  Targeted access auditing based on document classification and user identity.
  Centralized deployment of audit policies using Global Audit Policies.
Data Classification
  Classify your documents using resource properties stored in Active Directory.
  Automatically classify documents based on document content.
Encryption
  Automatic RMS encryption based on document classification.
UNDERSTANDING EXPRESSIONS
ALLOW MODIFY IF MEMBEROF (PROJECTX) AND MEMBEROF (CANADA) AND MEMBEROF (ENGINEERING)
• 500 Projects
• 100 Countries
• 10 Divisions
610 Groups
PART 1: FILE CLASSIFICATION INFRASTRUCTURE
AUTOMATED CLASSIFICATION
Resource Property Definitions (stored in Active Directory)
FCI (File Classification Infrastructure): sees the modified / created file, classifies it with the in-box content classifier or a 3rd party classification plugin, and saves the classification
File Management Task: matches the file to policy and applies the action, e.g. RMS encrypt
MANUAL CLASSIFICATION
PART 2: CENTRAL ACCESS POLICIES (CAP)
EXPRESSION-BASED ACCESS POLICY
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
CAP SELECTION
CAP RULES
CENTRAL ACCESS RULES
Classifications on file being accessed: Department = Engineering; Sensitivity = High

Permission Type          Target Files       Permissions                          Engineering FTE   Engineering Vendor   Sales FTE
Share                    -                  Everyone: Full                       Full              Full                 Full
CAR 1: Engineering Docs  Dept=Engineering   Engineering: Modify; Everyone: Read  Modify            Modify               Read
CAR 2: Sensitive Data    Sensitivity=High   FTE: Modify                          Modify            None                 Modify
CAR 3: Sales Docs        Dept=Sales         Sales: Modify                        [rule ignored – not processed]
NTFS                     -                  FTE: Modify; Vendors: Read           Modify            Read                 Modify
Effective Rights                                                                 Modify            None                 Read
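As an added worked example (not code from the deck or from Microsoft), the following Python models how the share ACL, the NTFS ACL and the applicable Central Access Rules above combine into the effective rights in the table, and also evaluates the policy from the EXPRESSION-BASED ACCESS POLICY slide as a conditional ACE over user, device and file claims. The permission levels, user names and the high-impact Finance file are constructed, and "Modify" stands in for the slide's Read, Write.

```python
# Model of how Dynamic Access Control derives effective rights: share ACL, NTFS
# ACL and each applicable Central Access Rule are evaluated separately and the
# most restrictive result wins. Constructed data; not Microsoft's code.
LEVELS = ["None", "Read", "Modify", "Full"]  # increasing order of access

def acl_grant(acl, user, ctx):
    """Highest level from an ACE covering the user whose claim condition holds."""
    best = "None"
    for principal, level, *cond in acl:
        if principal != "Everyone" and principal not in user["groups"]:
            continue
        if cond and not cond[0](ctx):  # expression-based ACE over claims
            continue
        if LEVELS.index(level) > LEVELS.index(best):
            best = level
    return best

def effective_rights(share_acl, ntfs_acl, rules, file_props, user, device=None):
    """Rules whose target expression does not match the file are not processed."""
    ctx = {"user": user, "file": file_props, "device": device or {}}
    result = {"Share": acl_grant(share_acl, user, ctx),
              "NTFS": acl_grant(ntfs_acl, user, ctx)}
    for name, target, acl in rules:
        if all(file_props.get(k) == v for k, v in target.items()):
            result[name] = acl_grant(acl, user, ctx)
    result["Effective"] = min(result.values(), key=LEVELS.index)
    return result
# The slide's share, NTFS, rules, file classification and three users.
SHARE = [("Everyone", "Full")]
NTFS = [("FTE", "Modify"), ("Vendors", "Read")]
RULES = [("Rule 1: Engineering Docs", {"Department": "Engineering"},
          [("Engineering", "Modify"), ("Everyone", "Read")]),
         ("Rule 2: Sensitive Data", {"Sensitivity": "High"}, [("FTE", "Modify")]),
         ("Rule 3: Sales Docs", {"Department": "Sales"}, [("Sales", "Modify")])]
FILE = {"Department": "Engineering", "Sensitivity": "High"}
USERS = {"Engineering FTE": {"groups": {"Engineering", "FTE"}},
         "Engineering Vendor": {"groups": {"Engineering", "Vendors"}},
         "Sales FTE": {"groups": {"Sales", "FTE"}}}

def effective_table():
    """Effective right per user on FILE (Rule 3 is skipped for this file)."""
    return {u: effective_rights(SHARE, NTFS, RULES, FILE, p)["Effective"]
            for u, p in USERS.items()}
# The slide's expression-based policy: applies to @File.Impact = High, allow
# if (@User.Department == @File.Department) AND (@Device.Managed == True).
HIGH_IMPACT = [("High Impact", {"Impact": "High"}, [("Everyone", "Modify",
    lambda c: c["user"].get("Department") == c["file"].get("Department")
              and c["device"].get("Managed") is True)])]

def high_impact_access(user, device):
    f = {"Department": "Finance", "Impact": "High"}  # constructed resource
    return effective_rights(SHARE, SHARE, HIGH_IMPACT, f, user, device)["Effective"]
```

Calling effective_table() reproduces the Effective Rights row (Modify, None, Read), and high_impact_access shows that a Finance user on an unmanaged device, or an HR user on a managed one, is denied by the claim condition alone.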
STAGING POLICY
User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low
Current Central Access Policy for high impact data
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company == Contoso
Staging policy
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
SAMPLE STAGING EVENT (4818)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR “HBI Rule”
    ReadAttributes: NOT Granted by CAR “HBI Rule”
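As an added example (not Microsoft's code or the deck's), this Python evaluates the current and the staging policy from the STAGING POLICY slide side by side and reports every access whose outcome would change, which is the condition Windows records as security event 4818 while the current policy continues to enforce. The accounts bob and carol, the Memo.txt object and the policy_grants/stage helpers are constructed; alice and FinanceReport.xls come from the sample event above.

```python
# Staging a Central Access Policy: evaluate the proposed policy next to the
# current one for each access and report each differing outcome (the way
# security event 4818 does) without changing what is enforced.
# Constructed example using the slide's claims; not Microsoft's code.
CURRENT = {"applies_to": {"Impact": "High"},
           "allow": lambda u: u["Company"] == "Contoso"}
PROPOSED = {"applies_to": {"Impact": "High"},
            "allow": lambda u: u["Company"] == "Contoso" and u["Clearance"] == "High"}

def policy_grants(policy, user, resource):
    """True when the policy's condition grants Full Control, or when the policy
    does not target the resource and therefore imposes no restriction."""
    if any(resource.get(k) != v for k, v in policy["applies_to"].items()):
        return True
    return bool(policy["allow"](user))

def stage(current, proposed, accesses):
    """One record per access whose result under the proposed policy differs."""
    events = []
    for user, resource in accesses:
        cur = policy_grants(current, user, resource)
        new = policy_grants(proposed, user, resource)
        if cur != new:
            events.append({"account": user["name"], "object": resource["name"],
                           "current": cur, "proposed": new})
    return events

# Constructed sample accesses; the report path is the one in the sample event.
REPORT = {"name": r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls",
          "Department": "Finance", "Impact": "High"}
MEMO = {"name": r"C:\FileShare\Finance\Memo.txt", "Department": "Finance", "Impact": "Low"}
ACCESSES = [
    ({"name": "alice", "Company": "Contoso", "Clearance": "Med"}, REPORT),
    ({"name": "bob", "Company": "Contoso", "Clearance": "High"}, REPORT),
    ({"name": "carol", "Company": "Fabrikam", "Clearance": "High"}, REPORT),
    ({"name": "alice", "Company": "Contoso", "Clearance": "Med"}, MEMO),
]

def staging_events():
    """Differences the staging run would log before the policy is promoted."""
    return stage(CURRENT, PROPOSED, ACCESSES)
```

Only alice on the high-impact report shows up: she is granted today but would be denied by the added Clearance test, while the low-impact memo is outside both policies' scope.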
Presentation has been recorded and will be made available on skydrive
Official Microsoft Courses Available: 20410 - Installing and Configuring Windows Server 2012; 20411 - Administering Windows Server 2012; 20412 - Configuring Advanced Windows Server 2012 Services
Contact Gerry – [email protected]
Connect with CTE on Twitter - @CTESolutions
THANK YOU FOR YOUR PARTICIPATION!