1 / 40

Module 11

Module 11. Implementing Secure Shared File Access . Module Overview. Overview of DAC Implementing DAC Components Implementing DAC for Access Control Implementing Access Denied Assistance Implementing and Managing Work Folders Implementing Workplace Join. Lesson 1: Overview of DAC.

fairly
Download Presentation

Module 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 11 Implementing Secure Shared File Access

  2. Module Overview • Overview of DAC Implementing DAC Components Implementing DAC for Access Control Implementing Access Denied Assistance Implementing and Managing Work Folders Implementing Workplace Join

  3. Lesson 1: Overview of DAC • Limitations of Current Access Management Methods What Is DAC? What Are Claims? What Are Resource Properties? Accessing Resources with DAC Requirements for DAC Implementation

  4. Limitations of Current Access Management Methods • NTFS file system permissions and ACLs provide access control that is based on a user’s SID or group membership SID • AD RMS provides greater protection for documents by controlling how applications use them, and also works with user or group SID • NTFS file system permissions cannot use AND between conditions • In NTFS file system permissions, you cannot build your own conditions for access control

  5. What Is DAC? • DAC in Windows Server 2012 is a new access control mechanism for file system resources. • DAC uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries • DAC is designed for four scenarios: • Central access policy for managing access to files • Auditing for compliance and analysis • Protecting sensitive information • Access-denied remediation

  6. What Are Claims? • The claimis something that AD DS states about a specific object • In the DAC infrastructure, claims are defined by using specific attributes from a user or device • In Windows Server 2012, the authorization mechanism is extended to support conditional expressionsthatincludeclaims • In Windows Server 2012, you can create: • User claims • Device claims

  7. What Are Resource Properties? • Resource Properties define attributes of the resource that you want to use • Resource Properties are grouped in Resource Property lists • When creating a Resource Property, you can specify the property type and the allowed or suggested values

  8. Accessing Resources with DAC File Server AD DSAdmin Enable domain to issue claims User attempts to logon Receives a Kerberos ticket AD DS User

  9. Requirements for DAC Implementation To implement DAC, you need to have: • Windows Server 2012 or newer with the FSRM • Update AD DS schema, or at least one Windows Server 2012 domain controller • Windows 8 or newer later on clients to use device claims • Enabled support for DAC in AD DS (default domain controllers GPO)

  10. Lesson 2: Implementing DAC Components • Creating and Managing Claims Creating and Managing Resource Properties and Resource Property Lists Creating and Managing Access Control Rules Creating and Managing Access Policies Demonstration: Configuring Claims, Resource Properties, and Rules Implementing and Managing File Classifications Demonstration: Configuring Classification Rules

  11. Creating and Managing Claims • Use the Active Directory Administrative Center to create attribute-based claims • Use the Active Directory module for Windows PowerShell to create certificate-based claims • Claims are stored within the configuration partition in AD DS • Attributes are used to source values for claims • Make sure that you configure attributes for your computer and user accounts in AD DS with the information that is correct for respective user or computer

  12. Creating and Managing Resource Properties and Resource Property Lists • Resource Properties describe resources that you protect with DAC • Several Resource Properties are already predefinedin Windows Server 2012 • All predefined Resource Properties are disabled • When creating a new Resource Property, you have to set its name, and value type • In Windows Server 2012 R2, you also can create Reference Resource Properties • Resource Properties are grouped in Resource Property Lists

  13. Creating and Managing Access Control Rules • A Central Access Rule, contains one or multiple criteria that the Windows operating system uses when evaluating access • You create and configure central access rules in the Active Directory Administrative Center • To create a new central access rule you should: • Provide a name and description for the rule • Configure the target resources • Configure permissions

  14. Creating and Managing Access Policies • Central access policies enable you to manage and deploy consistent authorization throughout an organization • The main component of a central access policy is a central access rule • Central access policies act as a security net that an organization applies across its servers • Group Policy is usedto deploy a central access policy • Manually apply the policies to all Windows Server 2012 file servers

  15. Demonstration: Configuring Claims, Resource Properties, and Rules In this demonstration, you will learn how to configure claims, resource properties, and access rules

  16. Implementing and Managing File Classifications • Resource Property definitions are defined in AD DS • Resource Property definitions can be used during file classifications • File classifications can be run automatically

  17. Demonstration: Configuring Classification Rules In this demonstration, you will learn how to classify files by using a file classification mechanism

  18. Lesson 3: Implementing DAC for Access Control • Planning Central Access Policies for File Servers Demonstration: Creating and Deploying Central Access Policies How Does Access Check Work When DAC Is in Use? Managing and Monitoring DAC Demonstration: Evaluating and Managing DAC

  19. Planning Central Access Policies for File Servers When planning deployment of central access policies, you should: • Identify the resources that you want to protect • Define the authorization policies • Translate the authorization policies that you require into expressions • Identify attributes for access filtering

  20. Demonstration: Creating and Deploying Central Access Policies In this demonstration, your instructor will showyou how to create and deploy central access policy

  21. How Does Access Check Work When DAC Is in Use? Sharesecurity descriptor Share permissions Active Directory (cached in local registry) File/Foldersecurity descriptor Cached central access policy definition Central access policy reference Cached central access rule Cached central access rule NTFS file system permissions Cached central access rule Access control decision Access check – Share permissions if applicable Access check – File permissions Access check – Every matching central access rule in central access policy

  22. Managing and Monitoring DAC • DAC allows you to test a central access policy update by staging it • Windows Server 2012 staging: • Is implemented by deploying proposed permissions • Compares the proposed permissions against the current permissions • Causes audit-log events to appear in the security log on the file server Current Central Access policy for high impact data Applies to: @File.Impact = High Allow | Full Control | if @User.Company=Contoso Staging policy Applies to:@File.Impact = High Allow | Full Control | if (@User.Company=Contoso) AND (@User.Clearance =High)

  23. Demonstration: Evaluating and Managing DAC In this demonstration, you will learn how to evaluate and manage DAC

  24. Lesson 4: Implementing Access Denied Assistance • What Is Access Denied Assistance? Configuring Access Denied Assistance Demonstration: Implementing Access Denied Assistance

  25. What Is Access Denied Assistance? • On file server: • Specify troubleshooting text for access denied • Specify owner’s email for share or folder • Access attempt: • User is denied access, sees troubleshooting text or device-state troubleshooting • User can request access via email • Data owner or helpdesk: • Owner receives user’s request • Use effective permissions UI to decide appropriate actions • Can forward request to IT admin DataOwner User FileServer

  26. Configuring Access Denied Assistance • When implementing Access Denied Assistance: • Define messages that users will receive when they attempt to access resources • Determine whether users should be able to send a request for access • Determine recipients for the access-request email messages • Consider target operating systems • Use Group Policy to enable and configure Access Denied Assistance • Decide about the method for remediation

  27. Demonstration: Implementing Access Denied Assistance In this demonstration, your instructor will show you how to configure and implement Access Denied Assistance

  28. Lesson 5: Implementing and Managing Work Folders • What Are Work Folders? Configuring Work Folders Demonstration: Implementing Work Folders

  29. What Are Work Folders? • Work Folders enable users to access business data securely at any location and on any device • Work Folders are managed by administrators • Currently supported on Windows 8.1 devices, and support also is planned for iOS-based devices

  30. Configuring Work Folders To use Work Folders, you should: • Have at least one Windows Server 2012 R2 file server • Have at least one Windows Server 2012 R2 domain controller • InstallWork Folders functionality on file server • Provision a share where users’ data will be stored • RunNew Sync Share Wizard to create Work Folders structure • Configure clients to use Work Folders by using Group Policy or manually

  31. Demonstration: Implementing Work Folders In this demonstration, you will learn how to implement Work Folders

  32. Lesson 6: Implementing Workplace Join • Scenarios for Using Workplace Join How Workplace Join Works Configuring Workplace Join Registering and Enrolling Devices

  33. Scenarios for Using Workplace Join • BYOD concept allows users to use their private devices to do their work • Connecting non-domain, non-managed devices to company networks and resources can pose a security risk • Technology is needed to provide users with flexibility while maintaining security • Windows Server 2012 R2 provides Workplace Join technology

  34. How Workplace Join Works • Workplace Joined devices become known devices to AD DS • Known devicesstore a subset of their attributes in AD DS • Device Registration Service provisions a device object in AD DS and issues a certificate to known devices • Users on known devices have an SSO experience • Windows Server 2012 R2 with AD FS roleservice is needed • Windows 8.1 client operating system or iOS-based devices are supported • DRS can be published externally by using Web Application Proxy

  35. Configuring Workplace Join To enable Workplace Join, you need to: • Create the appropriate Group Managed Serviceaccount • Install and configure the AD FS role service • Enable DRS • Enable device authentication in AD FS • Install an SSL certificate on the federation server • Createthe appropriate recordsin your DNS

  36. Registering and Enrolling Devices • To enroll a device in the Workplace-Join process, ensure following: • The device trusts the certificate on thefederation server • The device can access at least one certificate revocation list distributionpoint • Record enterpriseregistration is accessible by the device being Workplace-Joined • On Windows 8.1, use the Workplace option • On iOS-based devices, use web-based enrollment with profile installation

  37. Lab: Implementing Secure File Access • Exercise 1: Preparing for DAC Deployment Exercise 2: Implementing DAC Exercise 3: Validating and Remediating DAC Exercise 4: Implementing Work Folders Logon Information Virtual machines: 10969A-LON-DC1 10969A-LON-DC2 10969A-LON-SVR1 10969A-LON-SVR2 10969A-LON-CL1 10969A-LON-CL2 User name: Adatum\Administrator Password: Pa$$w0rd Estimated Time: 110 minutes

  38. Lab Scenario • You are working as an administrator at A. Datum Corporation. The company has a wide and complex file server infrastructure. It manages access control to folder shares by using NTFS file system ACLs, but in some cases, that approach does not provide the desired results. • Most of the files used by departments are stored in shared folders dedicated to specific departments, but confidential documents sometimes appear in other shared folders. Only members of the Research team should be able to access Research team folders, and only Executive department managers should be able to access highly confidential documents. • The Security department also is concerned that managers are accessing files by using their home computers, which might not be highly secure. Therefore, you must create a plan for securing documents regardless of where they are located, and you must ensure that documents can be accessed from authorized computers only. Authorized computers for managers are members of the security group ManagersWks. • The Support department reports that a high number of calls are generated by users who cannot access resources. You must implement a feature that helps users understand error messages better and will enable them to request access automatically. • Quite a few users use personal devices such as tablets and laptops to work from home and at work. You have to provide them with an efficient way to synchronize business data on all the devices that they use.

  39. Lab Review • How do file classifications enhance the usage of DAC? Can you implement DAC without Central Access Policy?

  40. Module Review and Takeaways • Review Questions Tools Best Practice Common Issues and Troubleshooting Tips

More Related