CTE Solutions – Dynamic Access Control Webinar (12 December 2016)
Transcript of CTE Solutions- Dynamic Access Control Webinar
Windows Server 2012
DYNAMIC ACCESS CONTROL
YOUR PRESENTER
Gérald F. Tessier
Senior Trainer at CTE Solutions, Inc. Training for 18 years; working in IT since '89.
MCSA: Windows Server 2008, MCSE: Security, MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
WHAT PROBLEM IS DAC TRYING TO SOLVE?
ACCESS CONTROL, AS WE KNOW IT
TRADITIONAL APPROACH
AGLP
AGDLP
[Diagram: directory service admins maintain the global groups (G-Sales, G-Marketing, G-Engineering, G-SalesManagers, HRrocks); resource admins nest them into domain local groups (L-MarketingPrinterUsers, L-SalesDocAuthors, L-EngineeringDBEditors), and the domain local groups carry the permissions (Print, Read, Write, Create).]
UPDATE GLOBAL GROUPS
G-BloodServicesTechnicians
DILIGENCE, PERSEVERANCE, ADHERENCE
• Special Assignments
• Changing Business
• Legal Requirements
• Resource Evolution
DECENTRALIZED & DELEGATED?
G-CanadaEngineeringUsers
ProjectX
L-ProjectXAdmins
G-CanadaProjectXEngineeringUsers
G-CanadaProjectXFinanceUsers
G-CanadaProjectXSalesUsers
• 500 Projects
• 100 Countries
• 10 Divisions
500 × 100 × 10 = 500 000 Groups (one group for every project, country and division combination)
PROCESS INTEGRATION, ANYONE?
IT / HR
HOW MANY GROUPS DO YOU HAVE?
1000?
10000?
100000?
DYNAMIC ACCESS CONTROL
• CAP
• File Classifications
• Claims
• Remediation
IN A NUTSHELL
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
UNDERSTANDING EXPRESSIONS
ALLOW MODIFY IF MEMBEROF(PROJECTX) AND MEMBEROF(CANADA) AND MEMBEROF(ENGINEERING)
• 500 Projects
• 100 Countries
• 10 Divisions
500 + 100 + 10 = 610 Groups (one group per project, one per country and one per division; the expression combines them at access-check time instead of pre-combining them into one group per project, country and division)
PART 1: FILE CLASSIFICATION INFRASTRUCTURE
AUTOMATED CLASSIFICATION
[Diagram: File Classification Infrastructure (FCI) flow. Resource Property Definitions feed the in-box content classifier or a 3rd-party classification plugin; the classifier sees the modified or created file, matches the file to policy and saves the classification; a File Management Task can then RMS-encrypt the file based on that classification.]
MANUAL CLASSIFICATION
PART 2:CENTRAL ACCESS POLICIES
CAP
EXPRESSION-BASED ACCESS POLICY
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
CAP SELECTION
CAP RULES
CENTRAL ACCESS RULES
Classifications on the file being accessed: Department = Engineering; Sensitivity = High

Permission Type | Target Files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE
Share | (all) | Everyone: Full | Full | Full | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read
Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify
Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed] | [rule ignored – not processed] | [rule ignored – not processed]
NTFS | (all) | FTE: Modify; Vendors: Read | Modify | Read | Modify
Effective Rights | | | Modify | None | Read

Rule 3 targets Dept=Sales, so it is not evaluated for this Engineering file; every rule that does target the file must allow the access, and the result is then combined with the share and NTFS permissions, the most restrictive winning.
STAGING POLICY
User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low
Current Central Access Policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso
Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
SAMPLE STAGING EVENT (4818)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
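The following is an added example written for this transcript; it is not code from the webinar or from Microsoft. It models the access check the expression, Central Access Rules and staging slides above describe: a rights set for share, NTFS and each Central Access Rule, rules whose "Applies to" condition does not match the file's classification being ignored, the CAP allowing only what every applicable rule allows (and restricting nothing when no rule applies), and effective rights being the intersection of the three layers. It then compares the current and staged high-impact rules for a constructed "alice" the way event 4818 does. The four rights bits, the group memberships, the claim values and the "groups" claim that carries security groups are all assumptions made for the example, and the `member_of`/`claim` helpers stand in for SDDL conditional ACEs.

```python
"""Dynamic Access Control (Windows Server 2012) as set arithmetic: effective rights are
share AND NTFS AND Central Access Policy (CAP); a staged CAP is compared the way event
4818 does. Added example for this transcript, not Microsoft code; all data is constructed."""
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_perms"
FULL = frozenset({READ, WRITE, DELETE, CHANGE_PERMS})
MODIFY = frozenset({READ, WRITE, DELETE})
READ_ONLY = frozenset({READ})
NAMES = {FULL: "Full", MODIFY: "Modify", READ_ONLY: "Read", frozenset(): "None"}
Request = Dict[str, Dict[str, object]]  # {"user": claims, "device": claims, "resource": properties}
Condition = Callable[[Request], bool]
Ace = Tuple[Condition, FrozenSet[str]]  # (condition, rights granted when it holds)
Rule = Tuple[str, Condition, List[Ace]]  # (name, "Applies to" resource condition, ACEs)

def rights_name(rights: FrozenSet[str]) -> str:
    """Label a rights set the way the slide table does."""
    return NAMES.get(rights, ",".join(sorted(rights)))

def request(user: Dict[str, object], resource: Dict[str, object]) -> Request:
    return {"user": user, "device": {}, "resource": resource}

def member_of(group: str) -> Condition:
    """Classic group ACE; the user's security groups travel in an assumed "groups" claim."""
    return lambda r: group in r["user"].get("groups", ())

def claim(scope: str, name: str, value: object) -> Condition:
    """Expression term such as @User.Company == "Contoso" or @Resource.Impact == "High"."""
    return lambda r: r[scope].get(name) == value

EVERYONE: Condition = lambda r: True

def acl_access(aces: List[Ace], req: Request) -> FrozenSet[str]:
    """Share and NTFS ACLs grant the union of every ACE whose condition holds."""
    return frozenset().union(*(rights for cond, rights in aces if cond(req)))

def rule_grant(rule: Rule, req: Request) -> Optional[FrozenSet[str]]:
    """None when the rule does not target this file; such a rule is ignored, not applied."""
    _, target, aces = rule
    return acl_access(aces, req) if target(req) else None

def cap_access(rules: List[Rule], req: Request) -> FrozenSet[str]:
    """Every rule that targets the file must allow a right for the CAP to allow it;
    when no rule targets the file the CAP restricts nothing."""
    applicable = [g for g in (rule_grant(r, req) for r in rules) if g is not None]
    return FULL.intersection(*applicable)

def effective_access(share: List[Ace], ntfs: List[Ace], rules: List[Rule], req: Request) -> FrozenSet[str]:
    """Effective rights = share AND NTFS AND CAP: the most restrictive layer wins."""
    return acl_access(share, req) & acl_access(ntfs, req) & cap_access(rules, req)

# Data from the "Central Access Rules" slide; group memberships are constructed.
SHARE = [(EVERYONE, FULL)]
NTFS = [(member_of("FTE"), MODIFY), (member_of("Vendors"), READ_ONLY)]
CAP_RULES = [
    ("Rule 1: Engineering Docs", claim("resource", "Department", "Engineering"),
     [(member_of("Engineering"), MODIFY), (EVERYONE, READ_ONLY)]),
    ("Rule 2: Sensitive Data", claim("resource", "Sensitivity", "High"), [(member_of("FTE"), MODIFY)]),
    ("Rule 3: Sales Docs", claim("resource", "Department", "Sales"), [(member_of("Sales"), MODIFY)]),
]
ENGINEERING_FILE = {"Department": "Engineering", "Sensitivity": "High"}
PRINCIPALS = {"Engineering FTE": {"groups": {"Engineering", "FTE"}},
              "Engineering Vendor": {"groups": {"Engineering", "Vendors"}},
              "Sales FTE": {"groups": {"Sales", "FTE"}}}

def rule_results(user: Dict[str, object]) -> Dict[str, str]:
    """One table row per rule; a rule whose target does not match shows as ignored."""
    req = request(user, ENGINEERING_FILE)
    rows = {}
    for rule in CAP_RULES:
        g = rule_grant(rule, req)
        rows[rule[0]] = "[rule ignored - not processed]" if g is None else rights_name(g)
    return rows

def effective_rights_table() -> Dict[str, str]:
    """The "Effective Rights" row of the slide for the three principals."""
    return {who: rights_name(effective_access(SHARE, NTFS, CAP_RULES, request(u, ENGINEERING_FILE)))
            for who, u in PRINCIPALS.items()}

# Staging: current and proposed high-impact rules from the "Staging Policy" slide.
HIGH_IMPACT = claim("resource", "Impact", "High")
CONTOSO = claim("user", "Company", "Contoso")
CONTOSO_HIGH_CLEARANCE: Condition = lambda r: CONTOSO(r) and claim("user", "Clearance", "High")(r)
CURRENT_HBI = [("HBI Rule", HIGH_IMPACT, [(CONTOSO, FULL)])]
PROPOSED_HBI = [("HBI Rule", HIGH_IMPACT, [(CONTOSO_HIGH_CLEARANCE, FULL)])]
FINANCE_REPORT = {"Department": "Finance", "Impact": "High"}

def staging_report(user: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Like event 4818: report only when the proposed CAP differs from the current one."""
    req = request(user, FINANCE_REPORT)
    current = effective_access(SHARE, NTFS, CURRENT_HBI, req)
    proposed = effective_access(SHARE, NTFS, PROPOSED_HBI, req)
    if current == proposed:
        return None
    return {"current": rights_name(current), "proposed": rights_name(proposed),
            "lost": ",".join(sorted(current - proposed))}

if __name__ == "__main__":
    print(effective_rights_table(), rule_results(PRINCIPALS["Engineering Vendor"]))
    print(staging_report({"groups": {"FTE"}, "Company": "Contoso", "Clearance": "Med"}))
```

Running it reproduces the slide's Effective Rights row (Modify / None / Read) and shows why the Engineering Vendor ends with None: Rule 2 targets the file and grants the vendor nothing, so no share or NTFS grant can rescue the access. For the staging case, an FTE from Contoso with Med clearance drops from Modify to None under the proposed rule and would produce a 4818-style report, while the same user with High clearance produces none, which is exactly the signal to look for before switching a staged policy to enforcement.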
Presentation has been recorded and will be made available on skydrive
Official Microsoft Courses Available: 20410 - Installing and Configuring Windows Server 2012; 20411 - Administering Windows Server 2012; 20412 - Configuring Advanced Windows Server 2012 Services
Contact Gerry – [email protected]
Connect with CTE on Twitter - @CTESolutions
THANK YOU FOR YOUR PARTICIPATION!