Dynamic Access Control: the file server, reimagined
Presented by Mark Minasi, help@minasi.com, @mminasi on twitter
contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!
Dynamic Access Control
o Big topic, arguably the biggest in Server 2012
o A new, fourth level of permissions
o Incorporates more information about the shared information, who's reading it, and what machine they're reading it from
o Builds in more troubleshooting information
o Affects auditing as well
o Should make it easier to use Windows security to address compliance issues
High-Level Benefits
o Finer grained, richer file server permissions: "only people with the title 'manager' can access 'secure' files in this share, provided they're on a machine on the 12th floor"
o More complex permissions, but a central way to build them and distribute them
o Security that considers not only who you are, but what machine you're trying to access from
o File classification systems to identify data that is "high importance," "private," "regulated" either through human intervention or automatic classification
High-Level Benefits (continued)
o Partially aimed at people trying to meet regulatory requirements
o Partially aimed at large orgs with lots of non-specialized "departmental admins"
o Does not require a complete move to Windows 8 and Server 2012
Approach
o There's a lot to absorb here, both from the point of view of new concepts and new skills
o So let me start this out with some examples to (with hope) make you interested enough to want to dig in
DAC Examples
"you can read these files if…"
o …you are a member of the Sales group and the Managers group
o …you are sitting on a machine in the Accountants group
o …the value of your "Title" in AD is "engineer"
o …the machine you're sitting at is in Building 23 (AD physical location info)
o …the files are classified "medical records" and you are a member of the "Doctors" group
DAC Joins Share and NTFS Perms
o DAC is a fourth level of "ACL": just as NTFS permissions interact with another set of permissions – sharing permissions – to determine your access, DAC joins the party
o And of course there are Windows Integrity Levels, although we don't use them much
o As with NTFS vs share differences, the most restrictive wins
DAC Appears in Two Places
o The simpler and easier-to-see manifestation of DAC is in a set of extensions to NTFS permissions
o They appear when a 2012 system is domain-joined
o They're easy to show and I'll be using them a lot
o DAC also appears as that fourth, separate level of permissions, and that is the DAC power
o The only way to get a "real" DAC permission is, as we'll see, via a group policy
New Concepts/Skills
o Creating permissions with "And's"
o Using the new Effective Access UI
o Understanding claims = AD attributes
o "Promoting" an attribute to a claim
o Adding claims in permissions
o Device claims
o Creating file classifications
o Classifying files by hand
o Building automatic file classifiers
New Concepts/Skills (continued)
o Creating central access rules
o Making central access policies from central access rules
o Applying central access rules
"And's" in Permissions
o Suppose you wanted to say, "only people who are a member of 'engineers' and 'Omaha plant employees' can access this share?"
o Answer, pre-2012? More groups
o How many groups are in your organization right now?
o Do you do "role-based management" of objects?
o Perhaps the phrase "token bloat" has some meaning…
Making "And" Work
o Again, it first appears as an extension to NTFS
o So it's easy to demonstrate
o Will work on any domain-joined machine
o Requires no group policy changes; try this:
o Create a folder, needn't share it
o Create two groups, two users
o Put one user in both, one user in just one
o Yank out all permissions but System & Administrators
o Create a new one in Advanced, condition = must be a "member of each" group
o Try out Effective Permissions
Our Opening Situation
o We've got a server that is domain-joined – you can't do any fancy permissions unless you're domain-joined
o We've got two users, Tom and Dick
o Tom is in the group McCoys
o Dick is in the groups McCoys and Hatfields
o I create a folder "myfolder" and yank out all ACEs except the ones for System and Administrators
o Opening up Advanced Security, I see this…
o Click Add…
o Now for the interesting part… click Add a condition
o In "Add Items," choose the two groups (the UI's not good at showing this)
o Choose the groups with this dialog box, and then the new permission will look like this; click OK/Apply and…
o New Permission
o Click "Effective Access" to try it out
o Note "include group membership" (what-if-ing) and "select device"
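The same "member of each group" ACE from the walkthrough above, built without the GUI: an added example, not from the deck, that writes the conditional ACE as SDDL with PowerShell. It assumes a domain-joined Server 2012 (or later) machine with the RSAT ActiveDirectory module, the deck's McCoys and Hatfields groups, and a folder C:\myfolder, run as an administrator.

```powershell
# Added example, not the deck's own code. Assumptions: domain-joined Server 2012+, RSAT ActiveDirectory
# module, groups McCoys and Hatfields exist, run elevated. Folder name is constructed for the demo.
Import-Module ActiveDirectory

$folder = 'C:\myfolder'
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Conditional ACEs refer to groups by SID, never by name.
$mccoys    = (Get-ADGroup -Identity 'McCoys').SID.Value
$hatfields = (Get-ADGroup -Identity 'Hatfields').SID.Value

# DACL in SDDL:
#   D:P                    protected: the folder stops inheriting ACEs (the deck's "yank out all permissions")
#   (A;OICI;FA;;;SY)       SYSTEM keeps Full Control, inherited by files (OI) and subfolders (CI)
#   (A;OICI;FA;;;BA)       Administrators keep Full Control
#   (XA;...;(cond))        callback (conditional) ACE: Authenticated Users get Read & Execute (0x1200a9)
#                          only when the token holds BOTH SIDs. Member_of {..} is the AND the slides
#                          describe; Member_of_any {..} would be the OR that plain groups already give you.
$sddl = "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)" +
        "(XA;OICI;0x1200a9;;;AU;(Member_of {SID($mccoys), SID($hatfields)}))"

# Replace only the DACL section, leaving owner/group untouched, then write it to the folder.
$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $folder -AclObject $acl

# Read it back, one ACE per line; the XA entry with its condition should be the last one.
(Get-Acl -Path $folder).Sddl -split '(?=\()'
```

With the deck's users, Effective Access should then show Dick (McCoys and Hatfields) with read access and Tom (McCoys only) with none.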
Next, Consider Claims
o Claims are assertions about someone, like "my title is 'Manager,'" or "my email is [email protected]"
o Claims come from AD attributes
o AD has 100+ attributes about user and machine accounts (title, description, physical location, etc.)
o DAC does not "see" any of them by default, but you can make them "visible" by making them "claim types"
o GUI tool is AD Admin Center
Making an AD Attribute a Claim
o Open ADAC
o On left, click "Dynamic Access Control"
o In center pane, right-click on Claim Types
o Choose New / Claim Type
o Choose an attribute in "Source Attribute"
o Choose User and/or Computer
o Add "Suggested Values" if you like
o Click OK on the bottom right
Promoting AD Attribs to Claims (screenshots)
o Example: Make "Office" a Claim Type
o Giving "Office" a Suggested Value (1) through (4)
Using Claims
o At this point, we could create another ACE: "authenticated users get Modify permission under the condition that their physicalDeliveryOfficeName = 'Pungo'"
o (* and % wildcards don't work, and case doesn't matter)
o You can set AD attributes in ADAC, with the PowerShell Set-ADUser command, or in ADSIEdit
o Here's a rule that says you need to have an "Office" value of "Pungo" to get access
o (don't try this yet, it won't work)
Creating a Claims-Based ACE (screenshot)
Using Claims (continued)
o You'll see that the drop-down next to Users, which only offered "Group" before, now also offers each claim, like "physicalDeliveryOfficeName" or "title"
o Ditto the drop-downs that offer values like "Pungo," but if you've created Suggested Values then that's all you're offered, and if no Suggested Values, you get a blank text field that you can populate… again no wild cards
o Try out Effective Access again, and the dialog has changed a bit
Here you see that now Effective Access lets me give Mark a claim for "what-if-ing"
How Does the File Server Know?
o So we have modified AD, and so our DCs know that
o But wait… we're working on a file server; why would its Security dialog box know all of a sudden that it should offer Title, PhysicalDeliveryOfficeName, "Pungo," "Manager," etc.?
o It doesn't… until you tell it
o Tool: a PowerShell command: Update-FsrmClassificationPropertyDefinition
o We'll see this again in DAC!
One More Thing for Claims…
o You've got to tell your DC to provide claims
o In Admin Templates / System / KDC, "KDC support for claims…," set it to "supported" on your DCs
o For all client systems, Admin Templates / System / Kerberos, "Kerberos client support…" set to Enabled
o Servers and clients need gpupdate then
o At this point, you can see your claims: whoami /claims
o (You have to log off/on to see them)
Seeing Claims and Setting Values (screenshots)
o We haven't enabled the Kerberos settings yet, so whoami can't help
o Another example, now that we've got everything enabled…
Is Using Claims Secure?
I mean, can't any user just change her title to "doctor?"
o AD attributes fall into several groups – passwords, phone & mail options, general, personal, public, RAS, account restrictions, user logon, Web info
o By default, users can only mess with phone/mail, web and "personal," which includes addresses, assistant, comment, honorific, various phone and fax numbers, office location, and picture
o So you're safe with other attributes, and you can always change the permissions
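The claim-promotion steps from the ADAC walkthrough (claim type, Set-ADUser, whoami /claims) together with the question this slide asks, done in PowerShell as an added example that is not from the deck: it creates the Title claim type, sets the test value, then checks whether the claim's source attribute is writable by the user herself by walking the user object's ACL for SELF WriteProperty entries. Assumptions: Server 2012 domain, RSAT ActiveDirectory module, run as a domain admin; Test-SelfWritableAttribute is a hypothetical helper written here, and tom, Title and Doctor are the deck's own test data.

```powershell
# Added example, not the deck's own code. Assumptions: Server 2012 domain, RSAT ActiveDirectory module,
# domain admin rights. User "tom", claim "Title" and value "Doctor" are the deck's test data.
Import-Module ActiveDirectory

# 1. Promote the AD attribute "title" to a user claim type with one suggested value
#    (the PowerShell form of the ADAC steps in "Making an AD Attribute a Claim").
if (-not (Get-ADClaimType -Filter 'DisplayName -eq "Title"')) {
    # Constructor arguments: value, display name, description
    $doctor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Doctor', 'Doctor', 'Medical staff')
    New-ADClaimType -DisplayName 'Title' -SourceAttribute 'title' -AppliesToClasses @('user') -SuggestedValues $doctor
}

# 2. Give the test user the value the claim will carry (the deck does this in ADAC or with Set-ADUser).
Set-ADUser -Identity 'tom' -Title 'Doctor'

# 3. The slide's security question: could the user have set that value herself?  Hypothetical helper:
#    look for an Allow ACE granted to SELF that carries WriteProperty either on all attributes
#    (empty ObjectType), on this attribute's own schema GUID, or on the property set it belongs to
#    (attributeSecurityGUID), since default AD permissions are granted per property set.
function Test-SelfWritableAttribute {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Attribute)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $schema = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $schema) { throw "No schema attribute named $Attribute" }

    $attrGuid  = [guid]$schema.schemaIDGUID
    $setGuid   = if ($schema.attributeSecurityGUID) { [guid]$schema.attributeSecurityGUID } else { [guid]::Empty }
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $dn  = (Get-ADUser -Identity $Identity).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"      # includes ACEs inherited from the OU and domain

    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or
         $_.ObjectType -eq $attrGuid -or
         ($setGuid -ne [guid]::Empty -and $_.ObjectType -eq $setGuid))
    })
    return ($hits.Count -gt 0)
}

# On a default schema "title" is not in a self-writable set; the slide lists "office location"
# (physicalDeliveryOfficeName, the deck's "Office" claim) among the personal attributes users CAN edit,
# so a claim built on it is only as trustworthy as that permission.
Test-SelfWritableAttribute -Identity 'tom' -Attribute 'title'
Test-SelfWritableAttribute -Identity 'tom' -Attribute 'physicalDeliveryOfficeName'

# 4. After the KDC and Kerberos client policies are enabled and the user logs on again,
#    the claim shows up in the token:
whoami /claims
```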
Now Your Workstation Counts, Too
o AD claims can be asserted both for user accounts and machine accounts
o Lets you control which machines users access your data from
o Ditto workstation group memberships
o Device claims are created the same way as user claims
File Classification
o Might be "sensitive," "contains personal data," "is a photograph" or anything you care about
o In more detail:
o You define classifications
o Files get classified either by someone digging into the file's property page (new "Classification" tab), or by a process that regularly scans folders looking for keywords and the like
o Both the classifications and the auto-classification scans are configured from the File Server Resource Manager (not installed by default)
How to Classify Files?
o Microsoft figured that they knew what classifications many people needed, so 16 classifications are pre-loaded in AD and you can enable them if you'd like
o In ADAC, under DAC, there's a section "Resource Properties"
o Enable a property, and that file property will appear in the Security dialog box and you'll be able to create classification-related ACEs
ADAC and DAC (screenshot)
Enabling an Existing Property
o Quite easy
o In ADAC, navigate to Dynamic Access Control
o Double-click on Resource Properties to display the currently-available ones
o Right-click the property you want to enable and choose Enable
o The property icon changes to show you that it's enabled
Choosing Two Built-in Properties (screenshot)
And Once You've Chosen Them…
o Their icon changes, but it's kind of subtle…
Tell the File Server
o The file server won't learn that the new file property is important until AD tells it
o Tell a file server about the resource properties with Update-FsrmClassificationPropertyDefinition
o Now they'll appear on "Classification" and as options in the ACE editor
o In my experience, you have to either close the Explorer window and reopen, or refresh the window (it seems to vary) for the file classification properties to appear in the Security UI and on a file's Properties page
Example ACE with Resources (screenshot)
How Do You Set a Property?
o We can now "classify" files and folders, which is how Immutable gets set to "yes" or "no"
o There's an automatic way, but first let's see the manual method
o Right-click a file or folder, choose Properties and there will be a new tab, "Classification"
Classification UI
Right-click any NTFS folder or file and you'll see the new "Classification" tab
If You Classify a Folder…
o Files created in the folder get the classification
o Move a file in from the same volume, and it doesn't get classified
o Copy a file from another volume, and it gets the folder classification (with Explorer, PowerShell copy, robocopy)
o If you modify a file, the classifications are not reset
Home-Grown Properties
making your own classifications
o Windows comes with a bunch of properties, but we can create our own
o It's in ADAC
o Under Resource Properties, click New / Resource Properties
o Give it a name, types of values, and suggested values
o Update-FsrmClassificationPropertyDefinition
Automatic Classification
o Microsoft offers a sort of basic automated classifier tool
o Lets you tell the tool to look at a folder and examine its contents, matching them either to a particular string or a regular expression, with a PoSH script, or just changing everything in a folder wholesale
o The tool is in the File Server Resource Manager (FSRM)
o Here's a very simple one for Scary Stuff
o Open FSRM, click "Classification Management," "Classification Rules," "Create Classification…"
Create the Rule (1), (2), (3) (screenshots)
"Content Classifier" means "match a given string or a regular expression"; click this to specify what to look for
Specifying Expression to Match (screenshot)
Re-Evaluation Rules (screenshot)
Apply the Rule
Run this and all of the frightening stuff is immediately marked
FSRM Classification Report (screenshots)
When You Run the Classifier…
o By default, anything currently classified, whether by hand or automatically, is ignored: no scan
o This is true even if a file has changed since the last scan
o Alternatively you can choose (as we saw) to re-evaluate all files
o In my experience if you have been classified and you drop out of the rule, the classifier never "de-classifies" you from "yes" to "no" or from "yes" to "none"
Regular Expression Example
o Create a rule that looks inside a folder to find files that contain SSNs
o The rule will basically say, "if you find a file that contains nnn-nn-nnnn where the n's are all digits, then set HasSSN to 'Yes'"
o Same process as before, but choose Regular Expression and enter this text:
o \d{3}-\d{2}-\d{4}
When Does it Happen?
o You can make a rule run from FSRM, as we've seen
o In Classification Management / Classification Rules, click on the rule, then look in the "Actions" pane, choose "Run classification with all rules now…" or
o Start-FsrmClassification
o When you're trying this, remember that the UI can be a bit slow in updating changes in status… relax, hit refresh, wait a few secs!
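The classification pipeline from "Home-Grown Properties" through "Regular Expression Example" and this slide, as one added PowerShell example that is not the deck's own code: create the HasSSN property in AD, sync it to the file server, build the regex content-classifier rule, run it with Start-FsrmClassification and read each file's result back. Assumptions: run on the Server 2012 file server with the FSRM role service and the RSAT ActiveDirectory module, as a domain admin; C:\stuff and its two sample files are constructed for the demo; reading a file's property uses the FSRM COM object Fsrm.FsrmClassificationManager, which the deck does not cover.

```powershell
# Added example, not the deck's own code. Assumptions: Server 2012 file server with the FSRM role service
# and RSAT ActiveDirectory module, domain admin rights. Folder and files are constructed test data.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

# 1. Home-grown Yes/No resource property in AD (the ADAC "New / Resource Properties" step), added to
#    the global list so file servers receive it.
$hasSsn = Get-ADResourceProperty -Filter 'DisplayName -eq "HasSSN"'
if (-not $hasSsn) {
    $hasSsn = New-ADResourceProperty -DisplayName 'HasSSN' -ResourcePropertyValueType 'MS-DS-YesNo' `
                                     -IsSecured $true -PassThru
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $hasSsn
}

# 2. Make THIS file server learn the property (the deck's update-fsrmclassificationpropertydefinition
#    step); the FSRM definition's Name is the AD property's ID, its DisplayName is the friendly name.
Update-FsrmClassificationPropertyDefinition
$def = Get-FsrmClassificationPropertyDefinition | Where-Object { $_.DisplayName -eq 'HasSSN' }
if (-not $def) { throw 'HasSSN did not arrive from AD; check the global resource property list' }

# 3. Constructed test data: one file with an SSN-shaped number, one without.
$folder = 'C:\stuff'
New-Item -Path $folder -ItemType Directory -Force | Out-Null
Set-Content -Path "$folder\hr-notes.txt"   -Value 'Applicant SSN 123-45-6789 is on file.'
Set-Content -Path "$folder\lunch-menu.txt" -Value 'Tuesday: tacos. Call 555-0100 to order.'

# 4. Content-classifier rule with the deck's regular expression. ReevaluateProperty Overwrite is the
#    "re-evaluate all files" choice from the Re-Evaluation Rules slide; the default (Never) skips files
#    that already carry a value, even if they changed since the last scan.
$ruleName = 'Find SSNs'
if (-not (Get-FsrmClassificationRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name $ruleName -Namespace @($folder) `
        -ClassificationMechanism 'Content Classifier' `
        -ContentRegularExpression @('\d{3}-\d{2}-\d{4}') `
        -Property $def.Name -PropertyValue 'Yes' -ReevaluateProperty Overwrite
}

# 5. Run all rules now (suppress the confirmation prompt) and wait for the job rather than the UI,
#    which the deck warns lags behind.
Start-FsrmClassification -Confirm:$false
Start-Sleep -Seconds 5
while ((Get-FsrmClassification).Status -eq 'Running') { Start-Sleep -Seconds 5 }

# 6. Read the property back per file through the FSRM COM API (assumption: this API, not a cmdlet).
function Get-FileClassificationValue([string]$Path, [string]$PropertyName) {
    $mgr = New-Object -ComObject Fsrm.FsrmClassificationManager
    try   { $mgr.GetFileProperty($Path, $PropertyName, 0).Value }
    catch { '(not set)' }     # GetFileProperty throws when the file carries no such property
}
Get-ChildItem -Path $folder -File | ForEach-Object {
    '{0,-16} HasSSN = {1}' -f $_.Name, (Get-FileClassificationValue $_.FullName $def.Name)
}
```

Only hr-notes.txt should come back with HasSSN = Yes; lunch-menu.txt stays unset because, as the slide notes, a non-matching file is simply left alone rather than set to No.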
Back to the Big Picture
Won't this be too complex for most admins?
o Clearly setting up this stuff will be more complex
o But the good news is that you can create any of the policies I just imagined and store them in AD
o They are called "central access policies"
o Those policies can then be applied by a local admin, and thus can be kept consistent
Contrived but Complete Example
o We're now ready to move from the NTFS-ish DAC examples to a more "complete" and centrally deployable set of examples
o We'll use a simple example that (I think) showcases the new stuff – AD claims and file resources
o Let's say that we want a central access rule that says: if a file's marked "Immutable=Yes," then you must have "Title=Doctor" to access it
o Then we'll deploy it
Central Access Rules and Policies: overview
o First, you build one or more central access rules (CARs); you build them in ADAC (or, in theory, ADSI Edit; the ActiveDirectory PowerShell module's New-ADCentralAccessRule does the same job from a script)
o Then you join one or more CARs to create a central access policy (CAP), and again you do it in ADAC
o You then create a group policy object that contains that CAP (or CAPs)
o Deploy that GPO to a file server
o Then go to the server and apply the CAP to the folder behind the share
To Follow Along…
o If you want to try this out:
o I built a domain controller called DC1
o Created a folder named c:\stuff
o Set its NTFS permissions to Everyone: Full Control
o Set share perms to Everyone: Full Control (deliberately wide open, so that the CAP is the only thing restricting access; effective access is share permissions AND NTFS permissions AND the CAP)
o Created a standard user
o Elevated the AD "title" attribute to a claim, with a suggested value of "Doctor"
o Gave the standard user the title "Doctor"
o Enabled the built-in "Immutable" resource property, then updated the file server's property definitions (Update-FSRMClassificationPropertyDefinition)
o Created some files in c:\stuff with Immutable=Yes
o Verified that the user can dir \\dc1\stuff
More Specific Task List
o Create central access rule "Titles Matter"
o Target it at files with Immutable=Yes
o Set permissions with the condition Title=Doctor
o Create CAP "Protect Immutable"
o Add CAR "Titles Matter" to it
o Create GPO "DAC Example," link it to the domain
o Add CAP "Protect Immutable" to the GPO (the GPO carries the policy, not the rule)
o Update policies on the file server (gpupdate /force)
o From the c:\stuff Security dialog, apply the CAP
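The overview and task list above describe the whole build in ADAC and GPMC. Here is the same procedure as PowerShell, an example added here rather than taken from the deck: the AD half uses the ActiveDirectory module (run it on DC1 or from RSAT as a domain admin), the file-server half uses FSRM and the folder's security descriptor (run it elevated on the file server). Assumptions, all marked in the comments and not from the slides: the test user is "stduser", the sample file is C:\stuff\chart.txt, the built-in Immutable property's ID is Immutable_MS, the claim type is created with the ID ad://ext/Title so that it appears as @USER.ad://ext/Title in the conditional ACE, the CAP object exposes its SID as PolicyID, and the FSRM classification COM ProgID is Fsrm.FsrmClassificationManager. Check each of those in your forest before relying on it; the easiest cross-check is to build one rule in ADAC and read its CurrentAcl back with Get-ADCentralAccessRule.

```powershell
# Added example: the "Titles Matter" CAR and "Protect Immutable" CAP from the
# walkthrough, built from PowerShell instead of ADAC. Not from the deck.
Import-Module ActiveDirectory

# 1. Elevate the AD "title" attribute to a user claim, with "Doctor" as a
#    suggested value. The explicit ID keeps the conditional ACE below readable
#    (without -ID, AD appends a random suffix; assumption, verify with Get-ADClaimType).
$doctor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
              -ArgumentList @('Doctor', 'Doctor', 'Physicians')
New-ADClaimType -DisplayName 'Title' -ID 'ad://ext/Title' -SourceAttribute 'title' `
    -SuggestedValues $doctor -Enabled $true

# 2. Enable the built-in Yes/No "Immutable" resource property (ID assumed to be
#    Immutable_MS; confirm with Get-ADResourceProperty -Filter *).
Set-ADResourceProperty -Identity 'Immutable_MS' -Enabled $true

# 3. Give the test user (assumed name) the claim value.
Set-ADUser -Identity 'stduser' -Title 'Doctor'

# 4. The CAR. Target resources: files whose Immutable property is Yes.
#    Permissions: a conditional ACE (XA) granting Read & Execute (0x1200a9) to
#    Authenticated Users (AU) only when the Title claim equals "Doctor".
#    OW/BA/SY keep the owner and admins from being locked out by the rule.
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
              '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Title == "Doctor"))'
New-ADCentralAccessRule -Name 'Titles Matter' `
    -ResourceCondition '(@RESOURCE.Immutable_MS == "Yes")' `
    -CurrentAcl $currentAcl

# 5. The CAP, with the CAR as its one member.
New-ADCentralAccentPolicyPlaceholder = $null  # (no-op; see next two lines)
New-ADCentralAccessPolicy -Name 'Protect Immutable'
Add-ADCentralAccessPolicyMember -Identity 'Protect Immutable' -Members 'Titles Matter'

# 6. Publish. The GPO setting (Computer Configuration > Policies > Windows
#    Settings > Security Settings > File System > Central Access Policy) has no
#    AD cmdlet, so add the CAP to the GPO in GPMC, then on the file server:
#       gpupdate /force
#       Update-FSRMClassificationPropertyDefinition   # pulls Immutable_MS down from AD

# 7. Stamp a file Immutable=Yes through the FSRM classification COM API
#    (ProgID and method assumed; the GUI equivalent is the file's Classification tab).
$cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
$cm.SetFileProperty('C:\stuff\chart.txt', 'Immutable_MS', 'Yes')

# 8. Apply the CAP to C:\stuff. The supported route is the Central Policy tab in
#    Advanced Security Settings; what that tab writes is a scoped-policy (SP) ACE
#    in the SACL carrying the CAP's SID (assumption; confirm on the tab afterwards).
$capId = (Get-ADCentralAccessPolicy -Identity 'Protect Immutable').PolicyID
$acl   = Get-Acl -Path 'C:\stuff' -Audit
$sacl  = $acl.GetSecurityDescriptorSddlForm('Audit')
if ($sacl -notlike 'S:*') { $sacl = 'S:' }          # empty SACL comes back without the prefix
$acl.SetSecurityDescriptorSddlForm($sacl + "(SP;OICI;;;;$capId)", 'Audit')
Set-Acl -Path 'C:\stuff' -AclObject $acl

# 9. Check from the file server: the Doctor should still see the file, a user
#    without the claim should not. Effective Access in the Security dialog lets
#    you evaluate both, including the Title claim, without logging on as them.
```

Line 5's placeholder assignment is harmless, but delete it if you paste this into a script; it is only there to keep the numbered steps aligned with the slide's task list. The order matters: the claim type and resource property must exist in AD before the CAR references them, and the file server must have refreshed both Group Policy and its FSRM property definitions before the Central Policy tab will list "Protect Immutable".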
Central Access Rules and Policies: finding them
o They are both sections in Active Directory Administrative Center, under the "Dynamic Access Control" node in the left-hand column
o Right-click Central Access Rules or Central Access Policies and choose New
o Give it a name
Where To Make the Conditions
o As I've said, this CAR will have two conditions, but the UI is somewhat different from what we've seen so far
o The resource-related condition (Immutable=Yes) goes in what the CAR UI calls "Target Resources"
o The user-related condition (Title=Doctor) goes just below that, under "Permissions"
o First, add the resource condition by clicking "Edit" in the "Target Resources" section
Creating a Resource Condition
o Click "Add a condition" to tell the CAR that it will apply only to files of a particular type
Creating a Resource Condition
o The drop-downs look like the ones we've seen so far, but the far left-hand one offers only "Resource," not "Device" or "User"
o Click OK to finish this part
The Resource Condition is Visible
o You can see the new condition back in the main page for the new CAR:
Create the User Condition
o We've configured the "this affects Immutable=Yes files" part; now let's add the "… and they can only be accessed by people with the title 'Doctor'" part
o To do that, click "Edit" in "Current Permissions"
This Part Should Look Familiar
As before, click "Add a condition"
As Should This One…
A CAR is Born
o You can see the rules in this screen crop; click OK and you have a CAR
Next, Create the CA Policy
o Again, CAPs are next to CARs in AD Admin Center
o Right-click "Central Access Policies," choose New, and you get a new blank policy
o I'll call this one "Protect Immutable," and all I've got to do is name it and insert its one rule, "Titles Matter"
Making a CAP
o To add a CAR, click the "Add…" button
Adding a CAR
o Just use the >> and << buttons to include the CAR or CARs, then click OK
The new CAP
Deploy/Publish the CAP
o The only way to make a CAP useful is to publish it to servers, which makes it easy for local admins to choose and apply it to their shares
o Windows does that by having you create a GPO with a setting that points to the CAP
o So next we create a GPO and link it to the domain, OU or whatever
o Look in the GPO under Computer Configuration / Policies / Windows Settings / Security Settings / File System / Central Access Policy
Installing the CAP in the GPO
o Right-click the Central Access Policy folder, choose "Manage Central Access Policies…" and choose the desired CAP or CAPs
Deploy the GPO
o To see and use the CA policy on a file server, ensure that it got the DAC-related GPO (gpupdate /force, or wait for the next refresh)
o Then open the Advanced Security Settings dialog for the shared folder
o In addition to Permissions, Share, Auditing and Effective Access, you'll have a new tab, "Central Policy"
o Click it and you'll see "No Central Access Policy," but click the "Change" link next to the UAC shield and you'll be able to see and apply "Protect Immutable"
CAP Installed
Testing CAPs
o CARs and CAPs are complex, so it's easy to mess them up
o That's why there's a provision to stage proposed permissions alongside the current ones
o They don't actually take effect, but they log what would have happened, provided you've got object auditing enabled and SACLs on the folder(s) concerned
o Check "Enable permission staging configuration" in the CAR to use this
Using the Staged Permissions
o Enable object auditing (File System, plus the Central Access Policy Staging subcategory)
o Set SACLs on the folder/files
o Try to access them as a user who can now, but won't be able to later
o Look in the Security log for event 4818 (the proposed central access policy grants different access than the current one)
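The four staging steps above, as PowerShell; this is an added example, not code from the deck. It stages a stricter rule on the "Titles Matter" CAR, switches on the two audit pieces that event 4818 depends on, and reads the staging events back. Run the first block with the ActiveDirectory module, the rest in an elevated PowerShell on the file server. It assumes the CAR and the ad://ext/Title claim from the earlier walkthrough exist, that the folder is C:\stuff, and that the auditpol subcategory names are the ones `auditpol /list /subcategory:*` prints on your build (both assumptions, not from the slides).

```powershell
# Added example: stage a proposed ACL and harvest 4818 events. Not from the deck.
Import-Module ActiveDirectory

# 1. Proposed ACL: same shape as the current one, but read access now requires
#    Title == "Surgeon". The Doctor user can read today and could not under this
#    ACL, which is exactly the difference staging reports. Nothing changes for real.
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
            '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Title == "Surgeon"))'
Set-ADCentralAccessRule -Identity 'Titles Matter' -ProposedAcl $proposed
Get-ADCentralAccessRule -Identity 'Titles Matter' |
    Select-Object Name, CurrentAcl, ProposedAcl

# 2. On the file server: both audit subcategories plus a SACL on the folder.
#    Without all three, staging is evaluated but never written to the log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable
$acl  = Get-Acl -Path 'C:\stuff' -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
            -ArgumentList @('Everyone', 'ReadData', 'ContainerInherit,ObjectInherit',
                            'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path 'C:\stuff' -AclObject $acl
gpupdate /force    # CAP/CAR definitions are cached on the server; refresh them

# 3. Have the Doctor user read a file (dir \\dc1\stuff from a client), then list
#    the staging events: one 4818 per access where proposed and current differ.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20 |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
```

If step 3 returns nothing, check the three preconditions in order: the CAR really has a ProposedAcl (step 1's Select-Object shows it), the Central Policy Staging subcategory shows "Success and Failure" in `auditpol /get /category:"Object Access"`, and the folder's Auditing tab shows the Everyone entry. A missing SACL is the usual culprit, because the staging evaluation is only logged for accesses that the object-access SACL already audits.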
Sample 4818
Thanks for Coming!
o My Server 2012 class (two days) and my PowerShell class (one day) are coming to San Francisco July 15-17 2013, info at www.minasi.com
o Newsletters there also
o Contact me at [email protected]