
Page 1: Dynamic Access Control: the file server, reimagined

Presented by Mark Minasi, help@minasi.com, @mminasi on twitter

Contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!

Page 2: Dynamic Access Control

o Big topic, arguably the biggest in Server 2012

o A new, fourth level of permissions

o Incorporates more information about the shared information, who's reading it, and what machine they're reading it from

o Builds in more troubleshooting information

o Affects auditing as well

o Should let Windows security address compliance issues more effectively

Page 3: High-Level Benefits

o Finer grained, richer file server permissions: "only people with the title 'manager' can access 'secure' files in this share, provided they're on a machine on the 12th floor"

o More complex permissions, but a central way to build them and distribute them

o Security that considers not only who you are, but what machine you're trying to access from

o File classification systems to identify data that is "high importance," "private," "regulated" either through human intervention or automatic classification

Page 4: High-Level Benefits

o Partially aimed at people trying to meet regulatory requirements

o Partially aimed at large orgs with lots of non-specialized "departmental admins"

o Does not require a complete move to Windows 8 and Server 2012

Page 5: Approach

o There's a lot to absorb here, both from the point of view of new concepts and new skills

o So let me start this out with some examples to (with hope) make you interested enough to want to dig in

Page 6: DAC Examples

"you can read these files if…"

o …you are a member of the Sales group and the Managers group

o …you are sitting on a machine in the Accountants group

o …the value of your "Title" in AD is "engineer"

o …the machine you're sitting at is in Building 23 (AD physical location info)

o …the files are classified "medical records" and you are a member of the "Doctors" group

Page 7: DAC Joins Share and NTFS Perms

o DAC is a fourth level of "ACL": just as NTFS permissions interact with another set of permissions – sharing permissions – to determine your access, DAC joins the party

o And of course there are Windows Integrity Levels, although we don't use them much

o As with NTFS vs share differences, the most restrictive wins

Page 8: DAC Appears in Two Places

o The simpler and easier-to-see manifestation of DAC is in a set of extensions to NTFS permissions

o They appear when a 2012 system is domain-joined

o They're easy to show and I'll be using them a lot

o DAC also appears as that fourth, separate level of permissions, and it is the DAC power

o The only way to get a "real" DAC permission is, as we'll see, via a group policy

Page 9: New Concepts/Skills

o Creating permissions with "And's"

o Using the new Effective Access UI

o Understanding claims = AD attributes

o "Promoting" an attribute to a claim

o Adding claims in permissions

o Device claims

o Creating file classifications

o Classifying files by hand

o Building automatic file classifiers

Page 10: New Concepts/Skills

o Creating central access rules

o Making central access policies from central access rules

o Applying central access rules

Page 11: "And's" in Permissions

o Suppose you wanted to say, "only people who are a member of 'engineers' and 'Omaha plant employees' can access this share"?

o Answer, pre-2012? More groups

o How many groups are in your organization right now?

o Do you do "role-based management" of objects?

o Perhaps the phrase "token bloat" has some meaning…

Page 12: Making "And" Work

o Again, it first appears as an extension to NTFS

o So it's easy to demonstrate

o Will work on any domain-joined machine

o Requires no group policy changes; try this

o Create a folder, needn't share it

o Create two groups, two users

o Put one user in both, one user in just one

o Yank out all permissions but System & Admins

o Create a new one in Advanced, condition = must be a "member of each" group

o Try out Effective Permissions

Page 13: Our Opening Situation

o We've got a server that is domain-joined – you can't do any fancy permissions unless you're domain-joined

o We've got two users, Tom and Dick

o Tom is in group McCoys

o Dick is in groups McCoys and Hatfields

o I create a folder "myfolder" and yank out all ACEs except the ones for System and Administrators

o Opening up Advanced Security, I see this…

Page 14: Click Add…

Page 15: Now for the interesting part… click Add a condition

Page 16: In "Add Items," choose the two groups (the UI's not good at showing this)

Page 17: Choose the groups with this dialog box:

And then the new permission will look like this:

Click OK/Apply and …

Page 18: New Permission

Page 19: Click "Effective Access" to try it out

Page 20: Note "include group membership" (what-if-ing), "select device"
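The "member of each" permission built through the Advanced Security dialog on pages 12 to 20, written instead from PowerShell as an added example (not code from the deck): the same conditional ACE expressed in SDDL. It assumes a domain-joined Server 2012 or later with the ActiveDirectory module, the McCoys and Hatfields groups from page 13, and a placeholder folder path.

```powershell
# Added example (not from the slides): the "member of each group" permission
# built in the Advanced Security dialog, applied instead as an SDDL conditional
# ACE from PowerShell. Assumes a domain-joined Server 2012 or later with the
# ActiveDirectory module; groups McCoys and Hatfields exist; $Folder is a placeholder.
Import-Module ActiveDirectory

$Folder = 'C:\myfolder'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Conditional ACEs reference SIDs, not names, so resolve the groups first.
$groupSids = 'McCoys', 'Hatfields' | ForEach-Object { (Get-ADGroup -Identity $_).SID.Value }

# Member_of {SID(a), SID(b)} is true only when the token holds ALL listed SIDs,
# which is what the dialog calls "Member of each"; Member_of_Any is the OR form.
$sidList   = ($groupSids | ForEach-Object { "SID($_)" }) -join ', '
$condition = "Member_of {$sidList}"

# D:P               protected DACL: no inherited ACEs ("yank out all permissions")
# (A;OICI;FA;;;SY)  SYSTEM keeps Full Control, inherited by files and subfolders
# (A;OICI;FA;;;BA)  Administrators keep Full Control
# (XA;...;AU;(...)) callback-allow ACE: Modify (0x1301BF) for Authenticated Users,
#                   granted only while the condition in parentheses is true
$sddl = "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(XA;OICI;0x1301BF;;;AU;($condition))"

$acl = Get-Acl -Path $Folder
# Replace only the DACL section; owner, group and SACL stay as they were.
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $Folder -AclObject $acl

# Read it back: Tom (McCoys only) fails the condition, Dick (McCoys and Hatfields) passes.
(Get-Acl -Path $Folder).Sddl
```

Running Effective Access on the folder afterwards gives the same Tom/Dick result as the dialog-built version, which is the quickest way to confirm the SDDL round-tripped correctly.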

Page 21: Next, Consider Claims

o Claims are assertions about someone, like "my title is 'Manager,'" or "my email is [email protected]"

o Claims come from AD attributes

o AD has 100+ attributes about user and machine accounts (title, description, physical location, etc.)

o DAC does not "see" any of them by default, but you can make them "visible" by making them "claim types"

o GUI tool is AD Admin Center

Page 22: Making an AD Attribute a Claim

o Open ADAC

o On left, click "Dynamic Access Control"

o In center pane, right-click on Claim Types

o Choose New / Claim Type

o Choose an attribute in "Source Attribute"

o Choose User and/or Computer

o Add "Suggested Values" if you like

o Click OK on the bottom right

Page 23: Promoting AD Attribs to Claims

Page 24: Example: Make "Office" a Claim Type

Page 25: Giving "Office" a Suggested Value (1)

Page 26: Giving "Office" a Suggested Value (2)

Page 27: Giving "Office" a Suggested Value (3)

Page 28: Giving "Office" a Suggested Value (4)

Page 29: Using Claims

o At this point, we could create another ACE: "authenticated users get Modify permission under the condition that their physicalDeliveryOfficeName = 'Pungo'"

o (* and % wildcards don't work, and case doesn't matter)

o You can set AD attributes in ADAC, with the PowerShell Set-ADUser command, or in ADSIEdit

o Here's a rule that says you need to have an "Office" value of "Pungo" to get access

o (don't try this yet, it won't work)

Page 30: Creating a Claims-Based ACE

Page 31: Using Claims

o You'll see that the drop-down next to Users, which only offered "Group" before, now also offers each claim, like "physicalofficedeliverylocation" or "title"

o Ditto the drop-downs that offer values like "Pungo," but if you've created Suggested Values then that's all you're offered, and if no Suggested Values, you get a blank text field that you can populate… again no wild cards

o Try out Effective Access again, and the dialog has changed a bit

Page 32: Here you see that now Effective Access lets me give Mark a claim for "what if-ing"

Page 33: How Does the File Server Know?

o So we have modified AD, and so our DCs know that

o But wait… we're working on a file server; why would its Security dialog box know all of a sudden that it should offer Title, PhysicalDeliveryOfficeName, "Pungo," "Manager," etc?

o It doesn't… until you tell it

o Tool: a PowerShell command: Update-FSRMClassificationPropertyDefinition

o We'll see this again in DAC!

Page 34: One More Thing for Claims…

o You've got to tell your DC to provide claims

o In Admin Templates / System / KDC, "KDC support for claims…," set it to "supported" on your DCs

o For all client systems, Admin Templates / System / Kerberos, "Kerberos client support…" set to Enabled

o Servers and clients need gpupdate then

o At this point, you can see your claims: whoami /claims

o (You have to log off/on to see them)

Page 35: Seeing Claims and Setting Values

We haven't enabled the Kerberos settings yet, so whoami can't help

Another example, now that we've got everything enabled…

Page 36: (screenshot, no text)
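The claim-type work on pages 21 to 35 as one scripted, added example (not the deck's own code): promote "title" to a claim, set a user's attribute, switch on claims support through Group Policy, pull the definitions down to the file server, and write a Title-based ACE. It assumes DC1 also hosts the share, the ActiveDirectory, GroupPolicy and FileServerResourceManager modules, two pre-existing GPOs whose names are placeholders, and registry values that are my understanding of what the two policy settings write.

```powershell
# Added example, not from the slides: claims end to end, with cmdlets in place of ADAC
# and the GPO editor. Assumptions: run on DC1 (which also hosts C:\stuff), with the
# ActiveDirectory, GroupPolicy and FileServerResourceManager modules; the GPOs named
# below already exist and are linked (DC GPO to Domain Controllers, client GPO to the
# domain); registry paths/values are my understanding of the two policy settings.
Import-Module ActiveDirectory, GroupPolicy, FileServerResourceManager

# 1. Promote the AD "title" attribute to a user claim type with one suggested value.
#    "title" is not in the Personal Information set users may edit themselves
#    (page 37); an attribute that is, such as office, needs its write permission
#    restricted before a claim built on it can be trusted.
$doctor = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Doctor', 'Doctor', 'Physician')
$claim = New-ADClaimType -DisplayName 'Title' -SourceAttribute 'title' `
    -AppliesToClasses @('user') -SuggestedValues $doctor -Enabled $true -PassThru
$claim.ID   # the generated ID (ad://ext/Title:<hex>) is the name ACE conditions use

# 2. Set the source attribute on a user (page 29: ADAC, Set-ADUser or ADSIEdit).
Set-ADUser -Identity 'standarduser' -Title 'Doctor'

# 3. Page 34: DCs must issue claims, clients must request them. "KDC support for
#    claims..." = Supported and "Kerberos client support..." = Enabled, as registry
#    policy values (1 = on; CbacAndArmorLevel 1 = "Supported").
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$krbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name 'DC Claims Support' -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'DC Claims Support' -Key $kdcKey -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Client Claims Support' -Key $krbKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# 4. Page 33: the file server only learns about claim types when told.
gpupdate /force
Update-FSRMClassificationPropertyDefinition

# 5. The page 29/30 ACE in SDDL: Modify for Authenticated Users only when the Title
#    claim equals "Doctor" (no wildcards; the comparison is case-insensitive).
$sddl = "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(XA;OICI;0x1301BF;;;AU;(@USER.$($claim.ID) == ""Doctor""))"
$acl = Get-Acl -Path 'C:\stuff'
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path 'C:\stuff' -AclObject $acl

# 6. After the user logs off and on again, the claim is visible in the token:
whoami /claims
```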

Page 37: Is Using Claims Secure?

I mean, can't any user just change her title to "doctor"?

o AD attributes fall into several groups – passwords, phone & mail options, general, personal, public, RAS, account restrictions, user logon, Web info

o By default, users can only mess with phone/mail, web and "personal," which includes addresses, assistant, comment, honorific, various phone and fax numbers, office location, and picture

o So you're safe with other attributes, and you can always change the permissions

Page 38: Now Your Workstation Counts, Too

o AD claims can be asserted both for user accounts and machine accounts

o Lets you control which machines users access your data from

o Ditto workstation group memberships

o Device claims are created as with user claims

Page 39: File Classification

o Might be "sensitive," "contains personal data," "is a photograph" or anything you care about

o In more detail:

o You define classifications

o Files get classified either by someone digging into the file's property page (new "Classification" tab), or by a process that regularly scans folders looking for keywords and the like

o Both the classifications and the auto-classification scans are configured from the File Server Resource Manager (not installed by default)

Page 40: How to Classify Files?

o Microsoft figured that they knew what classifications many people needed, so 16 classifications are pre-loaded in AD and you can enable them if you'd like

o In ADAC, under DAC, there's a section "Resource Properties"

o Enable a property, and that file property will appear in the Security dialog box and you'll be able to create classification-related ACEs

Page 41: ADAC and DAC

Page 42: Enabling an Existing Property

o Quite easy

o In ADAC, navigate to Dynamic Access Control

o Double-click on Resource Properties to display the currently-available ones

o Right-click the property you want to enable and choose Enable

o The property icon changes to show you that it's enabled

Page 43: Choosing Two Built-in Properties

Page 44: And Once You've Chosen Them…

o Their icon changes, but it's kind of subtle…

Page 45: Tell the File Server

o The file server won't learn that the new file property is important until AD tells it

o Tell a file server about the resources with Update-FSRMClassificationPropertyDefinition

o Now they'll appear on "Classification" and as options in the ACE editor

o In my experience, you have to either close the Explorer window and reopen, or refresh the window (it seems to vary) for the file classification properties to appear in the Security UI and on a file's Properties page

Page 46: Example ACE with Resources

Page 47: How Do You Set a Property?

o We can now "classify" files and folders, which is how Immutable gets set to "yes" or "no"

o There's an automatic way, but first let's see the manual method

o Right-click a file or folder, choose Properties and there will be a new tab, "Classification"

Page 48: Classification UI

Right-click any NTFS folder or file and you'll see the new "Classification" tab

Page 49: If You Classify a Folder…

o Files created in the folder get the classification

o Move a file in from the same volume, it doesn't classify

o Copy a file from another volume, it gets the folder classification (with Explorer, PowerShell copy, robocopy)

o If you modify a file, the classifications are not reset

Page 50: Home-Grown Properties (making your own classifications)

o Windows comes with a bunch of properties, but we can create our own

o It's in ADAC

o Under Resource Properties, click New / Resource Properties

o Give it a name, types of values, and suggested values

o Update-FSRMClassificationPropertyDefinition

Page 51: (screenshot, no text)

Page 52: Automatic Classification

o Microsoft offers a sort of basic automated classifier tool

o Lets you tell the tool to look at a folder and examine its contents, matching them either to a particular string or a regular expression, with a PoSH script, or just changing everything in a folder wholesale

o The tool is in the File Server Resource Manager (FSRM)

o Here's a very simple one for Scary Stuff

o Open FSRM, click "Classification Management," "Classification Rules," "Create Classification…"

Page 53: Create the Rule (1)

Page 54: Create the Rule (2)

Page 55: Create the Rule (3)

"Content Classifier" means "match a given string or a regular expression." Click this to specify what to look for.

Page 56: Specifying Expression to Match

Page 57: Re-Evaluation Rules

Page 58: Apply the Rule

Run this and all of the frightening stuff is immediately marked

Page 59: FSRM Classification Report

Page 60: FSRM Classification Report

Page 61: When You Run the Classifier…

o By default, anything currently classified, whether by hand or automatically, is ignored, no scan

o This is true even if a file has changed since the last scan

o Alternatively you can choose (as we saw) to re-evaluate all files

o In my experience, if you have been classified and you drop out of the rule, the classifier never "de-classifies" you to "no" from "yes" or from "yes" to "none"

Page 62: Regular Expression Example

o Create a rule that looks inside a folder to find files that contain SSNs

o The rule will basically say, "if you find a file that contains nnn-nn-nnnn where the n's are all digits, then set HasSSN to 'Yes'"

o Same process as before, but choose Regular Expression and enter this text:

o \d{3}-\d{2}-\d{4}

Page 63: When Does it Happen?

o You can make a rule run from FSRM, as we've seen

o In Classification Management / Classification Rules, click on the rule, then look in the "Actions" pane, choose "Run classification with all rules now…" or

o Start-FsrmClassification

o When you're trying this, remember that the UI can be a bit slow in updating changes in status… relax, hit refresh, wait a few secs!
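Pages 39 to 63 as one scripted, added example (not the deck's own code): enable the built-in Immutable property, create a home-grown Yes/No property, push both to the file server, create the SSN content rule with the regular expression from page 62, run it, and read the result back. It assumes FSRM is installed on the file server, the ActiveDirectory and FileServerResourceManager modules are present, C:\stuff is a placeholder, and the COM read-back call at the end is my assumption about the FSRM classification API.

```powershell
# Added example, not from the slides: file classification scripted end to end.
# Assumptions: Server 2012+ file server with FSRM installed and the ActiveDirectory
# and FileServerResourceManager modules; C:\stuff is a placeholder; the COM call at
# the end is an assumption about the FSRM classification API.
Import-Module ActiveDirectory, FileServerResourceManager

# 1. Page 42: enable a built-in resource property (ADAC: Resource Properties > Enable).
Get-ADResourceProperty -Filter { DisplayName -eq 'Immutable' } | Set-ADResourceProperty -Enabled $true

# 2. Page 50: a home-grown Yes/No property. A new property must also be a member of
#    the Global Resource Property List, or file servers never download it.
$hasSsn = New-ADResourceProperty -DisplayName 'HasSSN' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-YesNo' -Enabled $true -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $hasSsn
$hasSsn.ID   # generated ID (HasSSN_<hex>); FSRM knows the property by this name

# 3. Page 45: push the definitions to this file server.
Update-FSRMClassificationPropertyDefinition

# 4. Page 62's content rule. \b anchors keep a 9-digit run inside a longer number
#    from counting as an SSN. ReevaluateProperty Overwrite is the "re-evaluate all
#    files" choice (page 57); the default, Never, skips anything already classified
#    (page 61), and in the author's experience neither setting clears a Yes once set.
New-FsrmClassificationRule -Name 'Find SSNs' -Namespace @('C:\stuff') `
    -Property $hasSsn.ID -PropertyValue 'Yes' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 5. A constructed test file, then page 63's "run classification with all rules now".
Set-Content -Path 'C:\stuff\constructed-test.txt' -Value 'Patient SSN 123-45-6789 on file.'
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# 6. Read the stored classification (what the Classification tab shows). Option 1 =
#    FsrmGetFilePropertyOptions_NoRuleEvaluation, i.e. stored values only.
$cm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
foreach ($p in $cm.EnumFileProperties('C:\stuff\constructed-test.txt', 1)) {
    '{0} = {1}' -f $p.Name, $p.Value      # expect HasSSN_<hex> = Yes
}
```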

Page 64: Back to the Big Picture

Won't this be too complex for most admins?

o Clearly setting up this stuff will be more complex

o But the good news is that you can create any of the policies I just imagined and store them in AD

o They are called "central access policies"

o Those policies can then be applied by a local admin, and thus can be kept consistent

Page 65: Contrived but Complete Example

o We're now ready to move from the NTFS-ish DAC examples to a more "complete" and centrally deployable set of examples

o We'll use a simple example that (I think) showcases the new stuff – AD claims and file resources

o Let's say that we want a central access rule that says

o If a file's marked "Immutable=Yes," then you must have "Title=Doctor" to access it

o Then we'll deploy it

Page 66: Central Access Rules and Policies (overview)

o First, you build one or more central access rules (CARs); you build them in ADAC (or, in theory, ADSIEdit)

o Then you join one or more CARs to create a Central Access Policy (CAP), and again you do it in ADAC

o You then create a group policy object that contains that CAP (or CAPs)

o Deploy that GPO to a server

o Then go to the server and activate the CAP

Page 67: To Follow Along…

o If you want to try this out:

o I built a domain controller called DC1

o Created a folder named c:\stuff

o Set its NTFS permissions to everyone:full control

o Set share perms to everyone:full control

o Create a standard user

o Elevate the AD "title" attribute to a claim, create a suggested value of "Doctor"

o Give the standard user the title "Doctor"

o Enable the "Immutable" property, update FS info

o Create some files in c:\stuff with immutable=yes

o Verify that the user can dir \\dc1\stuff

Page 68: More Specific Task List

o Create Central Access Rule "Titles Matter"

o Direct it to files with immutable=yes

o Set permissions with condition "title=doctor"

o Create CAP "Protect Immutable"

o Add CAR "Titles Matter"

o Create GPO "DAC Example," link to domain

o Add CAP "Protect Immutable"

o Update policies

o From c:\stuff Security dialog, add the CAP

Page 69: Central Access Rules and Policies (finding them)

o They are both sections in Active Directory Administrative Center, under the "Dynamic Access Control" section in the left-hand column

o Right-click Central Access Rules or Central Access Policies and choose New

o Give it a title

Page 70: (screenshot, no text)

Page 71: Where To Make the Conditions

o As I've said, this CAR will have two conditions, but the UI is somewhat different from what we've seen so far

o The resource-related condition (Immutable=Yes) gets installed via what the CAR UI calls "Targeted Resources"

o The "user-related condition" (title=Doctor) gets installed just below that, under "Permissions"

o First, add the resource condition by clicking "Edit" in the "Target Resources" section

Page 72: Creating a Resource Condition

o Click "Add a condition" to tell the CAR that it will apply only to files of a particular type

Page 73: Creating a Resource Condition

o The drop-downs look like the ones we've seen so far, but the far left-hand one is solely "Resource," not "Device" or "User"

o Click OK to finish this part

Page 74: The Resource Condition is Visible

o You can see the new condition back in the main page for the new CAR:

Page 75: Create the User Condition

o We've configured the "this affects Immutable=Yes files" part, now let's add the "… and they can only be accessed by people with the title 'Doctor'" part

o To do that, click "Edit" in "Current Permissions"

Page 76: This Part Should Look Familiar

As before, click "Add a condition"

Page 77: As Should This One…

Page 78: A CAR is Born

o You can see the rules in this screen crop; click OK and you have a CAR

Page 79: Next, Create the CA Policy

o Again, CAPs are next to CARs in AD Admin Center

o Right-click "Central Access Policies," New, and you get a new blank one

o I'll call this one "Protect Immutable" and all I've got to do is name it and insert its one rule, "Titles Matter"

Page 80: Making a CAP

o To add a CAR, click the "Add…" button

Page 81: Adding a CAR

o Just use the >> and << buttons to include the CAR or CARs, then click OK

Page 82: The new CAP

Page 83: Deploy/Publish the CAP

o The only way to make a CAP useful is to publish it to servers, which makes it easy for local admins to choose and apply it to their shares

o Windows does that by having you create a GPO with a setting that points to the CAP

o So next we create a GPO, link it to the domain, OU or whatever

o Look in the GPO in Computer / Windows Settings / Security Settings / File System / Central Access Policy

Page 84: (screenshot, no text)

Page 85: Installing the CAP in the GPO

o Right-click the folder, choose "Manage Central Access Policies…" and choose the desired CAP or CAPs

Page 86: Deploy the GPO

o To see and use the CA policy on a file server, ensure that it got the DAC-related GPO

o Then navigate to the Advanced Security Settings folder on your share

o In addition to Permissions, Share, Auditing and Effective Access, you'll have a new tab "Central Policy"

o Click it and you'll see "No Central Access Policy," but click the "Change" link next to the UAC shield and you'll be able to see and apply "Protect Immutable"

Page 87: CAP Installed

Page 88: Testing CAPs

o CARs and CAPs are complex, so it's easy to mess them up

o That's why there's a provision to install test permissions

o They don't actually take effect, but they log what would have happened if you've got object auditing enabled and SACLs on the folder(s) concerned

o Check "enable permission staging configuration" to use this

Page 89: (screenshot, no text)

Page 90: Using the Staged Permissions

o Enable object auditing

o Set SACLs on the folder/files

o Try to access it as you can now and won't be able to later

o Look in the Security log for event 4818

Page 91: Sample 4818
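The CAR/CAP deployment on pages 65 to 91 as an added, scripted example (not the author's own code), with the Doctor-only rule staged first and the 4818 check from page 90. It assumes DC1 with the ActiveDirectory module, the Title claim and Immutable property already enabled and pulled down, and C:\stuff as on page 67; the GPO step stays in GPMC as the deck does it, and the scoped-policy SACL ACE is my understanding of how the CAP binding is stored on the folder.

```powershell
# Added example, not from the slides: "Titles Matter" / "Protect Immutable" from
# cmdlets, with the tight rule staged first. Assumptions: run on DC1 with the
# ActiveDirectory module; the Title claim and Immutable resource property exist and
# have been pulled down with Update-FSRMClassificationPropertyDefinition; the CAP-in-GPO
# step is done in GPMC; the "SP" SACL ACE is my understanding of the CAP binding.
Import-Module ActiveDirectory

$claimId = (Get-ADClaimType -Filter { DisplayName -eq 'Title' }).ID           # ad://ext/Title:<hex>
$propId  = (Get-ADResourceProperty -Filter { DisplayName -eq 'Immutable' }).ID # Immutable_MS

# Owner, Administrators and SYSTEM always; Authenticated Users only with Title == Doctor.
$doctorsOnly = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1301BF;;;AU;(@USER.$claimId == ""Doctor""))"
# What applies today (page 67): everyone in. Kept as the enforced ACL while staging.
$everyone    = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;AU)'

# 1. Pages 71-78: the CAR. -ResourceCondition is "Target Resources"; -CurrentAcl is
#    "Permissions"; -ProposedAcl is "enable permission staging" (page 88): it is
#    never enforced, only compared against the current ACL and logged.
New-ADCentralAccessRule -Name 'Titles Matter' `
    -ResourceCondition "(@RESOURCE.$propId == ""Yes"")" `
    -CurrentAcl $everyone `
    -ProposedAcl $doctorsOnly

# 2. Pages 79-82: the CAP that carries the rule.
New-ADCentralAccessPolicy -Name 'Protect Immutable'
Add-ADCentralAccessPolicyMember -Identity 'Protect Immutable' -Members 'Titles Matter'

# 3. Pages 83-86: put the CAP in a GPO under Computer > Windows Settings > Security
#    Settings > File System > Central Access Policy (GPMC), link it, then on the server:
gpupdate /force

# 4. Page 86's "Central Policy" tab, scripted: a SYSTEM_SCOPED_POLICY_ID ("SP") ACE in
#    the SACL names the CAP by its S-1-17-... ID. Writing the Audit section replaces
#    the whole SACL, so the object-access audit ACE page 90 needs is written with it.
$policyId = (Get-ADCentralAccessPolicy -Identity 'Protect Immutable').PolicyID
$sacl = "S:(AU;OICISAFA;FA;;;WD)(SP;OICI;;;;$policyId)"
$acl = Get-Acl -Path 'C:\stuff' -Audit
$acl.SetSecurityDescriptorSddlForm($sacl, [System.Security.AccessControl.AccessControlSections]::Audit)
Set-Acl -Path 'C:\stuff' -AclObject $acl

# 5. Page 90: object auditing on, then have the user dir \\dc1\stuff. Each access the
#    proposed ACL would have decided differently from the current one is event 4818.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 10 |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
```

Once the 4818 entries show only the users you intended to lock out, move $doctorsOnly from -ProposedAcl to -CurrentAcl with Set-ADCentralAccessRule and the rule starts to enforce.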

Page 92: Thanks for Coming!

o My Server 2012 class (two days) and my PowerShell class (one day) are coming to San Francisco July 15-17 2013, info at www.minasi.com

o Newsletters there also

o Contact me at [email protected]