Slides from the live webinar on October 18th, 2012 Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so does their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role to assist with the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only a part of the equation. Granting authorized access, whilst minimizing the effort in doing so is the tricky part. Microsoft’s new Dynamic Access Control capability, built into Windows Server 2012, greatly improves Compliance and leverages Data Leakage Prevention to enable Data Governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an improved access control technology over standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists. If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ

1. DYNAMIC ACCESS
CONTROL
Windows Server 2012

2. YOUR PRESENTER
Gérald F. Tessier
 Senior Trainer at CTE Solutions, Inc.
 Training for 18 years
 Working in IT since „89
 MCSA: Windows Server 2008, MCSE: Security MCITP:
Server Administrator on Windows Server 2008 and
Enterprise Messaging Administrator on Exchange
2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I,
MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA
CTT+, Security+, Network+, A+, EIEIO+

3. WHAT PROBLEM IS DAC TRYING TO
SOLVE?

4. ACCESS CONTROL, AS WE KNOW IT

5. TRADITIONAL APPROACH

6. DIRECTORY SERVICE ADMINS

7. RESOURCE ADMINS

8. UPDATE GLOBAL GROUPS

9. DILIGENCE, PERSEVERENCE, ADHERENCE

10. DECENTRALIZED & DELEGATED?
ProjectX

11. DECENTRALIZED & DELEGATED?
ProjectX

12. PROCESS INTEGRATION, ANYONE?

13. HOW MANY GROUPS DO YOU HAVE?

14. DYNAMIC ACCESS CONTROL

15. IN A NUTSHELL

16. UNDERSTANDING EXPRESSIONS

17. PART 1:
FILE CLASSIFICATION INSTRUCTURE

18. AUTOMATED CLASSIFICATION
In-box 3rd party
content classification
classifier plugin
Resource
Property
Definitions See modified /
created file
Save
classification FCI
Match file to
policy
File
Management
Task

19. MANUAL CLASSIFICATION

20. PART 2:
CENTRAL ACCESS POLICIES

21. EXPRESSION-BASED ACCESS POLICY
Resource properties
User claims Device claims
Resource.Department =
User.Department = Finance Device.Department = Finance
Finance
User.Clearance = High Device.Managed = True
Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND
(@Device.Managed == True)

22. CAP SELECTION

23. CAP RULES

24. CENTRAL ACCESS RULES
Classifications on File Being Accessed
Department Engineering
Sensitivity High
Permission Type Target Files Permissions Engineering Engineering Sales
FTE Vendor FTE
Share Everyone:Full Full Full Full
Central Access Rule 1: Dept=Engineering Engineering:Modify
Modify Modify Read
Engineering Docs Everyone: Read
Rule 2: Sensitive Data Sensitivity=High FTE:Modify Modify None Modify
Rule 3: Sales Docs Dept=Sales Sales:Modify [rule ignored – not processed]
NTFS FTE:Modify Read Modify
Modify
Vendors:Read
Effective Rights: Modify None Read

25. STAGING POLICY
User claims Resource properties
Clearance = High | Med | Low Department = Finance | HR | Eng
Company = Contoso | Fabrikam Impact = High | Med | Low
Current Central Access policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso
Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND
(@User.Clearance == High)

26. SAMPLE STAGING EVENT (4818)
Proposed Central Access Policy does not grant the same access permissions as the
current Central Access Policy
Subject:
Security ID: CONTOSODOMalice
Account Name: alice
Account Domain: CONTOSODOM
Object:
Object Server: Security
Object Type: File
Object Name: C:FileShareFinanceFinanceReportsFinanceReport.xls
Current Central Access Policy results:
Access Reasons: READ_CONTROL: Granted by Ownership
ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy
results:
Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule”
ReadAttributes: NOT Granted by CAR “HBI Rule”

27. THANK YOU FOR YOUR PARTICIPATION!
 Presentation has been recorded and will be made available on
skydrive
 Of ficial Microsoft Courses Available:
 20410 - Installing and Configuring Windows Server 2012
 20411 - Administering Windows Server 2012
 20412 - Configuring Advance Windows Server 2012 Services *
 Contact Gerry – gerry@ctesolutions.com
 Connect with CTE on Twitter - @CTESolutions