Slides from the live webinar on October 18th, 2012
Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so do their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role in the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only part of the equation. Granting authorized access, whilst minimizing the effort of doing so, is the tricky part.
Microsoft’s new Dynamic Access Control capability, built into Windows Server 2012, greatly improves Compliance and leverages Data Leakage Prevention to enable Data Governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an improved access control technology over standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists.
If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ
2. YOUR PRESENTER
Gérald F. Tessier
Senior Trainer at CTE Solutions, Inc.
Training for 18 years
Working in IT since '89
MCSA: Windows Server 2008, MCSE: Security MCITP:
Server Administrator on Windows Server 2008 and
Enterprise Messaging Administrator on Exchange
2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I,
MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA
CTT+, Security+, Network+, A+, EIEIO+
18. AUTOMATED CLASSIFICATION
[Diagram: File Classification Infrastructure (FCI) flow]
Inputs: Resource Property Definitions; in-box content classifier; 3rd party classification plugin
Flow: See modified / created file -> Match file to policy -> Save classification (FCI) -> File Management Task
24. CENTRAL ACCESS RULES
Classifications on file being accessed: Department = Engineering, Sensitivity = High

Permission type          Target files         Permissions            Engineering FTE   Engineering Vendor   Sales FTE
Share                                         Everyone: Full         Full              Full                 Full
Central Access Rule 1:   Dept = Engineering   Engineering: Modify    Modify            Modify               Read
  Engineering Docs                            Everyone: Read
Rule 2: Sensitive Data   Sensitivity = High   FTE: Modify            Modify            None                 Modify
Rule 3: Sales Docs       Dept = Sales         Sales: Modify          [rule ignored – not processed]
NTFS                                          FTE: Modify            Modify            Read                 Modify
                                              Vendors: Read
Effective rights                                                     Modify            None                 Read
25. STAGING POLICY
User claims:          Clearance = High | Med | Low;  Company = Contoso | Fabrikam
Resource properties:  Department = Finance | HR | Eng;  Impact = High | Med | Low
Current Central Access Policy for high impact data
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company == Contoso
Staging policy
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
26. SAMPLE STAGING EVENT (4818)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons: READ_CONTROL: Granted by Ownership
                  ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons: READ_CONTROL: NOT Granted by CAR "HBI Rule"
                  ReadAttributes: NOT Granted by CAR "HBI Rule"
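The two slides above (the effective-rights table on slide 24 and the current-versus-staged policy on slide 25, with its event 4818 outcome) both come down to the same evaluation: the share ACL, every applicable Central Access Rule, and the NTFS ACL must each grant access, and a rule whose resource condition does not match the file is ignored. The following model, added here and not Microsoft's code nor part of the original deck, implements that combination and reproduces both slides. The claim and resource-property names and the rule names are taken from the slides; the user accounts, their group memberships, the claim values, the "\\fs1\Engineering\design.docx" path and the open share/NTFS ACLs in the staging case are constructed for illustration, and the assumption that a policy with no applicable rule imposes no restriction is the model's own.

```python
"""Model of how Dynamic Access Control combines the share ACL, the Central Access
Rules of a Central Access Policy, and the NTFS ACL into effective rights, and how a
staged (proposed) policy is compared with the current one.  Added example, not
Microsoft's code: property, claim and rule names come from the slides; accounts,
group memberships and claim values are constructed."""

LEVELS = ("None", "Read", "Modify", "Full")  # coarse access levels used on the slide


def rank(level):
    return LEVELS.index(level)


def combine(*levels):
    """Every layer must grant access, so the effective level is the lowest one."""
    return min(levels, key=rank)


class User:
    def __init__(self, name, groups=(), claims=None):
        self.name, self.groups, self.claims = name, set(groups), dict(claims or {})


class Resource:
    def __init__(self, path, properties):
        self.path, self.properties = path, dict(properties)


# Predicate builders for ACL entries (over users) and resource conditions (over files).
def everyone(user):
    return True

def in_group(group):
    return lambda user: group in user.groups

def claim_is(name, value):
    return lambda user: user.claims.get(name) == value

def both(*preds):
    return lambda user: all(p(user) for p in preds)

def prop_is(name, value):
    return lambda resource: resource.properties.get(name) == value


class Rule:
    """One layer: the share ACL, a Central Access Rule, or the NTFS ACL.
    entries: list of (user predicate, level); the highest matching level is granted.
    applies_to: resource condition; None means the layer always applies (share, NTFS)."""
    def __init__(self, name, entries, applies_to=None):
        self.name, self.entries, self.applies_to = name, entries, applies_to

    def applies(self, resource):
        return self.applies_to is None or self.applies_to(resource)

    def grant(self, user):
        matched = [level for pred, level in self.entries if pred(user)]
        return max(matched, key=rank) if matched else "None"


def effective_access(user, resource, share, central_rules, ntfs):
    """Share AND every applicable Central Access Rule AND NTFS must grant.
    Rules whose resource condition does not match are ignored (slide 24, rule 3).
    Model assumption: a policy with no applicable rule does not restrict access."""
    applicable = [r for r in central_rules if r.applies(resource)]
    cap_level = combine(*(r.grant(user) for r in applicable)) if applicable else "Full"
    return combine(share.grant(user), cap_level, ntfs.grant(user))


def staging_diff(user, resource, share, current_rules, proposed_rules, ntfs):
    """What staging event 4818 reports: the proposed policy's result where it differs
    from the current policy's result, or None when the two agree."""
    current = effective_access(user, resource, share, current_rules, ntfs)
    proposed = effective_access(user, resource, share, proposed_rules, ntfs)
    return None if current == proposed else {"current": current, "proposed": proposed}


# --- Slide 24: Central Access Rules on a file classified Engineering / High ---
SHARE = Rule("Share", [(everyone, "Full")])
CENTRAL_RULES = [
    Rule("Rule 1: Engineering Docs", [(in_group("Engineering"), "Modify"), (everyone, "Read")],
         applies_to=prop_is("Department", "Engineering")),
    Rule("Rule 2: Sensitive Data", [(in_group("FTE"), "Modify")],
         applies_to=prop_is("Sensitivity", "High")),
    Rule("Rule 3: Sales Docs", [(in_group("Sales"), "Modify")],
         applies_to=prop_is("Department", "Sales")),
]
NTFS = Rule("NTFS", [(in_group("FTE"), "Modify"), (in_group("Vendors"), "Read")])
ENGINEERING_DOC = Resource("\\\\fs1\\Engineering\\design.docx",  # constructed path
                           {"Department": "Engineering", "Sensitivity": "High"})
SLIDE24_USERS = {  # constructed accounts matching the slide's three columns
    "Engineering FTE": User("eng_fte", groups={"Engineering", "FTE"}),
    "Engineering Vendor": User("eng_vendor", groups={"Engineering", "Vendors"}),
    "Sales FTE": User("sales_fte", groups={"Sales", "FTE"}),
}


def slide24_effective_rights():
    return {label: effective_access(u, ENGINEERING_DOC, SHARE, CENTRAL_RULES, NTFS)
            for label, u in SLIDE24_USERS.items()}


# --- Slide 25: current vs. staged "HBI Rule" for high-impact data ---
CURRENT_HBI = [Rule("HBI Rule", [(claim_is("Company", "Contoso"), "Full")],
                    applies_to=prop_is("Impact", "High"))]
PROPOSED_HBI = [Rule("HBI Rule", [(both(claim_is("Company", "Contoso"),
                                        claim_is("Clearance", "High")), "Full")],
                     applies_to=prop_is("Impact", "High"))]
OPEN_ACL = Rule("Everyone:Full", [(everyone, "Full")])  # constructed share and NTFS ACLs
FINANCE_REPORT = Resource("C:\\FileShare\\Finance\\FinanceReports\\FinanceReport.xls",
                          {"Department": "Finance", "Impact": "High"})
ALICE = User("alice", claims={"Company": "Contoso", "Clearance": "Med"})  # constructed claims


def slide25_staging():
    return staging_diff(ALICE, FINANCE_REPORT, OPEN_ACL, CURRENT_HBI, PROPOSED_HBI, OPEN_ACL)


if __name__ == "__main__":
    for label, level in slide24_effective_rights().items():
        print(f"{label:20} {level}")
    print("staging:", slide25_staging())
```

Running it reproduces the slide 24 bottom row (Modify / None / Read) and, for alice, a staging result of current Full versus proposed None, which is exactly the situation event 4818 flags before the proposed policy is enforced.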
27. THANK YOU FOR YOUR PARTICIPATION!
Presentation has been recorded and will be made available on SkyDrive
Official Microsoft Courses Available:
20410 - Installing and Configuring Windows Server 2012
20411 - Administering Windows Server 2012
20412 - Configuring Advance Windows Server 2012 Services *
Contact Gerry – gerry@ctesolutions.com
Connect with CTE on Twitter - @CTESolutions
Editor's Notes
All Directory Service Admins have to do now is stay on top of it!
But that can be hard to do!
Especially if you have decentralized HR and IT.
And if you're anything like most organizations, communication is not your forte.
How long before you end up with an unmanageable number of groups? How long before you reach the tipping point? How long before we lose control and access control starts slipping?
A claim is an assertion about an object, that is, a user or a device, issued by a "Trusted Identity Provider". In Windows, this Trusted Identity Provider is a DOMAIN CONTROLLER running Windows Server 2012. These assertions, or claims, map to user or computer account attributes in Active Directory. They are then stored in the Kerberos ticket at logon.