DAC represents a significant improvement in the way administrators manage access control and auditing of Windows file servers. Understanding this technology is critical to pass the Microsoft exams to become a Microsoft Certified Solutions Associate (MCSA) on Windows Server 2012.


DAC is a powerful, claims-based authorization system that allows a more flexible administration of file servers by providing a well-developed process aimed to protect and control access to resources. This article explains how DAC is different from previous file system access methods by diving into major DAC components like claims and resource properties, and how DAC works using Windows Server 2012 file servers and domain controllers.

NTFS Access Control Security

In previous versions of Windows Server, the basic process to control file and folder access was the configuration of NTFS file system permissions. When a user logs in, a domain controller validates the user name and password. This generates an access token that contains the user’s security identifier (SID) and the SIDs of all the groups of which that user is a member. In other words, each user logged into the network holds an access token with security information for that login session. Every process executed on behalf of the user has a copy of the access token.

The NTFS file system depends on access control lists (ACLs) to protect the data stored on file servers. The ACL indicates which users or groups are permitted to access or modify a particular resource. When NTFS manages access control and a user tries to access a file or folder, the operating system evaluates that file or folder’s ACL. If at least one SID from the user’s token matches a SID on the ACL, the system grants the corresponding permissions to the user. Even newer technologies such as Active Directory Rights Management Services (AD RMS), used to protect document access, rely on SIDs associated with user and group accounts. This process has been around for a very long time, since the days of Windows NT and the birth of the NTFS file system.

One limitation of the NTFS access control method is that it does not allow the use of conditional expressions. This rigid approach prevents administrators from customizing access by requiring multiple conditions to apply at the same time. For example, it is not possible to set NTFS file system permissions to grant a user access to a file or folder if that user is a member of two or more security groups at the same time. Logical operators like inclusive disjunction (OR) and logical conjunction (AND) are not permitted.

Another major NTFS limitation is that it cannot evaluate and authorize access based on a user or computer’s account properties or attributes. For example, you cannot set permissions in a folder so that only users who have an active directory department attribute assigned with a specific value can access that folder.

All these limitations can be overcome by implementing Dynamic Access Control (DAC) on Windows Server 2012 or Windows Server 2012 R2.

Dynamic Access Control (DAC) Security

DAC provides a more holistic approach to manage access control and auditing on domain-based file servers. When DAC is implemented and users log in to the network, claims are included in the authentication token, resource properties can be assigned to files and folders and conditional expressions may be configured within permissions and auditing entries. With DAC, it is possible to grant access to files and folders based on active directory domain services (AD DS) user and computer account attributes.

DAC blends multiple criteria for access control. This augments the NTFS file system security as users must meet share permissions, NTFS file system ACL, and the central access policy requirements to gain access to a file. Using DAC, administrators can define central file access policies that apply to all or specific file servers in their environment without replacing configured share and NTFS file system permissions. DAC is another layer of security to ensure that regardless of how the Share and NTFS file system permissions change, this centrally administered policy is enforced.

DAC can also be configured to integrate with AD RMS protection. DAC central access policy for file access management can be aligned with an organization’s business and regulatory environment. DAC may be used to execute targeted auditing in file servers to ensure compliance or for forensic analysis.

Claims and resource properties are critical components on DAC deployment and configuration; let’s review them next.

Claims

In Windows Server 2012, the authorization process has been enhanced to support conditional expressions that contain claims. A claim is a piece of information that AD DS states about a specific object, typically a user or a computer.

A claim must come from a trusted source. In DAC, the claims issued by domain controllers are trusted and used to confirm the identity of users. Because all domain members trust the domain controllers, the claims are treated as authoritative. Some examples of claims include a user’s department, a user’s security clearance, the status of an employee such as full-time or part-time, a computer’s description, etc. Each claim states something about an object in the DAC framework, and that object is always a user or a device. When you configure resource access, you can use any combination of claims to authorize access to files and folders.

In a DAC infrastructure claims are derived from specific active directory attributes of a user or a computer. By defining a claim, you really tell active directory domain services (AD DS) which attributes you want to use in DAC’s conditional expressions. DAC does not allow an administrator to create conditional expressions, configure access rules, or set up central access policies until at least one claim has been defined.

Windows Server 2012 still supports using group membership for authorization decisions, but user and device claims can be used for file and folder authorization, in addition to NTFS file system permissions that are based on a user’s SID or group SIDs. Two types of claims can be created on Windows Server 2012: user claims and device claims.

User Claims and Device Claims

A user claim is information that the AD DS on a Windows Server 2012 domain controller provides about a user. Most of the AD DS user attributes on Windows Server 2012 domain controllers can be used as user claims. This provides great flexibility for administrators, who now have an extensive range of options for configuring and managing claims for access control. It is highly recommended that you populate the user attributes that you want to use for access control with suitable values and ensure consistency as you define your user claims. User claims are not required for security groups.

A device claim is information that the AD DS on a Windows Server 2012 domain controller provides about a computer account. Similar to user claims, device claims can be related to most of the AD DS attributes available on computer accounts. Using device claims, you can configure DAC to restrict the device or devices from which a user may access a resource.

Resource Properties

Resource properties describe the attributes of the resources, such as files and folders, that you want to control access to using DAC. As with user claims and device claims, it is the administrator’s responsibility to label the attributes of a resource before access rules and conditional expressions can be used to configure access to the files and folders. Windows Server 2012 provides preconfigured properties, e.g., “Required Clearance”, “Personally Identifiable Information”, “Protected Health Information”, etc. These properties are disabled by default; you need to enable the ones required for your configuration. In Windows Server 2012, administrators may also create or customize their own resource property objects.

Creating resource property objects allows you to select the properties to include in the files and folders. New resource property objects can be configured with allowed or suggested values of the object. The values in these properties and the values from user claims and device claims are used by DAC to evaluate file authorization and auditing. For a user or computer to gain authorization, the claim must provide the correct value corresponding to the requirements set by the resource property object.

Resource properties are grouped in resource property lists. A predefined global resource property list that contains all resource properties that applications can use is available in the active directory administrative center. Administrators can create their own resource property lists, if they want to group some specific resource properties.

DAC and Active Directory Domain Services (AD DS)

DAC includes new extensions that are added to AD DS. These extensions facilitate the storage and processing of claims in the active directory. When a user logs in, the claims defining additional properties for that user are considered. The token generated by the domain controller not only holds the SIDs, it also holds the user’s claims and the claims of the device from which the user is trying to access the resource.

All claims are stored in the AD DS configuration partition. This is a forest-wide partition, which means that all domains within the forest share the same claim information, and any domain controllers in the forest can issue consistent claims data during user and computer authentication.

In Windows Server 2012 domain controllers, the Kerberos protocol handles this compound identity and is responsible for transporting the claims within a Kerberos ticket. Windows Server 2012 domain controllers also support Kerberos armoring, which is an implementation of flexible authentication via secure tunneling (FAST). FAST operates in a protected channel between the Kerberos client and the key distribution center (KDC). KDC is a single process that runs on every domain controller to provide two services: authentication service and ticket-granting service.
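The following PowerShell is an added example, not part of the original article, showing the read-only checks that verify the two statements above: that claim types and resource properties live in the forest-wide configuration partition, and that a user’s claims actually end up in the logon token. It assumes a domain-joined Windows Server 2012/2012 R2 or Windows 8 machine with the ActiveDirectory module (RSAT) installed; any claim names that appear in the output come from your own forest.

```powershell
# Added example (not from the article): read-only checks of where DAC claim data lives
# and whether claims made it into the current logon token.
# Assumptions: domain-joined Windows Server 2012/2012 R2 or Windows 8 host with the
# ActiveDirectory module; the KDC claims policy is enabled on the domain controllers.

Import-Module ActiveDirectory

# 1. Claim types and resource properties are stored under "Claims Configuration" in the
#    configuration naming context, so every domain in the forest sees the same objects.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$claimsBase = "CN=Claims Configuration,CN=Services,$configNC"

Get-ADObject -SearchBase $claimsBase -SearchScope Subtree -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# 2. The same data through the DAC-specific cmdlets: which claim types are enabled and
#    which AD attribute each one is sourced from, plus the resource properties that can
#    be used in permissions (IsSecured) rather than only for classification.
Get-ADClaimType -Filter * |
    Select-Object DisplayName, ID, SourceAttribute, Enabled,
                  @{ n = 'AppliesTo'; e = { $_.AppliesToClasses -join ',' } } |
    Format-Table -AutoSize

Get-ADResourceProperty -Filter * |
    Select-Object DisplayName, ID, Enabled, IsSecured |
    Format-Table -AutoSize

# 3. Did the claims reach the token? "whoami /claims" lists the user claims carried in
#    the current logon session. A claim created or enabled after logon will not appear
#    until the user logs on again, because the token is built at logon time.
whoami /claims
```

If step 3 prints no claims although step 2 shows enabled claim types, the usual causes are a stale token (log off and on again), a domain controller that does not yet issue claims (the KDC policy “KDC support for claims, compound authentication and Kerberos armoring” is not enabled), or a client that was not configured to request claims.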

After configuring user claims, device claims and resource properties, administrators can protect files and folders by applying conditional expressions. You configure central access rules with conditional expressions to evaluate user and device claims against persistent values within resource properties. Typically you would use the active directory administrative center or Windows PowerShell to configure central access rules, and then associate those rules with the central access policy objects. You can use group policy management to trickle down the central access policy objects to the file servers. In the file servers, you have the flexibility to selectively configure the shares to use the central access policy objects.

Both Windows Server 2012 and Windows 8 support one or more conditional expressions within a permission entry. Conditional expressions add an additional layer of security to the permission entry. When DAC examines a user trying to access a file or folder, all conditional expressions must evaluate to TRUE for the system to grant access. For example, suppose that you define a user claim named “Division”, with an AD DS source attribute “Division”, and that you define a resource property object named “Division.” The Division resource property object would have some suggested values, e.g., “Software Development,” “Online Marketing,” etc.

Using the division resource property object you may label a folder “Online Marketing.” Now you can define a conditional expression that says that a user can access that folder only if the user’s token carries a claim that identifies the user’s Division attribute as “Online Marketing.” The attribute Division value must be equal to the value of property Division in the folder for access to be granted. You can also use file classifications to include specific files with a common set of properties across various folders or files.
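The article’s Division scenario, built end to end with the ActiveDirectory module cmdlets rather than Active Directory Administrative Center, as an added example that is not part of the original article. It assumes a Windows Server 2012/2012 R2 domain controller (or RSAT with the ActiveDirectory module), that the user attribute “division” has been populated, and that a fixed claim ID may be supplied so the conditional ACE can reference it by name; the rule and policy names, the suggested-value descriptions, and the use of Authenticated Users as the trustee are constructed for the example.

```powershell
# Added example (not from the article): the "Division" user claim, resource property,
# central access rule and central access policy from the text, created with PowerShell.
# Assumptions: ActiveDirectory module available; "division" attribute populated on users;
# names such as 'Division match rule' and 'Division policy' are constructed here.

Import-Module ActiveDirectory

# 1. User claim "Division", sourced from the AD user attribute "division".
#    A fixed ID is supplied (assumption: custom IDs under ad://ext/ are accepted) so the
#    SDDL condition in step 3 can reference it; the default would be a random suffix.
$claim = New-ADClaimType -DisplayName 'Division' -SourceAttribute 'division' `
    -ID 'ad://ext/Division' -Enabled $true -PassThru

# 2. Resource property "Division" with the article's suggested values. IsSecured makes
#    the property usable inside permission entries, not only for classification.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
        'Software Development', 'Software Development', 'Constructed description')
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
        'Online Marketing', 'Online Marketing', 'Constructed description')
)
$prop = New-ADResourceProperty -DisplayName 'Division' -ID 'Division_MS' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $values `
    -Enabled $true -PassThru

# The built-in global list is what file servers download, so the property must be in it.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# 3. Central access rule. The resource condition targets folders labelled with either
#    Division value; the ACL grants Modify (0x1301bf) to Authenticated Users only when
#    the user's Division claim equals the folder's Division property, which is the
#    condition the article describes. Owner and Administrators keep Full Control; anyone
#    whose claim does not match gets no matching ACE and therefore no access.
$resourceCondition = '(@RESOURCE.Division_MS Any_of {"Software Development", "Online Marketing"})'
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Division == @RESOURCE.Division_MS))'
$rule = New-ADCentralAccessRule -Name 'Division match rule' `
    -ResourceCondition $resourceCondition -CurrentAcl $acl -PassThru

# 4. Central access policy containing the rule. Group Policy (Computer Configuration >
#    Policies > Windows Settings > Security Settings > File System > Central Access
#    Policy) then delivers the policy to the file servers, where it is applied per share.
$policy = New-ADCentralAccessPolicy -Name 'Division policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# 5. Read the rule back and confirm the condition and ACL are what was intended before
#    the policy is linked through Group Policy.
Get-ADCentralAccessRule -Identity $rule |
    Select-Object Name, ResourceCondition, CurrentAcl |
    Format-List

# On each file server, after the GPO has applied, refresh the downloaded resource
# properties so the new "Division" property can be used to label folders:
#   Update-FsrmClassificationPropertyDefinition
```

The central access policy is an additional gate, not a replacement: a user still needs the share and NTFS permissions described earlier, and only then is the conditional ACE above evaluated against the claims in the token.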

Closing Remarks

Dynamic Access Control (DAC) is a new claims-based authorization framework introduced in Windows Server 2012. DAC improves access control for file-based and folder-based resources, enhancing the security provided by the NTFS file system and Share permissions. DAC augments the legacy access control model for file system resources and enables administrators to define central file access policies that can trickle down to all or selected file servers in the organization. Our next article will demonstrate the initial steps of a DAC deployment, which include configuring active directory, creating user and device claims and implementing file classifications.