A previous article (link here) in this series described how DAC differs from the legacy access control model for file system resources on Windows Servers. That article described the main components that need to be configured in a DAC implementation and the integration of DAC with Active Directory Domain Services (AD DS). This article reviews the DAC requirements and demonstrates the initial steps of a DAC deployment, from the Active Directory configuration to the configuration of claims and the implementation of file classifications.
DAC Deployment Requirements
To deploy DAC, you need Windows Server 2012 or a newer version on every file server hosting resources for DAC protection and auditing. The File Server Resource Manager (FSRM) role service must be enabled on the file servers. Only Windows Server 2012 or newer file servers can read the claims and device authorization information from a Kerberos ticket. DAC allows the file servers to interpret the SIDs and the claims on the ticket, translate them into an authentication token, and then compare the token’s authorization data against the conditional expressions stored as part of the security information associated with the object that the user is trying to access.
At least one Windows Server 2012 domain controller is needed to maintain the central definitions for the resource properties and policies. For user claims, at least one Windows Server 2012 domain controller in the user domain should be reachable by the file server in order to retrieve the claims on the user’s behalf.
Only Windows 8 or newer client versions can be configured to use device claims. There is no requirement for a Windows Server 2012 domain functional level and/or forest functional level, unless you want to use the claims across a forest trust.
To demonstrate DAC functionality in this article, three computers will be used in a domain named lanztek.com. The computer names and roles are as follows:
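The requirements above can be checked before touching any configuration. The following script is an added example and is not part of the original article; it assumes the ActiveDirectory and ServerManager modules are available where it runs, that the file server is named FileServer1 and reachable over Windows PowerShell remoting, and that the client is named WIN8A.

```powershell
# Added example: pre-deployment check of the DAC requirements listed above.
# Assumes: ActiveDirectory module on the admin host, FileServer1 reachable via WinRM.
Import-Module ActiveDirectory

$domain = Get-ADDomain
"Domain {0} is at functional level {1}" -f $domain.DNSRoot, $domain.DomainMode
# A 2012 functional level is NOT required unless claims cross a forest trust,
# so this is informational only.

# At least one Windows Server 2012 (or newer) domain controller must exist to hold
# the central claim type and resource property definitions.
$dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
$dcs | Format-Table -AutoSize
$modernDcs = $dcs | Where-Object { $_.OperatingSystem -match 'Windows Server (2012|2016|2019|2022)' }
if (-not $modernDcs) {
    Write-Warning 'No Windows Server 2012 or newer domain controller found; DAC cannot be deployed.'
}

# Device claims require Windows 8 or newer on the client.
$client = Get-ADComputer -Identity 'WIN8A' -Properties OperatingSystem
"Client WIN8A runs: $($client.OperatingSystem)"

# Every file server that will host DAC-protected resources needs the FSRM role service.
$fsrm = Invoke-Command -ComputerName 'FileServer1' -ScriptBlock {
    Get-WindowsFeature -Name FS-Resource-Manager
}
if (-not $fsrm.Installed) {
    Write-Warning 'File Server Resource Manager is not installed on FileServer1.'
} else {
    'FSRM is installed on FileServer1.'
}
```

Run it from DC-DNS1 (or any host with the RSAT Active Directory module) as a domain administrator; the warnings point at the requirement that is not yet met.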
- DC-DNS1 – Windows Server 2012 R2 domain controller and DNS server
- FileServer1 – Windows Server 2012 R2 file server member of the lanztek.com domain.
- Win8A – Windows 8.1 client in the lanztek.com domain
Task 1. Create Active Directory Organizational Unit and move DAC computers
- On DC-DNS1, in Server Manager, click on Tools, and then click Active Directory Administrative Center.
- In Active Directory Administrative Center, right-click LanzTek (local), click New, and then click Organizational Unit.
- In the Create Organizational Unit: dialog box, in the Name field, type DAC-Computers, and then click OK.
- In Active Directory Administrative Center, click the Computers container. Press and hold the Ctrl key, click the FILESERVER1, WIN8A, and WIN8B computers, right-click them, and then click Move.
- In the Move window, click DAC-Computers, and then click OK.
- Click on the DAC-Computers organizational unit and verify that FILESERVER1, WIN8A, and WIN8B have been moved.
Task 2. Enable support for Kerberos armoring
- On DC-DNS1, in Server Manager, click Tools, and then click Group Policy Management.
- Expand Forest: lanztek.com, expand Domains, and then expand lanztek.com.
- Click the Group Policy Objects container.
- In the results pane, right-click Default Domain Controllers Policy, and then click Edit.
- In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then click KDC.
- In the details pane, double-click KDC support for claims, compound authentication and Kerberos armoring.
- In the KDC support for claims, compound authentication and Kerberos armoring window, select Enabled. In the Options section, click the drop-down list box to see the four available options: “Not supported,” “Supported,” “Always provide claims,” and “Fail unarmored authentication request.” Select Supported, and then click OK.

The “Not supported” option is the default; it means that the domain controllers do not support claims, compound authentication, or armoring. When “Supported” is selected, the domain controllers advertise to Kerberos client computers that the domain can process claims and compound authentication for Dynamic Access Control and Kerberos armoring. If the domain functional level is Windows Server 2008 R2 or earlier, the “Always provide claims” and “Fail unarmored authentication request” options deliver the same results as the “Supported” option. However, when the domain functional level is Windows Server 2012, configuring the “Always provide claims” option forces the domain controllers to always return claims for accounts while following the RFC standard for advertising flexible authentication secure tunneling (FAST).

At the Windows Server 2012 domain functional level, the “Fail unarmored authentication request” option prevents client computers that do not support Kerberos armoring from authenticating to the domain controllers, because the domain controllers reject unarmored Kerberos messages.
- Open a command prompt, type gpupdate /force, and then press Enter.
- In the Group Policy Management Console, expand Forest: lanztek.com, expand Domains, expand lanztek.com, right-click DAC-Computers, and then click Create a GPO in this domain, and Link it here.
- Type Compound Authentication Policy, and then click OK.
- Click on the DAC-Computers OU, right-click Compound Authentication Policy, and then click Edit.
- Expand Computer Configuration, expand Administrative Templates, expand System, and then click Kerberos. Double-click the Kerberos client support for claims, compound authentication and Kerberos armoring setting.
- Select Enabled, and then click OK. Close the Group Policy Management Editor and the Group Policy Management Console.
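The same two Group Policy settings can be written and read back with the GroupPolicy module, which is useful for scripting the deployment and for confirming what the editor shows. This is an added example, not part of the original article. It assumes the GPO name and OU from Task 2, and that the registry paths and values below are how these two Administrative Template settings are stored (EnableCbacAndArmor under the KDC and Kerberos policy keys, with CbacAndArmorLevel 1 meaning “Supported”); verify that mapping against the ADMX files on your own system before relying on it.

```powershell
# Added example: Task 2 through the GroupPolicy module instead of the GPMC editor.
# Assumption: registry-backed form of the two settings (check against the ADMX mapping).
Import-Module GroupPolicy

$kdcKey    = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$clientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$dcPolicy  = 'Default Domain Controllers Policy'

# KDC side: Enabled, level 1 = "Supported" (2 = Always provide claims,
# 3 = Fail unarmored authentication request, as described in the text).
Set-GPRegistryValue -Name $dcPolicy -Key $kdcKey -ValueName 'EnableCbacAndArmor' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $dcPolicy -Key $kdcKey -ValueName 'CbacAndArmorLevel' `
    -Type DWord -Value 1 | Out-Null

# Client side: a GPO linked to the DAC-Computers OU enabling client support.
$ouDn = 'OU=DAC-Computers,DC=lanztek,DC=com'
$gpo = Get-GPO -Name 'Compound Authentication Policy' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'Compound Authentication Policy'
    New-GPLink -Name $gpo.DisplayName -Target $ouDn | Out-Null
}
Set-GPRegistryValue -Name $gpo.DisplayName -Key $clientKey -ValueName 'EnableCbacAndArmor' `
    -Type DWord -Value 1 | Out-Null

# Read both settings back; these are the values the editor renders as "Enabled".
Get-GPRegistryValue -Name $dcPolicy -Key $kdcKey | Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpo.DisplayName -Key $clientKey | Select-Object ValueName, Value

# Apply on the domain controller without waiting for the refresh interval.
gpupdate /force
```

Choosing level 1 (“Supported”) keeps older clients working; the “Fail unarmored” level is the one that turns armoring into an enforcement control, and the text above explains why it should only be set once every client in scope supports it.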
Task 3. Use Active Directory Administrative Center to confirm that the user accounts have been configured with the correct attributes and the right group membership.
- Click the Managers OU, right-click John Smith, and then click Properties.
- In the John Smith Properties dialog box, ensure that the Department field is populated with the value Managers, and then click Cancel.
- In the Managers OU, right-click the Managers group, select Properties, and confirm that John Smith is a member of the Managers group.
- In the Active Directory Administrative Center, click the Sales OU, right-click Rosa Lopez, and then click Properties.
- In the Rosa Lopez Properties dialog box, ensure that the Department field is populated with the value Sales, and then click Cancel.
Task 4. Create a group named “MgrComputers” for the computers from which managers will be allowed to access specific files and folders. Make WIN8A a member of that group.
- Expand lanztek.com, right-click Users, click New, and then click Group.
- In the Group name field, type MgrComputers, and then click OK.
- Click the DAC-Computers OU, right-click WIN8A, and then click Properties.
- Click the Member Of section, and then click Add.
- In the Select Groups window, type Mgr, click Check Names, verify the MgrComputers group, and then click OK twice.
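Tasks 1, 3 and 4 are all Active Directory object preparation, so the following single script covers the three of them: it creates the OU and moves the computers (Task 1), verifies the Department attribute and group membership that the user claim will be built from (Task 3), and creates the MgrComputers group with WIN8A as its member (Task 4). It is an added example and not part of the original article; it assumes the ActiveDirectory module, the account display names used in the article, and that the Managers group is resolvable by the name Managers.

```powershell
# Added example covering Tasks 1, 3 and 4 with the ActiveDirectory module.
# Assumptions: display names "John Smith" / "Rosa Lopez", a group named "Managers".
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName   # DC=lanztek,DC=com

# --- Task 1: organizational unit and computer moves --------------------------
$ouName = 'DAC-Computers'
$ouDn   = "OU=$ouName,$domainDn"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
foreach ($name in 'FILESERVER1', 'WIN8A', 'WIN8B') {
    $c = Get-ADComputer -Identity $name
    if ($c.DistinguishedName -notlike "*,$ouDn") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDn
    }
}
Get-ADComputer -SearchBase $ouDn -Filter * | Select-Object Name, DistinguishedName

# --- Task 3: the attribute that feeds the user claim must be populated --------
$expected = @{ 'John Smith' = 'Managers'; 'Rosa Lopez' = 'Sales' }
foreach ($display in $expected.Keys) {
    $u = Get-ADUser -Filter "DisplayName -eq '$display'" -Properties Department
    if (-not $u) { Write-Warning "User '$display' not found"; continue }
    "{0}: Department='{1}', expected '{2}' -> {3}" -f $display, $u.Department,
        $expected[$display], ($u.Department -eq $expected[$display])
}
$john  = Get-ADUser -Filter "DisplayName -eq 'John Smith'"
$isMgr = [bool](Get-ADGroupMember -Identity 'Managers' |
    Where-Object { $_.SamAccountName -eq $john.SamAccountName })
"John Smith is a member of Managers: $isMgr"

# --- Task 4: group of workstations managers may use (the device side) --------
if (-not (Get-ADGroup -Filter "Name -eq 'MgrComputers'")) {
    New-ADGroup -Name 'MgrComputers' -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDn"
}
Add-ADGroupMember -Identity 'MgrComputers' -Members (Get-ADComputer -Identity 'WIN8A')
Get-ADGroupMember -Identity 'MgrComputers' | Select-Object Name, objectClass
```

The Task 3 check matters more than it looks: a user whose Department attribute is empty or misspelled will simply receive no claim, and a central access rule that keys on that claim will deny access without any obvious error.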
Task 5. Configure user and device claims
- In the Active Directory Administrative Center window, in the navigation pane, click Dynamic Access Control, and then double-click Claim Types.
- In the Claim Types view, in the Tasks pane, click New, and then click Claim Type.
- In the Create Claim Type window, in the Source Attribute section, select department. In the Display name text box, type LanzTek Department. Select both the User and Computer check boxes, ensure that the “Protect from accidental deletion” option is checked, and then click OK.
- In the Claim Types view, in the Tasks pane, click New, and then select Claim Type.
- In the Create Claim Type window, in the Source Attribute section, click description. Clear the User check box, select the Computer check box, ensure that the “Protect from accidental deletion” option is checked, and then click OK.
Task 6. Configure resource properties and resource property lists
- In the Active Directory Administrative Center, click Dynamic Access Control. In the central pane, double-click Resource Properties.
- In the Resource Properties list, right-click Department, and then click Enable.
- In the Resource Properties list, right-click Confidentiality, and then click Enable.
- Double-click Department, scroll down to the Suggested Values section, and verify that Sales is included. Here you can add any department name that is not part of the default list of suggested values.
- Click Dynamic Access Control, and then double-click Resource Property Lists.
- In the central pane, double-click Global Resource Property List.
- In the Global Resource Property List window, ensure that both Department and Confidentiality appear in the list, and then click Cancel.
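The claim types from Task 5 and the resource properties from Task 6 are both central DAC definitions stored in AD, and both can be created and verified with the ActiveDirectory module. The script below is an added example and not part of the original article. It assumes the built-in resource properties are identified as Department_MS and Confidentiality_MS (their default names), that the computer-only claim is given the display name Description, and that the ADSuggestedValueEntry type is available from the ActiveDirectory module.

```powershell
# Added example covering Task 5 (claim types) and Task 6 (resource properties).
# Assumptions: built-in property IDs Department_MS / Confidentiality_MS; display
# name "Description" for the computer-only claim.
Import-Module ActiveDirectory

# --- Task 5: claim types -------------------------------------------------------
# Department is sourced for both users and computers; description is device-only.
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'LanzTek Department'")) {
    New-ADClaimType -DisplayName 'LanzTek Department' -SourceAttribute 'department' `
        -AppliesToClasses @('user', 'computer') -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'Description'")) {
    New-ADClaimType -DisplayName 'Description' -SourceAttribute 'description' `
        -AppliesToClasses @('computer') -ProtectedFromAccidentalDeletion $true
}
Get-ADClaimType -Filter * | Select-Object DisplayName, SourceAttribute, AppliesToClasses

# --- Task 6: resource properties ---------------------------------------------
Set-ADResourceProperty -Identity 'Department_MS'      -Enabled $true
Set-ADResourceProperty -Identity 'Confidentiality_MS' -Enabled $true

# Make sure "Sales" is a suggested value; add it if the default list lacks it.
$dept = Get-ADResourceProperty -Identity 'Department_MS' -Properties SuggestedValues
if (-not ($dept.SuggestedValues | Where-Object { $_.Value -eq 'Sales' })) {
    $entry = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
        'Sales', 'Sales', 'Sales department')
    Set-ADResourceProperty -Identity 'Department_MS' -SuggestedValues @{ Add = $entry }
}

# Confirm that both properties are members of the Global Resource Property List,
# which is the list the file servers download.
$list = Get-ADResourcePropertyList -Identity 'Global Resource Property List' -Properties Members
$names = $list.Members | ForEach-Object { (Get-ADResourceProperty -Identity $_).DisplayName }
"Global list contains Department: $($names -contains 'Department')"
"Global list contains Confidentiality: $($names -contains 'Confidentiality')"
```

Because the claim values come straight from the source attribute, whoever can edit the department attribute on a user or computer object can change the claims that object presents; the accidental-deletion protection on the claim type does nothing about that, so attribute write permissions deserve the same review as the claim definitions themselves.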
Preamble to File and Folder Classification Implementation
To test this part of our Dynamic Access Control implementation, on the Windows Server 2012 R2 file server named FileServer1, the following folders and files have been created on the root of the “C” drive.
- A folder named Reports contains five files named Report1, Report2, Report3, Report4 and Report5. The word “confidential” is included in the content of the Report3 and Report4 files.
- A folder named Sales contains three files named Oct. Sales, Nov. Sales and Dec. Sales.
Before applying dynamic access control, the permissions on these resources are configured as follows:
- The share permissions on the folders are set to the default, which is to allow “Read” for the Everyone group.
- The NTFS permissions on the folders allow the Domain Users group “Read & Execute”, “List folder contents” and “Read.” The SYSTEM and Administrator accounts have full control of the folders.
- The NTFS permissions on the files allow the Domain Users group “Read & Execute” and “Read.” The SYSTEM and Administrator accounts have full control of the files.
On FileServer1, the File Server Resource Manager has been installed. This role service is necessary for the file and folder classification functionality to work. It is also used to schedule file management tasks, create storage reports, configure quotas, and set file screening policies. Typically you would install File Server Resource Manager from Server Manager or by using Windows PowerShell.
Task 7. Implement file classifications
- On FileServer1, in Server Manager, click Tools, and then click File Server Resource Manager.
- In File Server Resource Manager, expand Classification Management. Right-click Classification Properties, and then click Refresh.
- Verify that the Confidentiality and Department properties are listed and that the scope is Global for both of them.
- Click Classification Rules and, in the Actions pane, click Create Classification Rule.
- In the Create Classification Rule window, on the General tab, for the Rule name, type Confidentiality Level and make sure that the Enabled option is checked.
- Click the Scope tab, and under Include all folders that store the following kinds of data, check “Application files”, “Group Files” and “User Files”, then click Add.
- In the Browse For Folder dialog box, expand Local Disk (C:), click the Reports folder, and then click OK.
- Click the Classification tab. Ensure that the following settings are set, and then click Configure:
  - Classification method: Content Classifier
  - Property: Confidentiality
  - Value: High
- In the Classification Parameters dialog box, click the Regular expression drop-down list box, and then click String.
- In the Expression field next to the word “String,” type confidential. Ensure that the “Minimum Occurrences” field has a value of 1 and that the “Maximum Occurrences” field is empty. Click OK.
- Click the Evaluation Type tab, select Re-evaluate existing property values, click Overwrite the existing value, and then click OK.
- In File Server Resource Manager, in the Actions pane, click Run Classification with all rules now.
- In the Run Classification dialog box, click Wait for classification to complete, and then click OK.
- After the classification is complete, an “Automatic Classification Report” is generated. Verify that the two files were classified. You can confirm this in the “Report Totals” and in the “Statistics for files by Confidentiality” sections. The “Report Totals” section is shown below.
- The “Statistics for files by Confidentiality” section provides more details. It shows the two files, Report3.txt and Report4.txt, that are classified as confidential.
- On the taskbar, click the File Explorer icon. In the File Explorer window, expand drive C, and then expand the Reports folder.
- In the Reports folder, right-click Report3.txt, click Properties, and then click the Classification tab. Confirm that Confidentiality is set to High.
- Repeat the previous step on Report1.txt, Report2.txt, Report4.txt and Report5.txt. Report3.txt and Report4.txt should have the same Confidentiality value, while Report1.txt, Report2.txt and Report5.txt should have no value. This is because only Report3.txt and Report4.txt contain the word “confidential.”
- In the File Explorer window, navigate to the folder C:\Sales, right-click it, and then select Properties. In the Sales Properties window, click the Classification tab to verify that no value is assigned to Department.
- On the Classification tab, click Department and then, if necessary, scroll down in the Value list to select Sales. Click OK.
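The whole of Task 7, including building the sample Reports and Sales folders, can be scripted on the file server with the FileServerResourceManager module, and the resulting per-file property values can be read back so that the classification result is checked rather than eyeballed in File Explorer. This is an added example and not part of the original article. It assumes: the sample files and their contents are constructed here to match the description above; the built-in property names Confidentiality_MS and Department_MS with 3000 as the stored value behind the “High” suggested value; and that the Fsrm.FsrmClassificationManager COM object exposes EnumFileProperties and SetFileProperty as used below. Run it on FileServer1 as an administrator.

```powershell
# Added example: Task 7 (content classification) scripted on the file server.
# Assumptions: property IDs Confidentiality_MS / Department_MS, "High" stored as 3000,
# FSRM classification COM object available; sample data below is constructed.

# --- Constructed sample data matching the article's description --------------
New-Item -ItemType Directory -Path 'C:\Reports', 'C:\Sales' -Force | Out-Null
1..5 | ForEach-Object {
    $body = "Quarterly report $_ for LanzTek."
    if ($_ -in 3, 4) { $body += "`r`nThis document is confidential." }   # only Report3/Report4
    Set-Content -Path "C:\Reports\Report$_.txt" -Value $body
}
'Oct. Sales', 'Nov. Sales', 'Dec. Sales' | ForEach-Object {
    Set-Content -Path "C:\Sales\$_.txt" -Value "Figures for $_"
}

Import-Module FileServerResourceManager

# The "Refresh" step: pull the Global Resource Property List from AD.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.Name -in 'Confidentiality_MS', 'Department_MS' } |
    Select-Object Name, DisplayName, Type

# Content-classifier rule: files under C:\Reports containing "confidential"
# get Confidentiality = High (3000). Overwrite matches "Re-evaluate ... Overwrite".
$ruleName = 'Confidentiality Level'
Get-FsrmClassificationRule -Name $ruleName -ErrorAction SilentlyContinue |
    Remove-FsrmClassificationRule -Confirm:$false
New-FsrmClassificationRule -Name $ruleName -Namespace @('C:\Reports') `
    -ClassificationMechanism 'Content Classifier' `
    -Property 'Confidentiality_MS' -PropertyValue '3000' `
    -ContentString 'confidential' -ReevaluateProperty Overwrite | Out-Null

# "Run Classification with all rules now" and wait for it to finish.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# Read the classification properties stored on each file.
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
function Get-FileClassification([string]$Path) {
    $props = @{}
    foreach ($p in $cm.EnumFileProperties($Path, 0)) { $props[$p.Name] = $p.Value }
    $props
}
Get-ChildItem 'C:\Reports\*.txt' | ForEach-Object {
    $conf = (Get-FileClassification $_.FullName)['Confidentiality_MS']
    "{0,-12} Confidentiality_MS = {1}" -f $_.Name, ($(if ($conf) { $conf } else { '<none>' }))
}
# Expected: Report3.txt and Report4.txt show 3000, the other three show <none>.

# Manual classification of the Sales folder (last step above): Department = Sales.
$cm.SetFileProperty('C:\Sales', 'Department_MS', 'Sales')
"C:\Sales Department_MS = " + (Get-FileClassification 'C:\Sales')['Department_MS']
```

A content rule like this one is only as good as its string: “confidential” in a footer or boilerplate will classify a file just as a real marking will, and a document that uses a different word will be missed, so the classification report should be reviewed for false positives and misses before central access policies are allowed to act on the property.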
This article laid the groundwork of our Dynamic Access Control undertaking. The organizational units, groups, user and computer accounts exist in Active Directory. Support for compound authentication and Kerberos armoring has been enabled, user and device claims have been created, and file classification is in place. The next article will demonstrate the completion of the project by configuring central access policies and applying those policies to the file servers.