Creating a Central Access Policy
Now we need to add the new central access rule to a central access
policy. A central access policy can bundle several central access rules,
but only one central access policy can be applied to any given file or
folder, so the policy is where you decide which rules travel together.
From ADAC, click Dynamic Access Control, Central Access Policies,
New, and then Central Access Policy.
Name your policy Domain File Server Policy, and then click Add.
The Department-Payroll-Match-Required rule is available to add to the
policy. Now, click the right arrows to add, and click OK.
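The same policy creation, scripted with the ActiveDirectory module so it can be repeated in another environment or reviewed in change control. This is an added example, not from the original article; it assumes the rule and policy names used above and an admin host with RSAT or a domain controller.

```powershell
# Added example (not from the original article): create the central access
# policy and attach the rule with the ActiveDirectory module. The names are
# the ones used in the text above.
Import-Module ActiveDirectory

$policyName = 'Domain File Server Policy'
$ruleName   = 'Department-Payroll-Match-Required'

# Fail loudly if the rule was never created; a policy with no rules grants
# nothing extra and the mistake only shows up at validation time.
$rule = Get-ADCentralAccessRule -Filter "Name -eq '$ruleName'"
if (-not $rule) { throw "Central access rule '$ruleName' not found in AD" }

# Create the policy only if it does not already exist, so re-running is safe.
$policy = Get-ADCentralAccessPolicy -Filter "Name -eq '$policyName'"
if (-not $policy) {
    $policy = New-ADCentralAccessPolicy -Name $policyName -PassThru
}

# Add the rule as a member of the policy. A folder's effective access must be
# permitted by its own NTFS DACL and by every rule in the applied policy whose
# target condition matches that folder.
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Verify: list the rule DNs the policy now carries.
(Get-ADCentralAccessPolicy -Identity $policy -Properties Members).Members
```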
Publishing a Central Access Policy
Once you’ve created the central access policy, you need to push it out
to file servers using group policy objects
(GPOs).
From Server Manager, click Tools and then Group Policy
Management. Right-click the domain name and click “Create a GPO in this
domain, and Link it here.”
Name the GPO “Dynamic Access Control Policy” and click OK. Select the
new GPO and, on its Scope tab under Security Filtering, remove the
default “Authenticated Users” entry and click Add to add the file server
computer accounts instead. Security filtering only decides which
computers process this GPO; who may read the payroll data is decided by
the central access rule, not here. (Since MS16-072, Microsoft recommends
that Authenticated Users or Domain Computers keep Read permission on
every GPO; if you removed the entry from the Scope tab, grant Read back
on the Delegation tab.)
In the Select User, Computer, or Group dialog, click Object Types and
ensure that Computers is checked; otherwise the file servers’ computer
accounts will not be found.
Next, right-click the policy you named Dynamic Access Control
Policy and then click Edit. Then navigate to Computer
Configuration→Policies→Windows Settings→Security Settings→File System and right-click Central Access
Policies. Now select Manage Central Access Policy. Here, select the
policy you created, then click OK and exit the Group Policy Management
Editor.
To complete publishing, there are two more tasks to perform:
enable Kerberos armoring and update Group Policy.
Kerberos armoring (Flexible Authentication Secure Tunneling, FAST,
RFC 6113) addresses two long-standing weaknesses in the Kerberos AS
exchange: a user’s pre-authentication data could be captured and
subjected to an offline dictionary attack against the password, and the
client had no way to confirm it was talking to a genuine KDC rather than
a spoofed one. With armoring, the client computer’s own TGT keys a
protected tunnel between the domain client and the domain controller,
and the user’s exchange runs inside it. For DAC the setting matters for
a second reason: the same KDC policy that enables armoring is what lets
the KDC put user and device claims into tickets, so it must be enabled
on the domain controllers even if you never require armored requests.
Kerberos armoring is easy to enable. In Group Policy Management, edit a
GPO that applies to the domain controllers (the Default Domain
Controllers Policy is the usual choice), navigate to Computer
Configuration→Policies→Administrative Templates→System→KDC, and enable
“KDC support for claims, compound authentication and Kerberos
armoring.” The file servers need the matching client-side setting,
“Kerberos client support for claims, compound authentication and
Kerberos armoring,” under Computer Configuration→Policies→Administrative
Templates→System→Kerberos; the Dynamic Access Control Policy GPO you
just scoped to them is a natural place for it.
To perform a Group Policy update, launch Windows PowerShell on the
domain controllers and on the file servers and run the command:
gpupdate /force
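The publishing steps above, scripted with the GroupPolicy and ActiveDirectory modules. This is an added example, not from the original article. The GPO name is the article’s; the file server name FS01, the choice of the Default Domain Controllers Policy for the KDC setting, and the registry values behind the two ADMX settings are assumptions, the last recalled from KDC.admx and Kerberos.admx and worth checking against the ADMX files in your central store. The Central Access Policies item under Security Settings has no cmdlet and remains a Group Policy Management Editor step.

```powershell
# Added example (not from the original article). Publishes the DAC GPO,
# scopes it to the file servers, and sets the two Kerberos policies.
# Assumptions: file server FS01; KDC setting placed in the Default Domain
# Controllers Policy; registry values recalled from KDC.admx/Kerberos.admx.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName     = 'Dynamic Access Control Policy'
$domainDN    = (Get-ADDomain).DistinguishedName
$fileServers = @('FS01')              # assumed; list every DAC file server

# 1. Create the GPO and link it at the domain root, as the GUI steps do.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $domainDN | Out-Null
}

# 2. Security filtering: downgrade Authenticated Users from Apply to Read
#    (keeping Read follows MS16-072 guidance), then grant Apply to the file
#    server computer accounts. This decides which computers process the GPO;
#    it says nothing about who may read the payroll data.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
foreach ($fs in $fileServers) {
    Set-GPPermission -Name $gpoName -TargetName $fs -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}

# 3. Client-side setting, delivered to the file servers by this GPO:
#    "Kerberos client support for claims, compound authentication and Kerberos armoring".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null

# 4. KDC-side setting must reach the domain controllers, so it goes into a GPO
#    linked to the Domain Controllers OU. CbacAndArmorLevel 1 = "Supported";
#    raise it to 3 ("Fail unarmored authentication requests") only once every
#    client in the domain is known to support armoring.
$dcGpo  = 'Default Domain Controllers Policy'
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name $dcGpo -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $dcGpo -Key $kdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1 | Out-Null

# The Central Access Policies item under Security Settings\File System has no
# GroupPolicy cmdlet; set it in the Group Policy Management Editor as described.

# 5. Refresh policy on the DCs and the file servers. Invoke-GPUpdate needs the
#    "Remote Scheduled Tasks Management" firewall rules open on each target.
$targets = @((Get-ADDomainController -Filter *).HostName) + $fileServers
foreach ($t in $targets) { Invoke-GPUpdate -Computer $t -Force -RandomDelayInMinutes 0 }

# 6. Show the resulting filtering for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={ $_.Trustee.Name }}, Permission
```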
Configuring the File Server
The steps outlined thus far detail the necessary configuration for DAC on the
domain controller side. We will perform the next steps on the file
server where we want to apply the created claims-based access
rule.
Launch that file server’s Server Manager. From the Dashboard, click “Add roles and
features,” and click Next until you reach the Server Roles page. Under
File and Storage Services→File and iSCSI Services, which is already
installed, add the File Server Resource Manager role service; the
Classification tab used below comes from it.
Once that’s complete, go to the folder share on which you want to
perform access controls. In our case, this is the Payroll share for
which we set up claims-based conditions at the beginning of the example.
Right-click the folder, go into its properties, and click the
Classification tab. You should see the resource property we created earlier listed here—a good
indication that your DAC configuration is going well.
Note
If you don’t see the resource property or properties you created
in the Classification tab, the file server has not picked them up yet:
FSRM keeps a local copy of the resource property definitions published
in Active Directory and refreshes it only periodically, and the
definitions must also have replicated to the domain controller the file
server talks to. You can force the file server to refresh its copy by
running the command
Update-FsrmClassificationPropertyDefinition
from Windows PowerShell.
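The file server preparation above as a script, with a check that what the server knows about matches what the domain has published. This is an added example, not from the original article; it assumes the share is named Payroll and that the ActiveDirectory module (RSAT) is available on the file server for the comparison step.

```powershell
# Added example (not from the original article). Run on the file server.
# Assumptions: share named Payroll; RSAT ActiveDirectory module installed.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# FSRM caches the resource property definitions published in AD and refreshes
# them periodically; force the refresh rather than wait for it.
Update-FsrmClassificationPropertyDefinition

# Compare what the file server knows about with what AD has published, by
# display name. "AD only" means the refresh or AD replication has not caught
# up yet; "file server only" is a property defined locally, not in AD.
$local = Get-FsrmClassificationPropertyDefinition | Select-Object -ExpandProperty DisplayName
$inAD  = Get-ADResourceProperty -Filter * | Select-Object -ExpandProperty DisplayName
Compare-Object -ReferenceObject $local -DifferenceObject $inAD -IncludeEqual |
    Select-Object InputObject, @{n='Where'; e={
        switch ($_.SideIndicator) {
            '==' { 'both' }
            '=>' { 'AD only' }
            '<=' { 'file server only' }
        } }}

# Confirm the share exists and points where we think before touching its ACLs;
# FolderEnumerationMode shows whether access-based enumeration is on.
Get-SmbShare -Name Payroll | Select-Object Name, Path, FolderEnumerationMode
```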
Adding the Central Access Policy to the Folder
Before adding the central access policy to the Payroll share, you should
perform another forced Group Policy update to make sure the central
policy defined by the Dynamic Access Control Policy GPO is applied to
the file servers.
Next, go into the properties of the folder share; click the
Security tab and then Advanced. Click Central Policy and then Change.
From the drop-down menu, select your central access policy (the one you
named Domain File Server Policy), click Apply, and then click OK. (See
Figure 6.)
Validating the Configuration
After completing all these steps, you’ll want to test whether what you
set up works. The Effective Access tab in Advanced Security Settings is
really handy here: once DAC is configured it evaluates a user’s claims
against the central access policy as well as the NTFS permissions, and
lets you add device claims or override claim values for what-if checks
without logging on as the user. Let’s view the effective permissions of
two domain users for the Payroll network folder. The user Betty Test is
a member of the Executives security group, but not a member of the
Payroll group. Henry Pym is a domain user with membership only to the
Payroll group.
If DAC is configured correctly, Betty should have no access to the
Payroll share, because she does not satisfy the
Department-Payroll-Match-Required rule. In the properties of the Payroll
share, click the Security tab, then the Advanced button, then the
Effective Access tab; select Betty’s account and click “View effective
access.” As we expected, Betty’s account shows no access to Payroll (see
Figure 7).
Henry’s effective permissions show full access to the Payroll
share, so again, DAC is working the way we intended (see Figure 8).
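The Effective Access tab answers the question for one user at a time and only from the file server. As an added validation example (not from the original article), the following first checks the inputs that evaluation depends on, the claim type and the attribute it is sourced from, and then attempts the access as each user so the result can be compared with Figures 7 and 8. The account names betty.test and henry.pym, the domain name CONTOSO, the department attribute as the claim source, and the share path \\FS01\Payroll are assumptions.

```powershell
# Added example (not from the original article). Assumptions: sAMAccountNames
# betty.test and henry.pym for the two users in the text, domain CONTOSO, the
# AD attribute 'department' as the claim source, and share \\FS01\Payroll.
Import-Module ActiveDirectory

# 1. Is the claim type the rule relies on enabled, and do the users carry the
#    attribute it is sourced from? A disabled claim type or an empty attribute
#    denies everyone, which looks like success if you only test Betty.
Get-ADClaimType -Filter * | Select-Object DisplayName, SourceAttribute, Enabled

foreach ($sam in 'betty.test', 'henry.pym') {
    $u = Get-ADUser -Identity $sam -Properties department, memberOf
    [pscustomobject]@{
        User       = $u.SamAccountName
        Department = $u.department
        # First RDN of each group DN; good enough for a readable summary.
        Groups     = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }
}

# 2. Try the access itself as each user. Claims travel in the user's Kerberos
#    ticket, so run this from a Windows 8 / 2012 or later machine with the
#    Kerberos client claims policy applied; on an older client both users would
#    fail. SMB allows one set of credentials per server at a time, so close any
#    other session to FS01 first (error 1219 otherwise).
function Test-ShareAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    try {
        New-PSDrive -Name DACTest -PSProvider FileSystem -Root $Path `
            -Credential $Credential -ErrorAction Stop | Out-Null
        Get-ChildItem -Path 'DACTest:\' -ErrorAction Stop | Out-Null
        return $true
    } catch {
        # Access denied from the share or the folder means "no access"; anything
        # else (name resolution, wrong password) is a problem with the test itself.
        if ($_.Exception -is [System.UnauthorizedAccessException] -or
            $_.Exception.Message -match 'denied') { return $false }
        throw
    } finally {
        Remove-PSDrive -Name DACTest -ErrorAction SilentlyContinue
    }
}

$betty = Get-Credential -UserName 'CONTOSO\betty.test' -Message 'Betty Test'
$henry = Get-Credential -UserName 'CONTOSO\henry.pym'  -Message 'Henry Pym'
[ordered]@{
    'betty.test' = Test-ShareAccess -Path '\\FS01\Payroll' -Credential $betty   # expect False
    'henry.pym'  = Test-ShareAccess -Path '\\FS01\Payroll' -Credential $henry   # expect True
}

# 3. Logged on interactively as either user, 'whoami /claims' lists the user
#    claims in the logon token. An empty list points at the KDC or client
#    Kerberos policy, not at the central access rule.
```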
This is a fairly simple DAC deployment, but a good way to get
familiar with the basics and first steps of working with DAC.