Windows Server 2012 : Deploying Dynamic Access Control (part 4) - Validating the Configuration

4/20/2014 9:40:37 PM

Creating a Central Access Policy

Now we need to add the new central access rule to a central access policy. A policy can contain several rules, but only one central access policy can be applied to a given file or folder, so the policy is where you group the rules a file server should enforce together.

From ADAC, click Dynamic Access Control, Central Access Policies, New, and then Central Access Policy.

Name your policy Domain File Server Policy, and then click Add. The Department-Payroll-Match-Required rule created in part 3 is listed as available. Select it, click the right-arrow button to move it into the policy, and click OK.
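The same two steps can be scripted with the central-access cmdlets in the ActiveDirectory module, which is handy when you have more than one policy to build or want the configuration in source control. This is an added example, not code from the original tutorial; it assumes the rule Department-Payroll-Match-Required already exists (it was created in part 3) and that you run it as a domain administrator on Windows Server 2012 or a workstation with RSAT.

```powershell
# Added example (not from the original tutorial): create the central access policy
# and attach the existing rule. Assumes the rule from part 3 exists and that the
# account has write access to CN=Claims Configuration in the Configuration partition.
Import-Module ActiveDirectory

$ruleName   = 'Department-Payroll-Match-Required'
$policyName = 'Domain File Server Policy'

# Fail early if the rule is missing; Get-ADCentralAccessRule throws on an unknown identity.
$rule = Get-ADCentralAccessRule -Identity $ruleName -Properties ResourceCondition, CurrentAcl
"Rule '{0}' targets resources where: {1}" -f $rule.Name, $rule.ResourceCondition

# Create the policy only if it does not exist yet (the cmdlet errors on a duplicate name).
$policy = Get-ADCentralAccessPolicy -Filter "Name -eq '$policyName'"
if (-not $policy) {
    $policy = New-ADCentralAccessPolicy -Name $policyName `
        -Description 'Central access policy published to domain file servers' -PassThru
}

# Attach the rule. A policy may hold many rules; a folder can carry only one policy.
Add-ADCentralAccessPolicyMember -Identity $policyName -Members $rule

# Verify: Members holds the DNs of the attached rules; PolicyID is the S-1-17-... SID
# that the file server later writes into the folder's SACL when you apply the policy.
$policy = Get-ADCentralAccessPolicy -Identity $policyName -Properties Members, PolicyID
[pscustomobject]@{
    Policy   = $policy.Name
    PolicyID = $policy.PolicyID
    Rules    = ($policy.Members | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
}
```

Re-running the script is safe: the policy is reused if present, and adding a rule that is already a member is a no-op.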

Publishing a Central Access Policy

Once you’ve created the central access policy, you need to push it out to file servers using group policy objects (GPOs).

From Server Manager, click Tools and then Group Policy Management. Right-click the domain name and click “Create a GPO in this domain and Link it here.”

Name the GPO “Dynamic Access Control Policy” and click OK. Under Security Filtering, remove the default entry “Authenticated Users” so that the GPO is not processed by every computer in the domain; we only want the file servers that host the payroll data to apply it. (Security filtering decides which computers apply the GPO; it does not by itself grant or deny anyone access to the share.)

Still under Security Filtering, click Add, then Object Types, and make sure Computers is checked; otherwise the name lookup will not find server accounts. Enter the name(s) of the file server(s) that should apply the policy.

Next, right-click the Dynamic Access Control Policy GPO and click Edit. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\File System, right-click Central Access Policy and select Manage Central Access Policies. Select the policy you created, click Add, then OK, and exit the Group Policy Management Editor.

To complete publishing, three more tasks remain: enable claims and Kerberos armoring support on the domain controllers, enable the matching client-side setting on the file servers, and refresh Group Policy.

Kerberos armoring (Flexible Authentication Secure Tunneling, FAST, RFC 6113) wraps the client’s pre-authentication exchange with the KDC inside a channel keyed from the computer account’s own ticket. That protects the pre-authentication data from offline password guessing by anyone who captures it on the wire, and lets the KDC verify that the request came through a domain-joined machine, which is also what compound authentication (device claims and user claims in one ticket) relies on. User claims alone work without armoring, but enabling both together is the normal DAC configuration.

Kerberos armoring is easy to enable. From Group Policy Management, edit a GPO that applies to the domain controllers (the Default Domain Controllers Policy, or a GPO linked to the Domain Controllers OU) and navigate to Computer Configuration\Policies\Administrative Templates\System\KDC. Enable “KDC support for claims, compound authentication and Kerberos armoring” and leave the option at Supported. The file servers need the client-side counterpart, “Kerberos client support for claims, compound authentication and Kerberos armoring”, under Computer Configuration\Policies\Administrative Templates\System\Kerberos; add it to the Dynamic Access Control Policy GPO.

Finally, force a Group Policy refresh on the domain controllers and the file servers: open Windows PowerShell (or a command prompt) on each and run gpupdate /force.
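The GPO creation, security filtering and the two Administrative Template settings can be done from the GroupPolicy module instead of clicking through GPMC. This is an added example, not code from the original tutorial; the domain DN, file server names and the name of the domain-controller GPO are assumptions, and the registry paths are the locations behind the two Administrative Template settings (check KDC.admx and Kerberos.admx in your central store if the values do not render as the named policies after a refresh). The one step that has no cmdlet is assigning the central access policy under File System\Central Access Policy; that stays in the editor as described above.

```powershell
# Added example (not from the original tutorial): create and scope the DAC GPO and set the
# Kerberos/KDC policies it depends on. Assumptions: domain corp.example.com, file servers
# FS01 and FS02, run as a domain admin with the GroupPolicy module (RSAT / Server 2012).
Import-Module GroupPolicy

$gpoName     = 'Dynamic Access Control Policy'
$domainDN    = 'DC=corp,DC=example,DC=com'   # assumption
$fileServers = 'FS01', 'FS02'                # assumption
$dcGpoName   = 'Default Domain Controllers Policy'   # or a dedicated GPO linked to the DC OU

# Create the GPO and link it at the domain root, reusing it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Publishes central access policies to DAC file servers'
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# Security filtering: drop Authenticated Users (every computer) and apply only to the file servers.
# This controls which machines process the GPO; it grants nobody access to the share.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
foreach ($server in $fileServers) {
    Set-GPPermission -Name $gpoName -TargetName $server -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# Client-side 'Kerberos client support for claims, compound authentication and Kerberos armoring'
# for the file servers (registry location behind the Kerberos.admx setting; verify in your store).
$kerbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name $gpoName -Key $kerbKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null

# KDC-side support belongs on the domain controllers, so it goes into the DC GPO, not this one.
# CbacAndArmorLevel: 0 = not supported, 1 = supported, 2 = always provide claims, 3 = fail unarmored.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name $dcGpoName -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $dcGpoName -Key $kdcKey -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null

# Review who applies the GPO and what it sets, then refresh policy on DCs and file servers
# (gpupdate /force locally, or Invoke-GPUpdate -Computer FS01 -Force from Server 2012 RSAT).
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
Get-GPRegistryValue -Name $gpoName -Key $kerbKey
```

Run it once the central access policy exists in AD; the registry policy values land in the GPO immediately, but the file servers only pick them up after the refresh.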

Configuring the File Server

The steps outlined thus far detail the necessary configuration for DAC on the domain controller side. We will perform the next steps on the file server where we want to apply the created claims-based access rule.

Launch Server Manager on that file server. From the Dashboard, click “Add roles and features” and click Next until you reach Server Roles. Under File and Storage Services, expand File and iSCSI Services and add the File Server Resource Manager role service (File and Storage Services itself is already installed on a file server).

Once that’s complete, go to the folder share on which you want to apply access control. In our case, this is the Payroll share for which we set up claims-based conditions at the beginning of the series. Right-click the folder, open its properties, and click the Classification tab. The resource property we created earlier should be listed here, a good indication that the file server is picking up your DAC configuration.

Note

If the resource property or properties you created don’t appear on the Classification tab, the file server may not have refreshed its copy of the global resource property list yet. Force a refresh by running Update-FSRMClassificationPropertyDefinition from Windows PowerShell on the file server (the cmdlet comes with the FileServerResourceManager module that FSRM installs).

Adding the Central Access Policy to the Folder

Before adding the central access policy to the Payroll share, you should perform another forced Group Policy update to make sure the central policy defined by the Dynamic Access Control Policy GPO is applied to the file servers.

Next, go into the properties of the folder share, click the Security tab and then Advanced. On the Central Policy tab, click Change, select your central access policy (the one you named Domain File Server Policy) from the drop-down menu, click Apply, and then click OK. (See Figure 6.) If the drop-down lists no policies, the Dynamic Access Control Policy GPO has not been applied to this file server yet.

Validating the Configuration

After completing all these steps, you’ll want to test whether what you set up works. A really handy capability here is the Effective Access tab of the Advanced Security Settings dialog: it evaluates the folder’s permissions together with the central access policy (and lets you include user claims and device information) for any account, without logging on as that user. Let’s view the effective access of two domain users for the Payroll folder. Betty Test is a member of the Executives security group but not of the Payroll group. Henry Pym is a domain user whose only group membership is Payroll.

If DAC is configured correctly, Betty should have no access to the Payroll share. In the properties of the Payroll folder, click Advanced on the Security tab, open the Effective Access tab, select Betty’s user account and click View effective access. As expected, Betty’s effective access shows she has no access to Payroll (see Figure 7).

Figure 6. Adding a central policy to a folder share
Figure 7. DAC gives this user no access to the configured network share

Henry’s effective access shows full access to the Payroll share, so again DAC is working the way we intended (see Figure 8). Note that a real logon session carries claims only if the user’s Kerberos tickets were issued after claims support was enabled on the KDC, so a user who was already logged on when you made the change should log off and on again (or run klist purge) before you test from their workstation.

Figure 8. This user is granted full permissions to the DAC-configured network share
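Beyond the Effective Access dialog, it is worth checking from the file server itself that each layer is in place: that the folder’s security descriptor actually references the policy you applied on the Central Policy tab, and that claims are reaching the server in the user’s token. This is an added example, not code from the original tutorial; the share path is an assumption, and it must run as an administrator on the file server because reading a folder’s SACL requires SeSecurityPrivilege.

```powershell
# Added example (not from the original tutorial): verify that the central access policy is
# bound to the folder and that claims arrive in the token. Assumptions: the share is at
# D:\Shares\Payroll; the policy is named as in this tutorial; run elevated on the file server.
Import-Module ActiveDirectory

$policyName = 'Domain File Server Policy'
$folder     = 'D:\Shares\Payroll'   # assumption

# 1. The policy ID (an S-1-17-... SID) is what the folder's security descriptor references.
$cap    = Get-ADCentralAccessPolicy -Identity $policyName -Properties PolicyID, Members
$capSid = "$($cap.PolicyID)"

# 2. A central access policy is stored as a scoped-policy-ID ACE (SDDL type 'SP') in the
#    SACL, so it is only visible when the audit part of the descriptor is read (-Audit).
$sddl    = (Get-Acl -Path $folder -Audit).Sddl
$applied = $sddl -match ('\(SP;[^)]*;' + [regex]::Escape($capSid) + '\)')

[pscustomobject]@{
    Policy          = $cap.Name
    PolicyID        = $capSid
    RulesInPolicy   = @($cap.Members).Count
    AppliedToFolder = $applied
}

if (-not $applied) {
    Write-Warning "Policy '$policyName' is not referenced in the SACL of $folder; apply it on the Central Policy tab and check that the GPO reached this server (gpresult /r)."
}

# 3. Claims only reach the file server inside a Kerberos ticket issued after claims support was
#    enabled, so inspect the claims in the current user's own token. An empty list usually means
#    a stale ticket (log off/on, or 'klist purge') or the client-side Kerberos setting is missing.
whoami /claims
```

Run the same check as Henry and as Betty (or at least compare whoami /claims output for each) before trusting the Effective Access result: Effective Access evaluates claims from AD directly, while a live session only sees the claims baked into its tickets.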

These are fairly easy DAC deployments, but a good way to get familiar with the basics and first steps of working with DAC.

 