DAC doesn’t replace NTFS and share permissions but is sometimes combined with them.
When DAC permissions are combined with the NTFS and share permissions, the most
restrictive permissions always apply to the account requesting access.
You can think of DAC as being based on access rules. These rules are if-then statements
built on the attributes of files, users, and devices. An example expression to serve as the basis
for an access rule could be: “If a user is a member of the Support department and connects from a device located in Cluj, then that user
can access sensitive files and folders designated as having a high business impact.” Before you
can create such an access rule, you need to create and assign the needed attributes to
all the objects mentioned in that rule. The user and device attributes are called claims. The file
attributes are called classifications (or resource properties).
We have a folder hosted on the file server (srv-2012) under U:\TopSecret that holds three documents: two Word documents and one Excel sheet.
Only one of the documents contains confidential information: inside it we will find the Credit Card Numbers.
Tutorial for Implementing Dynamic Access Control (DAC)
2. Second, open the AD Administrative Center and go to Dynamic Access Control.
3. Implement Policy Changes and Staging
In order for Dynamic Access Control to work properly, a new GPO setting needs to be enabled:
4. Create and Configure Resource Properties and Lists
b. Go to AD Administrative Center, Dynamic Access Control\Resource Property Lists (container), then New, Resource Property List. Give the list a name and add a resource property (the Personally Identifiable Information property from above). This list will contain the filters that will be applied to the targeted files and folders.
5. Update Classification Property
Open PowerShell on the file server that has the role (FSRM) installed, and type:
6. Classifying files and folders (manual)
7. Configure File Classification (Automatically)
a. On the General tab, fill in the name and description of the rule.
c. Also, be aware that the targeted shared folder is marked in Management Properties (Server Manager\Shares) as User Files.
d. On the Classification tab, choose Content Classifier and the Personally Identifiable Information property with the value High.
The Folder Classifier option assigns the property value to all files that fall within the scope of the rule.
The Windows PowerShell Classifier prompts you to specify a script to determine the target files within the scope of the rule.
The Content Classifier option searches Microsoft documents for a text or regular expression string. Click Configure to further configure this option with the Classification Parameters dialog box, shown in Figure 2-22.
e. Select the Configure button. For our specific purpose we will define a regular expression that finds all documents in the targeted folder containing the keyword “Credit Card Numbers”.
8. Configure Classification Schedule
Now, from the right side of the FSRM console, choose Configure Classification Schedule. Here we can set how often we would like FSRM to scan the targeted folder for any new document that matches the string “Top Secret” we defined earlier.
After setting the classification schedule, click OK and then, on the right, select Run Classification With All Rules Now. Once this process completes, we will receive an HTML report showing all matching documents from the targeted folder.
9. Verify File Classification
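The following block is an added example, not code from the original tutorial: it performs steps 5, 7, 8 and 9 from PowerShell on the file server (FSRM module) instead of the console, and ends with a check that reads back the property stamped on each document. The rule name, the schedule, the property ID PII_MS and the value name High are assumptions; the listing of the property definition is there precisely so you can confirm the real ID and value names before creating the rule.

```powershell
# Added example (not from the original tutorial). Run on the file server with the FSRM role.
# Names marked ASSUMED are not taken from the page and must be checked against your server.
Import-Module FileServerResourceManager

# Step 5: pull the resource properties published in AD (here Personally Identifiable
# Information) into the local FSRM classification property definitions.
Update-FsrmClassificationPropertyDefinition

# ASSUMED: the built-in AD resource property "Personally Identifiable Information" appears in
# FSRM under the ID PII_MS. Confirm with the listing below and adjust $propertyName if needed.
$propertyName = 'PII_MS'
$property = Get-FsrmClassificationPropertyDefinition -Name $propertyName
$property | Select-Object Name, DisplayName, Type
# The Name column of the possible values is what -PropertyValue expects (DisplayName is "High").
$property.PossibleValue | Select-Object Name, DisplayName

# Step 7: a Content Classifier rule that stamps any Office document under U:\TopSecret whose
# text matches the regular expression "Credit Card Numbers" with PII = High.
# ASSUMED: 'High' is the value Name exposed by the property; use the Name from the listing above.
$rule = New-FsrmClassificationRule -Name 'TopSecret - Credit Card Numbers' `
    -Description 'Flag documents containing the keyword Credit Card Numbers as high-impact PII' `
    -Namespace @('U:\TopSecret') `
    -Property $propertyName -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('Credit Card Numbers') `
    -ReevaluateProperty Overwrite

# Step 8: a weekly schedule (Sunday 02:00, at most 4 hours) plus an immediate run so the
# report is produced now. Times and the run limit are ASSUMED values.
$task = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly Sunday -RunDuration 4
Set-FsrmClassification -Schedule $task
Start-FsrmClassification -RunDuration 1 -Confirm:$false
Get-FsrmClassification | Format-List *

# Step 9: read back the property stamped on each document through the FSRM COM classification
# manager (the cmdlets configure rules but do not read one file's stored properties).
function Get-TopSecretClassification {
    param([string]$Folder = 'U:\TopSecret')
    $cm = New-Object -ComObject Fsrm.FsrmClassificationManager
    Get-ChildItem -Path $Folder -File | ForEach-Object {
        $file = $_
        # 0 = FsrmGetFilePropertyOptions_None (ASSUMED to be the option you want: stored values)
        $props = $cm.EnumFileProperties($file.FullName, 0)
        $pii = $props | Where-Object { $_.Name -eq $propertyName } |
            Select-Object -ExpandProperty Value
        [pscustomobject]@{ File = $file.Name; PII = $pii }
    }
}
Get-TopSecretClassification
```

The verification function is the part worth keeping: only the document whose body contains the keyword should come back with the PII property set, and the two other files should show an empty value. If all three show the same value, the rule's namespace or regular expression is wider than intended and the central access rule built later will open more files than planned.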
10. Perform Access-Denied Remediation
From the right side of the FSRM console, choose Configure Classification Schedule. Select the Access-Denied Assistance tab, enable access-denied assistance, and type a custom error message for users who will receive the Access Denied message.
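As an added example (not part of the tutorial), the same Access-Denied Assistance setting configured from PowerShell and read back. The message text is a constructed sample; the switches that include user and device claims in the request e-mail are assumed to be available on your FSRM version and are useful when troubleshooting why a DAC condition was not met.

```powershell
# Added example (not from the original tutorial). Run on the file server with the FSRM role.
Import-Module FileServerResourceManager

# Enable assistance for the AccessDenied event with a custom message (constructed sample text).
# -IncludeUserClaims / -IncludeDeviceClaims (ASSUMED to exist on your FSRM version) put the
# claims that were evaluated into the access request e-mail, which is the fastest way to see
# which DAC condition failed for a given user and device.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'You do not have access to this file. TopSecret documents are available only to Support department users working from a device located in Cluj. Use the button below to request access.' `
    -AllowRequests $true `
    -MailToOwner $true `
    -IncludeUserClaims $true `
    -IncludeDeviceClaims $true

# Read the setting back to confirm it was applied.
Get-FsrmAdrSetting -Event AccessDenied | Format-List Enabled, DisplayMessage, AllowRequests
```

Clients show the custom message only when the Access-Denied Assistance client policy (Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance) is enabled for them; without it the user sees the generic Windows dialog.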
11. Create and Configure Central Access Rules and Policies
a. Go to AD Administrative Center, Dynamic Access Control:
Under Permissions, click Edit, use the second option, and add Authenticated Users with Read, Write and Execute under the following conditions:
In our example, we want to grant access to the TopSecret files (those matching the string defined at 7.e) only to users in the Support department who use devices located in Cluj.
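The following is an added example, not the tutorial's own steps: it builds the AD side of step 11 with the ActiveDirectory module on a domain controller. It creates the two claim types (user Department, device Location), looks up the built-in Personally Identifiable Information resource property, and creates a central access rule and policy that grant Authenticated Users access only when both claim conditions hold. The claim IDs, the value "High" in the resource condition, the rule and policy names and the access mask are assumptions and must match what AD Administrative Center shows in your domain.

```powershell
# Added example (not from the original tutorial). Run on a domain controller as a domain admin.
Import-Module ActiveDirectory

# Claim types: the user's 'department' attribute and the computer's 'location' attribute are
# issued as Kerberos claims. Explicit IDs (ASSUMED) keep the SDDL below readable.
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department' -AppliesToClasses @('user')
New-ADClaimType -DisplayName 'Location' -ID 'ad://ext/Location' `
    -SourceAttribute 'location' -AppliesToClasses @('computer')

# The built-in resource property that FSRM stamps on the files. Its ID (expected: PII_MS) and
# the Name of its "High" suggested value are what the resource condition must reference.
$pii = Get-ADResourceProperty -Filter { DisplayName -eq 'Personally Identifiable Information' } `
    -Properties ID, SuggestedValues
$pii | Select-Object ID
$pii.SuggestedValues | Select-Object Name, DisplayName

# Central access rule: applies to resources classified as high-impact PII (ASSUMED value name
# 'High'; substitute the Name printed above) and grants Modify (0x1301bf, ASSUMED to cover the
# page's "Read, Write and Execute") to Authenticated Users only when BOTH conditions are true.
$resourceCondition = '(@RESOURCE.PII_MS == "High")'
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
    '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == "Support" && @DEVICE.ad://ext/Location == "Cluj"))'
New-ADCentralAccessRule -Name 'TopSecret - Support from Cluj' `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# Central access policy that will be published through the GPO in the next step.
New-ADCentralAccessPolicy -Name 'DAC Central Access Policy'
Add-ADCentralAccessPolicyMember -Identity 'DAC Central Access Policy' `
    -Members 'TopSecret - Support from Cluj'

# Confirm the rule is a member of the policy before linking the GPO.
Get-ADCentralAccessPolicy -Identity 'DAC Central Access Policy' -Properties Members |
    Select-Object Name, Members
```

The device condition only evaluates when the client presents a compound (user plus device) Kerberos ticket, which is why the KDC and client claim settings from step 3 have to be in place; without them the device claim is absent and the rule denies even a Support user on a Cluj machine. Existing NTFS and share permissions still apply on top of this rule, so the effective access is the most restrictive of the three.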
12. GPO for FileServer
For our final step we need to create and link a new GPO at the root of the domain (DAC Central Access Policy).
(Remember: at the root of the domain, not on the Domain Controllers.)
13. Configuration on the File Server
a. Execute “gpupdate /force” on the file server that hosts the shared targeted folder (TopSecret).
c. Now everything should be in place and Dynamic Access Control is configured! Let’s test whether the permissions were applied properly:
(Keep in mind that DAC works only for clients running Windows 7, 8.1 and 10, and NOT for Windows Server. Be aware of this if you are using a Terminal Server.)
The first picture shows that File Server01 (user file01) indeed has access to the targeted file, because the user’s department is Support and the user is on the Desktop-899PTEU computer, whose location is Cluj.
The second picture shows that File Server02 (user file02) does not have access to the targeted file because the user’s department is Sales. Even though the user is on the Desktop-899PTEU computer (located in Cluj), not all conditions defined at step 11 have been met.
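To reproduce the two checks above from a client without screenshots, here is an added example (not from the tutorial): it lists the claims present in the current logon token and then tries to open the targeted document for reading, reporting Granted or Denied. The UNC path and the document name are assumptions chosen to match the rest of this tutorial.

```powershell
# Added example (not from the original tutorial). Run on the Windows client as the test user.
function Test-DacAccess {
    param(
        # ASSUMED path: the share from the tutorial plus a constructed document name.
        [string]$Path = '\\srv-2012\TopSecret\CreditCards.docx'
    )

    # whoami /claims prints the user claims carried in the Kerberos ticket (Windows 8 /
    # Server 2012 and later). Only the two claims used by the rule are shown here.
    $claims = whoami /claims
    $claims | Where-Object { $_ -match 'Department|Location' }

    # Open the file read-only; a DAC deny surfaces as UnauthorizedAccessException.
    try {
        $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
        $stream.Close()
        [pscustomobject]@{ Path = $Path; Access = 'Granted' }
    }
    catch [System.UnauthorizedAccessException] {
        [pscustomobject]@{ Path = $Path; Access = 'Denied'; Reason = $_.Exception.Message }
    }
}

Test-DacAccess
```

If the Department claim is missing from the output, the user has not obtained a new ticket since the claim type or the attribute was changed: log off and on again. The device Location claim is likewise issued when the computer authenticates, so a client whose location attribute was edited in AD needs a restart before the second test (Sales user on the Cluj machine) is meaningful.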