[Windows Server] Implementing Dynamic Access Control (DAC)


DAC doesn't replace NTFS and share permissions but is sometimes combined with them.
When DAC permissions are combined with NTFS and share permissions, the most
restrictive permissions always apply to the account requesting access.
You can think of DAC as being based on access rules. These rules are if-then statements
built on the attributes of files, users, and devices. An example expression that could serve as the basis
for an access rule is: "If a user is a member of the Support department and connects from a device located in Cluj, then that user
can access sensitive files and folders designated as having a high business impact." Before you
can even create such an access rule, you need to create and assign the needed attributes to
all the objects mentioned in that rule. The user and device attributes are called claims. The file
attributes are called classifications (or resource properties).

Scenario:

We have a folder hosted on the file server (srv-2012) under U:\TopSecret that holds three documents: two Word documents and one Excel sheet.

Only one document contains confidential information: inside it we find credit card numbers.

Management has informed us that only users in the Support department, working from devices in the Cluj location, should be granted access to documents that contain the "Credit Card Numbers" key phrase.

Tutorial for Implementing Dynamic Access Control (DAC)

1. First, install the FSRM role.

2. Second, open the AD Administrative Center and go to Dynamic Access Control.

New, Claim Type, and select an attribute to filter on (let's say "Description" for the user).

Then another New, Claim Type, Location (for the computer).

3. Implement Policy Changes and Staging

For Dynamic Access Control to work properly, a new GPO setting needs to be enabled:

Under Default Domain Controllers Policy \Computer\Admin Template\System\KDC\KDC support for claims, compound authentication and Kerberos armoring – Enabled (Supported)

4. Create and Configure Resource Properties and Lists

a. Go to AD Administrative Center, Dynamic Access Control\Resource Properties (everything is disabled by default). Select and enable Personally Identifiable Information.

b. Go to AD Administrative Center, Dynamic Access Control\Resource Property Lists (container): New, Resource Property List, give the list a name and add a resource property (the Personally Identifiable Information property enabled above). This list will contain the filters that will be applied to the targeted files and folders.

5. Update Classification Property

Open PowerShell on the file server that has the FSRM role installed and type:

Update-FsrmClassificationPropertyDefinition
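The AD-side work of steps 2 to 5 (claim types, the KDC policy, the resource property and list, and the FSRM property refresh) can also be scripted. The following is an added example, not a script from the original post; it uses the ActiveDirectory, GroupPolicy and FileServerResourceManager modules. The claim names and IDs, the suggested values, the list name and the file server name srv-2012 are assumptions for this scenario, and the registry values behind the KDC policy (EnableCbacAndArmor, CbacAndArmorLevel) are what that policy's ADMX writes as I understand it; confirm them in GPMC before relying on them.

```powershell
# Added example, not from the original post. Run on a domain controller (or an RSAT host)
# with domain admin rights. Names, IDs and values below are assumptions for this scenario.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- Step 2: claim types ---------------------------------------------------------------
# User claim sourced from the "department" attribute, device claim from the computer
# "location" attribute. Explicit IDs (our choice) keep the SDDL of the access rule readable.
function New-ScenarioClaimType {
    param(
        [string]$DisplayName,
        [string]$Id,
        [string]$SourceAttribute,
        [string]$AppliesTo,
        [string[]]$Values
    )
    if (Get-ADClaimType -Filter "DisplayName -eq '$DisplayName'") {
        Write-Verbose "Claim type $DisplayName already exists"
        return
    }
    # Suggested values restrict what the rule editor offers: (value, display name, description).
    $suggested = foreach ($v in $Values) {
        New-Object -TypeName Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry `
            -ArgumentList $v, $v, "$v ($DisplayName)"
    }
    New-ADClaimType -DisplayName $DisplayName -ID $Id -SourceAttribute $SourceAttribute `
        -AppliesToClasses $AppliesTo -SuggestedValues $suggested -Enabled $true
}

New-ScenarioClaimType -DisplayName 'Department' -Id 'ad://ext/Department' `
    -SourceAttribute 'department' -AppliesTo 'user' -Values 'Support', 'Sales'
New-ScenarioClaimType -DisplayName 'Location' -Id 'ad://ext/Location' `
    -SourceAttribute 'location' -AppliesTo 'computer' -Values 'Cluj'

# --- Step 3: KDC policy in the Default Domain Controllers Policy -----------------------
# "KDC support for claims, compound authentication and Kerberos armoring" = Enabled with
# level "Supported". Registry backing as I understand the KDC ADMX (assumption, verify in
# GPMC): EnableCbacAndArmor = 1 turns the policy on, CbacAndArmorLevel = 1 means Supported.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null

# --- Step 4: resource property and resource property list -------------------------------
# PII_MS is the built-in "Personally Identifiable Information" property (assumed ID; check
# it with Get-ADResourceProperty -Filter * if your forest shows something else).
Set-ADResourceProperty -Identity 'PII_MS' -Enabled $true
$listName = 'TopSecret Properties'    # list name is our choice
if (-not (Get-ADResourcePropertyList -Filter "Name -eq '$listName'")) {
    New-ADResourcePropertyList -Name $listName
}
Add-ADResourcePropertyListMember -Identity $listName -Members 'PII_MS'

# --- Step 5: let FSRM on the file server pick up the new global property ---------------
Invoke-Command -ComputerName 'srv-2012' -ScriptBlock {
    Import-Module FileServerResourceManager
    Update-FsrmClassificationPropertyDefinition
    # Readback: the property should now be listed with its AD display name.
    Get-FsrmClassificationPropertyDefinition -Name 'PII_MS' | Select-Object Name, DisplayName
}
```

The script is idempotent for the claim types and the list, so it can be re-run after fixing a typo. Keep the suggested-value lists short and exact: a claim value such as "Support " with a trailing space in the user's department attribute will not match the rule, and that mismatch shows up later as an unexplained Access Denied.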

6. Classifying files and folders (manual)

To classify files manually in the targeted folder, select the desired file, choose Properties, and on the Classification tab the "Personally Identifiable Information" property should appear; choose the desired value for it.

7. Configure File Classification (Automatically)

Open FSRM, right-click Classification Rules (under Classification Management) and select Create Classification Rule.

a. On the General tab, fill in the name and description of the rule.

b. On the Scope tab choose User Files, hit Add and select the targeted shared folder.

c. Also, be aware that the targeted shared folder must be marked as User Files in Management Properties (Server Manager\Shares).

d. On the Classification tab, choose Content Classifier and the Personally Identifiable Information property with the value High.

The Folder Classifier option assigns the property value to all files that fall within the
scope of the rule.
The Windows PowerShell Classifier prompts you to specify a script to determine the
target files within the scope of the rule.
The Content Classifier option searches Microsoft documents for a text or regular
expression string. Click Configure to further configure this option with the Classification
Parameters dialog box, shown in Figure 2-22.

e. Select the Configure button. For our specific purpose we will define a regular expression that finds all documents in the targeted folder containing the key phrase "Credit Card Numbers".

f. For Evaluation Type choose "Re-evaluate existing property values" if you already have files that were classified manually.

8. Configure Classification Schedule

Now, from the right side of the FSRM console, choose Configure Classification Schedule. Here we can set how often we would like FSRM to search the targeted folder for new documents matching the string "Top Secret" that we defined earlier.

After we set the classification schedule, hit OK and then select Run Classification With All Rules Now on the right. When this process finishes, we receive an HTML report listing all matching documents from the targeted folder.

9. Verify File Classification

Go to the targeted folder (U:\TopSecret) and select the file that contains "Credit Card Numbers". Go to Properties and select the Classification tab. It should now be marked as High.

10. Perform Access-Denied Remediation

From the right side of the FSRM console, choose Configure Classification Schedule. Select the Access-Denied Assistance tab, enable access-denied assistance, and type a custom error message for users who get the Access Denied message.
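Steps 7, 8 and 10 on the file server, as an added example in PowerShell (not the author's script): it creates the content classification rule, sets the schedule, runs classification once and turns on access-denied assistance. It assumes the PII_MS property was imported from AD in step 5, the folder U:\TopSecret from the scenario, and a rule name, schedule and message text chosen for this example. The rule scopes a literal path instead of the User Files folder-usage tag, so step 7.c is not needed for it.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the FSRM file
# server (srv-2012). Rule name, message text and schedule are assumptions for this scenario.
Import-Module FileServerResourceManager

$folder   = 'U:\TopSecret'
$ruleName = 'TopSecret - credit card numbers'

# --- Step 7: content classification rule -----------------------------------------------
# The FSRM property was imported from AD in step 5. Look up the value that displays as
# "High" instead of hard-coding it: ordered-list properties carry a numeric value name.
$pii  = Get-FsrmClassificationPropertyDefinition -Name 'PII_MS'
$high = ($pii.PossibleValue |
         Where-Object { $_.DisplayName -eq 'High' -or $_.Name -eq 'High' } |
         Select-Object -First 1).Name
if (-not $high) {
    throw "No 'High' value found on $($pii.DisplayName); run Update-FsrmClassificationPropertyDefinition first"
}

# -Namespace is a literal path, so no User Files folder-usage tagging is required.
# -ReevaluateProperty Overwrite is the "Re-evaluate existing property values" option of 7.f.
if (-not (Get-FsrmClassificationRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name $ruleName `
        -Description 'Marks documents containing the scenario key phrase as PII = High' `
        -Namespace @($folder) `
        -Property 'PII_MS' -PropertyValue $high `
        -ClassificationMechanism 'Content Classifier' `
        -ContentRegularExpression @('Credit Card Numbers') `
        -ReevaluateProperty Overwrite
}

# --- Step 8: schedule plus an immediate run -------------------------------------------
# Weekly run on Sunday at 02:00 capped at 4 hours; continuous classification additionally
# classifies new files as they arrive rather than leaving them unlabelled until the next run.
$schedule = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday') -RunDuration 4
Set-FsrmClassification -Schedule $schedule -Continuous $true -ReportFormat @('DHtml', 'Csv')
Start-FsrmClassification -RunDuration 2

# --- Step 10: access-denied assistance -------------------------------------------------
# Including the user and device claims in the assistance request shows the help desk which
# claim was missing, which is the first thing to check when a DAC rule denies someone.
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true `
    -DisplayMessage 'Access to this file is limited to Support staff working from a Cluj device. Use "Request assistance" and the help desk will review your request.' `
    -AllowRequests $true -MailToOwner $true -IncludeUserClaims $true -IncludeDeviceClaims $true

# Readback for step 9-style verification of the rule itself.
Get-FsrmClassificationRule -Name $ruleName | Select-Object Name, Namespace, Property, PropertyValue
```

The classification report lands in the FSRM report folder after Start-FsrmClassification finishes. Matching a literal phrase catches only documents that spell it out; a rule meant to find actual card numbers would use a digit-pattern regular expression instead, and should be tested against sample files before the central access policy is switched on, because every file the rule misses stays readable under plain NTFS permissions.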

11. Create and Configure Central Access Rules and Policies

a. Go to AD Administrative Center, Dynamic Access Control:

Central Access Rules, New, Central Access Rule

Fill in the Name and edit the Target Resources (add a condition).

Under Permissions – Edit, use the second option and add Authenticated Users with Read, Write and Execute, with the following conditions.

In our example, we want to grant access to the TopSecret files (those matching the string defined at 7.e) only to users in the Support department who use devices whose location is Cluj.

b. Select Central Access Policies (under Dynamic Access Control):

Fill in the Name and add a Member Central Access Rule (the rule defined earlier).
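The central access rule and policy of step 11, as an added example written in PowerShell rather than in ADAC (not the author's script). It assumes claim types named Department and Location exist (step 2) and reads their IDs rather than guessing them, because ADAC-created claim types get an ID of the form ad://ext/<Name>:<random>; it assumes the built-in PII_MS resource property, and the rule and policy names are chosen for this example. The SDDL follows the conditional-ACE syntax that ADAC itself stores on a rule.

```powershell
# Added example, not from the original post. Run as a domain admin with the ActiveDirectory
# module. Claim IDs are read from AD; names and the 'High' lookup are assumptions.
Import-Module ActiveDirectory

$ruleName   = 'TopSecret - Support users on Cluj devices'
$policyName = 'DAC Central Access Policy'

# Claim IDs as stored in AD (e.g. ad://ext/Department, or ad://ext/Department:<random> for
# ADAC-created claim types). The SDDL below must use the exact ID.
$deptClaim = (Get-ADClaimType -Filter "DisplayName -eq 'Department'").ID
$locClaim  = (Get-ADClaimType -Filter "DisplayName -eq 'Location'").ID
if (-not $deptClaim -or -not $locClaim) {
    throw 'Create the Department and Location claim types first (step 2)'
}

# Target resources (11.a): only files classified PII = High. The property is an ordered
# list whose entries carry numeric values, so look the number up rather than guessing it.
$pii  = Get-ADResourceProperty -Identity 'PII_MS'
$high = ($pii.SuggestedValues | Where-Object { $_.ValueDisplayName -eq 'High' }).Value
if (-not $high) { throw "No 'High' value found on $($pii.DisplayName)" }
$resourceCondition = "(@RESOURCE.PII_MS == $high)"

# Permissions (11.a): Authenticated Users (AU) get Read+Write+Execute (0x1201bf =
# FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE) only when BOTH the user
# claim and the device claim match. XA is a conditional (callback) allow ACE; the owner,
# Builtin Administrators and SYSTEM entries mirror what ADAC puts in front of the rule.
$condition  = '(@USER.' + $deptClaim + ' == "Support") && (@DEVICE.' + $locClaim + ' == "Cluj")'
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
              '(XA;;0x1201bf;;;AU;(' + $condition + '))'

if (-not (Get-ADCentralAccessRule -Filter "Name -eq '$ruleName'")) {
    New-ADCentralAccessRule -Name $ruleName `
        -ResourceCondition $resourceCondition -CurrentAcl $currentAcl
}

# 11.b: the policy that the GPO of step 12 deploys, with the rule as its member.
if (-not (Get-ADCentralAccessPolicy -Filter "Name -eq '$policyName'")) {
    New-ADCentralAccessPolicy -Name $policyName
}
Add-ADCentralAccessPolicyMember -Identity $policyName -Members $ruleName

# Readback of what AD stored, for review before the GPO is linked.
Get-ADCentralAccessRule -Identity $ruleName | Select-Object Name, ResourceCondition, CurrentAcl
```

Because the two claim checks are joined with &&, the legend's file02 user (Sales) is denied even from the Cluj device, which is the result step 13 expects. Once the GPO of step 12 is linked and the policy selected in it, gpupdate /force on the file server applies it; on a client, whoami /claims lists the user and device claims the KDC actually issued, which is the quickest way to tell a missing claim from a wrong rule.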

12. GPO for FileServer

For our final step we need to create and link a new GPO at the root of the domain (DAC Central Access Policy).

(Remember: on the root of the domain, not on the Domain Controllers OU.)

13. Configuration on the File Server

a. Run "gpupdate /force" on the file server that hosts the shared targeted folder (TopSecret).

b. On the file server, select the targeted folder (U:\TopSecret), open Properties and check the Central Policy tab:

c. Now everything should be in place and Dynamic Access Control is configured! Let's test whether the permissions were applied properly:

(Keep in mind that DAC works only for clients running Windows 7, 8.1 and 10 and NOT for Windows Server. Be aware of this if you are using a Terminal Server.)

Legend:

Nr  User    PC               Department  Location
1   file01  N/A              Support     N/A
2   file02  N/A              Sales       N/A
3   N/A     DESKTOP-899PTEU  N/A         Cluj

The first picture shows that File Server01 (user file01) does have access to the targeted file, because the user's department is Support and the user works on the Desktop-899PTEU computer, whose location is Cluj.

The second picture shows that File Server02 (user file02) does not have access to the targeted file, because the user's department is Sales. Even though the user works on the Desktop-899PTEU computer (whose location is Cluj), not all of the conditions (defined at point 11) have been met.

Ionut Sandu

About the author: Ionuț Sandu is an enthusiastic blogger, passionate about IT. On his blog, JonTECH.ro, the most interesting articles in the technology field appear constantly. Ionuț has also written two scientific articles on Cloud Computing and the SSL/TLS and SSH security protocols.
