CTE Solutions- Dynamic Access Control Webinar
Slides from the live webinar on October 18th, 2012

Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so do their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role in the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only part of the equation. Granting authorized access, whilst minimizing the effort of doing so, is the tricky part.

Microsoft’s new Dynamic Access Control capability, built into Windows Server 2012, greatly improves compliance and leverages data leakage prevention to enable data governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an expression-based access control technology that improves on standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists.

If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ

  • All Directory Service Admins have to do now is stay on top of it!
  • But that can be hard to do!
  • Especially if you have decentralized HR and IT.
  • And if you're anything like most organizations, communication is not your forte.
  • How long before you end up with an unmanageable number of groups? How long before you reach the tipping point? How long before we lose control and access control starts slipping?
  • A claim is an assertion about an object (a user or a device) that is issued by a “Trusted Identity Provider”. In Windows, this Trusted Identity Provider is a DOMAIN CONTROLLER running Windows Server 2012. These assertions, or claims, map to user or computer account attributes in Active Directory, and they are stored in the Kerberos ticket at logon.

CTE Solutions- Dynamic Access Control Webinar Presentation Transcript

  • 1. DYNAMIC ACCESS CONTROL: Windows Server 2012
  • 2. YOUR PRESENTER Gérald F. Tessier, Senior Trainer at CTE Solutions, Inc. Training for 18 years, working in IT since '89. MCSA: Windows Server 2008, MCSE: Security, MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
  • 3. WHAT PROBLEM IS DAC TRYING TO SOLVE?
  • 4. ACCESS CONTROL, AS WE KNOW IT
  • 5. TRADITIONAL APPROACH
  • 6. DIRECTORY SERVICE ADMINS
  • 7. RESOURCE ADMINS
  • 8. UPDATE GLOBAL GROUPS
  • 9. DILIGENCE, PERSEVERANCE, ADHERENCE
  • 10. DECENTRALIZED & DELEGATED? ProjectX
  • 11. DECENTRALIZED & DELEGATED? ProjectX
  • 12. PROCESS INTEGRATION, ANYONE?
  • 13. HOW MANY GROUPS DO YOU HAVE?
  • 14. DYNAMIC ACCESS CONTROL
  • 15. IN A NUTSHELL
  • 16. UNDERSTANDING EXPRESSIONS
  • 17. PART 1: FILE CLASSIFICATION INFRASTRUCTURE
  • 18. AUTOMATED CLASSIFICATION (FCI diagram: in-box content classifier or 3rd-party classifier plugin; resource property definitions; FCI sees a modified/created file, matches the file to policy, and saves the classification; File Management Task)
  • 19. MANUAL CLASSIFICATION
  • 20. PART 2:CENTRAL ACCESS POLICIES
  • 21. EXPRESSION-BASED ACCESS POLICY
    Resource properties: Resource.Department = Finance; Resource.Impact = High
    User claims: User.Department = Finance; User.Clearance = High
    Device claims: Device.Department = Finance; Device.Managed = True
    ACCESS POLICY
      Applies to: @File.Impact = High
      Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
  • 22. CAP SELECTION
  • 23. CAP RULES
  • 24. CENTRAL ACCESS RULES
    Classifications on file being accessed: Department = Engineering, Sensitivity = High
    Permission type                 Target files          Permissions                 Eng FTE   Eng Vendor   Sales FTE
    Share                                                 Everyone: Full              Full      Full         Full
    Central Access Rule 1:          Dept = Engineering    Engineering: Modify         Modify    Modify       Read
      Engineering Docs                                    Everyone: Read
    Rule 2: Sensitive Data          Sensitivity = High    FTE: Modify                 Modify    None         Modify
    Rule 3: Sales Docs              Dept = Sales          Sales: Modify               [rule ignored – not processed]
    NTFS                                                  FTE: Modify                 Modify    Read         Modify
                                                          Vendors: Read
    Effective Rights:                                                                 Modify    None         Read
  • 25. STAGING POLICY
    User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
    Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low
    Current Central Access Policy for high impact data:
      Applies to: @File.Impact = High
      Allow | Full Control | if @User.Company == Contoso
    Staging policy:
      Applies to: @File.Impact = High
      Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
  • 26. SAMPLE STAGING EVENT (4818)
    Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
    Subject:
      Security ID: CONTOSODOM\alice
      Account Name: alice
      Account Domain: CONTOSODOM
    Object:
      Object Server: Security
      Object Type: File
      Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
    Current Central Access Policy results:
      Access Reasons: READ_CONTROL: Granted by Ownership
                      ReadAttributes: Granted by D:(A;ID;FA;;;BA)
    Proposed Central Access Policy results that differ from the current Central Access Policy results:
      Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule”
                      ReadAttributes: NOT Granted by CAR “HBI Rule”
  • 27. THANK YOU FOR YOUR PARTICIPATION! The presentation has been recorded and will be made available on SkyDrive. Official Microsoft courses available: 20410 - Installing and Configuring Windows Server 2012; 20411 - Administering Windows Server 2012; 20412 - Configuring Advanced Windows Server 2012 Services. Contact Gerry – gerry@ctesolutions.com. Connect with CTE on Twitter - @CTESolutions
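Slides 21, 24 and 25 describe how a Central Access Policy is evaluated: every rule whose resource condition matches the file's classification must grant the access, the policy result is then intersected with the NTFS ACL, and a staged policy is compared against the current one (event 4818). The Python model below is an added example, not code from the presentation or from Microsoft; it simplifies rights to the sets Read and Modify, uses group membership in place of claims, and reproduces the slide 24 table with constructed data.

```python
# Added example: toy model of Windows Server 2012 Dynamic Access Control evaluation.
# Rights are sets of simple permissions (constructed simplification of NTFS masks).
READ, MODIFY = {"read"}, {"read", "write"}

def rule_rights(rule, user, file):
    """Rights one central access rule grants to this user: allow entries accumulate."""
    rights = set()
    for cond, r in rule["grants"]:
        if cond(user, file):
            rights |= r
    return rights

def effective_rights(user, file, ntfs, policy):
    """NTFS ACL and the central access policy are evaluated separately and the
    effective access is their intersection. Within the policy every rule whose
    resource condition matches the file's classification must grant the right,
    so applicable rules are intersected too; non-matching rules are ignored."""
    cap = set(MODIFY)                          # unrestricted until a rule narrows it
    for rule in policy:
        if rule["applies_to"](file):
            cap &= rule_rights(rule, user, file)
    return ntfs & cap

# Constructed data reproducing slide 24: file classified Engineering / High.
POLICY = [
    {"name": "Engineering Docs", "applies_to": lambda f: f["Department"] == "Engineering",
     "grants": [(lambda u, f: "Engineering" in u["Groups"], MODIFY),
                (lambda u, f: True, READ)]},                     # Everyone: Read
    {"name": "Sensitive Data", "applies_to": lambda f: f["Sensitivity"] == "High",
     "grants": [(lambda u, f: "FTE" in u["Groups"], MODIFY)]},
    {"name": "Sales Docs", "applies_to": lambda f: f["Department"] == "Sales",
     "grants": [(lambda u, f: "Sales" in u["Groups"], MODIFY)]},  # ignored for FILE
]
FILE = {"Department": "Engineering", "Sensitivity": "High"}

def ntfs_rights(user):
    """NTFS ACL on the share from slide 24: FTE:Modify, Vendors:Read."""
    g = user["Groups"]
    return (MODIFY if "FTE" in g else set()) | (READ if "Vendors" in g else set())

def rights_for(groups, policy=POLICY):
    """Effective rights on FILE for a user holding the given group memberships."""
    user = {"Groups": set(groups)}
    return effective_rights(user, FILE, ntfs_rights(user), policy)

def staging_diff(groups, proposed):
    """Staging (slide 25): rights the proposed policy would grant differently from
    the current one, which is the comparison event 4818 reports."""
    return rights_for(groups) ^ rights_for(groups, proposed)
```

Running `rights_for` for the three users of slide 24 gives Modify for the Engineering FTE, no access for the Engineering vendor and Read for the Sales FTE, matching the slide's "Effective Rights" row.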