CTE Solutions- Dynamic Access Control Webinar

Slides from the live webinar on October 18th, 2012

Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so do their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role in assisting with the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only a part of the equation. Granting authorized access, whilst minimizing the effort in doing so, is the tricky part.

Microsoft’s new Dynamic Access Control capability, built into Windows Server 2012, greatly improves Compliance and leverages Data Leakage Prevention to enable Data Governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an improved access control technology over standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists.

If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ

  • All Directory Service Admins have to do now is stay on top of it!
  • But that can be hard to do!
  • Especially if you have decentralized HR and IT.
  • And if you're anything like most organizations, communication is not your forte.
  • How long before you end up with an unmanageable number of groups? How long before you reach the tipping point? How long before we lose control and access control starts slipping?
  • A claim is an assertion about an object (a user or a device) that is issued by a “Trusted Identity Provider”. In Windows, this Trusted Identity Provider is a DOMAIN CONTROLLER running Windows Server 2012. These assertions, or claims, map to user or computer account attributes in Active Directory. They are then stored in a Kerberos ticket at logon.
  • Transcript of "CTE Solutions- Dynamic Access Control Webinar"

    1. DYNAMIC ACCESS CONTROL: Windows Server 2012
    2. YOUR PRESENTER: Gérald F. Tessier, Senior Trainer at CTE Solutions, Inc. Training for 18 years. Working in IT since '89. MCSA: Windows Server 2008, MCSE: Security, MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
    3. WHAT PROBLEM IS DAC TRYING TO SOLVE?
    4. ACCESS CONTROL, AS WE KNOW IT
    5. TRADITIONAL APPROACH
    6. DIRECTORY SERVICE ADMINS
    7. RESOURCE ADMINS
    8. UPDATE GLOBAL GROUPS
    9. DILIGENCE, PERSEVERANCE, ADHERENCE
    10. DECENTRALIZED & DELEGATED? ProjectX
    11. DECENTRALIZED & DELEGATED? ProjectX
    12. PROCESS INTEGRATION, ANYONE?
    13. HOW MANY GROUPS DO YOU HAVE?
    14. DYNAMIC ACCESS CONTROL
    15. IN A NUTSHELL
    16. UNDERSTANDING EXPRESSIONS
    17. PART 1: FILE CLASSIFICATION INFRASTRUCTURE
    18. AUTOMATED CLASSIFICATION (diagram labels): In-box content classifier; 3rd party classification plugin; Resource Property Definitions; See modified / created file; Save classification; FCI; Match file to policy; File Management Task
    19. MANUAL CLASSIFICATION
    20. PART 2: CENTRAL ACCESS POLICIES
    21. EXPRESSION-BASED ACCESS POLICY
        • Resource properties: Resource.Department = Finance; Resource.Impact = High
        • User claims: User.Department = Finance; User.Clearance = High
        • Device claims: Device.Department = Finance; Device.Managed = True
        • ACCESS POLICY
          Applies to: @File.Impact = High
          Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
    22. CAP SELECTION
    23. CAP RULES
    24. CENTRAL ACCESS RULES

        Classifications on file being accessed: Department = Engineering, Sensitivity = High

        | Permission type | Target files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE |
        |---|---|---|---|---|---|
        | Share | | Everyone: Full | Full | Full | Full |
        | Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read |
        | Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify |
        | Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed] | | |
        | NTFS | | FTE: Modify; Vendors: Read | Modify | Read | Modify |
        | Effective rights | | | Modify | None | Read |

    25. STAGING POLICY
        • User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
        • Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low
        • Current Central Access policy for high impact data
          Applies to: @File.Impact = High
          Allow | Full Control | if @User.Company == Contoso
        • Staging policy
          Applies to: @File.Impact = High
          Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
    26. SAMPLE STAGING EVENT (4818)

        Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
        Subject:
            Security ID: CONTOSODOM\alice
            Account Name: alice
            Account Domain: CONTOSODOM
        Object:
            Object Server: Security
            Object Type: File
            Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
        Current Central Access Policy results:
            Access Reasons:
                READ_CONTROL: Granted by Ownership
                ReadAttributes: Granted by D:(A;ID;FA;;;BA)
        Proposed Central Access Policy results that differ from the current Central Access Policy results:
            Access Reasons:
                READ_CONTROL: NOT Granted by CAR “HBI Rule”
                ReadAttributes: NOT Granted by CAR “HBI Rule”

    27. THANK YOU FOR YOUR PARTICIPATION!
        • Presentation has been recorded and will be made available on SkyDrive
        • Official Microsoft Courses Available:
          20410 - Installing and Configuring Windows Server 2012
          20411 - Administering Windows Server 2012
          20412 - Configuring Advanced Windows Server 2012 Services
        • Contact Gerry – gerry@ctesolutions.com
        • Connect with CTE on Twitter - @CTESolutions
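
The effective-rights table on slide 24 can be reproduced with a small model. This is an added example, not code from the presentation or from Windows: it treats permissions as ordered levels (real evaluation intersects access masks), and the group memberships of the three users are assumed from the column headings.

```python
# Added illustration: a simplified model of the slide 24 table, not Windows' AccessCheck.
# Permissions are treated as ordered levels; real evaluation intersects access masks.
LEVELS = ["None", "Read", "Modify", "Full"]

def acl_grant(acl, groups):
    """Highest level an allow-only ACL gives to any of the user's groups."""
    return max((LEVELS.index(lvl) for grp, lvl in acl.items() if grp in groups), default=0)

def effective_rights(groups, file_props, share_acl, ntfs_acl, rules):
    """Most restrictive grant across share, each applicable central access rule, and NTFS."""
    grants = [acl_grant(share_acl, groups), acl_grant(ntfs_acl, groups)]
    applied = []
    for rule in rules:
        prop, value = rule["target"]
        if file_props.get(prop) != value:
            continue                      # target condition not met: rule is not processed
        applied.append(rule["name"])
        grants.append(acl_grant(rule["acl"], groups))
    return LEVELS[min(grants)], applied

# Classifications, ACLs and rules as shown on slide 24.
FILE = {"Department": "Engineering", "Sensitivity": "High"}
SHARE = {"Everyone": "Full"}
NTFS = {"FTE": "Modify", "Vendors": "Read"}
RULES = [
    {"name": "Engineering Docs", "target": ("Department", "Engineering"),
     "acl": {"Engineering": "Modify", "Everyone": "Read"}},
    {"name": "Sensitive Data", "target": ("Sensitivity", "High"), "acl": {"FTE": "Modify"}},
    {"name": "Sales Docs", "target": ("Department", "Sales"), "acl": {"Sales": "Modify"}},
]
# Assumed group memberships, derived from the table's column headings.
USERS = {
    "Engineering FTE": {"Everyone", "Engineering", "FTE"},
    "Engineering Vendor": {"Everyone", "Engineering", "Vendors"},
    "Sales FTE": {"Everyone", "Sales", "FTE"},
}

def evaluate_all():
    """Effective rights per user for the slide 24 file."""
    return {name: effective_rights(g, FILE, SHARE, NTFS, RULES)[0] for name, g in USERS.items()}

if __name__ == "__main__":
    for name, rights in evaluate_all().items():
        print(f"{name}: {rights}")
```

The Engineering Vendor ends up with no access because the Sensitive Data rule grants nothing to vendors, even though the share, NTFS and Engineering Docs entries all allow at least Read.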
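
Before a staged policy is enforced, the 4818 events it produces show who would lose which rights. The parser below is an added example, not part of the original slides: its sample input is constructed from the slide 26 event text, and the function name and output keys are this example's own.

```python
import re

# Constructed sample: the slide 26 event text with line breaks and backslashes restored.
SAMPLE_4818 = r'''Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
'''

def parse_4818(text):
    """Return the subject, the file, and the rights the proposed policy would stop granting."""
    fields, reasons, section = {}, {"current": {}, "proposed": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Current Central Access Policy results"):
            section = "current"
        elif line.startswith("Proposed Central Access Policy results"):
            section = "proposed"
        else:
            key, sep, value = line.partition(":")
            value = value.strip()
            if not sep or not value:
                continue                  # headings ("Subject:") and the title line
            if section:
                reasons[section][key] = value
            else:
                fields[key] = value
    lost = {}
    for right, why in reasons["proposed"].items():
        m = re.match(r'NOT Granted by CAR\s+["“](.+?)["”]', why)
        # Report only rights that are granted today and denied by a named rule.
        if m and reasons["current"].get(right, "").startswith("Granted"):
            lost[right] = m.group(1)
    return {"user": fields.get("Security ID"), "file": fields.get("Object Name"),
            "would_lose": lost}

if __name__ == "__main__":
    print(parse_4818(SAMPLE_4818))
```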