Configuring Dynamic Access Control in a Lab

-

Dynamic access control can be used to simplify security permission management. I mainly use role based access control to control file share access and auditing. However, that could lead to a lot of management overhead and thousands of groups in complex file share structures. 

 Dynamic Access Control has a bit of a learning curve, but once you understand the basic concepts it can be fairly easy to configure and deploy. 

 I have only tested and configured the following in a lab environment. This purpose of this article to get a better understanding of dynamic access control concepts. I will start out with some basic conditional expressions and work up to central access policies.

 Our environment will look similar to the diagram below. Users' access to files will be based on their attributes and the properties of the files.

Pre-requisites

  • File server that is Server 2012+ 
  • 2012+ schema
  • The File Server Resource Manager role must be installed on your file server
  • Apply the following GPO to your Domain Controllers OU
    • Computer Configuration/Policies/Administrative Templates/System/KDC/KDC support for claims, compound authentication and Kerberos armoring
      • Enabled and Supported

Claim Types

Claim Types are used to get information about active directory user and computer objects. You can think of these as "what a user/computer claims to be". These claims correlate to user/computer attributes. You can see them by clicking on the "Attribute Editor" tab of a user/computer.
To add a new claim type open Active Directory Administrative Center (ADAC), click on Dynamic Access Control on the left, right click on Claim Types, and select New>Claim Type

Select description, and leave everything at the default values.

Testing it out

Create an test AD account and leave it with a blank description.

Create a test file C:\DAC Test

Go to the advanced security properties of the folder. Disable inheritance and remove all of the security permissions of the folder except for that of your admin account, and SYSTEM. This will ensure that no one has access to the folder except for your admin account. Click Apply to make sure the changes take effect.
Add a new Full Control security permission for the "Everyone" group. On the bottom click Add a condition. enter the following: [User] [Description] [Any of] [Value] [test123]

Go to the Effective Access tab and select your test user.

Click View Effective Access

The user should have no permissions at all.

Go to Active Directory Users and Computers (ADUC) and set the user's description to "test123"
Clear all of the computer's kerberos tickets. This will ensure that the effective access updates immediately. For instructions on how see the top answer here. We'll be doing this a few more times so keep the CMD window open.

Click View Effective Access again and the user should have full control of the folder.

Remove the condition on the "Everyone" group and leave it at the default Full Access.

You just enabled some basic Dynamic Access Control, but this would be extremely tedious to do for all of your shares. Next we're going to do somethings that will make this much easier.

Resource Properties and Resource Property Lists

As the name implies, Resource properties are details (or properties) of files. There are some built in properties that you can enable, or you can create your own. For instance you can create one called "Customer" that lets user select the customer that the file belongs to. 

Resource property lists can be used to group resource properties.

Go back into ADAC. 

To add a new resource property click on Dynamic Access Control>Right Click Resource Properties>New>Resource Property

Name the new Property "Company"
Create two suggested Values "Contoso" and "Adatum" (use that for the value and name). Leave all other setting at their defaults.


Create another Property called "Building Color"

Create two suggested Values "Red" and "Blue" (use that for the value and name). Leave all other setting at their defaults.

On the file server, open powershell and run the following command: Update-FsrmClassificationPropertyDefinition (this will refresh the properties)

Go back to the C:\DAC Test folder.

Go to the folder properties and select the Classification tab (if this tab is missing you need to install the FSRM role)

For Building Color select Blue and for Customer select Contoso

Make sure to click Apply


We're done here for now, but we will use this later.

Central Access Rules

Central Access rules are used to combine Claim Types and optionally Resource Properties. These rules can look like the following:
  • All files can only be accessed by members of the IT group
  • All files can only be accessed by members of the IT group who have "Test123" in their user description
  • Files with a resource property of Company set to "Contoso" can only be accessed by members of the IT group
  • Files with a resource property of Company set to "Contoso" and Building color set to "Blue" can only be accessed by members of the IT group who have "Test123" in their user description
You can get much more granular, but those are just some examples.

A note about effective permissions: Central Access Rules permissions work similar to how Sharing and NTFS permissions work together. Users will only be able to access files based on their lowest allowed permissions. Essentially you are now dealing with Share, NTFS, and Central Access Rules. 

For example, let's say you have the following permissions on a folder:
  • Share
    • Group1
      • Read
      • Modify
  • NTFS
    • Group1
      • Read
      • Modify
  • Central Access Rule
    • Group1
      • Read
      • No modify
Members of Group1 will only be able to read since that is the lowest folder access that they have.


Create a group in AD called "IT" and add your test user to the group.

Go into ADAC again

Click on Dynamic Access Control>Central Access Rules>New>Central Access Rule

For the name enter Customer Access Rule

For target resources select the following:

[Resource] [Building Color] [Equals] [Value] [Blue]
And
[Resource][Customer][Equals][Value][Contoso]

Select "Use following permissions as effective permissions" (normally you would select proposed, but we're in a lab)


For permissions leave the defaults but add the ones found in the screenshot below.

Your Access Rule should look like the following:

Central Access Policies

Central Access Policies are what we will be using to apply Access Rules to Files and Folders.

Go into ADAC again

Click on Dynamic Access Control>Central Access Policies>New>Central Access Policy

For the name enter Customer Policy

Add the Customer Access Rule we just created

Putting it all together

We will now apply the policy we created to our test folder.

Open Group Policy Management Console and create a new GPO that will apply to your file server.

Go to Computer Configuration/Policies/Windows Settings/Security Settings/File System/Central Access Policy

Add the policy we just created


Run GPUpdate /force on your file server so that it gets the new policy.

Go to the advanced security properties of C:\DAC Test

Apply the Central Policy "Customer Policy"

Click on the "Customer Access Rule" link on the bottom to confirm that the permissions look correct.


Click Apply to make sure that the permissions take effect.

Testing it out

Go to the advanced security tab of the C:\DAC Test folder.

Click on Effective Permissions and select the test user. Click on View Effective Access and it should have all of the permissions except "change permissions". We can even see that "Customer Access Rule" is denying that permission.

Testing User Claim Types

Go to the user's properties in ADUC and change their description to test1234
Clear the kerberos tickets on the computer again.

Test the Effective Access again and the user should not have any permissions to the file.

Testing Resource Properties

Go to the Classification tab of C:\DAC Test

Change the Building Color to Red

Make sure to click Apply


Go back to the Effective Access tab in the Advanced security properties.

Select the test user again and View effective access.

The user should once again have Full Control of the entire folder.

Changing the building color caused the condition on the file access rule to not apply. This resulted in the security permissions reverting back to the NTFS permissions that give "Everyone" Full Control" over the folder.

Additional granularity

Dynamic access control allows you to get much more granular. You can expand the access rules to include conditions that check the computer where the user is accessing files. The diagram below shows that could take this further by only allowing users to read sensitive files as long as they are not on a read only domain controller.

We could also use FSRM to automatically assign resource properties to files and folders.

Summary

Dynamic Access Control is something that you can leverage even if you have a medium sized environment. Once you grasp the basic concepts it's easy to see a lot of possible applications.The reduction in security groups makes management much easier, and you also significant auditing that you can report to managers.

I hope that this guide has been helpful and if you have any questions please leave them in the comments.

References


MCSA Windows Server 2012 R2 Complete Study Guide Pg. 875-887

Comments

Post a Comment

Popular posts from this blog

FSLogix Troubleshooting guide

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org This article will cover some common issues I have ran into, and steps on how to resolve them. The guide should be followed  in order  since most of the advanced items are usually not the cause of a problem. If you just set up FSLogix, make sure that you followed every step under  Deploying FSLogix Office 365 Containers  and  Deploying FSLogix Profile Containers Terminology ODFC = Office Data File Containers This is there Office (Outlook, Teams, Licensing) data is stored This can be used in conjunction with UPDs FSL Profiles Replacement for UPDs User profiles are stored here (Office data is stored in the ODFC) Cannot  be used in conjunction with UPDs Non-Issues The items below should be ignored when troubleshooting Local_ files under C:\Users If FSLogix profiles are enabled, these folders can be ignored. They will be deleted the next
Read more

Best Practices for Deploying User Profile Disks

-
Image
Have an issue you can't solve? I offer consulting engagements and can be reached here: consulting[а 𝐭 ]amorales[․]org Last Updated 2020-01-03 After months of testing I recommend deploying FSLogix Profile Containers instead of User Profile Disks. You can find my guide here . Some of the items below apply to FSL Profile Containers.  User Profile Disks (UPDs) are great for load balanced RDS farms since it allows users to seamlessly roam from server to server. The goal of this article will be to configure the RDS and file servers in a way that maximizes performance and reduces the likelihood of UPD disconnects. I'll keep this updated any time I find new improvements. Use FSLogix Before you even consider deploying UPDs you need to be aware of  this limitation . On Server 2012 and 2016 (Server 2019 does not have this issue,  but it doesn't support Office ) the Windows Search index is machine wide. This means that when a UPD is disconnected the user's index data is d
Read more

Removing Application UAC Requirements with Shims

-
Image
This guide will show you how to create shims that allow regular users to run applications that normally require local admin. Shims should only be used as a measure of last resort. In many cases simply granting users to certain folders or reg keys eliminates the need to create a shim. You can use LUA Buglight to identify what those reg keys/files are.   How it works The shim will force the application to use "RunAsInvoker" when it is launched. RunAsInvoker tells the application to open with the privilege level of whatever launched it. For example, if a regular user opens the application through explorer.exe (a non admin process) then the application will open with regular user permissions.  Things to keep in mind: Shims should be installed after the application Shims might need to be re-installed if an application is updated Not all apps play well with shims. Make sure to test the application before putting it into production Pre-Requisites Install the Microsoft Application C
Read more