Dynamic Access Control: the file server, reimagined
Presented by Mark (on twitter)
Contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!

Dynamic Access Control
High-Level Benefits
Approach
DAC Examples
DAC Joins Share and NTFS Perms
DAC Appears in Two Places
DAC: New Notions
New Concepts/Skills
New Concepts/Skills
"And's" in Permissions
Making "And" Work
Our Opening Situation
  Click Add…
  Now for the interesting part… click "Add a condition"
  In "Add Items," choose the two groups (the UI's not good at showing this)
  Choose the groups with this dialog box:
  And then the new permission will look like this:
  Click OK/Apply and …
New Permission
  Click "Effective Access" to try it out
  Note "include group membership" (for what-if-ing) and "select device"
Next, Consider Claims
Making an AD Attribute a Claim
Promoting AD Attribs to Claims
Example: Make "Office" a Claim Type
Giving “Office” a Suggested Value (1)
Giving “Office” a Suggested Value (2)
Giving “Office” a Suggested Value (3)
Giving “Office” a Suggested Value (4)
Using Claims
Creating a Claims-Based ACE
Using Claims
  Here you see that now Effective Access lets me give Mark a claim for "what-if-ing"
How Does the File Server Know?
One More Thing for Claims…
Seeing Claims and Setting Values
  We haven’t enabled the Kerberos settings yet, so whoami can’t help.
  Another example, now that we’ve got everything enabled…
Sidebar: You Might Not See Claims
Is Using Claims Secure?
Now Your Workstation Counts, Too
DAC Talk: Review
File Classification
How to Classify Files?
ADAC and DAC
Enabling an Existing Property
Choosing Two Built-in Properties
And Once You’ve Chosen Them…
Tell the File Server
Example ACE with Resources
How Do You Set a Property?
Classification UI
  Right-click any NTFS folder or file and you'll see the new "Classification" tab
If You Classify a Folder…
Home-Grown Properties
Automatic Classification
Create the Rule (1)
Create the Rule (2)
Create the Rule (3)
  “Content Classifier” means “match a given string or a regular expression”
  Click this to specify what to look for
Specifying Expression to Match
Re-Evaluation Rules
Apply the Rule
  Run this and all of the frightening stuff is immediately marked
FSRM Classification Report
FSRM Classification Report
When You Run the Classifier…
Regular Expression Example
When Does it Happen?
Back to the Big Picture
Contrived but Complete Example
Central Access Rules and Policies
To Follow Along…
More Specific Task List
Central Access Rules and Policies
Where To Make the Conditions
Creating a Resource Condition
Creating a Resource Condition
The Resource Condition is Visible
Create the User Condition
This Part Should Look Familiar
  As before, click "Add a condition"
As Should This One…
A CAR is Born
Next, Create the CA Policy
Making a CAP
Adding a CAR
The New CAP
Deploy/Publish the CAP
Installing the CAP in the GPO
Deploy the GPO
CAP Installed
Testing CAPs
Using the Staged Permissions
Sample
Thanks for Coming!