1. Dynamic Access Control the file server, reimagined Presented by Mark Minasi help@minasi.com @mminasi on twitter 1 contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!

2. Dynamic Access Control 2

3. High-Level Benefits 3

4. 4

5. Approach 5

6. DAC Examples 6

7. DAC Joins Share and NTFS Perms 7

8. DAC Appears in Two Places 8

9. DAC New Notions 9

10. New Concepts/Skills 10

11. New Concepts/Skills 11

12. "And's" in Permissions 12

13. Making "And" Work 13

14. Our Opening Situation 14

15. 15 Click Add…

16. 16 Now for the interesting part… click Add a condition

17. 17 In "Add Items," choose the two groups (the UI's not good at showing this)

18. 18 Choose the groups with this dialog box: And then the new permission will look like this: Click OK/Apply and …

19. New Permission 19

20. 20 Click "Effective Access" to try it out

21. 21 Note "include group membership" (what if-ing,) "select device"

22. Next, Consider Claims 22

23. Making an AD Attribute a Claim 23

24. Promoting AD Attribs to Claims 24

25. Example: Make "Office" a Claim Type 25

26. Giving “Office” a Suggested Value (1) 26

27. Giving “Office” a Suggested Value (2) 27

28. Giving “Office” a Suggested Value (3) 28

29. Giving “Office” a Suggested Value (4) 29

30. Using Claims 30

31. Creating a Claims-Based ACE 31

32. Using Claims 32

33. 33 Here you see that now Effective Access lets me give Mark a claim for "what if-ing"

34. How Does the File Server Know? 34

35. One More Thing for Claims… 35

36. Seeing Claims and Setting Values 36 We haven’t enabled the Kerberos settings yet, so whoami can’t help Another example, now that we’ve got everything enabled…

37. 37

38. Sidebar: You Might Not See Claims 38

39. Is Using Claims Secure? 39

40. Now Your Workstation Counts, Too 40

41. DAC Talk: Review 41

42. File Classification 42

43. How to Classify Files? 43

44. ADAC and DAC 44

45. Enabling an Existing Property 45

46. Choosing Two Built-in Properties 46

47. And Once You’ve Chosen Them… 47

48. Tell the File Server 48

49. Example ACE with Resources 49

50. How Do You Set a Property? 50

51. Classification UI 51 Right-click any NTFS folder or file and you'll see the new "Classification" tab

52. If You Classify a Folder… 52

53. Home-Grown Properties 53

54. 54

55. Automatic Classification 55

56. Create the Rule (1) 56

57. Create the Rule (2) 57

58. Create the Rule (3) 58 “Content Classifier” means “match a given string or a regular expression” Click this to specify what to look for

59. Specifying Expression to Match 59

60. Re-Evaluation Rules 60

61. Apply the Rule 61 Run this and all of the frightening stuff is immediately marked

62. FSRM Classification Report 62

63. FSRM Classification Report 63

64. When You Run the Classifier… 64

65. Regular Expression Example 65

66. When Does it Happen? 66

67. Back to the Big Picture 67

68. Contrived but Complete Example 68

69. Central Access Rules and Policies 69

70. To Follow Along… 70

71. More Specific Task List 71

72. Central Access Rules and Policies 72

73. 73

74. Where To Make the Conditions 74

75. Creating a Resource Condition 75

76. Creating a Resource Condition 76

77. The Resource Condition is Visible 77

78. Create the User Condition 78

79. This Part Should Look Familiar 79 As before, click "Add a condition"

80. As Should This One… 80

81. A CAR is Born 81

82. Next, Create the CA Policy 82

83. Making a CAP 83

84. Adding a CAR 84

85. The new CAP 85

86. Deploy/Publish the CAP 86

87. 87

88. Installing the CAP in the GPO 88

89. Deploy the GPO 89

90. CAP Installed 90

91. Testing CAPs 91

92. 92

93. Using the Staged Permissions 93

94. Sample 4818 94

95. Thanks for Coming! 95