Dynamic Access Control

DAC (DynamicAccessControl)

Let's take a look at the different pieces that make up Dynamic Access Control. The first one is Claim Types. Once you've created a Claim Type, you put that into the Resource Properties. Resource Properties then go into Resource Property Lists. Then we have two more pieces, Central Access Rules and Central Access Policies. We're going to step through each of these pieces in Active Directory.

So, let's take a look at how we access this. We are on our Domain Controller in Server Manager. Let's go up to the Tools menu and open a little known, little used Active Directory tool called Active Directory Administrative Center. You're going to see a lot more of this tool in newer versions of Windows Server. On the left-hand side you'll see something called Dynamic Access Control. Let's go ahead and click on that. Now we see the five pieces we just talked about, but they're not in the order we just discussed.

Now, before we can use and configure any of these five pieces, we've got to turn on Kerberos armoring. Kerberos is the open authentication protocol that Windows Server uses, and we're going to need it in order to make Dynamic Access Control work. So we're going to step through each of those things, including the Group Policy changes.

Now we're going to set this up, starting with the Claim Types. But before any of this will work, we need to go into Group Policy Management and turn on Kerberos armoring. So let's go into Tools and open Group Policy Management.

From here we need to make a change to the Default Domain Controllers Policy under Domain Controllers. Right-click on that policy and choose Edit.

Let's start in the Computer Configuration section, and from there go to Policies, then Administrative Templates, then System. There's a lot in System, so go straight to KDC, expand it, and look for KDC support for claims, compound authentication and Kerberos armoring. Double-click it, select Enabled, make sure the option says Supported, then click Apply and OK.

After that we close the Group Policy Management Editor and Group Policy Management. Now that we've made the change to Group Policy, let's go back to Server Manager, open the Tools menu and choose Active Directory Administrative Center. Once we're back in the Administrative Center, click on Dynamic Access Control once again, and then on Claim Types. Now we're going to create the department claim type.

Just right-click and choose New, Claim Type.

And from here you'll see a list of preset Claim Types that you can choose and edit.

We're going to right-click and choose Enable "department", and then go to Properties. At the bottom, check the box that says The following values are suggested. Go ahead and ignore where it says Suggested Values.

From here we're going to put in Executives, because that's who's going to have access to our confidential files. Value: Executives. Display name: Executives. Very good.

Now you see in the middle of the screen that User and Computer are selected. You need to choose which object class this claim should apply to. We're just going to choose User, because that's what makes sense when it comes to department.

Let's go ahead and click OK. Alright, our Claim Type is ready.

We are back on our domain controller in Server Manager. From here we go up to the Tools menu and open Active Directory Administrative Center. On the left-hand side you can see Dynamic Access Control, and when we click on that we see the five different pieces of Dynamic Access Control. Earlier we took care of Claim Types; now we're going to look at Resource Properties. So let's double-click on Resource Properties, and you can see a whole bunch of predefined resource properties.

These resource properties can be edited, and you can create new ones. I like to use the ones that are already here, especially for our particular demonstration of confidentiality. What we're going to do is make it so that any document that has the word confidential in it can only be opened by the Executives group. So let's take a look at Confidentiality by double-clicking on it, and we can see all the different settings already in this particular resource property.

We're going to leave this just the way it is, because it's set up so perfectly for us that all we have to do is enable it. So let's click Cancel, then right-click and choose Enable. You can see that the little black dot that was there is now gone, so we know it is enabled. If we wanted to, we could go to New, Resource Property, and set one up from scratch with whatever values fit our criteria.

You can also change the type from Single-valued Choice to the other options such as Date and Time, Multi-valued, Number, Yes or No, and all of these can help determine whether a person has access to a file or not. We can also click Add to add more values, and click OK. But we're going to cancel that, because we've got our Confidentiality resource property ready to go.

We're also going to install File Server Resource Manager. This will allow us to classify the files as we create our central access rules and policies.
We are back in Server Manager on our domain controller, so let's go ahead and choose Add roles and features. Click Next, Next, Next. Now expand File and Storage Services. From here we're looking for File Server Resource Manager. Check that and add the related features. Next, Next, and Install.

So what File Server Resource Manager will give us is the ability to classify our files, so we can say which files are confidential so our executives can be the only ones that can access those files.

Looks like our installation succeeded, so we'll close that and open File Server Resource Manager. We're going to use this for Classification Management. But for now, let's close FSRM and go to Tools, Active Directory Users and Computers. We need to create an executive. We're not going to create an executive group; we're going to create a user whose Organization properties show the department as Executives.

So let's choose New, User, and we'll call this person Boss. The logon name will be Boss; click Next. Put in a password for Boss, choose Next, and Finish. Now let's double-click on Boss and go to the Organization tab.

Under Department, the attribute we created a claim type for in a previous video, put in Executives and click Apply. Let's minimize that, go back to Tools, Active Directory Administrative Center, and complete our Resource Property List.

Let's double-click on Resource Property Lists and choose New, Resource Property List. Now that we're in the list, let's call it Confidential. In a previous step we enabled the Confidentiality resource property, so there it is. Select it and click Add to move it to the right, click OK, click OK, and now our Resource Property List is all set.

Let's go back to our server and make our access rule. We are back in Active Directory Administrative Center, and we're going to create a Central Access Rule. Double-click on Central Access Rules, and from here choose New, Central Access Rule.

We're going to call it Confidential Rule. Now go down to where it says Target Resources and click Edit. From here we add a Condition. The Condition states that the Resource's Confidentiality property, the one we enabled earlier and put in our Property List, Equals the Value High. Click OK.

Now we're going to go down to Permissions. And you can see there's already Permissions for the Administrators.

You can choose whether to keep the Administrators group in there or remove it. But let's add our Executives by selecting a principal and clicking OK, and we'll give them Full Control. Now click Add a condition. You can base the condition on Users or Groups; we're going to set it to User, department, Equals, Value, Executives.

Now click OK, then Apply, then OK, and OK again. We've created our Central Access Rule. Next we're going to apply that Rule to a Policy, and then make sure our executives have the access they need to any documents that have the word "confidential" in them.

We are in Dynamic Access Control, where we are creating a new policy that will allow only executives to access files that have the word confidential somewhere in the text. This is a new type of security that gives us an alternative to the Sharing and Security tabs we are used to using.

Now we're going to take that rule and put it into a Central Access Policy.

Then we're going to update Group Policy to make that all work. So let's go back to our server. We are in Server Manager; go up to Tools and back into Active Directory Administrative Center. Click on Dynamic Access Control on the left-hand side, and this time double-click on Central Access Policies. There is no policy yet; we're going to create it using the pieces we built in the previous steps.

So let's click New, Central Access Policy, and we'll call it Confidential Policy. Now click Add and add the rule we created previously, then click OK.
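Here is the same set of objects built with the ActiveDirectory PowerShell module instead of clicking through ADAC. This is an added example, not from the original walkthrough; it assumes the built-in resource property is named Confidentiality_MS with the suggested value 3000 displayed as High, and it looks up the generated claim ID rather than hard-coding one.

```powershell
# Added example: build the DAC objects from the walkthrough with PowerShell.
# Run in an elevated PowerShell on the domain controller as a Domain Admin.
# Assumption: built-in resource property "Confidentiality_MS", High = "3000".
Import-Module ActiveDirectory

# 1. Claim type sourced from the user's "department" attribute, User objects only.
$suggested = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "Executives", "Executives", "Users allowed to open confidential files")
$claim = New-ADClaimType -DisplayName "department" -SourceAttribute "department" `
    -AppliesToClasses User -SuggestedValues $suggested -PassThru

# 2. Enable the built-in Confidentiality resource property and put it in a list.
Set-ADResourceProperty -Identity "Confidentiality_MS" -Enabled $true
New-ADResourcePropertyList -Name "Confidential"
Add-ADResourcePropertyListMember -Identity "Confidential" -Members "Confidentiality_MS"

# 3. Central access rule: targets resources classified High; Administrators keep
#    Full Control, and users whose department claim is Executives get Full Control.
#    The claim ID is generated at creation, so it is read back from $claim.
$resourceCondition = '(@RESOURCE.Confidentiality_MS == "3000")'
$userCondition     = "(@USER.$($claim.ID) == `"Executives`")"
$acl = "O:SYG:SYD:AR(A;;FA;;;BA)(XA;;FA;;;AU;$userCondition)"
New-ADCentralAccessRule -Name "Confidential Rule" `
    -ResourceCondition $resourceCondition -CurrentAcl $acl

# 4. Central access policy containing the rule.
New-ADCentralAccessPolicy -Name "Confidential Policy"
Add-ADCentralAccessPolicyMember -Identity "Confidential Policy" -Members "Confidential Rule"

# 5. Check what was created before moving on to Group Policy.
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, Enabled
Get-ADCentralAccessPolicy -Identity "Confidential Policy" -Properties Members |
    Select-Object Name, Members
```

The policy still has to be published through Group Policy (Computer Configuration, Policies, Windows Settings, Security Settings, File System, Central Access Policy) and refreshed with gpupdate /force, exactly as the walkthrough does by hand.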

To make this rule work we have to go into Group Policy and edit it so that the new Confidential Policy is applied. So let's close the Administrative Center, go to Tools in Server Manager, and open Group Policy Management.

Previously we edited the Default Domain Controllers Policy. We're not going to do that this time. This time we're going to edit the Default Domain Policy, because we want this to apply to users, not just to the Domain Controller. So right-click on the Default Domain Policy and click Edit.

And from here we're going to go to our Computer Configuration at the top. Expand Policies, go to Windows Settings, Security Settings, File System, Central Access Policy.

And there's the policy we created earlier. Let's go ahead and add it. Click OK.

Now we can close the Group Policy Editor and Group Policy Management. Let's go back into PowerShell or a Command Prompt and type gpupdate /force. This applies the changes we just made. Once that is done, we can take the last couple of steps.

Let's create a folder that we're going to share, so let's call it Shared, which makes sense. Instead of sharing it the usual way by right-clicking and going to Properties, let's go back into Server Manager and do this through File and Storage Services. Click on Shares, then Tasks, and create a New Share. Choose SMB Share - Quick, and of course we're creating it on the local server.

We're going to use a custom path. Click Browse and locate the Shared folder we just created. Click Next and make sure the information is correct, which it is, and click Next. Let's check the box for Enable access-based enumeration.

This allows us to see additional properties in our folders that we wouldn't otherwise see. Click Next. Now you can customize the permissions; you could double-click on any of the users and give them full access, but it doesn't really matter, because our Dynamic Access Control is going to override anything that's in here anyway.

Click Next, then Create, and now our Shared folder is shared. Next we're going to go to File Server Resource Manager and make a couple of changes. We need to classify our files, so go to Classification Properties, right-click and choose Refresh. Now we see our Confidentiality classification property.

Let's go back to the Shared folder we created earlier, right-click on it and choose Properties. From here we now see a Classification tab. Click on it, and we see that Confidentiality has been applied, which is great. By default the value will be None. Make sure High is selected, then click OK.

Very good. Now in our confidentiality classification we can see that it is set to High. So that concludes our Dynamic Access Control feature setup.

We went through all the different stages: Claim Types, Resource Properties, Property Lists, and Access Rules; then we took those rules, applied them to a Policy, and applied that Policy to the folders themselves. Ultimately what this does for us is, if there are any documents in that shared folder that have the word confidential in them, the only people who will be able to access those files are executives and administrators. So this is a complex setup that's not necessarily for everybody, but it is an alternative to the traditional security groups and the Sharing and NTFS Security tabs.

Origin blog.51cto.com/2290153/2437727