CTE Solutions- Dynamic Access Control Webinar
Slides from the live webinar on October 18th, 2012 Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so does their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role to assist with the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only a part of the equation. Granting authorized access, whilst minimizing the effort in doing so is the tricky part. Microsoft’s new Dynamic Access Control capability, built into Windows Server 2012, greatly improves Compliance and leverages Data Leakage Prevention to enable Data Governance. Administrators now have greater control over file server data by taking advantage of Active Directory claims, an improved access control technology over standard ACLs, Active Directory centralized authorization/auditing policy, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists. If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ
Recomendados
Recomendados
Más contenido relacionado
Más de CTE Solutions Inc.
Más de CTE Solutions Inc. (15)
Último
Último (20)
CTE Solutions- Dynamic Access Control Webinar
- 1. DYNAMIC ACCESS CONTROL Windows Server 2012
- 2. YOUR PRESENTER Gérald F. Tessier Senior Trainer at CTE Solutions, Inc. Training for 18 years Working in IT since „89 MCSA: Windows Server 2008, MCSE: Security MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
- 3. WHAT PROBLEM IS DAC TRYING TO SOLVE?
- 4. ACCESS CONTROL, AS WE KNOW IT
- 10. DECENTRALIZED & DELEGATED? ProjectX
- 11. DECENTRALIZED & DELEGATED? ProjectX
- 13. HOW MANY GROUPS DO YOU HAVE?
- 15. IN A NUTSHELL
- 17. PART 1: FILE CLASSIFICATION INSTRUCTURE
- 18. AUTOMATED CLASSIFICATION In-box 3rd party content classification classifier plugin Resource Property Definitions See modified / created file Save classification FCI Match file to policy File Management Task
- 20. PART 2: CENTRAL ACCESS POLICIES
- 21. EXPRESSION-BASED ACCESS POLICY Resource properties User claims Device claims Resource.Department = User.Department = Finance Device.Department = Finance Finance User.Clearance = High Device.Managed = True Resource.Impact = High ACCESS POLICY Applies to: @File.Impact = High Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
- 22. CAP SELECTION
- 23. CAP RULES
- 24. CENTRAL ACCESS RULES Classifications on File Being Accessed Department Engineering Sensitivity High Permission Type Target Files Permissions Engineering Engineering Sales FTE Vendor FTE Share Everyone:Full Full Full Full Central Access Rule 1: Dept=Engineering Engineering:Modify Modify Modify Read Engineering Docs Everyone: Read Rule 2: Sensitive Data Sensitivity=High FTE:Modify Modify None Modify Rule 3: Sales Docs Dept=Sales Sales:Modify [rule ignored – not processed] NTFS FTE:Modify Read Modify Modify Vendors:Read Effective Rights: Modify None Read
- 25. STAGING POLICY User claims Resource properties Clearance = High | Med | Low Department = Finance | HR | Eng Company = Contoso | Fabrikam Impact = High | Med | Low Current Central Access policy for high impact data Applies to: @File.Impact = High Allow | Full Control | if @User.Company == Contoso Staging policy Applies to: @File.Impact = High Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
- 26. SAMPLE STAGING EVENT (4818) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Subject: Security ID: CONTOSODOMalice Account Name: alice Account Domain: CONTOSODOM Object: Object Server: Security Object Type: File Object Name: C:FileShareFinanceFinanceReportsFinanceReport.xls Current Central Access Policy results: Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;ID;FA;;;BA) Proposed Central Access Policy results that differ from the current Central Access Policy results: Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule” ReadAttributes: NOT Granted by CAR “HBI Rule”
- 27. THANK YOU FOR YOUR PARTICIPATION! Presentation has been recorded and will be made available on skydrive Of ficial Microsoft Courses Available: 20410 - Installing and Configuring Windows Server 2012 20411 - Administering Windows Server 2012 20412 - Configuring Advance Windows Server 2012 Services * Contact Gerry – gerry@ctesolutions.com Connect with CTE on Twitter - @CTESolutions
Notas del editor
- All Directory Service Admins have to do now is stay on top of it!
- But that can be hard to do!
- Especially if you have decentralized HR and IT.
- Especially if you have decentralized HR and IT.
- And if your anything like most organizations, communication is not your forte.
- How long before you end up with an unmanageable number of groups? How long before you reach the tipping point? How long before we lose control and access control starts slipping?
- A claim is an assertion of an object, also known as a user or a device, that is issued from a “Trusted Identity Provider”. In Windows, this Trusted Identity Provider is a DOMAIN CONTROLLER running Windows Server 2012. These assertions, or claims map to a user or computer account attributes in Active Directory. These are then store in a Kerberos ticket at logon.