Windows Dynamic Access Control (DAC)

  • Active Directory management enhancements
    • Active Directory Administrative Center
      • Active Directory Recycle Bin management
      • Fine-Grained Password Policy management
      • Windows PowerShell History Viewer
      • Dynamic Access Control
    • Group Policy enhancements
    • Kerberos constrained delegation changes
  • Active Directory deployment enhancements
    • Remote DCPromo and built-in troubleshooting
    • ADPrep integration
    • Improved virtualization support
      • Domain controller cloning
      • Active Directory snapshots
  • Active Directory-based activation
    • Active Directory Federation Services 2.1 built in

In this post we will concentrate on Dynamic Access Control (DAC). DAC allows administrators to create and manage central access and audit policies in Active Directory, managed through the Active Directory Administrative Center, to help organizations reach data compliance.

NOTE: DAC is the combination of different features working together. It leverages AD, GPO, file servers … It is one of the more involved labs we have tackled so far.

Microsoft has focused on the following areas:

  • Identify the information that needs to be managed to meet business and compliance requirements
  • Apply appropriate access policies to information
  • Audit access to information
  • Encrypt information

You can now create and manage Central Access and Audit Policies in Active Directory through the ADAC. These policies are based on conditional expressions that take into account the following, so that organizations can translate business requirements into efficient policy enforcement and considerably reduce the number of security groups needed for access control:

  • Who the user is
  • What device they are using, and
  • What data is being accessed

Dynamic Access Control integrates claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as “User is from the Finance department” and “User’s security clearance is High”.

Here is a sample of how DAC policies are typically used:

Policy type and usage:

Organization-wide authorization policy
  • Most commonly initiated from the information security office
  • Driven by compliance or high-level organizational requirements
  • Relevant across the organization
  • Example: HBI files are accessible only to full-time employees

Departmental authorization policy
  • Each department in an organization has some special data-handling requirements that it wants to enforce
  • Example: the finance department might want to limit access to finance servers to finance employees

Specific data-management policy
  • Usually relates to compliance and business requirements, and is targeted at protecting the correct access to the information that is being managed
  • Example: financial institutions might implement information walls so that analysts do not access brokerage information and brokers do not access analysis information

Need-to-know policy
  • Typically used in conjunction with the previous policy types
  • Example: vendors should be able to access and edit only files that pertain to a project they are working on

You can find different scenarios of DAC usage here.

What we will do in this post is set up DAC and create a rule to show the flexibility and the value you can get from this technology.

Step-by-Step: enabling and configuring DAC

DAC is a claim-based security feature.

Claims are Active Directory attributes defined to be used with Central Access Policies. The claims can be set for both users and devices. Microsoft added a new container to the Active Directory Administrative Center to implement this new feature.

To configure centralized file-access policies through Dynamic Access Control, we need to configure the following parts.

  1. Claim Type
  2. Resource properties for files
  3. Resource property lists (add resource properties to the global list)
  4. Create new central access rule
  5. Create central access policy

First, we logged on to our domain controller ITCamp-DC1 and created some accounts for this lab.

  1. Create the following users with the attributes indicated:
     User              Username    Email address             Department  Country/Region
     Myriam Delesalle  MDelesalle  MDelesalle@ITCAMP.Local   Finance     Canada
     Miles Reid        MReid       MReid@ITCAMP.Local        Finance     United States
     Esther Valle      EValle      EValle@ITCAMP.Local       Operations  Canada
     Maira Wenzel      MWenzel     MWenzel@ITCAMP.Local      HR          Canada
     Jeff Low          JLow        JLow@ITCAMP.Local         HR          United States

It’s now time to enable Dynamic Access Control for ITCamp.Local.

  1. Open the Group Policy Management Console, click ITCamp.Local, and then double-click Domain Controllers.
  2. Right-click Default Domain Controllers Policy, and select Edit.
  3. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.
  4. Double-click KDC support for claims, compound authentication, and Kerberos armoring and select Enabled. You need to enable this setting to use Central Access Policies.
  5. Open an elevated command prompt, and run the following command:

gpupdate /force

Configure Claim Type

In this step we will configure claim types for users. We will add existing Active Directory attributes to the list of attributes that we can use when evaluating dynamic access control: in our case, the user’s department and country.

1- After logging on to the DC, open the Active Directory Administrative Center to start configuring the Dynamic Access Policy (DAP).

2- In the Claim Types section, click “New” and then “Claim Type” in the task pane.

3- Select the attribute you want to use (in our case “c”, the country attribute) and, in the suggested values section, enter the countries you want to match. In our lab we use Canada and United States.

4- Repeat for the department attribute with the following suggested values: HR, Finance, Operations.

Configure Resource properties for files

1- In this step, we will configure the resource properties that file servers download and use to classify files, directories or shares. The DAC rules compare user attribute values (claims) with these resource properties. You can enable existing properties or create new ones.

2- Click Resource Properties. Here you can enable existing resource properties or create new ones; we selected Country and Department.

Resource property lists (add resource property to global)

1- Each resource property must be added to at least one resource property list; it is then downloaded by the file servers in your environment. The Global Resource Property List is downloaded by all file servers.

Our properties are already part of the global list.

Create new central access rule

This is where we create a rule that uses the properties we defined earlier. The rule describes which conditions must be met for file access to be granted.

1- In the Central Access Rules section, click “New” and then “Central Access Rule”.

2- Give it a name in the Create Central Access Rule form.

3- In the Permissions section, click “Use following permissions as current permissions” and then click “Edit”.

4- Click “Add” and, in the “Permission Entry for Permissions” dialog, select “Authenticated Users” as the principal and set the following conditions.

5- Click “OK” and you are back at the DAC configuration screen.

Create central access policy

This part is very straightforward.

1- In the Central Access Policies section, click “New” and then “Central Access Policy”, and give the new policy a name in the “Create Central Access Policy” form. We named ours CAP. You also need to add the Central Access Rule you created earlier to the policy.

2- Once the policy is created we need to tell AD to publish it. In the “Group Policy Management Console” we edited the “Default Domain Policy”, but you can apply a different policy as you see fit. Under Computer Management > Policies > Windows Settings > Security Settings > File System > Central Access Policy, right-click the right pane and select Manage Central Access Policies.

3- Add the Policy you created to the Applicable Central Access Policies.
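As an added example that is not part of the original post, here is the same five-part configuration (claim types, resource properties, global list membership, central access rule, central access policy) done with the ActiveDirectory PowerShell module instead of ADAC. The rule condition (the user’s Department claim must equal the folder’s Department property) and the rule name “Department match” are assumptions, since the post shows its conditions only in a screenshot; the policy name CAP is the one the post uses.

```powershell
# Added example (not from the original post): DAC objects built with the
# ActiveDirectory module. Assumes a Domain Admin session on a 2012-level DC.
Import-Module ActiveDirectory

# 1. Claim types sourced from existing user attributes (c = country, department),
#    with the same suggested values the post enters in ADAC.
$countryValues = @("Canada", "United States") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
}
$deptValues = @("HR", "Finance", "Operations") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
}
$countryClaim = New-ADClaimType -DisplayName "Country" -SourceAttribute c `
    -SuggestedValues $countryValues -PassThru
$deptClaim = New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -SuggestedValues $deptValues -PassThru

# 2. Secured resource properties that share their value list with the claim types,
#    so folder classification and user claims use one vocabulary.
$countryProp = New-ADResourceProperty -DisplayName "Country" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-Text -SharesValuesWith $countryClaim -PassThru
$deptProp = New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-Text -SharesValuesWith $deptClaim -PassThru

# 3. Publish both in the Global Resource Property List so every file server gets them.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members $countryProp, $deptProp

# 4. Central access rule (assumed condition): Authenticated Users (AU) get
#    Read & Execute (0x1200a9) only when their Department claim equals the
#    folder's Department property. The conditional ACE uses the XA ACE type and
#    references the generated claim ID ($deptClaim.Name, ad://ext/...) and the
#    resource property ID ($deptProp.Name, Department_MS by default).
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
       "(XA;;0x1200a9;;;AU;(@USER.$($deptClaim.Name) == @RESOURCE.$($deptProp.Name)))"
# Target the rule only at folders classified as HR or Finance.
$target = '(@RESOURCE.' + $deptProp.Name + ' Any_of {"HR", "Finance"})'
New-ADCentralAccessRule -Name "Department match" -ResourceCondition $target -CurrentAcl $acl

# 5. Central access policy containing the rule; the GPO step in the post publishes it.
New-ADCentralAccessPolicy -Name "CAP"
Add-ADCentralAccessPolicyMember -Identity "CAP" -Members "Department match"

# Check the result before linking the policy through Group Policy.
Get-ADCentralAccessPolicy -Identity "CAP" -Properties Members | Select-Object Name, Members
```

The KDC claims setting and the GPO that publishes the CAP to file servers are still applied exactly as described in the steps above, followed by gpupdate /force.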

We are done configuring the DAC… well… not quite. We still need to configure our shares and share properties.

To configure the shares, the File Server Resource Manager must be installed on the server that will be used as the file server. In our case the file server we are using is VMHost10B.itcamp.local.

  1. Log on to VMHost10B.itcamp.local as itcamp\administrator
  2. In Server Manager, click Add Roles and Features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Next.
  5. On the Select destination server page, click Next.
  6. On the Select Server Roles page, expand File and Storage Services, select the check-box next to File and iSCSI Services, expand, and select File Server Resource Manager.
  7. In the Add Roles and Features Wizard, click Add Features, and then click Next.
  8. On the Select features page, click Next.
  9. On the Confirm installation selections page, click Install.
  10. On the Installation progress page, click Close.

On the VMHost10B machine we created two shares (HR and Finance) using the SMB Share - Advanced profile, accepting all defaults to complete this part.

Once the shares have been created, we need to go to the location where each directory was created and modify the properties of each folder to include the classification (Department, and Country if used) that the rule compares against.

Then, in the Advanced Security Settings, on the Central Policy tab, change “No Central Access Policy” to “CAP”, the policy we defined.

You can test whether everything worked by using the Effective Access tab.

That is just the start of the value that DAC can bring.