Implementing Microsoft Dynamic Access Control (DAC)

By | May 21, 2014

Understanding DAC:

  • A newer access control model for file system resources that covers access control, auditing, and FCI (File Classification Infrastructure).  It is still built on the usual authentication/authorization/auditing model.
  • Works as a layer on top of NTFS and Share permissions.
  • Benefits include protecting (encrypting) sensitive information, compliance and data analysis, and access-denied remediation.
  • Windows 7 clients can work with DAC; the file server performs the claims lookups on their behalf (requires Kerberos v5).

Practical Example:

Traditionally, NTFS permissions are assigned to user groups.  With DAC, however, you set a Central Access Policy that classifies files with a specific classification (Confidential in this example) and allows access only to users located in a specific location (Nashville) who are part of a specific department (R&D).

User claims are pulled from AD schema attributes, where you would record that the user is located in Nashville and belongs to the R&D department.  Those attribute values are then evaluated as the user's claims against a specific resource.

Resource properties are assigned to specific folders/files.  In this example, any folder/file given the resource property of Confidential and a location of Nashville would match the Central Access Policy and allow a user with the correct claims to access it.

Claims:

  • Identity – Published information about an entity from a trusted data store.  Published information would be schema properties for users/computers.
  • Claims are statements made about users and devices in AD DS (device claims are only supported for Windows 8 devices).  They are defined as schema attributes (name + data type + suggested values).
  • Relies on Kerberos v5 and armoring.  You may have to extend your Active Directory schema.  This extends the security principal's access token and allows the extra attributes to be used during authentication.  These are considered claims extensions.

Resource Properties and Resource Property Lists:

  • These are assigned to folders and files and are considered metadata tags.  They are stored in AD DS, are available globally, and are ingested by the file servers hosting the specific resource.
  • Properties are name and data pairs which can have multiple data types, including Boolean, strings, etc.
  • Resource properties are created individually and then grouped into resource property lists.  Classification can be done manually or through File Server Resource Manager (FSRM), which lets you use classification rules and scheduled tasks to find files that should carry specific classifications and act on them in any way, including encryption.

The Central Access Policy:

  • This ties the claims and resource properties together.
  • CAPs consist of one or more Central Access Rules, which are conditional logic that scopes access and permissions.  First you scope the target resources, then create the conditional statements that pull in claims and resource properties.  The ACL is built from these results.
  • Once the policy is complete, deploy the CAP and assign it to specific folders.
  • Permissions can be staged as proposed permissions: the file server only generates event IDs in the event log so you can see the effect of the new policy without enforcing it.  You can push it into production once you are confident in the proposed changes.

Access-Denied Assistance and Auditing:

  • This is only available to Windows 8 clients.
  • This provides users with support options and custom error messages.
  • This will also notify admins/file owners with detailed access metadata to determine the reasoning behind the block.
  • Conditional auditing lets you see only the relevant audit entries instead of the flood of data produced by Group Policy-based NTFS auditing.
  • Audits are now far more detailed and allow you to view very specific audit logs.

Steps to implement this:

  1. First, ensure the users that will be assigned the claims have the appropriate schema attributes assigned to them in Active Directory Administrative Center.
  2. Next, go into Dynamic Access Control in AD-AC and create a new Claim Type.  The Claim Type should include the attribute you want the claim based on, a display name that makes sense, and suggested values for admins assigning claim values to the users.  (Ideally keep the Suggested Values consistent if you're using them.)
  3. Once the Claim Types are populated, it is recommended to place your File Servers in their own OU for Group Policy scoping later on.
  4. Now we need to configure Resource Properties.  There are built-in ones that describe characteristics of particular resources.  They must be enabled in order to be used by the File Servers.  Create a new Resource Property if need be with the appropriate Value Type (Yes/No, True/False, Ordered List, etc.) and create the actual values if needed.
  5. Next, create a Resource Property List and select the needed resource properties from the list (both built-in and custom ones will appear here).  Be sure the property is enabled.  This allows the File Server to classify files using the resource properties assigned to this resource property list.
  6. Log in to the File Server and ensure the files that will be assigned a resource property list are shared.  Also ensure the Share and NTFS permissions are permissive enough, since the DAC permissions will narrow access further.
  7. Open FSRM and ensure the resource property lists are reflected under Classification Properties.  If they do not appear, run a manual sync by running Update-FSRMClassificationPropertyDefinition from PowerShell.
  8. You can create a classification rule with the appropriate scope and location of your files and have the rule set the property value from the classification properties.  You can even use RegEx matching to find things like SSNs or other confidential information within these files.
  9. Once the rule completes, you will be notified in a report of which files were changed.  These rules can be run multiple times and merge/replace existing classifications if need be.  The classification properties can be found under the Classification tab by right-clicking the file and choosing Properties.
  10. Once you have the property classifications assigned via the rules, you can use File Management Tasks to manipulate the files as needed (including moving them to a different location).
  11. On the domain controllers, the Central Access Rule and Policy must be created under AD-AC > Dynamic Access Control > Central Access Rules.
  12. Be sure to name this and specify the resource targets (e.g. all files where the resource property equals the value specified earlier in your resource properties).  You can also stage permissions from the Central Access Rule form.
  13. Once you have your rules in place, go to Central Access Policies and add in the Rules you have created.
  14. Lastly, Group Policy must be configured.  First, enable Kerberos Armoring, claims, and compound authentication.  This must be done in two places, one for domain controllers (under KDC) and one for the domain (under Kerberos).
  15. Group policy must also be done for your File Servers under Windows Settings > Security Settings > File System > Manage Central Access Policies.  This is where the Central Access Policies get pushed to the File Servers in your organization.  Advanced Audit Policy configuration should also be done in these policies tied to the File Servers.
  16. Finally, you can go into the directory properties on the File Server for security and go to Advanced.  A new tab to assign a Central Access Policy will appear here and allow you to select it out of the ones assigned via Group Policy earlier.  This is where you define the ACLs related to the Central Access Policy.
  17. If you want to configure access denied assistance, also do so under Group Policy or FSRM.  Doing it with Group Policy will allow you to standardize it across File Servers.
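The same build-out in PowerShell, as an added example that is not code from the original post: it creates the AD and FSRM objects from steps 1 through 13 above and stages the conditional permissions as a proposed ACL, as described under the Central Access Policy section.  The user jdoe, the path D:\RnD, and the claim and resource property names are assumptions.

```powershell
# Added example (not from the original post): the AD-side and FSRM-side objects
# from steps 1-13, created with the ActiveDirectory and FileServerResourceManager
# modules (Server 2012+). The user 'jdoe', the path D:\RnD, and all claim and
# property names are assumptions.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager    # only present on the file server

function New-SuggestedValue([string]$Value) {
    # value, display name and description are kept identical for simplicity
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($Value, $Value, $Value)
}

# Step 1: populate the schema attributes the claims will be sourced from (l = City)
Set-ADUser -Identity 'jdoe' -City 'Nashville' -Department 'R&D'

# Step 2: claim types sourced from those attributes; -PassThru returns the objects
# so their generated IDs (ad://ext/...) can be referenced in the ACE below
$dept = New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -SuggestedValue (New-SuggestedValue 'R&D'), (New-SuggestedValue 'Finance') -PassThru
$city = New-ADClaimType -DisplayName 'Location' -SourceAttribute 'l' `
    -SuggestedValue (New-SuggestedValue 'Nashville') -PassThru

# Steps 4-5: a secured resource property (usable in ACEs) added to the global list
$conf = New-ADResourceProperty -DisplayName 'ResearchConfidentiality' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' `
    -SuggestedValue (New-SuggestedValue 'Confidential'), (New-SuggestedValue 'Internal') -PassThru
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $conf

# Steps 7-9 (on the file server): sync the property definitions, then tag any file
# under D:\RnD whose content matches the pattern as Confidential
Update-FSRMClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Tag confidential R&D files' -Namespace 'D:\RnD' `
    -ClassificationMechanism 'Content Classifier' -ContentRegularExpression 'CONFIDENTIAL' `
    -Property $conf.ID -PropertyValue 'Confidential' -ReevaluateProperty Overwrite
Start-FsrmClassification

# Steps 11-13: a Central Access Rule scoped to Confidential files. The current ACL
# keeps Authenticated Users (AU) read access (0x1200a9); the proposed ACL is the
# conditional ACE (XA) that grants it only to Nashville R&D users. While staged,
# differences between the two are only logged, not enforced.
$claimCond = "(@USER.$($dept.ID) == `"R&D`") && (@USER.$($city.ID) == `"Nashville`")"
$current   = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)'
$proposed  = "O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;($claimCond))"
New-ADCentralAccessRule -Name 'Nashville R&D - Confidential' `
    -ResourceCondition "(@RESOURCE.$($conf.ID) == `"Confidential`")" `
    -CurrentAcl $current -ProposedAcl $proposed
New-ADCentralAccessPolicy -Name 'R&D Confidential Policy'
Add-ADCentralAccessPolicyMember -Identity 'R&D Confidential Policy' -Members 'Nashville R&D - Confidential'
```

Once the staged events look right, move the conditional ACE into -CurrentAcl with Set-ADCentralAccessRule; the Group Policy and folder assignment in steps 14-16 are still done as described above.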