Learning Microsoft Windows Server 2012 Dynamic Access Control

By : Jochen Nickel

Overview of this book

Identifying and classifying information inside a company is one of the most important prerequisites for securing the sensitive information of its various business units. Windows Server 2012 Dynamic Access Control not only helps you classify information, it also gives you the functionality to provide a safety-net policy across your file servers, along with helpful ways of auditing and access-denied assistance to improve usability. Understanding the architecture and the design, implementing the solution, and troubleshooting it are all covered in a practical and easy-to-read manner. This book is packed with project-based examples and plenty of information about the architecture, functionality, and extensions of Dynamic Access Control to help you excel in real-life projects. The book guides you through all the stages of a successful implementation of Dynamic Access Control. Microsoft Windows Server 2012 Dynamic Access Control will teach you everything you need to know to create your own projects, and is an essential resource for reviewing or extending existing implementations. The book initially takes you through all of the functionality and extensions, with ideas and overviews to guide you in the decision process. The whole architecture is explained in terms of the main building blocks of Dynamic Access Control. You will gain a strong foundation in, and understanding of, the claims model and Kerberos. Classifying information, the hardest prerequisite to fulfil, is also covered in depth. You will also spend time understanding conditional expressions and the method used to deploy them across your file server infrastructure. A special chapter is included on handling data quality and integration with other systems and strategies. Last, but not least, to get your solution up and running you will learn how to troubleshoot a Dynamic Access Control solution.

Preface

In today's complex IT environments, file servers play an increasingly important role, storing tons of data and information and making it available to any individual in an organization. Additionally, all of this data needs to be secure and accessible across varied networks, devices, and applications, and needs to work with strategies such as Bring Your Own Device (BYOD), DirectAccess, and the different cloud scenarios.

For system administrators, this quite often starts with building groups to control access to the company's internal file servers. For example, Jack works on a project called Ikarus and needs some information from the Marketing department, but Jack is not really a member of that department. Therefore, you build some security groups to fulfil this request, and a complex group scenario starts to exist. As the groups and their memberships grow, they become more and more complex; just think about Kerberos token bloat, which causes user authentication problems.

In addition, auditing and monitoring a solution is always a challenge. You might be familiar with questions such as "Who had access to the sensitive finance information on June 1, 2013?", or with the wonderful "Access denied" message that leads a user to come and ask you for access to a particular piece of information. Then you will immediately start searching for the right information to provide the Chief Information Security Officer (CISO) of the organization with evidence, or to find out who owns this information and can decide whether to give the user the proper access or not.

Furthermore, a common challenge is deciding how to provide infrastructure or services in the cloud. The main reason is that companies often don't really know which information is sensitive and which is not. Classifying the information helps in this case and can enable different cloud scenarios.

Dynamic Access Control (DAC) is a complete end-to-end solution for securing information access, and not just another new feature of Windows Server 2012. DAC can really help you solve some of the daily problems you may face when giving access to data on distributed file servers. These are a few of the points that we will discuss in this book:

  • Classify your information

  • Define and implement Access Control Policies based on classification

  • Define and implement Central Audit Policies

  • Provide additional information protection with Rights Management Services

Dynamic Access Control is the right tool to use if you need control at the data level, so that the protection stays with the files even when they leave the file server. Furthermore, DAC is useful if you care about many attributes, if you need device information for the authorization process in your own or a partner Active Directory forest, and especially if you need an automated process to classify information based on attributes or resource properties.

What this book covers

Chapter 1, Getting in Touch with Dynamic Access Control, will cover the business needs, purposes, and benefits of Dynamic Access Control. We will discuss and study the architecture in detail and start by building the test lab and our first simple solution.

Chapter 2, Understanding the Claims-based Access Model, will explain the idea of identities and claims, especially as used in Windows 8 and Windows Server 2012. It will also explain how Kerberos Armoring and Compound Authentication work, and how to manage claims and resource properties. The test lab will guide you deeper into the functionality of DAC.

Chapter 3, Classification and the File Classification Infrastructure, will review the required information to map the business and security requirements to classify information. We will also explain the different methods to classify information and how the File Classification Infrastructure and the Data Classification Toolkit can support your implementation.

Chapter 4, Access Control in Action, will focus on Central Access Policies. Central Access Policies are one of the most important components, and we will explain how to define, configure, and manage them in staging and production environments. The chapter will also discuss access-denied assistance.

Chapter 5, Auditing a DAC Solution, will cover the usage of conditional expressions and the global object access auditing settings, and the options that System Center Suite provides to help you build an efficient and comprehensible solution.

Chapter 6, Integrating Rights Management Protection, will discuss the important aspects of the Active Directory Rights Management Services integration in a complete information protection context.

Chapter 7, Extending the DAC Base Solution, will cover methods and tools to get the necessary data quality in Active Directory for using Dynamic Access Control. We will also provide an overview of important third-party tools, SharePoint, and Bring Your Own Device strategy integration.

Chapter 8, Automating the Solution, will cover the automation possibilities such as the Forefront Identity Manager, System Center Suite, and Data Classification Toolkit for Dynamic Access Control. The chapter also gives you an idea of different architectures to fulfill the different requirements in actual projects.

Chapter 9, Troubleshooting, will discuss common problems and how to address them. It walks you from general to advanced troubleshooting strategies for Dynamic Access Control. The chapter will also offer a collection of external resources such as blogs, wikis, and articles.

What you need for this book

You will need at least a Windows Server 2012 (R1 or R2) Domain Controller and File Server, with a domain-joined Windows client, to use all of the described functionality. The Windows Server operating system is available as a trial or licensed version, and you can download it from the Microsoft download center or from Microsoft's public website. Additionally, if you want to extend the solution, you will need System Center Suite, Forefront Identity Manager, Data Classification Toolkit, and Security Compliance Manager.

Who this book is for

This book is intended for IT consultants/architects, system engineers, system administrators, and security engineers who are planning to implement Dynamic Access Control in their organization, or have already implemented it and want to discover more about its abilities and how to use them effectively. To use the book efficiently, you should have some understanding of security solutions, Active Directory, access privileges/rights, and authentication methods. Programming knowledge is not required, but can be helpful for using PowerShell or the APIs to customize your solution. Advanced automation and development of extensions are not in the scope of this book. The book also requires a fundamental understanding of Microsoft technologies.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "You can also use the command gpupdate /force, which forces the computer to update its group policy right away."

Any PowerShell input or output is written as follows:

Set-ADUser -Identity <account> -CompoundIdentitySupported:$true    # use :$false to disable

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Follow the wizard and click on Work Folders under File and Storage Services | File and iSCSI Services."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to , and mention the book title via the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at if you are having a problem with any aspect of the book, and we will do our best to address it.