Learning Microsoft Windows Server 2012 Dynamic Access Control
Take control of securing sensitive information whilst learning about architecture and functionality
Jochen Nickel
BIRMINGHAM - MUMBAI

Learning Microsoft Windows Server 2012 Dynamic Access Control
Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: December 2013
Production Reference: 1191213
Published by Packt Publishing Ltd, Livery Place, 35 Livery Street, Birmingham B3 2PB, UK
ISBN 978-1-78217-818-7
www.packtpub.com
Cover Image by Aniket Sawant (aniket_sawant_photography@hotmail.com)

Credits
Author: Jochen Nickel
Reviewers: Marin Frankovic, Khaled Laz, Dario Liguori
Acquisition Editor: Kevin Colaco
Commissioning Editor: Priyanka S
Technical Editors: Menza Mathew, Rahul U Nair, Nachiket Vartak
Copy Editors: Roshni Banerjee, Sarang Chari, Karuna Narayanan, Kirti Pai, Shambhavi Pai, Alfida Paiva
Project Coordinator: Sageer Parkar
Proofreaders: Maria Gould, Paul Hindle
Indexer: Priya Subramani
Production Coordinator: Shantanu Zagade
Cover Work: Shantanu Zagade

About the Author
Jochen Nickel is an Identity and Access Management Solution Architect working for inovit GmbH in Switzerland, and every day he tries to understand the new business needs of his customers, to provide better, more comfortable, and more flexible Microsoft Identity and Access Management Solutions. He has been working on a lot of projects, proofs of concept, reviews, and workshops in this field of technology. Furthermore, he is a Microsoft V-TSP Security, Identity and Access Management, Microsoft Switzerland, and uses his experience for the directly managed business accounts in Switzerland. He has also been an established speaker at many technology conferences.

Jochen is very focused on Dynamic Access Control, Direct Access, Forefront UAG/TMG, ADFS, Web Application Proxy, AD RMS, and the Forefront Identity Manager. Committed to continuous learning, he holds Microsoft certifications such as MCT, MCSE/A, MCTS, MTA, and many other security titles. He enjoys spending as much time as possible with his family to get back the energy to handle such interesting technologies.

For more information about Microsoft Windows Server 2012 Dynamic Access Control, you can visit my blog at http://blog.idam.ch

Thanks to my dear colleagues from Microsoft and my business partner for supporting me and helping me to handle this great technology. Also, thanks to my lovely family for giving me the time to realize such projects.

About the Reviewers

Marin Frankovic was born in Makarska in 1976, where he completed his elementary schooling and part of high school. He graduated from high school in the USA, where he attended his senior year as an exchange student. In 2003, he earned a Mag. oec. degree from the Faculty of Economics, Zagreb, majoring in Business Computing. As a student, he volunteered in the faculty's IT department for a year as technical support. After obtaining his degree, Marin started as a Microsoft MOC and an IBM ACE instructor in the largest private IT education company, Algebra. There, he also started as a consultant for infrastructure, virtualization, and cloud computing based on Microsoft technologies. Later on, when Algebra opened a private college for Applied Computing, he took on the position of Head of the Operating Systems department, and undertook the responsibility of creating the course curricula and managing several lecturers and assistants. He also lectures on several key courses in the system administration track. For five years in a row, Microsoft honored him with an MVP title for System Center and Datacenter Management. Marin is a regular speaker at all regional conferences, such as Windays, KulenDayz, MobilityDay, NT Konferenca, MS Network, DevArena, and so on. In 2011, he was awarded the Microsoft ISV award for his contribution to the Microsoft community. Marin regularly writes technical articles for the IT magazine Mreža. His main interests today are cloud computing, virtualization as its core component, and resource consolidation based on Microsoft technologies, such as Windows Server and System Center applications.

Khaled Laz is an IT professional working for CCC, the largest construction company in the Middle East. His experience focuses on troubleshooting and maintenance of IT networks. He holds more than a dozen certificates in the IT field, such as CCNA, MCITP, MCSE, MCSA, and many others. Together with his extensive experience, he is a qualified expert in the area of System and Network Administration.

Dario Liguori is an MCITP, MCSE, MCT, CCNA Security, VCP, Network+, Server+, and ITIL certified professional. He has over 20 years of experience as an IT consultant/trainer. He started working in the IT field using MS-DOS and Windows 1.01. Over the years, his experience has covered a broad range of products, including NetWare, Lotus Domino, Windows NT, Exchange Server, IIS, Proxy Server, and so on. He currently works for one of the most important Microsoft UC Gold Partners in Italy and the UAE as a senior consultant. He has been involved in a wide range of projects in several countries for medium/large organizations. Dario's primary focus is the design and delivery of Microsoft infrastructure (SCCM, SCOM, SCVMM, TMG, SQL, Lync, Exchange, Hyper-V, AD DS, AD CS, AD FS, AD RMS, RDS, Cluster, NLB, Office 365, and so on).
Table of Contents

Preface
Chapter 1: Getting in Touch with Dynamic Access Control
    Business needs, purpose, and benefits
    Inside the architecture of DAC
        Building blocks
        Infrastructure requirements
        User and device claims
        Expression-based access rules
        Classification enhancements
        Central Access and Audit policies
        Access-denied assistance
    Building your smart test lab
    Configuring Dynamic Access Control
    Summary
Chapter 2: Understanding the Claims-based Access Model
    Understanding claims
        Claims support in Windows 8/2012 and newer
    Kerberos authentication enhancements
        Kerberos Armoring and Compound Authentication
            Kerberos Armoring
            Compound Authentication
    Managing Claims and Resource properties
        Naming conventions
        Authoritative system and data validation
        Administrative delegation
        Resource properties
    Using Claim Transformation and Filtering
    Groups or DAC, let's extend our first solution
    Summary

Troubleshooting

You can use the following PowerShell command to find the claims information for a device:

    $(New-Object System.Security.Principal.WindowsIdentity("cli01@inovit.ch"))

The previous command produces output like the following example:

[Screenshot: claims information returned for cli01@inovit.ch]

Domain connectivity

To apply Group Policies, resolve user accounts, and so on, you need connectivity to a Domain Controller in your environment. The following command checks this connectivity; a NERR_Success message is expected for a valid connection:

    nltest /sc_query:inovit.ch

[Screenshot: nltest /sc_query output ending in NERR_Success]

Advanced Security Editor

To work on Dynamic Access Control problems with the graphical user interfaces, you need working Domain Controller connectivity and service availability. Because they use Kerberos, the Effective Access and Share tabs in Advanced Security Settings require a connection to the remote server. You can use the following klist command to check this connectivity and see the current Kerberos tickets:

    klist tickets

To verify that a ticket exists, check the following:
• The Client portion of the ticket contains the principal name of the current user.
• The Server portion of the ticket reports the Service Principal Name (SPN) with the prefix cifs/, followed by a fully qualified computer name.

[Screenshot: klist tickets output showing a cifs/ ticket for the file server]

Furthermore, the Share tab depends on communication with the file server through the Windows Remote Management RPC. You can use the following command to check the service:

    sc \\fis01 query winmgmt

[Screenshot: sc query output for the winmgmt service on fis01]

The order of entries in the Permissions tab

In this section we list the rules used for ordering the entries in the Permissions tab. The rules for canonical ordering are:
• Explicit Deny type permission entries
• Explicit Allow type permission entries
• Inherited Deny type permission entries from the parent
• Inherited Allow type permission entries from the parent
• Inherited Deny type permission entries from the grandparent
• Inherited Allow type permission entries from the grandparent
• Allow and Deny inheritance continue to traverse upward until they reach the root of the volume

The Central Policy tab

The Central Policy tab won't be visible unless the Group Policies are applied to the server. Use the gpupdate /force command to force the policy update, and use the gpresult /R command to check whether your desired policy is applied.

FCI - resource conditions and resource properties

The Classification tab reads the resource property information from Active Directory and caches the information locally. This information is updated every hour. If you cannot see your freshly defined resource properties, refresh the locally cached classification information by using the following command:

    Update-FsrmClassificationPropertyDefinition

You can also force the Classification tab to update its local cache by using the following command:

    reg delete HKLM\Software\Microsoft\FileClassificationInfrastructure /v AdLastSync /f

If you are not able to see the Classification tab in Windows Explorer, there are two possible reasons:
• The Desktop Experience Feature is not installed
• The File Server Resource Manager role is not installed

To show this tab on Windows 8 or 8.1 devices, configure the following two Computer Group Policies:
• File Classification Infrastructure: Display Classification tab in File Explorer
• File Classification Infrastructure: Specify the list of classification properties

Access Control Lists

To get the current ACL for a share, you can use the Get-Acl PowerShell command:

    Get-Acl \\fis01\shares | fl

This will produce the following output:

[Screenshot: Get-Acl output for \\fis01\shares]

Advanced troubleshooting

We will take a closer look at the Claim Transformation Policies (CTPs) for troubleshooting, because you will work across Active Directory forest boundaries.

Domain function level

First, check your domain function level to be sure you meet the requirements for CTPs by using the following command:

    (Get-ADDomain).DomainMode

[Screenshot: DomainMode output]

Active Directory trust

Next, we need to check the Active Directory trust between the two forests. You can use the Get-ADTrust PowerShell command:

    Get-ADTrust -Filter *

[Screenshot: Get-ADTrust output for the forest trust]

Claim Transformation Policy (CTP)

After you have checked the trust between both forests, we will take a closer look at the CTPs themselves by using the following command:

    Get-ADClaimTransformPolicy -Filter *

In our example, the policy limits claims to the company claim.

The following Directory Services event log entries help you to identify problems: Event IDs 2923, 2924, 2925, 2926, or 2950. These events indicate that the claims transformation engine drops claims if there is a problem with the transformation rule or policy.

Summary

After going through this chapter, you should be able to troubleshoot the most common problems in a Dynamic Access Control scenario. The samples mentioned in this chapter comprise only a small portion of the many troubleshooting tips available, so go ahead and read the Dynamic Access Control troubleshooting guide available at http://www.microsoft.com/en-us/download/details.aspx?id=36830
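The chapter runs each of its checks by hand. The following script, added here as an example and not taken from the book, runs the same checks in one read-only pass and prints an OK/FAIL line for each, so the failing layer (secure channel, Kerberos ticket, WMI service, Group Policy, ACL, functional level, trust, CTP, or claim-drop events) is visible at a glance. The domain inovit.ch, the file server fis01 and the share \\fis01\shares are the chapter's own example names; the parameter names, the Write-Check helper, the use of $env:LOGONSERVER to find a domain controller, and the Get-Service/Get-WinEvent substitutes for sc and the Event Viewer are this example's assumptions. It needs the ActiveDirectory module and Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7).

```powershell
# Added example: one-pass Dynamic Access Control troubleshooting checklist.
# Assumed names: inovit.ch and fis01 are the chapter's example domain and file
# server; replace them with your own. Read-only: nothing is changed.
[CmdletBinding()]
param(
    [string]$Domain           = 'inovit.ch',          # assumption: chapter's domain
    [string]$FileServer       = 'fis01',              # assumption: chapter's file server
    [string]$ShareUnc         = '\\fis01\shares',     # assumption: chapter's share
    [string]$DomainController = "$env:LOGONSERVER".TrimStart('\')  # DC that logged us on
)

# Helper (hypothetical): prints one result line per check.
function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $state, $Name, $Detail)
}

# 1. Secure channel to a DC: nltest /sc_query must end in NERR_Success.
$sc = nltest "/sc_query:$Domain" 2>&1 | Out-String
$scLines = ($sc -split "`r?`n" | Where-Object { $_ -match 'Trusted DC Name|NERR' }) -join '; '
Write-Check 'Secure channel to DC' ($sc -match 'NERR_Success') $scLines

# 2. Kerberos: the Effective Access and Share tabs need a cifs/<fqdn> ticket
#    for the file server in the current user's ticket cache.
$tickets = klist tickets 2>&1 | Out-String
$hasCifs = $tickets -match ('cifs/' + [regex]::Escape($FileServer))
$cifsDetail = if ($hasCifs) { 'cifs/ ticket cached' } else { 'no cifs/ ticket; open the share once, then re-check' }
Write-Check 'cifs/ ticket for file server' $hasCifs $cifsDetail

# 3. WMI service on the file server (the Share tab depends on it). Same check
#    as "sc \\fis01 query winmgmt", done with Get-Service instead of sc.
try {
    $svc = Get-Service -ComputerName $FileServer -Name winmgmt -ErrorAction Stop
    Write-Check 'winmgmt on file server' ($svc.Status -eq 'Running') "$($svc.Status)"
} catch {
    Write-Check 'winmgmt on file server' $false $_.Exception.Message
}

# 4. Group Policy applied: the Central Policy tab stays hidden until it is.
$gp = gpresult /R 2>&1 | Out-String
Write-Check 'gpresult /R returned applied GPOs' ($gp -match 'Applied Group Policy Objects') 'inspect gpresult /R for the Central Access Policy GPO'

# 5. Share ACL readable (conditional, claims-based ACEs show up here too).
try {
    $acl = Get-Acl -Path $ShareUnc -ErrorAction Stop
    Write-Check 'Share ACL readable' $true ("{0} ACEs, owner {1}" -f $acl.Access.Count, $acl.Owner)
} catch {
    Write-Check 'Share ACL readable' $false $_.Exception.Message
}

# 6. Domain functional level, trusts and Claim Transformation Policies.
Import-Module ActiveDirectory -ErrorAction Stop
$mode = (Get-ADDomain -Identity $Domain).DomainMode
Write-Check 'Domain functional level 2012 or newer' ("$mode" -match 'Windows20(1[2-9]|2\d)Domain') "$mode"

foreach ($t in Get-ADTrust -Filter *) {
    Write-Check ("Trust to {0}" -f $t.Name) $true ("direction {0}, forest transitive {1}" -f $t.Direction, $t.ForestTransitive)
}

$ctps = @(Get-ADClaimTransformPolicy -Filter *)
Write-Check 'Claim Transformation Policies present' ($ctps.Count -gt 0) ("{0} policies: {1}" -f $ctps.Count, (($ctps | ForEach-Object Name) -join ', '))

# 7. Directory Service events 2923-2926 and 2950 on the DC signal that the
#    claims transformation engine dropped claims because of a rule or policy problem.
$ids = 2923, 2924, 2925, 2926, 2950
$events = Get-WinEvent -ComputerName $DomainController `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = $ids } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
Write-Check 'No recent claim-drop events on DC' (-not $events) ("{0} matching events on {1}" -f @($events).Count, $DomainController)
```

Run it from an elevated Windows PowerShell session on the client that cannot reach the share, as the affected user; steps 1, 2 and 4 report that user's and that machine's state, which is why the script is not run remotely. A FAIL in step 2 with an OK in step 1 is the usual signature of a missing or stale service ticket and is cleared by re-accessing the share (or klist purge followed by a new logon), while FAILs in steps 6 and 7 point at the forest-level configuration rather than the client.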