in exercise 6.1, to use dynamic access control, what two components are created?
What is Dynamic Access Control (DaC)?
Dynamic Access Control, also called DaC, is a Windows Server feature that made its first appearance in Windows Server 2012. It remains a central component of many security deployments because it allows a degree of conditional access control based on whatever criteria you'd like applied. In this post, we'll cover what Dynamic Access Control is, when you'd want to use it, and briefly cover some of the more basic parts of implementing it. To learn about DaC and more, check out our Advanced Windows Server training.
What Exactly Is Dynamic Access Control (DaC)?
Quick Definition: Dynamic Access Control is a Windows Server feature that allows conditional access control. As the name suggests, administrators have the control to grant or restrict access to network resources based on dynamic variables. Perhaps your company works with sensitive data that needs to be protected; you determine who can access it, but is that enough?
Maybe that sensitive data is safe with that user while they're in the office, but what about when they're working from the café down the street? With DaC, a network administrator has fine-tuned control over who has access to resources, when, and what parameters make that decision.
An Overview of Dynamic Access Control [VIDEO]
In this video, Tim Warner covers a brief demonstration of configuring claims with dynamic access control in Windows Server 2012. This version of Windows Server provides numerous new features, but this video focuses specifically on exploring DAC, what it is, and what it can do for you.
What is Dynamic Access Control Good For?
DaC is an information-governance technology that works along with NTFS permissions and shared folder permissions. Historically with Windows, we provided authorization to file system resources by using a combination of shared and NTFS permissions. Shared permissions were used to make a folder available on your network; NTFS permissions, which apply to both folders and files, grant or block users based on their identity in Active Directory.
That comes with two big problems, problems that Microsoft sought to solve with Dynamic Access Control. First is what to do about scaling up. As companies become larger and larger, they scale up and out. That makes it more and more cumbersome to juggle Active Directory groups in their Discretionary Access Control Lists (DACLs).
The second problem is that just using NTFS and shared permissions along with traditional Windows Server auditing (which is object-access auditing) doesn't always provide sufficient detail. Some shops are subject to regulations that impose significant auditing and reporting demands – without fine-tuned controls, satisfying those regulations can be time-intensive and challenging.
Many of those regulations are industry standards. But many could be regulations put in place by a government – and sometimes not even from the country the organization is headquartered in. When you're talking about those kinds of regulations, information governance is a common term. Information governance more or less means that a network administrator is able to track the access that users have to server resources at a highly granular level. Many regulations require proof that your network can provide an audit trail, tracking who in the organization accessed what, when, where, etc.
Not only that, Dynamic Access Control provides network administrators with yet another tool that gives them further control over their networks: Least Privilege. If you're unfamiliar with it, the principle of Least Privilege is more or less what it sounds like: users on your domain should always have enough privilege to get to the files that they need, with the level of access necessary to perform the operations on those files that they need to, but no more. Least Privilege sounds like common sense, but the actual time and effort that it takes to restrict access without hampering productivity is significant.
How Does Dynamic Access Control Actually Work?
We've got a sense of what DaC does, but we're left with the question of what DaC is. Dynamic Access Control can be thought of as a triangle with three sides: classification, claims and policy. Let's get more into each of those.
First, classification. Dynamic Access Control allows network administrators to classify data. With DaC, it's possible to write taxonomic tags that assign semantic meaning to your file system resources. If you know what taxonomic tags are, you probably appreciate how powerful that is. If you're not familiar with them, they're basically a way to add relationships to your data. With good taxonomies and tags, you can connect things to one another that a computer wouldn't realize are related.
Related to that is data classification and scrubs. If you follow this blog, watch for a future post in which we'll be showing the File Server Resource Manager, and how we can actually have it schedule automated scrubs and automatic classification for your shared folders – really powerful stuff.
The second part of the DaC triangle is on the other side of the coin from classification. On that side, we have users and computers for which we can configure claims. A claim is basically an attribute from Active Directory. Claims are sourced from the Active Directory schema, and Dynamic Access Control lets a network administrator present the claim in the user's access token alongside their AD group memberships, name and password.
Doing that does require enabling Kerberos armoring. Without Kerberos armoring, you couldn't extend the user's access token on your domain. Kerberos armoring makes it possible to extend the token and bring in those additional claim properties.
The third side of the DaC triangle is the Central Access Policy. This is where we can use conditional logic to tie together the taxonomic tags that we've placed on our shared folders and the claims that we've associated with our users and computers. When those come together, you should be able to imagine that we can provide very granular access and auditing.
Not only that, but because we can audit using conditional statements, there's, overall, a lower auditing volume. It also provides more bang for our buck with our auditing infrastructure.
How to Configure Claims in Dynamic Access Control (DaC)
We won't get into the weeds too far, but next let's take a moment and demonstrate how to configure claims in Dynamic Access Control. For starters, in order to configure DaC, we'll need to use either PowerShell or Active Directory Administrative Center (dsac.exe).
If you're still tied to Active Directory Users and Computers, you'd best get used to the DSAC. For the remainder of this post, we're assuming that you have access to DSAC and have a network environment you can explore in it. We'll start with DSAC, and we can open it up by going to a command prompt and typing dsac.exe.
This window should already be fairly familiar to you, so we'll use the navigation tree to select Dynamic Access Control. This'll give us a good view of the three sides of our triangle: Claims, Resource Properties (which refer to the metadata tags for our files and folders), and the Central Access Rules and Policies.
For now, we'll double-click Claims. In our case, we happen to have already created one. If you have any already, you'll see them displayed in the center of the screen. We named ours "Department", and it maps to the Department schema attribute. But where are these attributes coming from?
Earlier, we mentioned that attributes are derived from Active Directory. We have to sidetrack briefly, but we can explore exactly what it means that those attributes derive from AD. Since you're in the DSAC, you should have many users available to you. If you go ahead and open up a user account, we can see how easy it is to identify attributes.
Navigate to one of your users and open up their user properties sheet. This opens an interface that would let us drill into any of their displayed properties. We could even go beyond what's shown here in the user's properties sheet – as long as you know what a particular attribute is named in AD, in the schema, you can get to it.
So, if we wanted to create conditional access – in our case, claims based on department – we'd check to see if the user has that field populated. Presumably, the user we clicked into does have a value in the "Department" field. But perhaps rather than assign dynamic control based on what department they're a part of, we instead wanted to classify based on their location, their city, their state. All these are right there waiting for you.
So, now if we go back to Claim Types, we can right-click, select "New" and then "Claim Type". This window provides us with all the schema attributes. You can filter the list if you know – basically – what you're looking for. There's a search menu available that provides contextual feedback, so you could search for – for instance – "country" and the results update as you type.
Note: the Display Name for your attribute may not be intuitive, comprehensible, or what you want it to be. If that's the case, you can select it in this menu and then on the right side, you can update it.
On the same screen, you'll have the option to associate this claim with a user, with a computer, or both. Not only that, but you can optionally suggest values in advance. All this makes it a lot easier later – when you're making your central access policies – to avoid data entry errors.
Something to note is that anything you create within this Claim Type menu is protected from accidental deletion. What that means is that if, while working in the menu, you tried to delete an entry, a window interrupts the action. It'll stop the deletion, and depending on permissions, it'll inform the user they don't have permissions to delete.
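The same three sides of the triangle described earlier (claim type, resource property for classification, central access rule and policy) built with the ActiveDirectory PowerShell module instead of DSAC, as an added example that is not from the original post; the user "jdoe", the department and sensitivity values, and every claim ID, property, rule and policy name are illustrative assumptions.

```powershell
# Added example (not from the original post): building the DaC triangle from
# the ActiveDirectory module on a Windows Server 2012+ domain controller.
# Assumed/illustrative: user "jdoe", the department values, and every
# claim, resource property, rule and policy name or ID below.
Import-Module ActiveDirectory

# 1. A claim only appears in the token when the source attribute is populated,
#    so check the user's AD attributes first (what the DSAC properties sheet shows).
Get-ADUser -Identity jdoe -Properties department, l, st |
    Select-Object SamAccountName, department, l, st

# 2. Claim type: expose the "department" schema attribute as a user claim.
#    Suggested values avoid data-entry errors when rules are written later.
$deptValues = @("Finance", "HR", "Engineering") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
}
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -ID "ad://ext/Department" -AppliesToClasses User `
    -SuggestedValues $deptValues -ProtectedFromAccidentalDeletion $true

# 3. Classification: a resource property that file servers tag folders with.
$sensValues = @("High", "Low") | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
}
New-ADResourceProperty -DisplayName "Sensitivity" -ID "Sensitivity_MS" `
    -IsSecured $true -ResourcePropertyValueType MS-DS-SinglevaluedChoice `
    -SuggestedValues $sensValues
Add-ADResourcePropertyListMember "Global Resource Property List" -Members "Sensitivity"

# 4. Central access rule: SDDL with a conditional ACE (XA) that grants
#    Full Access to Authenticated Users only when the Department claim is
#    "Finance"; the rule applies only to folders tagged Sensitivity=High.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
       '(XA;;FA;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name "Finance only on sensitive data" `
    -ResourceCondition '(@RESOURCE.Sensitivity_MS == "High")' -CurrentAcl $acl

# 5. Central access policy: the unit that Group Policy deploys to file servers.
New-ADCentralAccessPolicy -Name "Sensitive data policy"
Add-ADCentralAccessPolicyMember -Identity "Sensitive data policy" `
    -Members "Finance only on sensitive data"

# Prerequisite (Group Policy, no cmdlet): enable "KDC support for claims,
# compound authentication and Kerberos armoring" on the DCs and the matching
# Kerberos client setting, or the claim never reaches the access token.
```

Until the policy is linked to the file server and applied to a folder tagged with the resource property, nothing changes for users, which makes it safe to stage the rule and review it before enforcing it.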
Wrapping Up
That's not an in-depth exploration of Claim Types within the Active Directory Administrative Center, but if you've got a network and DSAC at your disposal, hopefully it gives you a sense of what you're looking at as you click around. At this point, we're trying to get you thinking of AD properties for your users and even your devices that you may want to use in Dynamic Access Control Access Control Lists.
There are more steps, like configuring our Resource Properties and Resource Property Lists, but for now, we'll leave you with this understanding of what DaC is and how some of its options can be configured. If configuring and optimizing Dynamic Access Control is something you need more in-depth study on, consider CBT Nuggets' Microsoft Windows Server 2012 MCSA training.
Source: https://www.cbtnuggets.com/blog/technology/networking/what-is-dynamic-access-control-dac