Dynamic Access Control represents several feature enhancements introduced with Windows Server 2012 that work together to improve authorization management for Windows Server 2012.
In Windows Server 2012, you will be able to apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access
This feature set is based on infrastructure investments that can be further leveraged by partners and line-of-business applications and provide great value for organizations that use Active
Directory. This infrastructure includes:
Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing the conditional access permission entry. Windows Server 2012 takes advantage of conditional access
permission entries by inserting user claims, device claims, and resource properties into conditional expressions. Windows Server 2012 security evaluates these expressions and allows or denies access based on the result of the evaluation. Securing access to
resources through claims is known as claims-based access control. Claims-based access control works with traditional access control to provide an additional layer of authorization that is flexible enough to meet the varying needs of the enterprise environment.
Windows Server 2008 R2 introduced File Classification Infrastructure (FCI). FCI provides:
With Windows Server 2012, the File Classification Infrastructure is claims aware. This enhancement allows FCI to present resource properties as classification properties. Administrators
can classify files manually using Windows Explorer, or they can use File Server Resource Manager (FSRM) to perform continuous classification. Resource properties allow claims-based access control to evaluate how claims about the user
relate to claims about the resource. Windows performs this evaluation through conditional access control entries, which form an additional layer on top of traditional authorization. FCI in Windows Server 2012 also supports:
Central Access Policy is a new feature of Windows Server 2012. Central Access Policies allow administrators to create access policies that apply to Windows Server 2012 file servers through
Group Policy. Each Central Access Policy object can contain one or more Central Access Rules. Administrators configure the applicability and the permissions of each Central Access Rule. Windows stores Central Access Policies and rules centrally
in Active Directory, which provides a centralized approach to managing authorization on Windows Server 2012 file servers.
Dynamic Access Control focuses on four main end-to-end scenarios:
Dynamic Access Control is not a single feature but rather a file server solution built on Windows Server 2012 infrastructure to provide a versatile and flexible end-to-end authorization
scenario. The Windows Server 2012 enhancements that make up Dynamic Access Control include:
Claims-based authorization and auditing requires:
• Windows Server 2012
• At least one Windows Server 2012 domain controller accessible by the Windows client in the user's domain
• At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust
Dynamic Access Control combines many different Windows Server 2012 technologies to provide a robust, flexible, and granular authorization
and auditing experience. Some of the fundamental technologies it uses include:
Dynamic Access Control provides a flexible way to apply and manage access and auditing on domain-based file servers. It achieves this flexibility by combining claims
in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries. With this combination of features, you can grant access to files and folders based on Active Directory attributes. For
example, the user Alice is granted access to the file server share because the department attribute on her user object in Active Directory contains the value Accounting.
Ease of management is accomplished by creating Central Access Policy objects. Each Central Access Policy object includes one or more linked Central Access Rule objects. Each Central Access
Rule object contains one or more permission entries. Central Access Policy objects allow you to define access for files and folders once, and then deploy that access to multiple shares on multiple file servers through Group Policy.
One feature of Dynamic Access Control is the use of claims-based access control for authorization and auditing. Take a pragmatic approach when deploying claims-based access control to file
servers. The following overview gives the order in which you deploy claims-based authorization and auditing; it also serves as the order in which you troubleshoot claims-based access control.
Claims-based authorization and auditing requires
Claims-based authorization and auditing requires Windows Server 2012 and Windows 8 for a few reasons.
The first requirement is a Windows Server 2012 domain controller. This new authorization and auditing mechanism requires extensions to Active Directory. These extensions add Windows
claim types, which are where Windows stores claims for an Active Directory forest.
Another dependency on which claims authorization relies is the Kerberos Key Distribution Center (KDC). The Windows Server 2012 KDC contains the Kerberos enhancements required to transport
claims within a Kerberos ticket and to perform compound authentication. The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring.
Your environment only requires a Windows Server 2012 KDC when you base authorization decisions on claims that are sourced from Active Directory attributes or
certificates. Authorization decisions based on group memberships, including conditional expressions that use the memberOf operator, do not require a Windows Server 2012 KDC.
Lastly, the Security Accounts Manager (SAM) portion of the Windows Server 2012 domain controller understands claim types, where they are stored, and claims transformation. The KDC relies on the SAM to retrieve the claim information
that it places in Kerberos tickets.
Claims-based authorization and auditing has no forest functional level or domain functional level requirement. You can implement and configure claims with a mixture of Windows Server 2008
and 2008 R2 domain controllers, provided the domain has an adequate number of Windows Server 2012 domain controllers to support authentication requests that include claim information.
The next requirement for claims-based authorization and auditing is a Windows Server 2012 file server. When a user connects to a file share, the file server performs an access check on
the share using the credentials of the incoming connection; that is, the file server determines access to the share. This also means that various components on the file server must be claims aware, such as the Local Security Authority and the Kerberos application
server. The file server hosting the share must be running Windows Server 2012 to read claims and device authorization data from a Kerberos ticket, translate the security identifiers (SIDs) and claims from the ticket into an authentication token, and
compare the authorization data in the token against the conditional expressions included in the security descriptor.
Windows 8 member computers are required for claims-based authorization and auditing when using device claims. A Windows Server 2012 domain controller issues claims in Kerberos tickets when
the Kerberos client requests claims in its request. Domain-joined Windows 8 computers request claim information when they make Kerberos requests, and these computers understand how to locate a claims-aware domain controller. Also, Kerberos client requests
from Windows Server 2012 member computers include the device's (computer) ticket-granting ticket (TGT) when the domain controller supports Dynamic Access Control.
You can use claims-based authorization with member computers running previous versions of Windows provided the file server hosting the files is running Windows Server 2012, the
"Microsoft network server: Attempt S4U2Self to obtain claim information" local security policy setting is left at its default or set to Enabled, and the file server can successfully communicate with a Windows Server 2012 domain controller. Windows Server
2012 file servers automatically enable S4U2Self when you deploy one or more Central Access Policies to the file server.
Enable support for Dynamic Access Control
You must enable Windows 8 computers and Windows Server 2012 file servers to support claims and compound authentication.
You enable claim support on the KDC by creating a Group Policy object that includes the Group Policy setting
"KDC support for claims, compound authentication and Kerberos armoring". You link this Group Policy object to the
Domain Controllers organizational unit (OU) to apply the setting to all domain controllers in the OU. Windows Server 2012 domain controllers read this configuration, while other domain controllers ignore it.
You enable claim support in the Windows 8 and Windows Server 2012 Kerberos client by creating a Group Policy object that includes the Group Policy setting
"Kerberos client support for claims, compound authentication and Kerberos armoring".
The Windows 8 and Windows Server 2012 Kerberos clients do not request claims, armor Kerberos requests, or perform compound authentication by default; you must enable this behavior.
After you enable claim support on the KDC and the Kerberos client, reboot domain-joined Windows Server 2012 member servers and Windows 8 computers to ensure these computers use Kerberos
armoring and request claims. You should not need to reboot the domain controllers.
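The two Group Policy settings described above can be created and linked from PowerShell instead of the Group Policy Management Console. The following script is an added example, not part of the original article: it uses the GroupPolicy module (New-GPO, Set-GPRegistryValue, New-GPLink) to write the registry values that back the KDC and Kerberos client settings, and ends with two check functions you can run on a domain controller and on a client or file server after the reboot the article calls for. The domain name, the GPO names and the choice of "Supported" (value 1) for the KDC level are assumptions; confirm the registry-backed values against the KDC.admx and Kerberos.admx templates in your environment before relying on them.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy module
# (RSAT or a domain controller) and a domain named corp.example.com; the GPO
# names below are placeholders.
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'

# 1. KDC side: "KDC support for claims, compound authentication and Kerberos armoring".
#    EnableCbacAndArmor = 1 turns the policy on; CbacAndArmorLevel = 1 is the
#    "Supported" level (assumption: verify against KDC.admx).
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
$kdcGpo = New-GPO -Name 'DAC - KDC claims support'
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $kdcGpo.DisplayName -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null
# Link only to the Domain Controllers OU; pre-2012 DCs ignore the setting anyway.
New-GPLink -Name $kdcGpo.DisplayName -Target "OU=Domain Controllers,$domainDn" | Out-Null

# 2. Client side: "Kerberos client support for claims, compound authentication and
#    Kerberos armoring". Without it, Windows 8 / Server 2012 clients never ask for claims.
$clientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$clientGpo = New-GPO -Name 'DAC - Kerberos client claims support'
Set-GPRegistryValue -Name $clientGpo.DisplayName -Key $clientKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
# Link at the domain root (or at an OU that holds the clients and file servers).
New-GPLink -Name $clientGpo.DisplayName -Target $domainDn | Out-Null

# 3. Verification helpers. Run Test-DacKdcEnabled on a 2012 DC and
#    Test-DacClientEnabled on a Windows 8 client or 2012 file server after
#    'gpupdate /force' and the reboot; both return $true when the policy applied.
function Test-DacKdcEnabled {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
    $v = Get-ItemProperty -Path $p -Name EnableCbacAndArmor -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableCbacAndArmor -eq 1)
}
function Test-DacClientEnabled {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $v = Get-ItemProperty -Path $p -Name EnableCbacAndArmor -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableCbacAndArmor -eq 1)
}
```

Keeping the KDC setting on a GPO linked only to the Domain Controllers OU matches the article's guidance and avoids pushing KDC-specific registry values to member servers.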
The domain controllers are now able to issue claims; however, they have nothing to issue until you define claim types. Using the Active Directory Administrative Center,
you create attribute-based claim types that source their information from user and computer attributes. You can create certificate-based claim types using the Active Directory module for Windows PowerShell. Also, you can create transformation-based claim
types, which are used exclusively for transforming claims across forest trusts.
Windows stores the claim types you create in the configuration partition of Active Directory. All domains within that forest share the claim types, and the domain controllers of those respective
domains issue claim information during user and computer authentication.
It is important that the Active Directory attributes used to source claim types contain accurate information or remain blank. Incorrect
attribute information can lead to unexpected access to information through claims-based authorization. As a best practice, validate the accuracy of attribute information, or clear the values of attributes that you intend to use as source attributes for claim
Populate attributes used as claim sources
The Active Directory forest partition stores the claim types that domain controllers can issue. You source these claim types from Active Directory attributes such as department or country.
You need to configure your computer and user accounts in Active Directory with the information that is correct for the respective user or computer. Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute
for the authenticating principal is empty. Therefore, ensure that you configure the attributes that source claim types with correct information.
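The claim type definition and the attribute hygiene described in the preceding paragraphs can be done together from the Active Directory module for Windows PowerShell. The script below is an added example, not the article's own text: it creates an attribute-based claim type with New-ADClaimType, populates the source attribute for one user with Set-ADUser, and adds a small reporting function that lists users whose department attribute holds a value outside the expected set (the failure mode the article warns about, since such a value would produce a real claim with the wrong content). The account name "alice", the claim ID ad://ext/department and the list of expected department values are assumptions.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module on a Windows Server 2012 DC or RSAT; "alice", the claim ID and the
# department list are placeholders.
Import-Module ActiveDirectory

# 1. Attribute-based claim type "Department", sourced from the user object's
#    department attribute. The ID is the name used later in conditional
#    expressions (@USER.ad://ext/department). Suggested values feed the pickers
#    in the ACL editor and Central Access Rule UI.
$suggested = @(
    New-ADSuggestedValueEntry -Value 'Accounting'  -DisplayName 'Accounting'  -Description 'Finance staff'
    New-ADSuggestedValueEntry -Value 'Engineering' -DisplayName 'Engineering' -Description 'Engineering staff'
)
New-ADClaimType -DisplayName 'Department' `
    -SourceAttribute 'department' `
    -AppliesToClasses 'user' `
    -ID 'ad://ext/department' `
    -SuggestedValue $suggested `
    -Enabled $true

# 2. Populate the source attribute. An empty attribute yields no claim at all;
#    a wrong value yields a claim that grants the wrong access.
Set-ADUser -Identity 'alice' -Department 'Accounting'

# 3. Hygiene check: users whose department is populated but is not one of the
#    expected values. Run this before the claim type goes live, and keep in mind
#    that anyone who can write this attribute can influence authorization.
function Get-DepartmentAttributeAnomalies {
    param([string[]]$Expected = @('Accounting', 'Engineering'))   # placeholder list
    Get-ADUser -Filter 'department -like "*"' -Properties department |
        Where-Object { $Expected -notcontains $_.department } |
        Select-Object SamAccountName, department
}

# 4. Confirm the claim type is present and enabled as the DCs will see it.
Get-ADClaimType -Filter "DisplayName -eq 'Department'" |
    Select-Object DisplayName, ID, SourceAttribute, Enabled
```

Because the domain controller issues no claim for an empty attribute, clearing a doubtful value is a safe way to keep a user out of a claims-based grant until the data is corrected.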
Dynamic Access Control enables you to use user and computer attribute data for authorization information. Therefore, you need to secure these attributes as
appropriate for your environment.
Create Resource Property objects
The Windows access check needs information on files and folders to evaluate claims against. You configure this information on these resources by creating Resource Property objects.
Resource Property objects define the additional properties that appear on files and folders. Windows uses these properties for compliance and reporting as well as for authorization and auditing. Use the Active Directory Administrative Center to create and manage
global resource properties and the Resource Property Lists to which they belong.
Creating Resource Property objects lets you select which properties to include on files and folders. Next, you must configure the resource properties you want to apply
to those files and folders and the values of those properties. Windows compares the values in these properties with the values from user and device claims when evaluating file authorization and auditing.
With user and device claims and resource properties configured, you then need to protect the files and folders using conditional expressions that evaluate user and device claims against
values within resource properties, or against constant values. You do this in one of two ways. You can create conditional expressions directly in the security descriptor using the advanced security settings editor. Alternatively, you can create Central Access Rules
and link those rules to Central Access Policy objects. Then, you deploy the Central Access Policy objects to file servers using Group Policy and configure the share to use the Central Access Policy object. Central Access Policies are the most efficient and preferred
method of securing files and folders.
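The chain described in the last three sections (resource property, conditional permission entry, Central Access Rule, Central Access Policy) can be built end to end with the Active Directory module. The script below is an added example and not code from the article; it enables the pre-defined "Department" resource property, creates a Central Access Rule whose conditional ACE grants read access only when the user's department claim equals the file's Department property (the Alice and Accounting case from the overview), and places the rule in a Central Access Policy. It assumes a user claim type with ID ad://ext/department already exists; the rule and policy names are placeholders. Deploying the policy to file servers through Group Policy and selecting it on the share are still done as the article describes.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module on a Windows Server 2012 DC or RSAT and a user claim type whose ID is
# ad://ext/department. Rule and policy names are placeholders.
Import-Module ActiveDirectory

# 1. Enable the pre-defined "Department" resource property (its ID is
#    Department_MS) and make sure it is in the Global Resource Property List,
#    which is what Windows Server 2012 file servers download.
$deptProp = Get-ADResourceProperty -Filter "DisplayName -eq 'Department'"
Set-ADResourceProperty -Identity $deptProp -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $deptProp

# 2. Central Access Rule. ResourceCondition scopes the rule to files whose
#    Department property is Accounting. CurrentAcl is SDDL: two ordinary ACEs
#    (owner and Administrators get full control) and one conditional ACE (XA)
#    that grants Authenticated Users read and execute (0x1200a9) only when the
#    user's department claim equals the resource's Department property.
$ruleName = 'Accounting Documents Rule'
$ownerAce  = '(A;;FA;;;OW)'
$adminAce  = '(A;;FA;;;BA)'
$claimAce  = '(XA;;0x1200a9;;;AU;(@USER.ad://ext/department == @RESOURCE.Department_MS))'
$sddl = 'O:SYG:SYD:AR' + $ownerAce + $adminAce + $claimAce
New-ADCentralAccessRule -Name $ruleName `
    -Description 'Accounting staff may read files classified Department = Accounting' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Accounting")' `
    -CurrentAcl $sddl

# 3. Central Access Policy carrying the rule. Deploy it with Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy) and then pick it in the share's
#    Advanced Security Settings, as described in the article.
$policyName = 'Accounting Documents Policy'
New-ADCentralAccessPolicy -Name $policyName `
    -Description 'Claims-based access to Accounting documents'
Add-ADCentralAccessPolicyMember -Identity $policyName -Members $ruleName

# 4. Read back the policy membership to confirm the rule is attached.
Get-ADCentralAccessPolicy -Identity $policyName -Properties Members |
    Select-Object Name, Members
```

The conditional ACE compares a user claim with a resource property, so a user whose department attribute is blank receives no Department claim and the expression evaluates to false; the ordinary ACEs for the owner and Administrators still apply because they carry no condition.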
You can add conditional expressions directly in the security descriptor for auditing purposes. Alternatively, you can use Windows security policy to deploy claims-based auditing to files and folders
using Global Object Access Auditing.