Dynamic Access Control is not just a single feature, but an end-to-end file server solution based on the following features in Windows Server 2012:
The Dynamic Access Control solution can be logically divided into the following main components to get a better, granular overview:
This section gives a quick overview of the most important facts about Dynamic Access Control, starting with the infrastructure requirements.
A basic deployment of Dynamic Access Control does not require a big effort. To use claims for authorization and auditing, you only need the following components:
A Claim is a statement that Active Directory makes about a specific object (a user or a computer). A Claim may include the user, a unique Security Identifier (SID), the department classification of a file, or other attributes of a file, user, or computer.
However, what happens if you don't use Windows 8 clients?
For clients other than Windows 8 or Windows Server 2012, such as Windows XP, Vista, or Windows 7, the user doesn't need to worry about claims. In that case, the Windows Server 2012-based file server queries Active Directory and forwards the claims request on the client's behalf, to obtain the claims that the user or the machine provides.
As you can see in the previous figure, DAC works between different Active Directory Forests (a Forest is an organization's Active Directory instance), and Claims Transformation Policies provide the functionality to translate claim definitions between two or more organizations. To prepare for this scenario, you need to establish a Forest Trust between the Active Directory Forests, and the Domain Functional Level (DFL) of both Forest Root domains must be Windows Server 2012 or higher. Right now, this is a challenge, but it is also a necessary requirement. There is no need for Claims Transformation Rules inside a Forest; this works out of the box because Dynamic Access Control objects are stored in the configuration partition of Active Directory, so the whole Forest knows the relevant information.
Traditionally, you may have secured access to files by using NTFS file permissions and security groups. With that configuration, policy decisions were restricted to the user's group membership, and the number of groups explodes. Likewise, if we wanted to include the device in the access decision, there was no way to do so in an earlier version of Windows Server. Another limitation was the requirement to base folder or file access on a certificate. Before Dynamic Access Control in Windows Server 2012, there was no built-in functionality to include devices or certificates. DAC now integrates claims into Windows authentication, so that we can use Active Directory attributes of users and computers, such as location, department, or project, to control access to the information stored on our file servers.
DAC is intended as a complementary technology; it is not a replacement for security groups.
The following figure shows the new combinations you can use for authorization:
This opens new ways of giving permissions on files and folders, such as:
Allow | Read, Write | If (@User.Department == @File.Department) AND (@Device.Managed == True)
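To make that rule syntax concrete, here is an added Python evaluator for conditions written in the form shown above (example code, not from the article and not how Windows implements it). It assumes the user, file, and device claims arrive as plain dictionaries, and it models a condition that refers to a claim the client never supplied (for example, device claims) as an unknown result that never grants access; the group check in access_allowed mirrors the point that DAC complements, rather than replaces, security groups.

```python
import re

UNKNOWN = object()  # a referenced claim is absent: the rule cannot decide and must not grant

# Rule syntax from the article: @User.Attr / @File.Attr / @Device.Attr, == !=, AND OR, ( ), True/False, "strings"
TOKEN = re.compile(r'@\w+\.\w+|==|!=|\(|\)|AND|OR|True|False|"[^"]*"')

def tokenize(expr):
    if TOKEN.sub("", expr).strip():  # anything left over is not part of the grammar
        raise ValueError("unsupported rule syntax: " + expr)
    return TOKEN.findall(expr)

def evaluate(expr, user, file, device):
    # Evaluate a rule condition against claim dictionaries; returns True, False or UNKNOWN
    scopes = {"@user": user, "@file": file, "@device": device}
    toks = tokenize(expr)
    take = lambda: toks.pop(0)
    peek = lambda: toks[0] if toks else None

    def operand():
        tok = take()
        if tok == "(":
            value, _ = or_expr(), take()  # nested condition, then its closing parenthesis
            return value
        if tok.startswith("@"):  # claim lookup; a missing claim yields UNKNOWN
            scope, attr = tok.split(".", 1)
            return scopes[scope.lower()].get(attr, UNKNOWN)
        return tok == "True" if tok in ("True", "False") else tok.strip('"')

    def comparison():
        left = operand()
        if peek() in ("==", "!="):
            op, right = take(), operand()
            if left is UNKNOWN or right is UNKNOWN:
                return UNKNOWN
            return left == right if op == "==" else left != right
        return left

    def junction(sub, op, dominant):  # three-valued AND (False wins) / OR (True wins)
        value = sub()
        while peek() == op:
            take()
            other = sub()
            if value is dominant or other is dominant:
                value = dominant
            elif value is UNKNOWN or other is UNKNOWN:
                value = UNKNOWN
        return value

    and_expr = lambda: junction(comparison, "AND", False)
    or_expr = lambda: junction(and_expr, "OR", True)
    return or_expr()

def access_allowed(rule, groups, required_group, user, file, device):
    # DAC complements the group ACE: the group must match AND the condition must be True
    return required_group in groups and evaluate(rule, user, file, device) is True
```

Group names and claim values in any call are constructed sample data, not real directory content.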
There is no development knowledge required to implement a Dynamic Access Control solution.
In this article, we looked at the benefits and the main components of DAC, and at Microsoft's DAC in Windows Server 2012 as an end-to-end file server solution that provides a more granular overview of the file servers.