Dynamic Access Control: the file server, reimagined. Presented by Mark on twitter. Contents copyright 2013 Mark Minasi.

1 Dynamic Access Control: the file server, reimagined. Presented by Mark on twitter. Contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!

2 Dynamic Access Control

3 High-Level Benefits

4

5 Approach

6 DAC Examples

7 DAC Joins Share and NTFS Perms

8 DAC Appears in Two Places

9 DAC New Notions

10 New Concepts/Skills

11 New Concepts/Skills

12 "And's" in Permissions

13 Making "And" Work

14 Our Opening Situation

15 Click Add…

16 Now for the interesting part… click Add a condition

17 In "Add Items," choose the two groups (the UI's not good at showing this)

18 Choose the groups with this dialog box: And then the new permission will look like this: Click OK/Apply and …

19 New Permission

20 Click "Effective Access" to try it out

21 Note "include group membership" (what if-ing), "select device"

22 Next, Consider Claims

23 Making an AD Attribute a Claim

24 Promoting AD Attribs to Claims

25 Example: Make "Office" a Claim Type

26 Giving “Office” a Suggested Value (1)

27 Giving “Office” a Suggested Value (2)

28 Giving “Office” a Suggested Value (3)

29 Giving “Office” a Suggested Value (4)

30 Using Claims

31 Creating a Claims-Based ACE

32 Using Claims

33 Here you see that now Effective Access lets me give Mark a claim for "what if-ing"

34 How Does the File Server Know?

35 One More Thing for Claims…

36 Seeing Claims and Setting Values: We haven’t enabled the Kerberos settings yet, so whoami can’t help. Another example, now that we’ve got everything enabled…

37

38 Sidebar: You Might Not See Claims

39 Is Using Claims Secure?

40 Now Your Workstation Counts, Too

41 DAC Talk: Review

42 File Classification

43 How to Classify Files?

44 ADAC and DAC

45 Enabling an Existing Property

46 Choosing Two Built-in Properties

47 And Once You’ve Chosen Them…

48 Tell the File Server

49 Example ACE with Resources

50 How Do You Set a Property?

51 Classification UI: Right-click any NTFS folder or file and you'll see the new "Classification" tab

52 If You Classify a Folder…

53 Home-Grown Properties

54

55 Automatic Classification

56 Create the Rule (1)

57 Create the Rule (2)

58 Create the Rule (3): “Content Classifier” means “match a given string or a regular expression”. Click this to specify what to look for

59 Specifying Expression to Match

60 Re-Evaluation Rules

61 Apply the Rule: Run this and all of the frightening stuff is immediately marked

62 FSRM Classification Report

63 FSRM Classification Report

64 When You Run the Classifier…

65 Regular Expression Example

66 When Does it Happen?

67 Back to the Big Picture

68 Contrived but Complete Example

69 Central Access Rules and Policies

70 To Follow Along…

71 More Specific Task List

72 Central Access Rules and Policies

73

74 Where To Make the Conditions

75 Creating a Resource Condition

76 Creating a Resource Condition

77 The Resource Condition is Visible

78 Create the User Condition

79 This Part Should Look Familiar: As before, click "Add a condition"

80 As Should This One…

81 A CAR is Born

82 Next, Create the CA Policy

83 Making a CAP

84 Adding a CAR

85 The new CAP

86 Deploy/Publish the CAP

87

88 Installing the CAP in the GPO

89 Deploy the GPO

90 CAP Installed

91 Testing CAPs

92

93 Using the Staged Permissions

94 Sample

95 Thanks for Coming!