CTE Solutions- Dynamic Access Control Webinar
Windows Server 2012
DYNAMIC ACCESS CONTROL
YOUR PRESENTER
Gérald F. Tessier
Senior Trainer at CTE Solutions, Inc.
Training for 18 years; working in IT since '89
MCSA: Windows Server 2008, MCSE: Security
MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+
WHAT PROBLEM IS DAC TRYING TO SOLVE?
ACCESS CONTROL, AS WE KNOW IT
TRADITIONAL APPROACH
A G L P (Accounts, Global groups, Local groups, Permissions)
A G DL P (Accounts, Global groups, Domain Local groups, Permissions)
DIRECTORY SERVICE ADMINS
HRrocks
G-Sales
G-Marketing
G-Engineering
RESOURCE ADMINS
Global groups: G-Marketing, G-Engineering, G-Sales, Managers
Domain local groups: L-MarketingPrinterUsers, L-SalesDocAuthors, L-EngineeringDBEditors
Permissions: Print / Read, Write, Create / Read, Write
UPDATE GLOBAL GROUPS
G-BloodServicesTechnicians
DILIGENCE, PERSEVERANCE, ADHERENCE
• Special Assignments
• Changing Business
• Legal Requirements
• Resource Evolution
DECENTRALIZED & DELEGATED?
G-CanadaEngineeringUsers
ProjectX
L-ProjectXAdmins
DECENTRALIZED & DELEGATED?
G-CanadaEngineeringUsers
ProjectX
L-ProjectXAdmins
G-CanadaProjectXEngineeringUsers
G-CanadaProjectXFinanceUsers
G-CanadaProjectXSalesUsers
• 500 Projects
• 100 Countries
• 10 Divisions
500 000 Groups
PROCESS INTEGRATION, ANYONE?
IT
HR
HOW MANY GROUPS DO YOU HAVE?
1000?
10000?
100000?
DYNAMIC ACCESS CONTROL
CAP
File Classifications
Claims
Remediation
IN A NUTSHELL
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
UNDERSTANDING EXPRESSIONS
ALLOW MODIFY IF MEMBEROF (PROJECTX) AND MEMBEROF (CANADA) AND MEMBEROF (ENGINEERING)
• 500 Projects
• 100 Countries
• 10 Divisions
610 Groups
PART 1: FILE CLASSIFICATION INFRASTRUCTURE
AUTOMATED CLASSIFICATION
Resource Property Definitions
FCI: in-box content classifier, 3rd party classification plugin
File Management Task
See modified / created file
RMS Encrypt
Save classification
Match file to policy
MANUAL CLASSIFICATION
PART 2: CENTRAL ACCESS POLICIES
CAP
EXPRESSION-BASED ACCESS POLICY
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
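The classification flow on the Automated Classification slide and the claims expression above, worked through as an added Python model that is not part of the webinar and not how Windows implements either step: a constructed content classifier derives the file's resource properties (Department from the share folder, Impact from content patterns), and a small condition builder evaluates the slide's policy against user and device claims; the MEMBEROF terms from the Understanding Expressions slide are written the same way. The share root, content patterns, rule names and the sample user, device and file are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# --- Classification step (Automated Classification slide) -------------------
# Constructed conventions for this example: Department is the folder directly
# under the share root, Impact is the highest level implied by a content rule.
SHARE_ROOT = r"C:\FileShare"
IMPACT_ORDER = {"Low": 0, "Med": 1, "High": 2}
CONTENT_RULES = [                                        # (pattern, Impact)
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "High"),      # SSN-shaped number
    (re.compile(r"\bconfidential\b", re.I), "Med"),
]

def classify(path, content):
    """Return resource properties {Department, Impact} for one file."""
    rel = path[len(SHARE_ROOT):].strip("\\") if path.startswith(SHARE_ROOT) else ""
    parts = rel.split("\\")
    department = parts[0] if len(parts) > 1 else "Unknown"
    impact = "Low"
    for pattern, level in CONTENT_RULES:
        if pattern.search(content) and IMPACT_ORDER[level] > IMPACT_ORDER[impact]:
            impact = level
    return {"Department": department, "Impact": impact}

# --- Expression step (Understanding Expressions / Expression-based policy) --
# A context carries the three scopes the slides use: User, Device, File.
class Cond:
    """Boolean condition over a context; & and | build AND / OR expressions."""
    def __init__(self, fn):
        self.fn = fn
    def __call__(self, ctx):
        return bool(self.fn(ctx))
    def __and__(self, other):
        return Cond(lambda ctx: self(ctx) and other(ctx))
    def __or__(self, other):
        return Cond(lambda ctx: self(ctx) or other(ctx))

def _ref(name):
    """'@User.Department' -> getter for ctx['User']['Department']."""
    scope, key = name.lstrip("@").split(".", 1)
    return lambda ctx: ctx.get(scope, {}).get(key)

def equals(lhs, rhs):
    """@Scope.Attr == literal, or @Scope.Attr == @Other.Attr (claim vs. property)."""
    left = _ref(lhs)
    right = _ref(rhs) if isinstance(rhs, str) and rhs.startswith("@") else (lambda ctx: rhs)
    return Cond(lambda ctx: left(ctx) is not None and left(ctx) == right(ctx))

def member_of(group):
    """MEMBEROF(group): the group-based term from the Understanding Expressions slide."""
    return Cond(lambda ctx: group in ctx.get("User", {}).get("Groups", ()))

@dataclass
class CentralAccessRule:
    name: str
    applies_to: Cond        # which files the rule is processed for
    permissions: frozenset  # rights granted when the condition holds
    condition: Cond

def evaluate(rule, ctx):
    """None if the rule is not processed for this file; otherwise the rights it
    grants (an empty set when the condition fails)."""
    if not rule.applies_to(ctx):
        return None
    return rule.permissions if rule.condition(ctx) else frozenset()

# The slide's policy: Applies to @File.Impact = High;
# Allow Read, Write if (@User.Department == @File.Department) AND (@Device.Managed == True)
HIGH_IMPACT_RULE = CentralAccessRule(
    "High impact data", equals("@File.Impact", "High"), frozenset({"Read", "Write"}),
    equals("@User.Department", "@File.Department") & equals("@Device.Managed", True))

# ALLOW MODIFY IF MEMBEROF(ProjectX) AND MEMBEROF(Canada) AND MEMBEROF(Engineering)
PROJECTX_RULE = CentralAccessRule(
    "ProjectX engineering", Cond(lambda ctx: True), frozenset({"Modify"}),
    member_of("ProjectX") & member_of("Canada") & member_of("Engineering"))

def access_for(user, device, path, content, rule=HIGH_IMPACT_RULE):
    """Classify the file, then evaluate one central access rule against it."""
    ctx = {"User": user, "Device": device, "File": classify(path, content)}
    return evaluate(rule, ctx)

# Constructed sample: alice (Finance, managed Finance device) opening a finance
# report that contains an SSN-shaped string, so it classifies as Impact = High.
ALICE = {"Department": "Finance", "Clearance": "High", "Groups": ("Finance",)}
MANAGED_DEVICE = {"Department": "Finance", "Managed": True}
UNMANAGED_DEVICE = {"Department": "Finance", "Managed": False}
REPORT_PATH = r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls"
REPORT_TEXT = "Q3 payroll summary - employee 123-45-6789 - confidential"

if __name__ == "__main__":
    print(classify(REPORT_PATH, REPORT_TEXT))                            # Department=Finance, Impact=High
    print(access_for(ALICE, MANAGED_DEVICE, REPORT_PATH, REPORT_TEXT))   # Read and Write
    print(access_for(ALICE, UNMANAGED_DEVICE, REPORT_PATH, REPORT_TEXT)) # frozenset(): unmanaged device
    print(access_for(ALICE, MANAGED_DEVICE, REPORT_PATH, "team agenda")) # None: rule not processed
```

The three outcomes are worth keeping apart when reasoning about a policy: a rule that is not processed (the file is not High impact) is different from a rule that is processed and grants nothing (the device claim failed), and only the second one shows up as a denial caused by that rule.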
CAP SELECTION
CAP RULES
CENTRAL ACCESS RULES
Classifications on file being accessed: Department = Engineering; Sensitivity = High

| Permission Type | Target Files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE |
|---|---|---|---|---|---|
| Share | | Everyone: Full | Full | Full | Full |
| Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read |
| Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify |
| Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed] | | |
| NTFS | | FTE: Modify; Vendors: Read | Modify | Read | Modify |
| Effective Rights: | | | Modify | None | Read |
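The table reads as an intersection: share permissions AND NTFS permissions AND every central access rule whose target condition matches the file's classification, with a rule whose target does not match (Rule 3 here) simply not processed. The following Python model is added here to reproduce the slide's three columns from that reading; it is not the webinar's code and not how the Windows access check is implemented. Rights are modelled as nested sets so that Read, Modify and Full intersect the way the table shows; the group names and the assumption that a policy none of whose rules target the file does not restrict access are mine.

```python
from dataclasses import dataclass

# Rights as sets so that "AND" across layers is literal set intersection.
# The three named levels nest (Read < Modify < Full), as in the slide's table.
READ = frozenset({"ReadData", "ReadAttributes", "Execute"})
MODIFY = READ | frozenset({"WriteData", "AppendData", "Delete"})
FULL = MODIFY | frozenset({"ChangePermissions", "TakeOwnership"})
NAMED_LEVELS = [("Full", FULL), ("Modify", MODIFY), ("Read", READ)]

def level_name(rights):
    """Human-readable name for a rights set, matching the table's vocabulary."""
    if not rights:
        return "None"
    for name, mask in NAMED_LEVELS:
        if rights == mask:
            return name
    return "Custom"

def granted(grants, user_groups):
    """Union of the rights an ACL-like list of (group, rights) gives this user."""
    rights = frozenset()
    for group, mask in grants:
        if group == "Everyone" or group in user_groups:
            rights |= mask
    return rights

@dataclass
class CentralAccessRule:
    name: str
    target: dict   # resource properties the file must carry for the rule to be processed
    grants: list   # [(group, rights), ...]

    def applies_to(self, file_props):
        return all(file_props.get(k) == v for k, v in self.target.items())

def effective_access(user_groups, file_props, share, ntfs, rules):
    """Effective rights = Share AND NTFS AND every central access rule that targets
    the file. Returns the per-layer breakdown plus the final result.
    Modelling assumption: if no rule targets the file, the policy does not restrict."""
    share_rights, ntfs_rights = granted(share, user_groups), granted(ntfs, user_groups)
    breakdown = {"Share": level_name(share_rights), "NTFS": level_name(ntfs_rights)}
    result = share_rights & ntfs_rights
    for rule in rules:
        if not rule.applies_to(file_props):
            breakdown[rule.name] = "rule ignored - not processed"
            continue
        rule_rights = granted(rule.grants, user_groups)
        breakdown[rule.name] = level_name(rule_rights)
        result &= rule_rights
    breakdown["Effective"] = level_name(result)
    return breakdown

# --- Constructed sample reproducing the slide's table ---
SHARE = [("Everyone", FULL)]
NTFS = [("FTE", MODIFY), ("Vendors", READ)]
RULES = [
    CentralAccessRule("Rule 1: Engineering Docs", {"Department": "Engineering"},
                      [("Engineering", MODIFY), ("Everyone", READ)]),
    CentralAccessRule("Rule 2: Sensitive Data", {"Sensitivity": "High"}, [("FTE", MODIFY)]),
    CentralAccessRule("Rule 3: Sales Docs", {"Department": "Sales"}, [("Sales", MODIFY)]),
]
FILE_PROPS = {"Department": "Engineering", "Sensitivity": "High"}
USERS = {
    "Engineering FTE": {"Engineering", "FTE"},
    "Engineering Vendor": {"Engineering", "Vendors"},
    "Sales FTE": {"Sales", "FTE"},
}

def effective_table():
    """{user label: effective level} for the slide's three users."""
    return {label: effective_access(groups, FILE_PROPS, SHARE, NTFS, RULES)["Effective"]
            for label, groups in USERS.items()}

if __name__ == "__main__":
    for label, groups in USERS.items():
        print(label, effective_access(groups, FILE_PROPS, SHARE, NTFS, RULES))
```

The Engineering Vendor column is the one to study: share and NTFS would still allow Read, and Rule 1 allows Modify, but Rule 2 is processed (the file is Sensitivity=High) and grants vendors nothing, so the intersection is empty. That is the behaviour that lets a single classification-driven rule close access without anyone editing the folder ACLs.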
STAGING POLICY
User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low
Current Central Access Policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso
Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
SAMPLE STAGING EVENT (4818)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR “HBI Rule”
    ReadAttributes: NOT Granted by CAR “HBI Rule”
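A staged policy is only useful if someone reads the 4818 events it produces. The Python parser below is an added example, not part of the webinar: it splits a 4818 message (a constructed copy of the one on the slide) into the current and proposed results and lists the rights a user would lose once the staged policy is enforced, which is what a reviewer wants to see before switching the CAP from staging to enforced. The section header strings come from the slide text; the field layout is assumed to match it, and the parser accepts both the one-line and the indented form.

```python
import re

# Constructed copy of the slide's sample 4818 message, one field per line.
SAMPLE_4818 = r"""Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
    Security ID: CONTOSODOM\alice
    Account Name: alice
    Account Domain: CONTOSODOM
Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
    Access Reasons: READ_CONTROL: Granted by Ownership
                    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
    Access Reasons: READ_CONTROL: NOT Granted by CAR "HBI Rule"
                    ReadAttributes: NOT Granted by CAR "HBI Rule"
"""

CURRENT_HDR = "Current Central Access Policy results:"
PROPOSED_HDR = ("Proposed Central Access Policy results that differ from the "
                "current Central Access Policy results:")
# One "<right>: Granted by <reason>" / "<right>: NOT Granted by <reason>" entry;
# the reason runs until the next entry or the end of the section.
REASON_RE = re.compile(
    r"(\w+):\s+(NOT Granted|Granted) by\s+(.+?)(?=\s+\w+:\s+(?:NOT )?Granted by|\s*$)",
    re.S)

def _reasons(section):
    return {right: (verdict, reason.strip())
            for right, verdict, reason in REASON_RE.findall(section)}

def parse_4818(message):
    """Split a 4818 message into subject, object and the per-right verdicts of the
    current vs. proposed (staged) central access policy."""
    i_cur, i_prop = message.index(CURRENT_HDR), message.index(PROPOSED_HDR)
    current = _reasons(message[i_cur + len(CURRENT_HDR):i_prop])
    proposed = _reasons(message[i_prop + len(PROPOSED_HDR):])
    sid = re.search(r"Security ID:\s+(\S+)", message).group(1)
    obj = re.search(r"Object Name:\s+(.+?)\s+" + re.escape(CURRENT_HDR), message, re.S).group(1)
    return {"subject": sid, "object": obj.strip(), "current": current, "proposed": proposed}

def lost_rights(parsed):
    """Rights granted now that the proposed policy would NOT grant."""
    return sorted(
        right for right, (verdict, _) in parsed["proposed"].items()
        if verdict == "NOT Granted" and parsed["current"].get(right, ("", ""))[0] == "Granted")

def staging_report(message):
    """One-line summary to review before switching the CAP from staged to enforced."""
    p = parse_4818(message)
    lost = lost_rights(p)
    if not lost:
        return f"{p['subject']} on {p['object']}: no access lost"
    rules = sorted({reason for right, (_, reason) in p["proposed"].items() if right in lost})
    return (f"{p['subject']} on {p['object']}: would lose {', '.join(lost)} "
            f"(denied by {', '.join(rules)})")

if __name__ == "__main__":
    print(staging_report(SAMPLE_4818))
```

Run over a day's worth of 4818 events from the file servers, grouping the output by the rule named in the proposed results quickly shows whether a staged rule such as the Clearance check above would cut off the users it was meant to, or a whole department that was not.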
The presentation has been recorded and will be made available on SkyDrive.
Official Microsoft Courses Available:
• 20410 - Installing and Configuring Windows Server 2012
• 20411 - Administering Windows Server 2012
• 20412 - Configuring Advanced Windows Server 2012 Services *
Contact Gerry – [email protected]
Connect with CTE on Twitter - @CTESolutions
THANK YOU FOR YOUR PARTICIPATION!