What is Dynamic Access Control (DaC)?
Dynamic Access Control, also called DaC, is a Windows Server feature that made its first appearance in Windows Server 2012. It remains a central component of most security deployments because it allows a higher degree of conditional access controls based on whatever criteria you'd like applied. In this post, we'll cover what Dynamic Access Control is, when you'd want to use it, and briefly cover some of the more basic parts of implementing it.
What Exactly Is Dynamic Access Control (DaC)?
Quick Definition: Dynamic Access Control is a Windows Server feature that allows conditional access control. As the name suggests, administrators have the control to grant or restrict access to network resources based on dynamic variables. Maybe your company works with sensitive information that needs to be protected; you decide who can access it, but is that enough?
Maybe that sensitive information is safe with that user while they're in the office, but what about when they're working from the café down the street? With DaC, a network administrator has fine-tuned control over who has access to resources, when, and what parameters make that decision.
An Overview of Dynamic Access Control [VIDEO]
In this video, Tim Warner covers a brief demonstration of configuring claims with dynamic access control in Windows Server 2012. This version of Windows Server provides numerous new features, but this video focuses specifically on exploring DAC, what it is, and what it can do for you.
What is Dynamic Access Control Good For?
DaC is a data-governance technology that works along with NTFS permissions and shared folder permissions. Historically with Windows, we provided authorization to file system resources by using a combination of shared and NTFS permissions. Shared permissions were used to make a folder available on your network, NTFS permissions, which apply to both folders and files and grant or block users based on their identity in Active Directory.
That comes with two big problems, problems that Microsoft sought to solve with Dynamic Access Control. First is what to do about sizing upward. As companies get larger and larger, they scale up & out. That makes it more and more cumbersome to juggle Active Directory groups in their Discretionary Access Control Lists (DACLs).
The second problem is that just using NTFS and shared permissions along with traditional Windows Server auditing (which is object-access auditing) doesn't always provide sufficient detail. Some shops are subject to regulations that impose significant auditing and reporting demands – without fine-tuned controls, satisfying those regulations can be time-intensive and challenging.
Many of those regulations are industry standards. But many could be regulations put in place by a government — and sometimes not even from the country the organization is headquartered in. When you're talking about those kinds of regulations, data governance is a common term. Data governance more or less means that a network administrator is able to track the access that users have to server resources at a highly granular level. Many regulations require proof that your network can provide an audit trail, tracking who in the organization accessed what, when, where, etc..
Not only that, Dynamic Access Control provides network administrators with yet another tool that gives them further control over their networks: Least Privilege. If you're unfamiliar with it, the principle of Least Privilege is more or less what it sounds like: users on your domain should always have enough privilege to get to the files that they need to while having the level of access necessary to make the operations on those files that they need to, but no more. Least Privilege sounds like common sense, but the actual time and effort that it takes to restrict access without hampering productivity is significant.
How Does Dynamic Access Control Actually Work?
We've got a sense of what DaC does, but we're left with the question of what is DaC? Dynamic Access Control can be thought of as a triangle with three sides: classification, claims and policy. Let's get more into each of those.
First, classification. Dynamic Access Control allows network administrators to classify data. With DaC, it's possible to write taxonomic tags that assign semantic meaning to your file system resources. If you know what taxonomic tags are, you probably appreciate how powerful that is. If you're not familiar with them, they're basically a way to add relationships to your data. With good taxonomies and tags, you can connect things to one another that a computer wouldn't realize are related.
Related to that is data classifications and scrubs. If you follow this blog, watch for a future post in which we'll be showing the File Server Resource Manager, and how we can actually have it schedule automatic scrubs and automatic classification for your shared folders – really powerful stuff.
The second part of the DaC triangle is on the other side of the coin of classification. On that side, we have users and computers for which we can configure claims. A claim is basically an attribute from Active Directory. Claims are sourced in Active Directory schema, and Dynamic Access Control lets a network administrator present the claim with the user's access token alongside their AD group memberships, name and password.
Doing that does require enabling Kerberos armoring. Without Kerberos armoring, you couldn't enable the user's access token on your domain. Kerberos armoring makes it possible to extend the token and bring in those additional claim properties.
The third side of the DaC triangle is the Central Access Policy. This is where we can use conditional logic to tie together our taxonomic tags that we've placed on our shared folders and the claims that we've associated with our users and computers. When those come together, you should be able to imagine that that we can provide very granular access in auditing.
Not only that, but because we can audit using conditional statements means that there's, overall, a lower auditing volume. It also provides more bang for our buck with our auditing infrastructure.
How to Configure Claims in Dynamic Access Control (DaC)
We won't get into the weeds too far, but next let's take a moment and demonstrate how to configure claims in Dynamic Access Control. For starters, in order to configure DaC, we'll need to use either PowerShell or Active Directory Administrative Center (dsac.exe).
If you're still tied to Active Directory users and computers, you'd best get used to the DSAC. For the rest of this post, we're assuming that you have access to DSAC and have a network environment you can explore in it. We'll start with DSAC, and we can open it up by going to a command prompt and typing:
This window should already be fairly familiar to you, so we'll use the navigation tree to select Dynamic Access Control. This'll give us a good view of the three sides of our triangle: Claims, Resource Properties (which refer to the metadata tags for our files and folders), and the Central Access Rules and Policies.
For now, we'll double-click Claims. In our case, we happen to have already created one. If you have any already, you'll see them displayed in the middle of the screen. We named ours "Department", and it maps to the Department schema attribute. But where are these attributes coming from?
Earlier, we mentioned that attributes are derived from Active Directory. We have to sidetrack briefly, but we can explore exactly what it means that those attributes derive from AD. Since you're in the DSAC, you should have many users available to you. If you go ahead and open a user account, we can see how easy it is to identify attributes.
Navigate to one of your users and open their user properties sheet. This opens an interface that would let us drill into any of their displayed properties. We could even go beyond what's shown here in the user's properties sheet – as long as you know what a particular attribute is named in AD, in the schema, you can get to it.
So, if we wanted to create conditional access — in our case, claims based on department — we'd check to see if the user has that field populated. Presumably, the user we clicked into does have a value in the "Department" field. But maybe rather than assign dynamic control based on what department they're a part of, we instead wanted to classify based on their location, their city, their state. All these are right there waiting for you.
So, now if we go back to Claim Types, we can right-click, select "New" and then "Claim Type". This window provides us with all the schema attributes. You can filter the list if you know – basically – what you're looking for. There's a search menu available that provides contextual feedback, so you could search for – for example – "country" and the results update as you type.
Note: the Display Name for your attribute may not be intuitive, comprehensible, or what you want it to be. If that's the case, you can select it in this menu and then on the right side, you can update it.
On the same screen, you'll have the option to associate this update with a user, with a computer, or both. Not only that, but you can optionally suggest values in advance. All this makes it a lot easier later – when you're making your central access policies – to avoid data entry errors.
Something to note is that anything you create within this Claim Type menu is protected from accidental deletion. What that means is that if while working in the menu, you tried to delete an entry, a window interrupts the action. It'll stop the deletion, and depending on permissions, it'll inform the user they don't have permissions to delete.
That's not an in-depth exploration of Claim Types inside the Active Directory Administrative Center, but if you've got a network and DSAC at your disposal, hopefully it gives you a sense of what you're looking at as you click around. At this point, we're trying to get you thinking of AD properties for your users and even your devices that you may want to use in Dynamic Access Control Access Control Lists.
There are more steps, like configuring our Resource Properties and Resource Property Lists, but for now, we'll leave you with this understanding of what DaC is and how some of its options can be configured. If configuring and optimizing Dynamic Access Control is something you need more in-depth study on, consider CBT Nuggets' Microsoft Windows Server 2012 MCSA training.