20 Cards in this Set

Front: ties together Claims and folder classifications for the purpose of auditing or creating a conditional access list
Back: Deploying Central Access Policy

Front: AAA: not Microsoft-created; this is a way of looking at security with three main touch points
Back:
- Authentication: validating a user's credentials and determining that they are in fact a legitimate user in our organization.
- Authorization: given an authenticated security principal (a user or computer in Active Directory), what are the limits of this security principal's access to resources in the domain?
- Accounting: many companies have compliance requirements and require documentation that ensures confidentiality, whether for secure access or privacy.

Front: DAC: this is a "New Access Control Method" for file system resources (our Windows 2012 File Servers) that provides 3 main functions
Back:
1. Access Control: specific authorization to resources, implementing least privilege; making sure that only users who are authorized to view and make changes to files are allowed to do so, and everybody else is denied.
2. Auditing: ties Dynamic Access Control with traditional Windows auditing.
3. FCI (File Classification Infrastructure)

Front: Dynamic Access Control Benefits
Back:
- Ability to protect sensitive information and encrypt it through RMS (AD RMS), and to provide application-specific restrictions on data.
- Keeps compliance and provides much more granular data analysis in terms of the auditing capabilities with DAC.
- Access Denied Remediation: this only works with "Windows 8".

Front: refers to published information about an entity from a trusted data store; Trust relates to ADFS; in this scenario it's going to relate to Active Directory, and the published information will refer to Active Directory schema properties for user and computer accounts
Back: Identity

Front: have a function very similar to columns in a database table; these consist of a Name + data type (constrains the type of data that can fit into that particular attribute) + suggested values (DAC allows you to do this)
Back: Schema Attributes

Front: Claims rely upon _____________? A prerequisite to deploy DAC; requires that you extend your AD Schema, which is done through group policy
Back: Kerberos v5 and Kerberos Armoring
- This extends user/computer account access tokens

Front: is what we configure for our user population; we determine what attributes are important for my users and computers that would fit into Dynamic Access Control
Back: Claims

Front: We also have to keep in mind the Shared Folder infrastructure, and this is where we have resource properties and resource property lists.
Back: These are metadata tags that are stored in AD DS, available globally, and ingestible by your file servers.
Resource Properties are name and data pairs, and they support multiple data types.

Front: allows you to manually assign tags, or automatically with FSRM
Back: Classification

Front: This ties the Claims and the Resource Properties together; is an AD object that consists of one or more individual Central Access Rules (CARs)
Back: Central Access Policy (CAP)

Front: is one or more statements of conditional logic to scope access + permissions
Back: Central Access Rule

Front: Q: What if we build a CAP and deploy it to our users, and then the users can't access files that they could access before?
Back: A: We can create permission lists and stage them, or actually release them.
- Proposed Permissions (staged): as our users access CAP-protected folders, instead of the user getting an Access Denied, it will generate Event IDs that we can monitor to see if there are any problems and resolve them.
- Current Permissions (production): releases the CAP live.

Front: provides a way of dynamically assigning access permissions to content based upon the properties of the content and information about the user and device attempting to access that content
Back: Dynamic Access Control

Front: provides a way of securing content through encryption and through rules applied to the operating system and applications on what actions the user can perform with that content.
Back: Active Directory Rights Management Service

Front: What group policies have to be enabled to implement DAC?
Back:
1. KDC: KDC Support for Claims, Compound Authentication, and Kerberos Armoring
2. Kerberos: Kerberos Client Support for Claims, Compound Authentication, and Kerberos Armoring

Front: includes a set of permissions and the conditions under which those permissions are applied
Back: Central Access Rule

Front: enables you to configure a set of proposed rules rather than applied permissions
Back: Staging

Front: What do you use to determine the results of staged permissions before implementing them?
Back: Audit Central Access Policy Staging Properties
Advanced Audit Policy Configuration (AAPC) > Object Access
When proposed permissions are enabled in CARs, the Event ID is 4818.

Front: How do you configure Access Denied Assistance through Group Policy?
Back: Computer Configuration > Policies > Administrative Templates > System > "Access-Denied Assistance"
Enable it, and select "Enable users to request assistance".