Access Control and Authorization with Windows Server 2012

WindowsServer2012Sta_Web Have you ever needed to set up permissions on a network resource and the only way to satisfy the conditions for permission was to create a brand new security group?  Windows Server 2012 is the answer.

Let’s say you have a file share (network resource) that should only be accessed by people who are both managers and members of the HR group.  You have a Managers group and an HR group, but the requirements specify a mix of the two groups.  I have run across situations similar to this many times and I am betting many other domain administrators have run across this as well.

Prior to Windows 2012, we might need to create another group that contains users who satisfy both conditions.  This generates the need to administer another group.  Too many situations like this, and you have a huge list of groups to cover every condition.  The more groups you have, more the need to manually control group membership.  To get around this situation, we may manually set unique permissions directly on the network resource.  So now the administrator must update individual access directly on the resource instead of in a group membership.  Either way, we now have another individual point to administer and document.  The larger the organization, the more complicated this gets.

Best practice is to use groups for access control as opposed to using an individual account.  This makes things easier because all you need to do to give someone access permissions is to join them in a group.  However, what happens to administration when we create a group to cover many, many situations of multiple conditions?  Server 2012 has a new feature that alleviates this situation and empowers the administrator.  Dynamic Access Control is part of the advanced authorization and access control technologies.  Dynamic Access Control includes the following new functionalities:

Given the example above of HR Managers, we could go about setting up access permissions to the network share in a few new ways.  We could do it directly on the network share where we would create an expression that has the conditions of being a member of both the Managers group and the HR group.  Or, we could do it on the domain where we would create a central access rule that contains the defined conditions for group membership.  We would then include the rule in a central access policy that we could apply across multiple servers in our domain.  To test this, we could use proposed permissions to see how this new policy affects our resources without actually applying the change.  We could take this one step further by using claims.  We could create a claim on individual user accounts that gives them a unique identifier.  We could then use the unique identifier to make an expression that specifies the user is a member of the HR security group and has the associated claim to determine access permissions.  Think about how many groups and cases of unique permission administration we could eliminate.

In order to support Dynamic Access Control, a new Access Control List (ACL) editor has been included in Windows 2012.  The Enhanced ACL Editor allows you to incorporate the expressions created with the access control/permissions of the network resource.  This is the tool that allows you to create and bring together all the topics presented above.

Put a 2012 domain controller in a test environment and kick the tires of this concept.  Afraid of what you might break?  That’s what we’re here for. Call or click today for your free, network assessment.



Sr. Network Consultant
© 2014 Custom Systems Corporation