Access Control and Authorization with Windows Server 2012
Let’s say you have a file share (network resource) that should only be accessed by people who are both managers and members of the HR group. You have a Managers group and an HR group, but the requirements specify a mix of the two groups. I have run across situations similar to this many times and I am betting many other domain administrators have run across this as well.
Prior to Windows 2012, we might need to create another group that contains only the users who satisfy both conditions. This generates the need to administer yet another group. Too many situations like this, and you have a huge list of groups to cover every condition. The more groups you have, the more group memberships you must control manually. To get around this, we may instead set unique permissions directly on the network resource. Now the administrator must update individual access directly on the resource instead of in a group membership. Either way, we have another individual point to administer and document, and the larger the organization, the more complicated this gets.
Best practice is to use groups for access control rather than individual accounts. This makes things easier because all you need to do to give someone access is add them to a group. However, what happens to administration when we have to create a group for every combination of conditions? Server 2012 has a new feature that alleviates this situation and empowers the administrator. Dynamic Access Control is part of the advanced authorization and access control technologies, and it includes the following new functionality:
- Central Access Rules – an authorization expression that includes one or more conditions.
- Central Access Policies – used to bring together multiple authorization rules so they can be applied across servers in a domain.
- Claims – a unique identifier for user, device, and resource objects in a domain. This identifier can be included in expressions.
- Expressions – join multiple authorization conditions together to define access permissions.
- Proposed Permissions – allow an administrator to predict the results of their conditional access expressions without actually applying the change.
Given the example above of HR Managers, we could set up access permissions to the network share in a few new ways. We could do it directly on the network share, where we would create an expression whose conditions are membership in both the Managers group and the HR group. Or we could do it on the domain, where we would create a central access rule that contains the defined conditions for group membership. We would then include the rule in a central access policy that we could apply across multiple servers in our domain. To test this, we could use proposed permissions to see how the new policy affects our resources without actually applying the change. We could take this one step further by using claims: we could create a claim on individual user accounts that gives them a unique identifier, and then use that identifier in an expression specifying that the user is a member of the HR security group and has the associated claim. Think about how many groups and cases of unique permission administration we could eliminate.
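The domain-side approach described above, built with the ActiveDirectory module cmdlets, as an added example (not code from the original post). It assumes a Windows Server 2012 domain controller with groups named "Managers" and "HR" already in place; the rule, policy and claim names are hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module on a
# Windows Server 2012 domain controller and existing groups "Managers" and "HR".
# The rule, policy and claim names below are hypothetical.
Import-Module ActiveDirectory

# Resolve the two group SIDs so the expression can reference them.
$managersSid = (Get-ADGroup -Identity "Managers").SID.Value
$hrSid       = (Get-ADGroup -Identity "HR").SID.Value

# Claim: publish the user's "department" attribute so expressions can test it
# directly instead of relying on a second group membership.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -Enabled $true

# Conditional ACE in SDDL. "XA" is a conditional access-allowed ACE; 0x1200a9 is
# Read & Execute; AU is Authenticated Users. The grant applies only when the
# condition after the SID is true, i.e. the user is in BOTH groups.
$condition  = "(Member_of {SID($managersSid)}) && (Member_of {SID($hrSid)})"
$currentAcl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;($condition))"

# Proposed permissions: the same grant expressed with the Department claim plus
# Managers membership. This ACL is not enforced; access checks against it are only
# logged (enable the "Audit Central Access Policy Staging" subcategory to see them).
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;' +
               '((@USER.Department == "HR") && (Member_of {SID(' + $managersSid + ')})))'

# Central access rule: the expressions, with no resource condition so it can apply
# to any folder the policy is later assigned to.
New-ADCentralAccessRule -Name "HR Managers Rule" `
    -Description "Read access only for users who are both Managers and in HR" `
    -CurrentAcl $currentAcl `
    -ProposedAcl $proposedAcl

# Central access policy: groups one or more rules; it is published to file servers
# through Group Policy (Computer Configuration > Policies > Windows Settings >
# Security Settings > File System > Central Access Policy).
New-ADCentralAccessPolicy -Name "HR Managers Policy"
Add-ADCentralAccessPolicyMember -Identity "HR Managers Policy" -Members "HR Managers Rule"
```

Once Group Policy has delivered the policy to the file server, you pick it on the folder's Central Policy tab in the Advanced Security Settings dialog, and the effective-access view there lets you confirm that a user in only one of the two groups is denied.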
In order to support Dynamic Access Control, a new Access Control List (ACL) editor has been included in Windows 2012. The Enhanced ACL Editor lets you incorporate the expressions you create into the access control entries (permissions) of the network resource. This is the tool that allows you to create and bring together all of the pieces presented above.
Put a 2012 domain controller in a test environment and kick the tires of this concept. Afraid of what you might break? That’s what we’re here for. Call or click today for your free network assessment.
Craig R. Kalty (CCIA, CCEE, CCA, MCITP:EA, MCITP:SA, VCP)
Sr. Network Consultant
© 2014 Custom Systems Corporation