Microsoft

MICROSOFT 70-412: OBJECTIVE 2.2.3 – Perform access-denied remediation

If a user doesn’t have access to a network resource, a file server has not historically given the most user-friendly response: an Access Denied message and an OK button. OK? No, this is not okay for the user and we can do better.

One of the improvements in Server 2012 is Access-Denied Assistance. When a user tries to access a resource that they don’t have access to, they can receive a custom message that explains WHY they don’t have access as well as who to contact for further help, or even a Request Assistance button to save the user from typing out an email.

This can be configured individually using File Server Resource Manager or centrally using Group Policy.

Setting Access-Denied Assistance with File Server Resource Manager

  1. Open up File Server Resource Manager, right-click on local (or connect to another server first) and select Configure Options.
  2. On the dialog that opens, select the Access-Denied Assistance tab on top.
  3. Check the box next to Enable access-denied assistance.
  4. If desired, you can configure email requests by selecting the button toward the top.
  5. Notice the item Generate an event log entry for each email sent. This is checked by default, and we can use it to look for (and remediate) access issues.

Setting up Access-Denied Assistance using Group Policy

  1. Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
  2. Right-click the appropriate Group Policy, and then click Edit.
  3. Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
  4. Right-click Customize message for Access Denied errors, and then click Edit.
  5. Select the Enabled option.
  6. Configure the following options:
    1. In the Display the following message to users who are denied access box, type a message that users will see when they are denied access to a file or folder.

      You can add the following variables to the customized text:

      • [Original File Path] The original file path that was accessed by the user.
      • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
      • [Admin Email] The administrator email recipient list.
      • [Data Owner Email] The data owner email recipient list.
    2. Select the Enable users to request assistance check box.
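The same Access-Denied Assistance settings can be applied to a single file server from PowerShell. This is an added example, not code from the original post; it assumes the File Server Resource Manager role service is installed, an elevated shell, and made-up SMTP server and mailbox names.

```powershell
# Added example: configure Access-Denied Assistance with the FSRM module rather
# than the FSRM console or Group Policy. Assumes FS-Resource-Manager is installed.
Import-Module FileServerResourceManager

# Mail settings that back the [Admin Email] placeholder and the request emails
# (server and addresses are placeholders for this example).
Set-FsrmSetting -SmtpServer 'smtp.example.com' `
                -FromEmailAddress 'fsrm@fileserver.example.com' `
                -AdminEmailAddress 'fileadmins@example.com'

# FSRM expands the same placeholders the Group Policy message supports.
$message = @"
You do not have permission to open [Original File Path].
Access to the folder [Original File Path Folder] is restricted by policy.
Contact [Data Owner Email] or [Admin Email], or click Request Assistance.
"@

$adr = @{
    Event               = 'AccessDenied'
    Enabled             = $true
    DisplayMessage      = $message
    AllowRequests       = $true   # show the Request Assistance button
    MailToOwner         = $true   # send the request to the folder's data owner
    MailCCAdmin         = $true   # copy the FSRM administrator recipients
    EventLog            = $true   # one event per request email (on by default)
    IncludeUserClaims   = $true   # attach the user's claims to the request
    IncludeDeviceClaims = $true   # attach the device's claims as well
}
Set-FsrmAdrSetting @adr

# Verify what the server will actually do when access is denied.
Get-FsrmAdrSetting -Event AccessDenied |
    Select-Object Enabled, AllowRequests, MailToOwner, MailCCAdmin, EventLog
```

Including the user and device claims in the request email is what lets the administrator see which claim (department, office, device location) the denied user was missing.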

MICROSOFT 70-412: OBJECTIVE 2.2.1 – Configure user and device claim types

A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. These are very often attributes that you find if you open the properties of an object in Active Directory – things like a user’s title, department or location are claims that you can define, as are the department classification of a file or the health state of a computer. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:

  • User claims – Active Directory attributes that are associated with a specific user.
  • Device claims – Active Directory attributes that are associated with a specific computer object.
  • Resource attributes – Global resource properties that are marked for use in authorization decisions and published in Active Directory.

Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

Creating a Claim:

  1. Open up the Active Directory Administrative Center. Select Dynamic Access Control from the list on the left.
  2. Right-click on Claim Types and select New.
  3. Select the attribute you want to use for the claim – if we keep the example used when I introduced Dynamic Access Controls, we should create a claim based on the department the user works in... Finance.
  4. To keep with the scenario, I’m going to add a claim for office location (Office) and the AD VDI container.
  5. ???
  6. Profit!

You would create claims to meet the business objectives for securing data; the actual attributes that you use to achieve that goal will likely be very different from what I’m using in this scenario, but I hope I’m showing you the power and flexibility afforded by setting up claims.

PowerShell:
The relevant PowerShell cmdlets for reading, creating, modifying and deleting claim types share the ADClaimType noun:
Get-ADClaimType, New-ADClaimType, Set-ADClaimType and Remove-ADClaimType
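The Finance scenario above, built from PowerShell instead of the Administrative Center. This is an added example, not the post’s own code; it assumes the ActiveDirectory module is available, rights on the Configuration partition (Enterprise Admins), and that the attribute choices and suggested values fit the scenario.

```powershell
# Added example: publish the claim types for the Finance scenario with the
# ActiveDirectory module. Assumes RSAT/AD module and Enterprise Admin rights.
Import-Module ActiveDirectory

# User claim: Department, sourced from the 'department' attribute. Restricting
# the claim to suggested values means a rule author cannot mistype "Finanse"
# into a central access rule and silently grant nobody (or the wrong people).
$finance = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'Finance', 'Finance', 'Finance department staff')
$hr = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    'HR', 'Human Resources', 'HR department staff')

New-ADClaimType -DisplayName 'Department' `
    -ID 'ad://ext/Department' `
    -SourceAttribute 'department' `
    -AppliesToClasses 'user' `
    -SuggestedValues $finance, $hr `
    -RestrictValues $true `
    -Enabled $true

# User claim: Office, sourced from physicalDeliveryOfficeName.
New-ADClaimType -DisplayName 'Office' -ID 'ad://ext/Office' `
    -SourceAttribute 'physicalDeliveryOfficeName' -AppliesToClasses 'user'

# Device claim for the "connecting from a device on the main campus" part of
# the rule (assumption: 'location' is populated on computer accounts).
New-ADClaimType -DisplayName 'Device Location' -ID 'ad://ext/DeviceLocation' `
    -SourceAttribute 'location' -AppliesToClasses 'computer'

# Review what was published. Remember that domain controllers only issue these
# claims once the "KDC support for claims, compound authentication and
# Kerberos armoring" policy is enabled on them.
Get-ADClaimType -Filter * |
    Format-Table DisplayName, ID, SourceAttribute, AppliesToClasses, Enabled
```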

MICROSOFT 70-412: OBJECTIVE 2.2 – Dynamic Access Controls

Dynamic Access Control is the story of file access rules (called, believe it or not, access rules) based on user and device criteria (called claims).

These rules function as logical if-then statements built on the attributes of files, users, and devices. An example:
IF a user is an employee in the finance department AND has an office at the main campus AND is connecting from a device that is located on the main campus, THEN s/he can access the Payroll directory.

In order to lock down access with DAC in the above scenario, the administrator will need to set up claims for each of the objects, and a corresponding access rule on the Payroll folder.

Sub-Objectives:

1) Configure user and device claim types
2) Implement policy changes and staging
3) Perform access-denied remediation
4) Configure file classification
5) Create and configure Central Access rules and policies
6) Create and configure resource properties and lists

Microsoft 70-412: Objective 2.1 – Configure Advanced File Services

Hey everyone! I’m just getting over a few days of being pretty sick, so I apologize for the delay in getting the next post of the series out to you. The content in this post was pretty deep, so it was a good post to get back in the swing of things!

Table Of Contents

1) Configure Network File System (NFS) data store
2) Configure BranchCache
3) Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
4) Configure file access auditing
