"You have to see it for yourself. It's not too late to refuse, but after that there is no turning back. Take the blue pill and the story ends: you wake up in your bed and believe it was all a dream. Take the red pill and enter Wonderland, and I'll show you how deep the rabbit hole goes." (from the film "The Matrix")
In the two previous articles of this series we began examining the rich functionality of Dynamic Access Control (DAC), a technology that lets you take the entire resource management model on your file servers to a qualitatively new level. Over those two articles we covered a fair amount: I described the basic scenarios for using the technology, and you learned what claims are and how to manage custom claim types. Clearly, though, what those two articles gave you is not enough for a full understanding of the technology or for designing your own scenarios in an organization.
In this article we dig deeper and look at what resource properties and resource property lists represent within the DAC concept, since they too are an integral part of the technology. Most likely this will be the last article but one before we begin creating central access policies and move on to the scenarios I talked about so much in the first article of the series. So let's check "how deep this rabbit hole goes"...
What are resource properties in dynamic access control?

I believe almost everyone who has worked with file servers running Windows Server 2008 R2 has already had a chance to evaluate the File Classification Infrastructure (FCI). If you have not yet met it, FCI is the infrastructure that automates the classification of files and, on that basis, lets you assign levels of importance and retention periods, generate various reports and create custom tasks, thereby reducing the risks of storing files on your servers. Classification is managed with the File Server Resource Manager (FSRM) administrative tool, and it becomes available only after that console is installed. In other words, file classification lets you create file management policies so that you can manage your data more effectively. We could talk about the capabilities of FCI for a long time, but let's move on to the resource properties themselves, to Windows Server 2012 and, of course, to Dynamic Access Control.
So how is Dynamic Access Control related to file classification? Starting with Windows Server 2012, authorization capabilities were extended by adding resource properties to the existing file classification infrastructure. As I said in the previous article of this series, you can use several conditional expressions to implement complex authorization scenarios, which is what makes DAC flexible. In more detail: administrators can now use conditional expressions to configure file access authorization based on one or more values of resource properties.
And what are resource properties? Consider a simple example: suppose that on your file servers you have documentation hidden from most users and classified as FinanceSecret. Windows Server 2012 then needs to grant access to such files based on the "secret financial information" classification that appears in the metadata of the files themselves, that is, in the file's resource properties. So if a file is classified as FinanceSecret but the user does not have permission to view such data, the user is denied access. Now back to resource properties. They come in two kinds: the resource property and the resource reference property. Briefly, what is what:
- A resource property is an entity that describes a specific characteristic of a resource, where a resource can be an object such as a file or folder. This property plays a role in creating central access rules: it serves to identify both the target resources and the permissions. Resource properties contain the suggested values defined for the object itself, and these are stored in the object's msDS-ClaimPossibleValues attribute. In addition, a resource property is also used to classify the resource itself;
- A resource reference property (also called a reference property of a resource) is, roughly speaking, a resource property that uses an existing claim type as the source of its suggested values. What does this mean? Reference property objects differ from ordinary resource property objects in that they do not store their own values; instead they take them from the claim type object whose distinguished name is stored in the msDS-ClaimSharesPossibleValuesWith attribute. As a result, the values of a reference property are always valid for comparison with the claim type it references in central access rules, which reduces the manual work of keeping the data consistent.
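The distinction between the two kinds of object is visible in the attributes just named, which makes it easy to audit what a forest actually has. The following script is an added example, not code from the article, and it assumes the ActiveDirectory module (RSAT) on a Windows Server 2012 or later domain member with read access to the Configuration partition; the property names read from the returned objects (DisplayName, Enabled, SuggestedValues, ValueType) are assumed to be the ones the ActiveDirectory module exposes on ADResourceProperty objects.

```powershell
# Added example: inventory resource property objects and tell regular properties
# from reference properties by the attribute each kind relies on.
Import-Module ActiveDirectory

function Get-DacResourcePropertyInventory {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the discovered one.
        [string] $Server
    )

    $getParams = @{
        Filter     = '*'
        Properties = 'msDS-ClaimPossibleValues',
                     'msDS-ClaimSharesPossibleValuesWith',
                     'msDS-IsUsedAsResourceSecurityAttribute'
    }
    if ($Server) { $getParams['Server'] = $Server }

    foreach ($rp in Get-ADResourceProperty @getParams) {
        # A reference property stores no values of its own; it points at a claim
        # type through msDS-ClaimSharesPossibleValuesWith (a distinguished name).
        $refTarget = $rp.'msDS-ClaimSharesPossibleValuesWith'
        $kind = if ($refTarget) { 'Reference' } else { 'Regular' }

        # Regular properties keep their suggested values in msDS-ClaimPossibleValues;
        # count the entries the module has already parsed into SuggestedValues.
        $valueCount = if ($rp.SuggestedValues) { @($rp.SuggestedValues).Count } else { 0 }

        [pscustomobject]@{
            DisplayName      = $rp.DisplayName
            Kind             = $kind
            ValueType        = $rp.ValueType
            Enabled          = $rp.Enabled
            UsedForAuthz     = [bool]$rp.'msDS-IsUsedAsResourceSecurityAttribute'
            SuggestedValues  = $valueCount
            SharesValuesWith = $refTarget
        }
    }
}

# Usage: list only the properties that can actually appear in an access
# condition (enabled and marked for authorization), which is the set an
# access review of a DAC deployment should start from.
Get-DacResourcePropertyInventory |
    Where-Object { $_.Enabled -and $_.UsedForAuthz } |
    Sort-Object Kind, DisplayName |
    Format-Table -AutoSize
```

Reference properties show a claim type DN in the SharesValuesWith column and zero stored values of their own, which is exactly the behaviour described above; a regular property shows the opposite.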
At this point I think we can pause the theory and proceed to creating a resource property object.
Creating a resource property object
As with claims, you can manage resource properties and resource reference properties using the Active Directory Administrative Center and, for automation scripts, the rich features of Windows PowerShell. Since this series of articles is meant to be a thorough study of Dynamic Access Control, later in this article we will look at managing resource properties with both methods. Once again we start with the Active Directory Administrative Center. So:
Managing resource property objects with the Active Directory Administrative Center
In order not to drag out the step-by-step procedure, let's begin creating a resource property object in the Active Directory Administrative Center right away. Do the following:
- On the domain controller, open the Active Directory Administrative Center window, highlight the Dynamic Access Control node in the navigation pane, and then select the Resource Properties node (Dynamic Access Control > Resource Properties);
- In that node, right-click in the details pane and select New > Resource Property from the context menu, as shown in the first illustration of this procedure, or go to the home page of the Active Directory Administrative Center, to the Dynamic Access Control tile, and in its group of actions select the second action, which creates a new resource property. In both cases the dialog box for creating a new resource property opens.

Fig. 1. Creating a new resource property
- In the dialog box that appears you cannot help noticing that a resource property object has considerably fewer "tricky" options than a claim type: in the General group there are, roughly speaking, only 3 changeable parameters, namely:
- Display Name. In this text field you must specify a unique display name for the resource property you are creating; this name will appear in the Resource Properties node and in other elements of the Active Directory Administrative Center console. You may of course use alphanumeric names. For example, let's call our resource property "Region" and move on to the next parameter;
- Value type. A drop-down list from which you select the logical data type the operating system will use to describe the data that will be stored in the resource property. When creating a resource property you can select any of the eight available value types, namely:
- Date time. Creates a resource property whose logical value type is a date and time. Note that a resource property of this value type cannot be used directly for authorization (you will learn more about that option in a few paragraphs). Among the predefined resource properties this type is used by "Retention Start Date", which determines the start date of a retention period. It is not the most common value type for a resource property;
- Multi-Valued Choice. Resource property objects based on this logical value type may contain several suggested values, from which one or more valid values can be selected. If, for a specific object, you need to select several such values in the conditional expression editor of the advanced security settings, they are specified with the Equals operator; otherwise it is sufficient to specify a single value. An example is the predefined Projects resource property, which lets you choose the projects your users are working on;
- Multi-Valued Text. Resource property objects of this logical value type may include several text entries. There are no predefined resource property objects of this type;
- Number. This logical value type only allows the creation of objects that contain a single number. It is a rather primitive value type and therefore not much in demand; by default no resource property objects use it;
- Ordered List. Resource properties based on this logical value type offer a single choice from the suggested values, and that choice can be compared with other resource properties of the same type. An example is the predefined Confidentiality resource property object, which is responsible for the confidentiality level of a resource and for its subsequent interaction with security principals;
- Single-Valued Choice. The next logical value type on which resource property objects can be based; it also allows several suggested values to be defined, but only one of them can be chosen from the list. An example is the predefined Department resource property, which contains a list of the departments to which the target resource may belong;
- Text. A logical value type that gives the resource property object a single text entry. It is much simpler than the previous type, and so, as with the Number type, it is used very rarely; there is no predefined resource property of this type;
- Yes/No. Last but not least, this logical value type allows resource property objects whose values are boolean true or false. An example is the predefined Personal Use resource property, which indicates whether the target object is a work document or a personal one (a positive answer means personal use).
Since in our first example we will indicate the single region whose users may use the resource, select the Single-Valued Choice value type;
- Description. A text field for a comment on the resource property being created. Since it is far from always possible to tell at a glance what a given resource property object is for, I strongly recommend not ignoring this field. Don't be too brief with the comment either; the field accepts up to 1024 characters. In our case we enter: "Region in which the owners of this object are located";
- Set ID to a semantically identical resource property in a trusted forest, to simplify the use of claims across forests joined by trust relationships (Set ID to a semantically identical forest). As with claim types, this checkbox controls how the Active Directory Administrative Center creates the identifier of your resource property object. If you do not set the flag, the identifier is generated automatically. Unlike claim type identifiers, however, this identifier looks a little different: there is no ad:// prefix; instead the first part of the identifier is the relative name of the resource property you create, followed by an underscore and then a random hexadecimal suffix which, as with claim type identifiers, resembles a GUID. This option also differs from its claim type counterpart in that the first part of the identifier, as well as the suffix, may contain up to 15 characters. Otherwise the mechanism is the same. In this example the option is left disabled;
- Used for authorization (Is a secure Resource Policy). This option deserves a little more detail. I mentioned above that Windows uses resource properties both for file classification and for authorization, and to be used for authorization they must be configured accordingly. By default, every resource property object you create is configured for authorization. On the resource property object itself this is governed by the msDS-IsUsedAsResourceSecurityAttribute attribute, whose value is true or false, and this checkbox decides that value. For the resource property you create to be usable in conditional expressions that determine access to files and folders, the checkbox must be set. In our case we leave it selected;
- Protect from accidental deletion. A checkbox you also met when creating claim types; it protects the resource property object from unintentional deletion. Although by default only administrators can create, modify and delete these objects, this option should not be neglected, just in case.
The current dialog box page with all configured values is shown below:

Fig. 2. The General page of the new resource property dialog
- As mentioned above, when you create a resource property object with certain value types specifically for use in conditional expressions, you will need to specify suggested values for it. As with the claim types discussed in the previous article, these suggested values are configured on the Suggested Values page of the new resource property dialog box. To add a value, click the "Add" button. The dialog box for adding a suggested value is very similar to the one discussed in the previous article: in the "Value" text field you define the value that the corresponding field of the conditional expression is compared against, the Display Name field holds the name shown when the value is selected, and in the Description field you can add a comment for the value. For example, you can add a new region, Los Angeles, as shown in the following illustration:

Fig. 3. Adding a suggested value to a resource property
- After I added 5 more values (San Antonio, New York, Miami and Phoenix), click "OK" to save the new resource property. The resource property is created.
Creating a resource reference property
The process of creating a resource reference property differs somewhat from creating an ordinary resource property object. First of all, such objects are named after the claim types you created earlier, and they can have only one of two value types. Why? Because a resource reference property depends directly on the claim type you select in the corresponding control, and the value type of a claim type is usually an ordinary string (as seen in the following illustration); as a result, Single-Valued Choice, which, as mentioned earlier, means a single choice, is set as the value type of such an object. As an alternative you can still select Multi-Valued Choice.
Now about the claim types I mentioned several times in the previous paragraph. You select an existing claim type as the source of the suggested values with the "Choose a claim to share suggested values" control. It lists the claim types that were configured with suggested values. After you select a claim type, its distinguished name is written to the msDS-ClaimSharesPossibleValuesWith attribute of the resource reference property object. Since this attribute is a link, the claim type's back-link attribute msDS-ClaimSharesPossibleValuesWithBL is updated with the distinguished name of the resource reference property object that references it.
All the other options, that is, "Description", "Set ID to a semantically identical resource property in a trusted forest" (the option that simplifies the use of claims across forests joined by trust relationships), "Used for authorization" and "Protect from accidental deletion", were described in the previous section of this article; they are no different from the same parameters of an ordinary resource property object.
Fig. 4. Creating a resource reference property
In addition, you will immediately notice that all the predefined resource properties are disabled. Each such object has two states: disabled and enabled. Naturally, only objects that have been enabled beforehand are processed, and objects with the "Disabled" status are never shown in the advanced security settings dialog box. To enable them, select "Enable" either from the context menu or in the "Tasks" pane.
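The same two operations, creating a reference property that shares values with a claim type and enabling a predefined property, can be scripted. The block below is an added example, not code from the article; it assumes the ActiveDirectory module, that a claim type with the display name passed in $ClaimTypeName already exists and carries suggested values, and that the -SharesValuesWith, -ProtectedFromAccidentalDeletion and -Enabled parameters behave as documented for the ADResourceProperty cmdlets. The names in the usage lines ("Department (ref)", "Department") are hypothetical; Confidentiality is one of the predefined properties mentioned above.

```powershell
# Added example: create a resource reference property and enable a predefined
# (initially disabled) resource property from PowerShell.
Import-Module ActiveDirectory

function New-DacReferenceResourceProperty {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $ClaimTypeName,
        [string] $Description = '<describe what this property classifies>',
        # Reference properties accept only the two "choice" value types.
        [ValidateSet('MS-DS-SinglevaluedChoice', 'MS-DS-MultivaluedChoice')]
        [string] $ValueType = 'MS-DS-SinglevaluedChoice'
    )

    # Look the claim type up by display name; fail loudly rather than silently
    # creating a property that references nothing.
    $claim = Get-ADClaimType -Filter "DisplayName -eq '$ClaimTypeName'"
    if (-not $claim) { throw "Claim type '$ClaimTypeName' not found." }
    if (-not $claim.SuggestedValues) {
        throw "Claim type '$ClaimTypeName' has no suggested values to share."
    }

    # -SharesValuesWith stores the claim type's DN in
    # msDS-ClaimSharesPossibleValuesWith; no -SuggestedValues are passed
    # because a reference property takes its values from the claim type.
    New-ADResourceProperty -DisplayName $DisplayName `
                           -Description $Description `
                           -IsSecured $true `
                           -ResourcePropertyValueType $ValueType `
                           -SharesValuesWith $claim `
                           -ProtectedFromAccidentalDeletion $true `
                           -PassThru
}

function Enable-DacResourceProperty {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $rp = Get-ADResourceProperty -Filter "DisplayName -eq '$DisplayName'"
    if (-not $rp) { throw "Resource property '$DisplayName' not found." }
    # Disabled properties never appear in the advanced security settings
    # editor, so enabling is a prerequisite for using them in conditions.
    Set-ADResourceProperty -Identity $rp -Enabled $true
    Get-ADResourceProperty -Identity $rp
}

# Usage (hypothetical names):
# New-DacReferenceResourceProperty -DisplayName 'Department (ref)' -ClaimTypeName 'Department'
# Enable-DacResourceProperty -DisplayName 'Confidentiality'
```

Checking that the claim type has suggested values before creating the reference is deliberate: a reference property whose source has no values offers nothing to pick in the condition editor, and the problem only surfaces later, when someone tries to write a rule.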
Managing resource property objects with Windows PowerShell
As with claim types, and indeed with practically any Windows Server 2012 functionality, you can manage resource property objects not only with the Active Directory Administrative Center but also with the rich features of Windows PowerShell, writing scripts and automating your actions. Resource properties are managed with the ADResourceProperty cmdlets: New-ADResourceProperty creates them, Set-ADResourceProperty modifies existing objects, and Remove-ADResourceProperty deletes them.
So let's try to create a resource property object called Depart, listing various positions (in this example Marketing, Accountancy and Financiers) that should be offered when a conditional expression is edited. Use the following cmdlet:
# The description and the three (value, display name, description) triples of the
# suggested values were lost in extraction; the values are the three positions named
# in the text, and the description is a placeholder to fill in.
New-ADResourceProperty -Description:"<description of the Depart property>" `
    -DisplayName:"Depart" `
    -IsSecured:$true `
    -PassThru:$null `
    -ResourcePropertyValueType:"CN=MS-DS-SinglevaluedChoice,CN=Value Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=biopharmaceutic,DC=local" `
    -Server:"DC.biopharmaceutic.local" `
    -SuggestedValues:@(
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Marketing", "Marketing", "")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Accountancy", "Accountancy", "")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Financiers", "Financiers", ""))
    )
The structure of this cmdlet is very similar to that of the New-ADClaimType cmdlet: here too you find the Description and DisplayName parameters, responsible for the description and display name. However, pay attention to the following parameters:
- First, the -IsSecured parameter, which determines whether the resource property object being created is used for authorization. The value $true allows the object to be used for authorization, while $false creates an object solely for classification;
- The -ResourcePropertyValueType parameter, with which you specify the value type of the object being created. Its value must be the distinguished name of an msDS-ValueType object. These are the logical data types discussed earlier in this article; for the whole forest they are located in the configuration partition of Active Directory, more precisely under CN=Value Types,CN=Claims Configuration,CN=Services. In my case that is CN=MS-DS-SinglevaluedChoice,CN=Value Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=biopharmaceutic,DC=local. By default you can choose one of the following value types: MS-DS-DateTime, MS-DS-MultivaluedChoice, MS-DS-SinglevaluedChoice, MS-DS-MultivaluedText, MS-DS-Number, MS-DS-OrderedList, MS-DS-Text and MS-DS-YesNo. Their user interface names are obvious, and their purpose was covered several sections above, so there is no point repeating it;
- And the -SuggestedValues parameter. As with claim types, it is responsible for the suggested values, and even the syntax is identical.
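Because the value type is passed as a distinguished name rooted in the forest's configuration partition, a script copied between forests breaks unless the DN is resolved at run time. The following block is an added example, not the article's own command: it enumerates the msDS-ValueType objects under the container named above, resolves the one it needs, and then creates the Region property from the earlier walkthrough with its suggested values, skipping creation if the property already exists. It assumes the ActiveDirectory module and that the value-type objects are of class msDS-ValueType under CN=Value Types,CN=Claims Configuration,CN=Services in the configuration naming context.

```powershell
# Added example: resolve a value type by name and create a single-valued choice
# resource property idempotently.
Import-Module ActiveDirectory

function Get-DacValueType {
    # Returns the available value-type objects (MS-DS-DateTime, MS-DS-Number,
    # MS-DS-SinglevaluedChoice, ...) with their distinguished names.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Value Types,CN=Claims Configuration,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msDS-ValueType)' |
        Select-Object Name, DistinguishedName
}

function New-DacChoiceResourceProperty {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $Values,
        [string] $Description = '<describe what this property classifies>',
        # $true: usable in access conditions; $false: classification only.
        [bool] $UsedForAuthorization = $true
    )

    $existing = Get-ADResourceProperty -Filter "DisplayName -eq '$DisplayName'"
    if ($existing) {
        Write-Warning "Resource property '$DisplayName' already exists; not recreating."
        return $existing
    }

    # Resolve the value type by name instead of pasting a domain-specific DN.
    $vt = Get-DacValueType | Where-Object Name -eq 'MS-DS-SinglevaluedChoice'
    if (-not $vt) { throw 'MS-DS-SinglevaluedChoice value type not found.' }

    # Each suggested value is (value, display name, description); the value is
    # what conditional expressions compare against.
    $suggested = foreach ($v in $Values) {
        New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($v, $v, "${DisplayName}: $v")
    }

    New-ADResourceProperty -DisplayName $DisplayName `
                           -Description $Description `
                           -IsSecured $UsedForAuthorization `
                           -ResourcePropertyValueType $vt.DistinguishedName `
                           -SuggestedValues $suggested `
                           -ProtectedFromAccidentalDeletion $true `
                           -PassThru
}

# Usage: the region list from the walkthrough above.
New-DacChoiceResourceProperty -DisplayName 'Region' `
    -Values 'Los Angeles', 'San Antonio', 'New York', 'Miami', 'Phoenix' `
    -Description 'Region in which the owners of this object are located'
```

Running Get-DacValueType on its own is a quick way to confirm the eight value types listed above exist in your forest before you rely on one of them in a script.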
The process of creating this object is depicted in the following illustration:
Fig. 5. Creating a resource property using Windows PowerShell
Conclusion
This article is coming to an end. Today we examined resource properties: you learned what objects of this kind are, what they are for and what types of resource properties exist. Besides the theory, you also learned how to create and manage such objects both through the user interface, namely the Active Directory Administrative Center console, and with the rich functionality of Windows PowerShell.
In the next, fourth article of this series I will continue introducing the capabilities of Dynamic Access Control; more precisely, we will discuss resource property lists and file classification. Colleagues, which resource properties have you created in your environment to implement DAC?