In the following thought experiment, apply what you’ve learned about this objective to predict what steps you need to take. You can find answers to these questions in the “Answers” section at the end of this chapter.
You are a network administrator for Tailspin Toys. Tailspin Toys designs revolutionary remote control aircraft. Recently Tailspin Toys suffered a security breach and details of their new secret remote control aircraft were leaked to a rival company. This was traced to incorrectly applied NTFS permissions. With this in mind, you want to use Dynamic Access Control to manage access to sensitive files and folders. Specifically you want to accomplish the following:
■ Ensure that users have access only to projects that they are associated with.
■ Have the projects that users are associated with represented as a user account property in Active Directory rather than security group membership.
■ Have files classified automatically based on the projects they are associated with when project keywords are contained within the file text.
■ Provide information to users on why they have been blocked from accessing specific files.
With the preceding information in mind, answer the following questions. You can find the answers to these questions in the “Answers” section at the end of the chapter.
1. How can you ensure that files are assigned a classification that associates them with a specific project based on keywords within the file?
2. After configuring Active Directory attributes to represent projects that users are associated with, what do you need to configure so that you can use this information in a rule?
3. What method do you use to deploy a central access policy to a file server?
4. How can you provide users with a way to automatically request access to files they are unable to open?
Objective summary
■ Dynamic Access Control is a new option for setting access permissions to file and folder objects in Windows Server 2012 and Windows Server 2012 R2. DAC works by assigning file classifications to target resources, configuring user and device claims, and then creating rules that describe conditions for access.
■ DAC relies on a modified form of Kerberos in which user tokens are expanded to include extra information called claims about the user and the device from which the user is connecting. To support this functionality, you need to enable Key Distribution Center (KDC) support for claims-based authentication in Group Policy at the Domain Controllers OU level. You also need to define the claims types that you will include in the Kerberos token for each user.
■ To assign file classifications, first enable chosen resource properties in Active Directory and then add the properties to a property list. Afterward, run the Update-FSRMClassificationPropertyDefinition cmdlet. Then configure classification values of desired file or folder objects on the Classification tab of the Properties dialog box. You can also use File Server Resource Manager (FSRM) to configure file classification rules that classify files automatically, for example, on the basis of an expression found in the contents of the file.
■ A central access rule includes one or more conditional expressions that match target resources and one or more conditional expressions that match users or devices and defines permissions to the target resources. One or more central access rules must be added to a central access policy before it can be deployed to file servers.
■ You use Group Policy to make central access policies available to file and folder objects. A central policy must be selected and enforced manually on a file or folder.
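The steps in the summary above, carried through end to end as an added PowerShell example that is not from the book. It assumes the ActiveDirectory and FileServerResourceManager modules are available, that the user's project is stored in the extensionAttribute1 attribute, that project files live under D:\Projects on the file server, and that the claim ID ad://ext/Project, the resource property ID Project_TT and the keyword "Project Hawk" are names chosen for this example.

```powershell
# Added example: one "Project" claim type drives both user claims and file
# classification, so access depends on an AD attribute, not group membership.
# Assumed names: extensionAttribute1, ad://ext/Project, Project_TT, D:\Projects.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager   # the FSRM steps run on the file server

# 1. User claim type sourced from an AD attribute, with one suggested value.
$hawk = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry(
    "Hawk", "Hawk", "Remote control aircraft project")
$claim = New-ADClaimType -DisplayName "Project" -ID "ad://ext/Project" `
    -SourceAttribute "extensionAttribute1" -SuggestedValues $hawk -Enabled $true -PassThru

# 2. Matching resource property that shares the claim's suggested values, added
#    to the Global Resource Property List so the file server can download it.
$rp = New-ADResourceProperty -DisplayName "Project" -ID "Project_TT" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SharesValuesWith $claim `
    -Enabled $true -PassThru
Add-ADResourcePropertyListMember "Global Resource Property List" -Members $rp

# 3. On the file server: refresh the property definitions, then add a content
#    classification rule that sets Project = Hawk wherever the keyword appears.
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name "Tag Hawk documents" -Namespace @("D:\Projects") `
    -Property "Project_TT" -PropertyValue "Hawk" `
    -ClassificationMechanism "Content Classifier" -ContentString "Project Hawk" `
    -ReevaluateProperty Overwrite
Start-FsrmClassification   # run the rules now rather than waiting for the schedule

# 4. Central access rule: Modify (0x1301bf) for Authenticated Users only when the
#    user's Project claim equals the file's Project_TT value; admins keep Full Control.
#    Claims are referenced by their full ID, resource properties by their ID.
$sddl = 'O:SYG:SYD:AR(A;;FA;;;BA)' +
        '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Project == @RESOURCE.Project_TT))'
New-ADCentralAccessRule -Name "Project files" `
    -ResourceCondition '(Exists @RESOURCE.Project_TT)' -CurrentAcl $sddl
New-ADCentralAccessPolicy -Name "Tailspin Projects Policy"
Add-ADCentralAccessPolicyMember "Tailspin Projects Policy" -Members "Project files"

# What remains is done in Group Policy and the folder UI: enable "KDC support for
# claims, compound authentication and Kerberos armoring" on the Domain Controllers
# OU, publish the policy under Computer Configuration > Policies > Windows Settings >
# Security Settings > File System > Central Access Policy, and then select it on the
# folder's Security > Advanced > Central Policy tab.
```

The rule applies only to files that actually carry a Project_TT value, so files the classification rule has not yet processed fall back to plain NTFS permissions.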
Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You are a network administrator for Adatum.com. The Adatum.com network consists of a single domain that spans branch offices in New York and London. Within the Adatum.com domain, the users and computers within the New York office are contained in an OU named US; the users and computers within the London office are contained in an OU named UK.
You want to be able to classify data as originating from either the New York office or the London office. You create a resource property named Country/Region and configure the suggested values “US” and “UK.” You want administrators in both the New York and London offices to see the Country/Region resource property appear on the Classification tab of files and folder properties.
What should you do next?
A. Run the Update-FSRMClassificationPropertyDefinition cmdlet.
B. Enable the Country/Region resource property.
C. Create a classification rule.
D. Add the Country/Region property to a resource property list.
2. Your organization’s network consists of a single Active Directory domain. All servers are running Windows Server 2012 R2 and all clients are running Windows 8.1.
You want to enable claims-based access authorization for users in your domain. Which of the following steps should you take to achieve this goal?
A. Enable the policy setting KDC Support For Claims, Compound Authentication And Kerberos Armoring in a GPO at the domain controllers OU level.
B. Enable the policy setting KDC Support For Claims, Compound Authentication And Kerberos Armoring in a GPO at the domain level.
C. Enable the policy setting Kerberos Support For Claims, Compound Authentication And Kerberos Armoring in a GPO at the domain controllers OU level.
D. Enable the policy setting Kerberos Support For Claims, Compound Authentication And Kerberos Armoring in a GPO at the domain level.
3. You are a network administrator for Proseware.com. The Proseware.com network consists of a single Active Directory domain. All servers in the network are running Windows Server 2012 R2 and all clients are running Windows 8.1.
On a file server named FileSrv1, your manager has created five new file shares named Finance, Marketing, Sales, Operations, and Legal. On each share, your manager has assigned Full Control to Authenticated Users for both the NTFS and share permissions. Your manager now asks you to configure permissions to the contents of each departmental file share so that Full Control access is restricted to members of the corresponding department and that no other users are allowed any access. Your manager also wants you to ensure that files within each departmental share can be traced to their origin even when they are moved from their original share location.
B. On each new shared folder, remove all currently configured share permissions and then grant Full Control share permissions to a security group that includes all the members of the corresponding department only.
C. On each department’s shared folder, configure a Department classification property value that corresponds to the name of the department.
D. On each department’s shared folder, apply a central access policy that assigns to members of the appropriate department Full Control permissions on files assigned with a matching Department value classification.
Objective 2.3: Configure and optimize storage
This objective relates to certain advanced features that allow you to optimize the use of storage in Windows Server 2012 and Windows Server 2012 R2. This involves the topics of iSCSI, Features on Demand, Data Deduplication, and storage tiering.
This objective covers how to:
■ Configure iSCSI Target and Initiator
■ Configure Internet Storage Name Service (ISNS)
■ Implement thin provisioning and trim
■ Manage server free space using Features on Demand
■ Configure tiered storage