Evaluate This – Dynamic Access Control

Managing users access to the right files is a pain on any OS, the best that’s going ot happen is that no one will complain about not having access to a file while none of your sensitive company data gets into the wrong hands.  In a traditional hierarchical business life was pretty easy you had a group called finance, a folder with their finance documents in you set up permissions form one to the other and you were done.  However in a virtual taming, outsourcing home working organisation all sort of rules are needed to keep third parties at arms length from confidential data  and allow users to have different roles on different teams.  Also very few of us are good at filing, for example how many of properly tag our holiday photos so that we can track down our friends in all the photos we have?

Windows Server 2012 has several components in it to make this work, but key to this is Dynamic Access Control (DAC)  which itself plugs into Active Directory (AD) , Group Policy and File Server Resource Manager (FSRM). The Dynamic in DAC refers to the fact that whenever a user tries to access a file their claim to do so is evaluate at the time of access.  There are several parts to DAC to make this work  and in my screencast you can see this in action..


However there’s a lot going on here and so I also wanted to describe the moving parts of DAC in more detail.

Claim Types these are the things we know about our users and the devices they are using based on querying what’s in AD for example here I have defined the Country a user in it..


Resource Properties are the things I know about what the user is trying to access such as a file, for example I could setup a tag of Country and tag each file with one or more Countries..


Resource Property Lists are optional groups of Resource Properties that you want to keep together for a purpose, so a subset of the Global Resource Property List that is there by default in DAC. Here’s the Global Property List..



Central Access Rules allow you to define how to evaluate a claim against a Resource Property and assign permissions of the back of this.  At the top of this dialog you are asked about which resources (Target Resources)  the rule will apply to in my demo I have set this up so that my rules are only applied to objects that have the resource properties I am interested in already set..



Further down the dialog under Current Permissions I can then set the rule that I want to enforce. Here I have said the device the user on must be running Windows 8 Enterprise to get full permissions to the resource.  For this to work AD must know the computer I am on and in Windows Server 2012 AD this property is actually only set if I am on a Windows 8 or a Windows Server 2012 machine .  So I can’t get in from on an older windows machine or if my machine is not domain joined.

I also have a rule (User-Country-Department) which says that the user’s country and department must match the country and department of the resource being accessed. This is great I don't have to create groups for each user or folders to categorise departments and fiddle with ACLs this one rule makes that work and provided the users data in AD is kept up to date and files are tagged correctly that’s all I have to do.

Central Access Policies. Several Rules can then be combined into a single policy. In my case I have a Central Access Policy I have called Default and this references my two rules..



This is now a policy object that can be applied like any group policy.  So If I look at group policy you can see a policy called DA-FileServer-Policy that is filtered to only apply to Server1 ...



If I edit that and expand Computer Configuration  –> Windows Settings –> Security Settings –> File System –> Central Access Policy you can see where I have referenced my Default policy..


Things to note:

DAC requires the AD functional level to be at Windows Server 2012.

This can work in concert with traditional ACLs but remember that the principal of least privilege applies so if there’s and explicit deny somewhere in DAC or in an ACL that is what will win.  You’ll want to test your scenarios and there’s two tools here to help:

  • You can set proposed permissions in a Central Access Rule as well as actually set permissions.
  • For a particular folder or file you can go into properties –> security tabs –> advance security to evaluate security. You can see what policy is applied and what is granting or blocking users’ access to objects.  You can also see there’s a classification tab from which you can see and set (depending on permissions Smile) the resource properties for that file/folder.


I will cover off how to automatically classify files rather then rely on manual tagging them in my next post.  In the meantime if you want to try this you’ll need a copy of Windows Server 2012 evaluation edition and use it to make a domain controller.