Setting claims-based permissions
Setting claims-based permissions
Claims-based access controls use compound identities that incorporate not only the groups of which a user and the user’s computer is a member, but also claim types, which are assertions about objects based on Active Directory attributes, and resource properties, which classify objects and describe their attributes. When resources are remotely accessed, claims-based access controls and central access policies rely on Kerberos with Armoring for authentication of computer device claims. Kerberos with Armoring improves domain security by allowing domain-joined clients and domain controllers to communicate over secure, encrypted channels.
You use claims-based permissions to fine-tune access by defining conditions that limit access as part of a resource’s advanced security permissions. Typically, these conditions add device claims or user claims to the access controls. User claims identify users; device claims identify devices. For example, you could define claim types based on business category and country code. The Active Directory attributes are businessCategory and countryCode, respectively. By using these claim types, you could then fine-tune access to ensure that only users, devices, or both that belong to specific business categories and have certain country codes are granted access to a resource. You could also define a resource property called Project to help finetune access even more.
MORE INFO With central access policies, you define central access rules in Active Directory and those rules are applied dynamically throughout the enterprise. Central access rules use conditional expressions that require you to determine the resource properties, claim types, and/or security groups required for the policy, in addition to the servers to which the policy should be applied.
Before you can define and apply claim conditions to a computer’s files and folders, a claims-based policy must be enabled. For computers that are not joined to the domain, you can do this by enabling and configuring the KDC Support For Claims, Compound Authentication And Kerberos Armoring policy in the Administrative Templates policies for Computer Configuration under SystemKDC. The policy must be configured to use one of the following modes:
? Supported Domain controllers support claims, compound identities, and Kerberos armoring. Client computers that don’t support Kerberos with Armoring can be authenticated.
? Always Provide Claims This mode is the same as the Supported mode, but domain controllers always return claims for accounts.
? Fail Unarmored Authentication Requests Kerberos with Armoring is mandatory. Client computers that don’t support Kerberos with Armoring cannot be authenticated.
The Kerberos Client Support For Claims, Compound Authentication And Kerberos Armoring policy controls whether the Kerberos client running on Windows 8.1 and Windows Server 2012 R2 requests claims and compound authentication. The policy must be enabled for compatible Kerberos clients to request claims and compound authentication for Dynamic Access Control and Kerberos armoring. You’ll find this policy in the Administrative Templates policies for Computer Configuration under SystemKerberos.
For application throughout a domain, a claims-based policy should be enabled for all domain controllers in a domain to ensure consistent application. Because of this, you typically enable and configure this policy through the Default Domain Controllers Group Policy Object (GPO), or the highest GPO linked to the domain controllers organizational unit (OU).
After you’ve enabled and configured the claims-based policy, you can define claim conditions by completing these steps:
1. In File Explorer, press and hold or right-click the file or folder with which you want to work, and then tap or click Properties. In the Properties dialog box, select the Security tab, and then tap or click Advanced to display the Advanced Security Settings dialog box.
If the user or group already has permissions set for the file or folder, you can edit their existing permissions. Here, tap or click the user with which you want to work, tap or click Edit, and then skip steps 3–6.
2. Tap or click Add to display the Permission Entry dialog box. Tap or click Select A Principal to display the Select User, Computer, Service Account, Or Group dialog box.
3. Enter the name of a user or a group account. Be sure to reference the user account name rather than the user’s full name. Only one name can be entered at a time.
4. Tap or click Check Names. If a single match is found for each entry, the dialog box is automatically updated and the entry is underlined. Otherwise, you’ll get an additional dialog box. If no matches are found, you either entered the name incorrectly or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or tap or click Locations to select a new location. When multiple matches are found, in the Multiple Names Found dialog box, select the name you want to use and then tap or click OK.
5. Tap or click OK. The user and group are added as the Principal. Tap or click Add A Condition.
6. Use the options provided to define the condition or conditions that must be met to grant access. With users and groups, set basic claims based on group membership, previously defined claim types, or both. With resource properties, define conditions for property values.
7. When you have finished configuring conditions, tap or click OK.
Because shared folders also have NTFS permissions, you might want to set claims-based permissions by using Server Manager. To do this, follow these steps:
1. In Server Manager, select File and Storage Services, select the server with which you want to work, and then Select Shares.
2. Press and hold or right-click the folder with which you want to work, and then tap or click Properties to display a Properties dialog box.
3. When you tap or click Permissions in the left pane, the current share permissions and NTFS permissions are shown in the main pane.
4. Tap or click Customize Permissions to open the Advanced Security Settings dialog box with the Permissions tab selected.
Users or groups that already have access to the file or folder are listed under Permission Entries. Use the options provided to view, edit, add, or remove permissions for users and groups. When you are editing or adding permissions in the Permission Entry dialog box, you can add conditions just as I discussed in steps 6–8 of the previous procedure.