William Stanek - Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant

8.When you are editing permissions, only basic permissions are listed by default. Tap or click Show Advanced Permissions to display the special permissions, as shown in Figure 4–3.

FIGURE 4–3Configure the special permissions that should be allowed or denied.

9.Use the Type list to specify whether you are configuring allowed or denied special permissions, and then select the special permissions you want to allow or deny. If any permissions are dimmed (unavailable), they are inherited from a parent folder.

NOTE You allow and deny special permissions separately. Therefore, if you want to both allow and deny special permissions, you need to configure the allowed permissions, and then repeat this procedure starting with step 1 to configure the denied permissions.

10.If the options in the Applies To list are available, choose the appropriate option to ensure that the permissions are properly inherited. The options include the following:

■ This Folder OnlyThe permissions apply only to the currently selected folder.

■ This Folder, Subfolders And FilesThe permissions apply to this folder, any subfolders of this folder, and any files in any of these folders.

■ This Folder And SubfoldersThe permissions apply to this folder and any subfolders of this folder. They do not apply to any files in any of these folders.

■ This Folder And FilesThe permissions apply to this folder and any files in this folder. They do not apply to any subfolders of this folder.

■ Subfolders And Files OnlyThe permissions apply to any subfolders of this folder and any files in any of these folders. They do not apply to this folder itself.

■ Subfolders OnlyThe permissions apply to any subfolders of this folder but not to the folder itself or any files in any of these folders.

■ Files OnlyThe permissions apply to any files in this folder and any files in subfolders of this folder. They do not apply to this folder itself or to subfolders.

11.When you have finished configuring permissions, tap or click OK.

Because shared folders also have NTFS permissions, you might want to set special NTFS permissions by using Server Manager. To do this, follow these steps:

1.In Server Manager, select File And Storage Services, select the server with which you want to work, and then select Shares. Next, press and hold or right-click the folder with which you want to work, and then tap or click Properties to display a Properties dialog box.

2.When you tap or click Permissions in the left pane, the current share permissions and NTFS permissions are shown in the main pane.

3.Tap or click Customize Permissions to open the Advanced Security Settings dialog box with the Permissions tab selected.

Users or groups that already have access to the file or folder are listed under Permission Entries. Use the options provided to view, edit, add, or remove permissions for users and groups. When you are editing or adding permissions in the Permission Entry dialog box, follow steps 8-11 of the previous procedure to display and work with special permissions.

Claims-based access controls use compound identities that incorporate not only the groups of which a user and the user’s computer is a member, but also claim types, which are assertions about objects based on Active Directory attributes, and resource properties, which classify objects and describe their attributes. When resources are remotely accessed, claims-based access controls and central access policies rely on Kerberos with Armoring for authentication of computer device claims. Kerberos with Armoring improves domain security by allowing domain-joined clients and domain controllers to communicate over secure, encrypted channels.

You use claims-based permissions to fine-tune access by defining conditions that limit access as part of a resource’s advanced security permissions. Typically, these conditions add device claims or user claims to the access controls. User claims identify users; device claims identify devices. For example, you could define claim types based on business category and country code. The Active Directory attributes are businessCategory and countryCode, respectively. By using these claim types, you could then fine-tune access to ensure that only users, devices, or both that belong to specific business categories and have certain country codes are granted access to a resource. You could also define a resource property called Project to help finetune access even more.

MORE INFO With central access policies, you define central access rules in Active Directory and those rules are applied dynamically throughout the enterprise. Central access rules use conditional expressions that require you to determine the resource properties, claim types, and/or security groups required for the policy, in addition to the servers to which the policy should be applied.

Before you can define and apply claim conditions to a computer’s files and folders, a claims-based policy must be enabled. For computers that are not joined to the domain, you can do this by enabling and configuring the KDC Support For Claims, Compound Authentication And Kerberos Armoring policy in the Administrative Templates policies for Computer Configuration under System\KDC. The policy must be configured to use one of the following modes:

■ SupportedDomain controllers support claims, compound identities, and Kerberos armoring. Client computers that don’t support Kerberos with Armoring can be authenticated.

■ Always Provide ClaimsThis mode is the same as the Supported mode, but domain controllers always return claims for accounts.

■ Fail Unarmored Authentication RequestsKerberos with Armoring is mandatory. Client computers that don’t support Kerberos with Armoring cannot be authenticated.

The Kerberos Client Support For Claims, Compound Authentication And Kerberos Armoring policy controls whether the Kerberos client running on Windows 8.1 and Windows Server 2012 R2 requests claims and compound authentication. The policy must be enabled for compatible Kerberos clients to request claims and compound authentication for Dynamic Access Control and Kerberos armoring. You’ll find this policy in the Administrative Templates policies for Computer Configuration under System\Kerberos.

For application throughout a domain, a claims-based policy should be enabled for all domain controllers in a domain to ensure consistent application. Because of this, you typically enable and configure this policy through the Default Domain Controllers Group Policy Object (GPO), or the highest GPO linked to the domain controllers organizational unit (OU).

After you’ve enabled and configured the claims-based policy, you can define claim conditions by completing these steps:

1.In File Explorer, press and hold or right-click the file or folder with which you want to work, and then tap or click Properties. In the Properties dialog box, select the Security tab, and then tap or click Advanced to display the Advanced Security Settings dialog box.

If the user or group already has permissions set for the file or folder, you can edit their existing permissions. Here, tap or click the user with which you want to work, tap or click Edit, and then skip steps 3–6.