Term
| Dynamic Access Control (DAC) controls file access in a third way that depends on neither group membership nor file location. What is it? |
|
Definition
| By object attributes cited in access rules. |
|
|
Term
| Dynamic Access Control (DAC) relies on what elements? |
|
Definition
| File classifications, user and device attributes called "claims" and rules and policies built from these elements. |
|
|
Term
| When DAC is combined with NTFS and share permissions, which permission dominates? |
|
Definition
| The most restrictive permission always applies. |
|
|
Term
| User and device attributes are called what? File attributes are called what? |
|
Definition
| User and device attributes = claims; file attributes = classifications (or resource properties). |
|
|
Term
| What are 3 advantages of DAC? |
|
Definition
| Allows file access to be managed centrally, dramatically reduces the number of groups needed, and allows rules to be created based on attributes rather than access through ACLs. |
|
|
Term
| What operating systems are required for the use of Dynamic Access Control (DAC)? |
|
Definition
| Server 2012 file server, Server 2012 Domain Controller, Windows 7. Access-denied assistance requires Windows 8. |
|
|
Term
| To configure a DAC policy, what steps must be completed? |
|
Definition
| (1) Define the types of claims about users and devices to include in the Kerberos tokens. (2) Configure AD DS to use the expanded Kerberos tokens. |
|
|
Term
| How is Kerberos support enabled for claims-based access control? |
|
Definition
| Through a GPO applied to the Domain Controllers OU: Computer Configuration/Policies/Administrative Templates/System/KDC/KDC Support for Claims, Compound Authentication, and Kerberos Armoring |
|
|
Term
| In DAC, what does "file classification" mean? |
|
Definition
| The process of adding attributes to the properties of files and folders. These attributes enable you to construct access rules that apply to these resources. |
|
|
Term
| Configuring file classification requires 4 steps. What are the steps? |
|
Definition
| (1) Enable or create selected resource properties (use ADAC). (2) Add resource properties to a resource property list (use ADAC). (3) Update AD file and folder objects (use the PowerShell cmdlet "Update-FSRMClassificationPropertyDefinition"). (4) Classify files and folders, manually or automatically (in FSRM). |
|
|