Dynamic Access Control

Overview

Dynamic Access Control (DAC) is an Access Control Model that aims to make it easier to enhance authorization and authentication by applying better security, risk-management and auditing policies in Microsoft Active Directory.

DAC also helps control Token Bloat and some of the Microsoft Active Directory And Group Issues.

Key Appeal

The key appeal of Dynamic Access Control is that it extends Group Policy Object and access-control functions applied to file shares managed by Microsoft Active Directory. It does so by integrating claims-based authentication using Kerberos tokens. Rather than describing users only by the Security Groups they're assigned to, Dynamic Access Control also makes it possible to validate claims based on different Subject Attributes in Microsoft Active Directory, such as a user's department, location, role, title and security clearance, as well as on the Data Classification.

Not All Servers Need to Be Windows Server 2012

An organization doesn't need to upgrade all of its file servers to Windows Server 2012 in order to implement DAC. As long as there's one new file server running a Windows Server 2012 domain controller, the organization can implement DAC.

Dynamic Access Control also lets organizations apply more refined policies by which a user or device can access a file using claims-based authentication, says Patrick Gookin, product manager for AD products at NetIQ Corp. "The security system can have a rule that says: If the claim that someone is a VP is true, and the claim is that the department is finance, and the resource they're accessing it from is also within the finance department, then I'm going to give them access to this folder," Gookin explains. "Which is unbelievably more powerful than the group model, but it also has a lot of pieces and moving parts that need to be managed and understood."
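The rule Gookin describes can be modelled as a conditional expression over user, device and resource claims. The following is an added example, not code from the original page or from Microsoft: a small Python evaluator for a simplified subset of that expression style (`==`, `!=` and `&&` only). The claim names `Title` and `Department`, the sample values, and the choice to fail closed on a missing claim are assumptions of this model.

```python
import re

# Gookin's rule, written in the style of a Windows conditional expression.
# Claim names Title and Department are assumed for this example.
RULE = ('@USER.Title == "VP" && @USER.Department == "Finance" '
        '&& @DEVICE.Department == @RESOURCE.Department')
TOKEN = re.compile(r'\s*(?:@(USER|DEVICE|RESOURCE)\.(\w+)|"([^"]*)"|(==|!=|&&))')

def tokenize(expr):
    """Split into ('ref', scope, name), ('lit', text) and ('op', symbol)."""
    expr, pos, out = expr.rstrip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        scope, name, lit, op = m.groups()
        out.append(("ref", scope, name) if scope else ("op", op) if op else ("lit", lit))
        pos = m.end()
    return out

def resolve(tok, claims):
    """Value of an operand, or None when the referenced claim is absent."""
    if tok[0] == "lit":
        return tok[1]
    if tok[0] == "ref":
        return claims[tok[1]].get(tok[2])
    raise ValueError("operand expected")

def evaluate(expr, user, device, resource):
    """True only when every &&-joined comparison holds. A comparison that
    touches a missing claim fails, so the rule never grants on absent data."""
    claims = {"USER": user, "DEVICE": device, "RESOURCE": resource}
    clause = []
    for tok in tokenize(expr) + [("op", "&&")]:  # sentinel closes the last clause
        if tok != ("op", "&&"):
            clause.append(tok)
            continue
        if len(clause) != 3 or clause[1][0] != "op":
            raise ValueError("expected: operand ==|!= operand")
        left, right = resolve(clause[0], claims), resolve(clause[2], claims)
        if left is None or right is None or (left == right) != (clause[1][1] == "=="):
            return False
        clause = []
    return True

# Constructed sample identities and resource properties.
VP = {"Title": "VP", "Department": "Finance"}
FINANCE_PC, HR_PC = {"Department": "Finance"}, {"Department": "HR"}
FOLDER = {"Department": "Finance"}
```

Calling `evaluate(RULE, VP, HR_PC, FOLDER)` shows the part a group-only model cannot express: the same user is refused when the device claim does not match the folder's classification.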

New File Security Model

Dynamic Access Control also integrates Rights Management Services (RMS), where files defined as sensitive are automatically encrypted, ensuring information is protected when it's moved from the file server. A file may be deemed sensitive if it has a Social Security number. Microsoft and many of its third-party partners believe this new approach to file management in Windows Server 2012 is among the most important new features in the OS. As organizations begin deploying Windows Server 2012, Dynamic Access Control promises to also change the way IT secures and audits various document types that reside on file servers.
