Notes on IT (mainly Microsoft)

Archive for the ‘security’ Category

Windows Server 2012: Planning for Active Directory Forest Recovery

This guide has now been updated to include using virtualized domain controller cloning in Windows Server 2012 to expedite forest recovery.

Written by adamsync

May 2, 2013 at 22:30

Best Practices for Securing Active Directory

Written by adamsync

May 2, 2013 at 22:24

Understand and Troubleshoot Dynamic Access Control in Windows Server 2012

I have updated my post on Dynamic Access Control in Windows Server 2012 learning resources to include a link to the recently released update of the outstandingly good Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide by Mike Stephens of Microsoft. The doc was part of the Understand and Troubleshoot guides for the Windows Server 2012 beta program, a very fine example of a technical guide.

Written by adamsync

March 1, 2013 at 21:47

New sign-in experience for Windows Azure AD services

Written by adamsync

February 7, 2013 at 23:12

Identity Management in the Age of Hybrid IT

Written by adamsync

February 1, 2013 at 00:28

Office 365 Single Sign-On with Shibboleth 2 whitepaper

“This document is intended for system architects and IT professionals who are interested in understanding the basics of the single sign-on feature of Windows Azure Active Directory/Office 365 with Shibboleth 2 along with planning and deploying such a system in their environment.” It includes an example of using AD LDS as the user account and attribute store.

Written by adamsync

November 4, 2012 at 23:08

Windows Server 2012 Dynamic Access Control

The single, best reference by far on the Dynamic Access Control feature is the Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide by Mike Stephens of Microsoft. The guide was updated February 2013 from the previous “beta” version.

The scenario guide for Windows Server 2012 Dynamic Access Control is on TechNet.

Three sessions at TechEd 2012 covered:

Windows Server 2012 Dynamic Access Control Overview

Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies

Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT

A Build 2012 conference session by Dave McPherson (who you may remember from such technologies as AzMan and “RBAC in the middle tier”) re-presented some of the deep dive content but with added insight into the internals of conditional expressions in Windows; the callback ACE types (ACCESS_ALLOWED_CALLBACK_ACE_TYPE and its siblings, which are how a conditional expression is carried inside an ACL) were entirely new to me. Dave also discussed scalability with respect to security group rationalization and token bloat. There is more material on Extending & customizing Dynamic Access Control on MSDN and there’s information on what partners and ISVs are doing with this technology here. Changes to maximum token size in Windows Server 2012 are discussed here.
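As an added worked example (not from the original post, nor from Microsoft's guides or the sessions linked above), here is the end-to-end shape of what the guides describe, expressed in PowerShell: a user claim, a resource property, a central access rule whose ACL carries a conditional (callback) ACE, the policy that groups the rule, the same conditional ACE applied directly to a folder in SDDL, and the token-size check that the token bloat discussion leads to. Run it from a Windows Server 2012 or later machine with the ActiveDirectory module. The claim and property name (Department), the value "Finance", the folder C:\Shares\Finance and the rule and policy names are illustrative assumptions.

```powershell
# Added example; names, values and paths below are assumptions for illustration.
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD 'department' attribute. Conditional
#    expressions reference it as @USER.Department. The KDC only puts claims in
#    tickets once claims support is enabled for the domain controllers via Group
#    Policy (Administrative Templates > System > KDC), so do that first.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department'

# 2. A resource property that file servers can stamp on folders/files and that
#    conditions reference as @RESOURCE.Department. -IsSecured is what makes it
#    usable in authorization conditions. It must also be in a resource property
#    list that file servers download (the default global list is used here).
$finance = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department')
$hr      = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HR', 'HR', 'Human Resources')
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $finance, $hr
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# 3. A central access rule. -ResourceCondition selects which resources the rule
#    targets; -CurrentAcl is an SDDL string whose last ACE is a conditional one:
#    XA = ACCESS_ALLOWED_CALLBACK_ACE_TYPE, 0x1200a9 = FILE_GENERIC_READ |
#    FILE_GENERIC_EXECUTE, AU = Authenticated Users, and the parenthesised
#    expression is the condition evaluated against the caller's claims.
New-ADCentralAccessRule -Name 'Finance Documents' `
    -ResourceCondition '(@RESOURCE.Department == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1200a9;;;AU;(@USER.Department == "Finance"))'

# 4. A central access policy that carries the rule. It reaches file servers
#    through Group Policy (Computer Configuration > Policies > Windows Settings >
#    Security Settings > File System > Central Access Policy) and is then
#    assigned to folders on the Central Policy tab of Advanced Security Settings.
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents'

# 5. The same conditional ACE applied directly to a folder's DACL, without a
#    central policy. Assumption: the .NET security descriptor classes round-trip
#    the conditional ACE via ConvertStringSecurityDescriptorToSecurityDescriptor;
#    verify by reading the SDDL back as shown.
function Set-ConditionalReadAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Condition   # e.g. '(@USER.Department == "Finance")'
    )
    $sddl = 'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(XA;OICI;0x1200a9;;;AU;' + $Condition + ')'
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
    Set-Acl -Path $Path -AclObject $acl
    # Read back: a conditional ACE shows up in the SDDL as an XA entry with the
    # expression after the trustee SID.
    (Get-Acl -Path $Path).Sddl
}
Set-ConditionalReadAce -Path 'C:\Shares\Finance' -Condition '(@USER.Department == "Finance")'

# 6. Checks that belong with any DAC rollout.
#    a) The caller's token must actually contain the claim; otherwise the
#       condition evaluates as not satisfied and the XA ACE grants nothing.
whoami /claims

#    b) Claims and compound identity grow the Kerberos ticket. Windows 8 and
#       Server 2012 raised the default MaxTokenSize from 12000 to 48000 bytes;
#       down-level hosts still on 12000 (or explicit lower values) are where
#       token bloat surfaces as logon and group-policy failures.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$mts = (Get-ItemProperty -Path $kerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $mts) {
    'MaxTokenSize not set explicitly (Windows 8 / Server 2012 and later default to 48000 bytes)'
} else {
    "MaxTokenSize = $mts bytes"
}
```

Two points worth keeping in mind when adapting this: the conditional ACE is evaluated entirely from claims already present in the access token, so a user whose ticket predates the claim configuration will be denied until they log on again (klist purge and a fresh logon are the usual fix when testing); and a rule's resource condition is only as good as the classification stamped on the data, which is why the guides pair Dynamic Access Control with the File Server Resource Manager classification features.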

If you want to see more demos or walkthroughs of the key components of Dynamic Access Control then check out these, largely at the Microsoft Virtual Academy.

For information on using Dynamic Access Control in multi-forest scenarios see here.

For information on support for DAC in Windows Server 2012 DFSR see here.

A webinar covering “Using Microsoft Dynamic Access Control for Electronic Export Compliance” (US ITAR and EAR) is here.

At a higher level of abstraction the functional specification and use cases for Dynamic Access Control are part of Microsoft’s Open Protocol Specifications, in particular see:

[MS-AZOD]: Authorization Protocols Overview

the PDF of which is most convenient for reading.