Posts

Microsoft Dynamic Access Control is a new way to deploy access rules to your file shares. For many moons now, System Administrators have had a tedious task of managing tens, hundreds, or thousands of security groups to control how files are accessed. Groups of users have always needed to maintain different sets of security rules to prevent people from accessing confidential files. Human Resources obviously doesn’t want people outside their department to have access to personnel files, separate office locations may not want to share data with other offices in the same domain, and countries or cities might have different restrictions about sharing files with each other. ...

In part 1 of the series we covered some generalities about Microsoft Dynamic Access Control and a few steps needed to prepare the domain and file servers. Now let’s look at creating claims. A claim is a user, device or resource property. A user in Active Directory will have properties such as Location, Department, manager, etc. Each of these properties is a claim but for any actions to be utilized by Direct Access, they have to be defined. ...

So far we’ve covered: Initial Setup of Dynamic Access Control Claims In this post we’ll look at Resource Properties. Resource Properties A resource property is a claim that describes the characteristics of an object in the file system. A claim is a descriptor of a user or a device whereas a resource property is a characteristic of a file or folder. As an example, we have a folder with HIPPA related information in it. A description can be added to this folder to indicate that it has Protected Health Information (PHI) contained in that folder. This PHI description is a resource property. ...

We’ve discussed Initial configuration steps, Claims, and Resource Properties and we’re starting to see the power of Microsoft’s Dynamic Access Control, but we need a better way to manage these and that’s why we’ve come to “Rules and Policies”. A Central Access Rule can be used to take claims such as users in a department and match them up with permissions on a filefolder with specific resource properties. This is where the real power comes into play because now we don’t have to go through and map these for each individual file. We’re setting a general policy for the entire organization all at once. ...

In the first four parts of the Dynamic Access Control Series we covered Initial Configurations, Claims, Resource Properties and Rules Policies. These are working great in our environment but we still have to go through and manage the classification tags. Wouldn’t it be easier to have some files automatically tagged with a certain resource classification? Enter File Server Resource Manager to the rescue! Classification Rules From within File Server Resource Manager (FSRM) go to Classification Rules and choose to “Create Classification Rule…” ...

There are two terms used in IT that are often used in conjunction when learning about how technologies are built. These two terms are “Control Plane” and “Data Plane”. A quick and dirty definition of these two terms would be: Control Plane - The decision making part of any system. Usually considered the brains of the system. Data Plane - The part of a system that carries out an operation. This would be the routine tasks needed to make the system work. Just as a sidebar, if you are looking for me to site my source on those definitions you’re out of luck. These are my basic definitions that I’ve made up for purposes of this post. If for some reason these definitions become common place, then I want some royalties. :) ...

VMware vCloud Networking and Security (vCNS) can provide Network Address Translation (NAT) services from the vCNS Edge appliance. There are two types of NAT that the edge appliance can provide. Destination NAT (DNAT) is used to provide access to a private IP Address from a (usually) public IP Address for incoming traffic. Source NAT (SNAT) is used to translate a private IP Address into a (usually) public IP Address for outgoing traffic. This type of NAT can also be called “masquerading”. (It’s a subtle difference that we won’t go into in this post.) ...

If you have an MCITP or similar certification from Microsoft on Server 2008 and want to keep your certifications up to date, chances are you will need to take the 70-417 exam. I recently sat this test and wanted to share some of my experiences with you. My certification background in Information Systems started with my journey to become an MCSE 2003 so Microsoft is kind of my first love when it comes to certs. I deal a little bit less with the day to day configuration and maintenance of Windows, but Windows Server will always have a certain place in my heart and I try to keep up to date with my credentials. ...

One of the most basic tasks that happens on a network is assigning IP Addresses. Once a VMware vCNS Edge appliance has been deployed, you can now hand out IP address through Dynamic Host Control Protocol (DHCP). In previous posts, I’ve walked through installing vCNS Manager and installing vCNS Edge appliances. These are prerequisites to setting up DHCP on the VMware vCloud Network and Security appliance. vCNS Edge DHCP Setup Log into your vShield Manager and click on the Datacenter. Click the “Network Virtualization” Tab where you’ll find the Edge appliance you’ve already deployed. Go to Actions and click “Manage”. ...

vCloud Networking and Security has the capabilities to provide edge services inside of your virtual environment. Edge firewalls, network address translation, DHCP, routing are all things that vCNS Edge can do for you. This post goes into the steps necessary to deploy vCNS Edge. I should mention that vCNS and the previous name vShield may be used interchangeably in this article. Logical Diagram The picture below is a diagram of what our environment will look like when we’re done. We have production VMs as you might expect, and our new vCNS Edge VM. We’ve also got our new Edge network and a Shielded VM which will not be connected to the production vSwitch directly. ...