Windows Server 2012 Immersion Experience Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control


Windows Server 2012 Immersion Experience: Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control

Windows Server 2012 Hands-on lab

Produced by HynesITe, Inc. Version 1.0, 12/19/2012

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet website references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright 2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Hyper-V, Internet Explorer, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Introduction

Estimated time to complete this lab: 60 minutes

Overview

In this experience, you will configure a secure remote experience for employees of Contoso, Inc. This experience begins by leveraging both RemoteApp and VDI to allow those users to work securely on remote applications from home computers. Next, you will grant those users access to corporate resources by enabling them to leverage DirectAccess. Finally, you will grant those users access to secure files via Dynamic Access Control by modifying properties of the user accounts.

Virtual machine technology

This lab is completed using virtual machines that run on Windows Server 2012 Hyper-V technology. To log on to the virtual machines, press CTRL+ALT+END and enter your logon credentials.

Technical Architecture

This experience uses eight servers and one workstation. Two of the servers are physical servers with dual network interfaces.

Computer     Role                              Configuration
DC           Domain controller, iSCSI SAN      Contains a virtual iSCSI SAN that provides storage for cluster nodes on a STORAGE network.
DAServer     DirectAccess server               Has the Remote Access tools preinstalled but not configured.
WLANRouter   NAT/router                        Contains DHCP and DNS for the home network.
Server1      File server                       A file server with file classification and RMS components installed.
RDS1         Remote Desktop Services server    A server on which you will install Remote Desktop Services.
Admin        Client workstation                Windows 8 with RSAT installed.
DAClient     Home computer                     An unmanaged computer running Windows 8 Enterprise.

Note regarding pre-release software

Portions of this lab include software that is not yet released, and as such may still contain active or known issues. While every effort has been made to ensure this lab functions as written, unknown or unanticipated results may be encountered as a result of using pre-release software.
Note regarding user account control

Some steps in this lab may be subject to User Account Control. User Account Control is a technology which provides additional security to computers by requesting that users confirm actions that require administrative rights. Tasks that generate a User Account Control confirmation are denoted using a shield icon. If you encounter a shield icon, confirm your action by selecting the appropriate button in the dialog box that is presented.

Lab created by HynesITe, Inc. For questions or comments, send an e-mail message to labs@holsystems.com

Experience 1: Enabling Remote Application Access

In this experience, you will enable a user to access a remote application via RemoteApp and Virtual Desktop Infrastructure (VDI). The VDI implementation will be session-based, using Remote Desktop Services. You will first enable RemoteApp and publish Microsoft Office 2013 applications. Next, you will configure the user with access to a full desktop located on the corporate network.

Install and configure Remote Desktop Services

In this step, you will use Server Manager to quickly establish session-based VDI and RemoteApp publishing.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. Click Add roles and features.
3. On the Before You Begin page, click Next.
4. On the Installation Type page, click Remote Desktop Services installation, and then click Next.
5. On the Deployment Type page, click Quick Start, and then click Next.
6. On the Deployment Scenario page, click Session-based desktop deployment, and then click Next.
7. On the Server Selection page, click RDS1.contoso.com, click Add (the right arrow button), and then click Next.
8. Check the Restart the destination server automatically if required check box, and then click Deploy.

NOTE: The installation and configuration will take approximately 4 minutes. Wait for this to complete before proceeding.

9. When the installation has completed, click Close.

Configure a publishing certificate

In this step, you will review the results of Quick Start and configure a publishing certificate. This will use a wildcard certificate which already exists and is stored on \\dc\sslcerts. The same certificate is bound to the RD Connection Broker (single sign-on and publishing) and RD Web Access roles, so that clients can validate the web site and the signed RemoteApp and desktop connection files without certificate warnings.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. In Server Manager, click Remote Desktop Services.

NOTE: Server Manager is optimized for a minimum screen size of 1366x768. If possible, adjust your desktop resolution to this value.

2. In Server Manager, review the installed roles and services for Remote Desktop Services.
3. Click Collections.
4. On the Tasks menu, click Edit Deployment Properties.
5. Click Certificates.
6. Click RD Connection Broker - Enable Single Sign-On.
7. Click Select existing certificate.
8. Click Browse.
9. In File name, type \\dc\sslcerts, and then press ENTER.
10. Click _.contoso.com, and then click Open.
11. In Password, type Passw0rd!
12. Check the Allow the certificate to be added check box, and then click OK.
13. Click Apply.
14. Repeat steps 6 through 13 for RD Connection Broker - Publishing and for RD Web Access. Apply must be clicked after each certificate before the next role can be configured.

Test RemoteApp publishing

In this step, you will test RemoteApp publishing to validate that it is functional.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Internet Explorer.
2. Navigate to https://rds1.contoso.com/rdweb.
3. Click Allow to run the RDS web add-on.
4. Check the This is a private computer check box.
5. Log on as Contoso\Administrator using the password Passw0rd!
6. Click WordPad, and then click Connect.
7. In the Connecting to RDS1.Contoso.com window, click OK.
8. Close WordPad.
9. Close Internet Explorer.

Enable session-based VDI

In this step, you will add session-based VDI to your Remote Desktop Services configuration. A session collection publishes either RemoteApp programs or a session desktop, and an RD Session Host server can belong to only one collection, so you will first remove the Quick Start RemoteApp collection. If you wish to publish both session desktops and RemoteApp programs, add a second RD Session Host server to the deployment.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Switch to Server Manager.
2. Click Collections.
3. In the contents pane, right-click QuickSessionCollection, and then click Remove Collection.
4. Click Yes.
5. On the Tasks menu, click Create Session Collection.
6. On the Before You Begin page, click Next.
7. On the Collection Name page, in Name, type Session Desktops, and then click Next.
8. Click RDS1.contoso.com, click Add, and then click Next.
9. On the User Groups page, click Next.

NOTE: The default user group for a new collection is Domain Users. In a production deployment, replace it with a group that contains only the users who should be able to reach this collection.

10. On the User Profile Disks page, in Location of user profile disks, type c:\userdisks, and then click Next.
11. Click Create.
12. When the process completes, click Close.

Test session-based VDI

In this step, you will test your session-based VDI configuration.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Internet Explorer.
2. Navigate to https://rds1.contoso.com/rdweb.
3. Click Allow to run the RDS web add-on.
4. Check the This is a private computer check box.
5. Log on as Contoso\Administrator using the password Passw0rd!
6. Click Session Desktops, and then click Connect.
7. On the RDP control toolbar, click Close, and then click OK.
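The certificate binding and collection steps of Experience 1 can also be done from the RemoteDesktop module, which is easier to repeat and review than the Deployment Properties dialog. The following script is an added example written for this guide; it is not part of the original lab. It assumes the Quick Start deployment has already completed on rds1.contoso.com, that the wildcard certificate is \\dc\sslcerts\_.contoso.com.pfx, and it uses two names that do not exist in the lab and stand in for production choices: a group Contoso\RDS-Users to scope the collection and a share \\rds1\userdisks for user profile disks.

```powershell
# Added example (not the lab's own script). Run on Admin as Contoso\Administrator
# after the Quick Start deployment has finished.
Import-Module RemoteDesktop

$broker  = 'rds1.contoso.com'
$pfxPath = '\\dc\sslcerts\_.contoso.com.pfx'
# Prompt for the PFX password instead of leaving it in the script.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# RDRedirector = "RD Connection Broker - Enable Single Sign-On",
# RDPublishing = "RD Connection Broker - Publishing", RDWebAccess = "RD Web Access".
# -Force suppresses the per-role confirmation the GUI shows.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
        -ConnectionBroker $broker -Force
}

# Verify: every role should now show Level Trusted and the same expiry date.
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, ExpiresOn

# Replace the Quick Start RemoteApp collection with the session desktop collection.
if (Get-RDSessionCollection -CollectionName 'QuickSessionCollection' `
        -ConnectionBroker $broker -ErrorAction SilentlyContinue) {
    Remove-RDSessionCollection -CollectionName 'QuickSessionCollection' `
        -ConnectionBroker $broker -Force
}
New-RDSessionCollection -CollectionName 'Session Desktops' -SessionHost $broker `
    -ConnectionBroker $broker

# Least privilege: the wizard's default user group is Domain Users. Scope the
# collection to a dedicated group instead (Contoso\RDS-Users is hypothetical).
Set-RDSessionCollectionConfiguration -CollectionName 'Session Desktops' `
    -ConnectionBroker $broker -UserGroup 'Contoso\RDS-Users'

# User profile disks live on a share the session host's computer account can
# write to (\\rds1\userdisks is hypothetical); separate call because the
# user-group and profile-disk settings are different parameter sets.
Set-RDSessionCollectionConfiguration -CollectionName 'Session Desktops' `
    -ConnectionBroker $broker -EnableUserProfileDisk `
    -DiskPath '\\rds1\userdisks' -MaxUserProfileDiskSizeGB 20
```

The two Set-RDSessionCollectionConfiguration calls cannot be merged: the cmdlet's user-group and profile-disk settings belong to different parameter sets, which is also why the GUI asks for them on separate wizard pages.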

Experience 2: Implementing DirectAccess for Remote Users

In this experience, you will implement DirectAccess to grant authorized remote users access to the internal network so they may gain access to applications published on Remote Desktop Services.

Implement a DirectAccess server

In this step, you will configure an existing DA server to accept client connections. This server already has the minimum components for Remote Access installed.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click Remote Access Management.
3. In Tasks, click Manage a Remote Server.
4. Type DAServer, and then click OK.
5. In the Remote Access Management console, click Run the Getting Started Wizard.
6. Click Deploy both DirectAccess and VPN (recommended).
7. On the Remote Access Server Setup page, verify that Edge is selected as the network topology.
8. On the same page, type 206.10.15.1 as the IPv4 address that will be used by remote access clients to connect, and then click Next.

NOTE: In addition to an IP address, you can also use a Fully Qualified Domain Name (FQDN), such as daserver.contoso.com. The name must be resolvable from the Internet, and it must match the subject of the IP-HTTPS certificate.

NOTE: By default, the Getting Started Wizard deploys the DirectAccess settings to all mobile computers in the domain by applying a WMI filter to the client settings GPO. This may not be appropriate for some environments; therefore you will perform the following steps to change the client security group setting for DirectAccess from Domain Computers to DA_Clients.

9. On the Configure Remote Access page, click the here link to edit the wizard settings.
10. In the Remote Access Review dialog box, next to Remote Clients, click Change.
11. In the Select Groups window, clear the Enable DirectAccess for mobile computers only check box.

NOTE: This setting allows the GPO to use a WMI filter to detect mobile clients and filter the application of the GPO only to them.

12. Click Domain Computers (Contoso\Domain Computers), and then click Remove.
13. Click Add, type DA_Clients, and then click OK.
14. Click Next.
15. In the DirectAccess Client Setup window, double-click the empty row next to the arrow with the asterisk.
16. In the Type drop-down list, click Ping, and then in the text box, type dc.contoso.com.
17. Click Validate. A green check mark will appear indicating a successful ping.
18. Click Add.

NOTE: In the DirectAccess Client Setup window, note the friendly name, Workplace Connection, of the DirectAccess connection that will be created on clients.

19. In the DirectAccess Client Setup window, click Finish.
20. On the Remote Access Review page, click OK, and then click Finish.

NOTE: As the wizard runs, you can click the More details arrow to reveal the actions being performed.

NOTE: The wizard will automatically provision self-signed certificates for IP-HTTPS and the network location server (NLS). You can configure DirectAccess to use certificates issued by a Public Key Infrastructure (PKI) Certificate Authority, and a production deployment should: clients decide that they are on the corporate network when they can reach the NLS over HTTPS, so the NLS should be a highly available internal web site with a trusted certificate rather than the DirectAccess server itself. The wizard will also automatically enable Kerberos proxy and enable NAT64 and DNS64 for protocol translation in the IPv4-only environment.

NOTE: The wizard automatically creates two Group Policy objects (GPOs) containing DirectAccess settings. One GPO is called DirectAccess Server Settings and is filtered to apply the settings only to the DirectAccess server computer account. The second GPO is called DirectAccess Client Settings and is filtered to apply settings to the DA_Clients global group previously created. Since the wizard detects that it is using Domain Admin credentials, it will also link both GPOs to the root of the domain. The GPOs can be created using Domain User credentials and later linked using Domain Admin credentials if necessary.

21. After the wizard successfully completes applying the configuration, click Close.
22. In the console tree of the Remote Access Management console, select Operations Status.
23. Wait until the status of all monitors displays the message Working.

NOTE: You may have to refresh the display to see the change in status. To do so, in the Tasks pane, under Monitoring, click Refresh periodically to update the display.

24. Leave the Remote Access Management console open for use in subsequent exercises.

Provision a computer account for DirectAccess

In this step, you will provision a new computer account for DirectAccess access. This will be used to perform an offline domain join on a new remote computer, allowing users to connect via DirectAccess to access company resources. This step involves several complex tasks which have been consolidated in a simple Windows PowerShell script.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open the Windows PowerShell ISE.
2. Open the script file c:\scripts\directaccess.ps1.
3. Highlight line 1, and then press F8 to run the line.
4. Click Yes to enable scripts.
5. Highlight all remaining lines (2 through 6), and then press F8 to provision the computer account.

Configure the client using offline domain join

To have a workgroup client join the domain, a system administrator can create a file that contains all the information required to join the domain. This file is used on the client to allow the client to configure itself to join the domain even though it is not in contact with a domain controller. In this step, you will use the previously created offline domain join file to join the client computer to the domain.

NOTE: The offline domain join file contains the new computer account's password (base64 encoded, not encrypted). Treat it as a credential: in this lab it is fetched over plain HTTP for convenience, but in production it should be delivered out of band or over an authenticated, encrypted channel, and deleted from the client once it has been consumed.

Begin this task logged on to DAClient as BenSmith using the password Passw0rd!

1. Open the Start screen.
2. Click Internet Explorer.

CAUTION: Ensure that you open the version of Internet Explorer from the Start screen of the Windows 8 client and not the version of Internet Explorer that you launch from the desktop. The instructions that immediately follow are specific to the Start screen version of Internet Explorer.

3. Navigate to http://daserver.contoso.com/client.txt.
4. In the Set up Internet Explorer dialog box, click No.
5. Click Save to download the file.
6. When the download is complete, click Close.
7. Navigate to the Start screen.
8. Type CMD.
9. On the Start screen, right-click CMD.

NOTE: A check mark will appear next to the icon.

10. On the app bar at the bottom of the screen, click Run as administrator.
11. In the User Account Control prompt, click Yes.
12. At the command prompt, type the following commands, pressing ENTER after each one.

   copy c:\users\bensmith\downloads\client.txt c:\windows
   cd ..
   djoin.exe /requestodj /loadfile client.txt /windowspath %systemroot% /localos

13. At the command prompt, type the following command, and then press ENTER to restart the client.

   shutdown /t 0 /r /f

14. Wait one minute for the client to reboot.

Access corporate resources using VDI over DirectAccess

In this step, you will use DirectAccess to securely access the corporate VDI implementation to gain access to internal applications from a remote location.

Begin this task logged on to DAClient as Contoso\BenSmith using the password Passw0rd!

1. Ensure you are logged on to DAClient as Contoso\BenSmith using the password Passw0rd!

IMPORTANT: The default logon will present the local user BenSmith. You must select Other User to log on as the domain user Contoso\BenSmith.

NOTE: Wait for the initial introduction to complete.

2. Navigate to the desktop.
3. Open Internet Explorer.
4. Navigate to https://rds1.contoso.com/rdweb.
5. Click No.
6. Click Ask me later.
7. If prompted, click Allow to run the RDS web add-on.
8. Check the This is a private computer check box.
9. Log on as Contoso\BenSmith using the password Passw0rd!
10. Click Session Desktops, and then click Connect.
11. On the RDP control toolbar, click Close, and then click OK.
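The client scoping, the computer account provisioning that the lab hides in c:\scripts\directaccess.ps1 (whose contents the guide does not reproduce), and the client-side offline join can all be expressed as explicit commands. The following is an added example written for this guide, not the lab's script. It assumes the DA_Clients group exists, that the wizard named the client GPO "DirectAccess Client Settings" (its default), and that you move the blob to the client yourself rather than publishing it on a web server. Dot-source the file, then run Invoke-DAProvision on Admin as Contoso\Administrator and Invoke-DAClientJoin in an elevated PowerShell on DAClient.

```powershell
# Added example (not the lab's directaccess.ps1). Two functions: one for the
# Admin workstation, one for the unmanaged client.

function Invoke-DAProvision {
    param(
        [string]$Computer  = 'DAClient',
        [string]$DAServer  = 'DAServer',
        [string]$Domain    = 'contoso.com',
        [string]$GroupName = 'DA_Clients',
        [string]$BlobPath  = "C:\scripts\$Computer.txt"
    )
    Import-Module RemoteAccess
    Import-Module ActiveDirectory

    # Scope the DirectAccess client GPO to DA_Clients only, not to every
    # mobile domain computer (the wizard's default, WMI-filtered scope).
    Set-DAClient -ComputerName $DAServer -SecurityGroupNameList "contoso\$GroupName" `
        -OnlyRemoteComputers Disabled
    Get-DAClient -ComputerName $DAServer |
        Select-Object SecurityGroupNameList, OnlyRemoteComputers

    # Pre-create the computer account and embed the DA client GPO and the
    # root CA chain, so the client has its policy before it can reach a DC.
    # /reuse allows the command to be re-run for an existing account.
    djoin.exe /provision /domain $Domain /machine $Computer `
        /policynames 'DirectAccess Client Settings' /rootcacerts `
        /savefile $BlobPath /reuse
    Add-ADGroupMember -Identity $GroupName -Members "$Computer$"

    # The blob carries the account password (base64, not encrypted): restrict
    # it to the provisioning user and hand it to the client out of band.
    icacls.exe $BlobPath /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
}

function Invoke-DAClientJoin {
    param([string]$BlobPath = "$env:SystemRoot\DAClient.txt")
    # Consume the blob, remove the secret from disk, reboot to complete the join.
    djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    Remove-Item $BlobPath -Force
    Restart-Computer -Force
}

# After the reboot, logged on to DAClient as Contoso\BenSmith on the home network:
#   Get-DAConnectionStatus                        # Status ConnectedRemotely = tunnel is up
#   Get-DAClientExperienceConfiguration | Select-Object FriendlyName   # "Workplace Connection"
```

Get-DAConnectionStatus and Get-DAClientExperienceConfiguration come from the DirectAccessClientComponents module on the Windows 8 client; they are the quickest way to confirm that the client received the DirectAccess Client Settings GPO from the blob and established the IP-HTTPS tunnel after the join.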

Experience 3: Securing Document Access with Dynamic Access Control and Rights Management

In this experience, you will implement Dynamic Access Control to ensure that remote users can only access documents to which they have permission, based on the attributes of the document and the attributes of their user account. Note that much of this implementation has been completed to save time. You will review the specifics of the implementation before working with documents and rules.

Review the Dynamic Access Control implementation

In this step, you will review the existing Dynamic Access Control implementation which allows rules to be created based on the country and department of users.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. In Server Manager, on the Tools menu, click Active Directory Administrative Center.
3. In Active Directory Administrative Center, switch to Tree View, and then expand Dynamic Access Control.
4. Click Central Access Rules.
5. Double-click User-Department-Country-Match-Resource-Department-Country.
6. Review the bottom entry in the Current Permissions area.

NOTE: This is an existing rule that matches the country and department of files with the country and department of user accounts to grant user access.

7. Click Cancel.
8. Click Central Access Policies.
9. Double-click File-Server-Policy.

NOTE: The existing rule is assigned to this policy, which is deployed to file servers via Group Policy.

10. Click Cancel.

Create a new personally identifiable information (PII) rule

In this step, you will create a new rule which grants access to files containing personally identifiable information (PII) only to approved users. This rule will be applied to a user group called PII_Approved.

NOTE: The steps below grant PII_Approved Full Control to keep the lab short. In production, grant only the rights the group needs (for example, Read) so that classification cannot be used to widen access beyond the file's ordinary permissions.

Begin this task logged on to Admin as Contoso\Administrator using the password Passw0rd!

1. In Active Directory Administrative Center, click Resource Properties.
2. Right-click Personally Identifiable Information (PII_MS), and then click Enable.
3. Click Central Access Rules.
4. In the Tasks pane, click New, and then click Central Access Rule.
5. In Name, type Contains-PII.
6. In Target Resources, click Edit.
7. Add the condition [Resource] [Personally Identifiable Information] [Exists], and then click OK.
8. In Permissions, click Use the following permissions as current permissions, and then click Edit.
9. Double-click the entry Owner Rights, and then click Add a condition.
10. Add the condition [Resource] [Personally Identifiable Information] [Any of] [Value] [Not PII, Public], and then click OK.
11. Click Add.
12. Click Select a principal.
13. Type PII_Approved, click OK, and then click Add a condition.
14. Add the condition [Resource] [Personally Identifiable Information] [Any of] [Value] [High, Low, Moderate].
15. Check the Full Control check box, and then click OK.
16. Click OK to close the permissions editor, and then click OK to save the rule.
17. Click Central Access Policies.
18. Double-click File-Server-Policy.
19. In Member Central Access Rules, click Add.
20. Click Contains-PII, click Add (>>), and then click OK.
21. Click OK to close File-Server-Policy.

Review manual file classification on Server1

In this step, you will review file classification on Server1 by examining the classification of a folder that has already been classified manually.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

NOTE: If available, you may log on directly to Server1, or you may use Remote Desktop to connect to Server1. Interactive logon is required, as the property pages in question are only available locally.

1. Open Windows PowerShell.
2. Type the following commands, pressing ENTER after each one. The first refreshes the central access policy delivered by Group Policy; the second pulls the global resource property definitions from Active Directory into File Server Resource Manager.

   gpupdate /force
   Update-FSRMClassificationPropertyDefinition

3. Open Windows Explorer.
4. Navigate to C:\Shares.
5. Right-click CorpData, and then click Properties.
6. Click the Classification tab.

NOTE: The folder has been previously classified manually as United States and Sales.

NOTE: Personally Identifiable Information classification has not been configured.

7. Close all open windows.

Implement automatic classification for files containing PII

In this step, you will configure an automatic classification rule which will search for files containing a US social security number and then classify them as HIGH PII.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click File Server Resource Manager.
3. Expand Classification Management, and then click Classification Properties.

NOTE: Country, Department, and Personally Identifiable Information are all deployed via Group Policy as part of the global properties stored in Active Directory.

4. Click Classification Rules.
5. In the Actions pane, click Create Classification Rule.
6. In General, in Rule name, type SSN Classifier.
7. In Scope, check the User Files check box, and then click Add.
8. In the Browse for Folder window, navigate to C:\Shares\CorpData, and then click OK.
9. In Classification, in Classification method, select Content Classifier.
10. In Property, in Choose a property to assign to files, select Personally Identifiable Information.
11. In Specify a value, select High.
12. Click Configure.
13. On the Parameters tab, in the first entry, in the Expression field, type the following regular expression, and then click OK.

   \d{3}-\d{2}-\d{4}

NOTE: This is a regular expression for the US SSN format. It is deliberately loose: it also matches other ddd-dd-dddd strings (parts of phone numbers, dates or product codes) and misses SSNs written without hyphens, so expect false positives as well as misses. In production, tighten it with word boundaries and exclude the area (000, 666, 900-999), group (00) and serial (0000) values that are never issued, and treat the classifier as one signal among several rather than a definitive PII detector.

14. In Evaluation Type, check the Re-evaluate existing property values check box, select Overwrite the existing value, and then click OK.
15. In the Actions pane, click Configure Classification Schedule.
16. Check the Enable fixed schedule check box, and then check each of the 7 weekdays.
17. Check the Allow continuous classification for new files check box, and then click OK.

NOTE: Continuous classification is what lets a newly saved file be classified within seconds in the later test; without it, files are only classified on the scheduled run.

18. Leave File Server Resource Manager open. You will use this in the next experience.

Validate Dynamic Access Control rules

In this step, you will use the built-in Effective Access calculator to verify that the correct users can access the CorpData folder based on Dynamic Access Control rules.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Windows Explorer.
2. Navigate to C:\Shares.
3. Right-click CorpData, and then click Properties.
4. On the Security tab, click Advanced.
5. Click Effective Access.
6. Click Select a user.
7. Type AliceCiccu, and then click OK.
8. Click View effective access.

NOTE: Alice is denied access because her user attributes do not match the requirements for the folder.

9. Click Select a user.
10. Type BenSmith, and then click OK.
11. Click View effective access.

NOTE: Ben is allowed access, because his user account is configured with the correct attributes.

12. Close the Properties of the CorpData folder.

Test Dynamic Access Control with automatic classification

In this step, you will test access to files using Dynamic Access Control and file classification from your DirectAccess-connected computer.

Begin this task logged on to DAClient as Contoso\BenSmith using the password Passw0rd!

1. Open Windows Explorer.
2. Navigate to \\Server1\CorpData.
3. Using Microsoft Word, create and save a file named SecureData in the CorpData folder, with the following text.

   My SSN is 111-22-3333

4. When prompted to configure Word, select Ask me later, and then click Accept.
5. Close the Welcome screen for Office.
6. Wait approximately 10 seconds.
7. Open SecureData.docx.

NOTE: You are now denied access because of the Personally Identifiable Information rule. The content classifier has set the file's PII property to High, and Ben is not yet a member of PII_Approved.

8. Switch to Admin, ensuring you are logged on as Contoso\Administrator.
9. Open Windows PowerShell.
10. Type the following command, and then press ENTER.

   Add-ADGroupMember -Identity PII_Approved -Members BenSmith

11. Switch to DAClient.
12. Log off, and then log on as Contoso\BenSmith using the password Passw0rd!

NOTE: Group membership is evaluated when the logon token is built, so a new logon is required before the PII_Approved membership takes effect.

13. Open the file \\Server1\CorpData\SecureData.docx.

NOTE: You can now open the file because you have been approved to view PII.

Implement Automatic Protection of PII Documents with RMS

In this step, you will implement an Active Directory Rights Management Services policy which prevents printing of documents classified as PII. For the purpose of streamlining this experience, AD RMS has been installed on Server1 and configured using installation defaults. You will only be required to create the RMS policies.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Open Server Manager.
2. On the Tools menu, click Active Directory Rights Management Services.
3. Navigate to Server1.contoso.com\Rights Policy Templates.
4. In the contents pane, click Create distributed rights policy template.
5. Click Add.
6. In Name, type Do Not Print, and then in Description, type Prevent printing.
7. Click Add.
8. Click Next.
9. Click Add, click Anyone, and then click OK.
10. In Rights for ANYONE, check the following rights.

NOTE: Some rights will automatically include other prerequisite rights.

   a. Export (Save As)
   b. Reply
   c. Reply-All
   d. Forward

NOTE: ANYONE is the RMS group of every user who can obtain a use license from this cluster. Because Print is not among the rights granted, protected files can be opened but not printed.

11. Click Next until you reach the end of the wizard, and then click Finish.
12. Close Active Directory Rights Management Services.

Include RMS in file classification

In this step, you will modify the file classification process to include the Do Not Print RMS template when files contain PII.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. Switch to File Server Resource Manager.
2. Click File Management Tasks.
3. In the Actions pane, click Create File Management Task.
4. In Task name, type Apply RMS Policy for PII.
5. On the Scope tab, click Add, select C:\Shares\CorpData, and then click OK.
6. On the Action tab, in Type, select RMS Encryption.
7. In Select a template, click Do Not Print.
8. On the Condition tab, click Add.
9. Configure the condition [Personally Identifiable Information] [Equal] [High], and then click OK.
10. Repeat steps 8 and 9 to add a condition for PII equal to Moderate and PII equal to Low.
11. Click OK to save the task.

Test RMS Auto-Classification

In this step, you will verify that files are automatically protected with the Do Not Print template if they contain a PII value of Low, Moderate, or High.

Begin this task logged on to Server1 as Contoso\Administrator using the password Passw0rd!

1. In File Server Resource Manager, click File Management Tasks.
2. Select Apply RMS Policy for PII.
3. In the Actions pane, click Run File Management Task Now.
4. Click Wait for the task to complete, and then click OK.
5. Switch to DAClient, and then log on as Contoso\BenSmith using the password Passw0rd!
6. Navigate to \\Server1\CorpData.
7. Open SecureData using Microsoft Word.

NOTE: During the launch of Microsoft Word, RMS is configured.

NOTE: The Do Not Print policy now applies to this file: it opens, but the Print command is unavailable.

This is the end of this lab.
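The Active Directory and File Server Resource Manager parts of Experience 3 (the Contains-PII central access rule and policy membership, the SSN content classifier with its schedule, and the RMS file management task) are all scriptable, and a script makes the conditional ACE that the Central Access Rule editor hides visible. The following is an added example written for this guide, not a script from the lab. It assumes the PII_Approved group, the File-Server-Policy central access policy and the Do Not Print RMS template exist exactly as the lab creates or supplies them, and that PowerShell remoting to Server1 is enabled. It goes beyond the lab in two places, both labelled in the comments: a stricter SSN pattern, and a single Equal High condition on the file management task (the only value the classifier in this lab ever assigns).

```powershell
# Added example (not the lab's own script). Run on Admin as Contoso\Administrator;
# the FSRM section runs on Server1 over PowerShell remoting.
Import-Module ActiveDirectory

# --- 1. Resource property and central access rule (Active Directory) ---
Set-ADResourceProperty -Identity 'PII_MS' -Enabled $true

# Conditional ACEs name principals by SID. FA = Full Control, as in the lab's
# GUI steps; use FR (generic read) for a least-privilege variant.
$piiSid = (Get-ADGroup -Identity 'PII_Approved').SID.Value
$currentAcl = 'O:SYG:SYD:AR' +
    '(XA;;FA;;;OW;(@RESOURCE.PII_MS Any_of {"Not PII","Public"}))' +
    "(XA;;FA;;;$piiSid;(@RESOURCE.PII_MS Any_of {""High"",""Moderate"",""Low""}))"

New-ADCentralAccessRule -Name 'Contains-PII' `
    -ResourceCondition '(Exists @RESOURCE.PII_MS)' `
    -CurrentAcl $currentAcl
Add-ADCentralAccessPolicyMember -Identity 'File-Server-Policy' -Members 'Contains-PII'

Get-ADCentralAccessPolicy -Identity 'File-Server-Policy' | Select-Object -ExpandProperty Members

# --- 2. File server: refresh policy, classification rule, RMS task ---
$scope = 'C:\Shares\CorpData'
# Stricter than the lab's \d{3}-\d{2}-\d{4}: word boundaries, and the area,
# group and serial values the SSA never issues are rejected (added here).
$ssnRegex = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'

Invoke-Command -ComputerName 'Server1' -ScriptBlock {
    Import-Module FileServerResourceManager
    gpupdate.exe /force | Out-Null                 # pull the updated central access policy
    Update-FSRMClassificationPropertyDefinition    # sync PII_MS and friends from AD

    New-FsrmClassificationRule -Name 'SSN Classifier' -Namespace @($using:scope) `
        -ClassificationMechanism 'Content Classifier' `
        -Property 'PII_MS' -PropertyValue 'High' `
        -ContentRegularExpression @($using:ssnRegex) `
        -ReevaluateProperty Overwrite

    # Daily fixed run plus continuous classification of new files; the lab's
    # "wait 10 seconds" test depends on the continuous mode.
    $daily = New-FsrmScheduledTask -Time (Get-Date '02:00') `
        -Weekly @('Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')
    Set-FsrmClassification -Schedule $daily -Continuous

    # RMS-protect files the classifier marked High with the Do Not Print
    # template. (The lab's GUI task also adds Moderate and Low conditions.)
    $rms  = New-FsrmFmjAction -Type Rms -RmsTemplate 'Do Not Print'
    $high = New-FsrmFmjCondition -Property 'PII_MS' -Condition Equal -Value 'High'
    New-FsrmFileManagementJob -Name 'Apply RMS Policy for PII' -Namespace @($using:scope) `
        -Action $rms -Condition @($high) -Schedule $daily -Continuous

    # Run both now instead of waiting for the schedule, then report.
    Start-FsrmClassification -RunDuration -1 -Confirm:$false
    Start-FsrmFileManagementJob -Name 'Apply RMS Policy for PII' -RunDuration -1
    Get-FsrmFileManagementJob -Name 'Apply RMS Policy for PII' |
        Select-Object Name, LastRunTime, LastError
}
```

The SDDL string is worth reading even if you create the rule in the GUI: XA is a callback-allow ACE, OW is the Owner Rights principal, and the expression in the final field is the same "Any of" condition the editor shows. Reviewing Get-ADCentralAccessRule output in this form is the easiest way to audit which attribute values a rule actually keys on.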