MVP: No more

MVP_Horizontal_BlackOnlyAlas, everything has its end. 2013 didn’t host TechEd Russia, I didn’t participate in MCP Club activities and even my own blog has been neglected. the result is obvious: I’m not an MVP anymore. 

Nevertheless, that were terrific 7 years. I hope I’ve helped many people. I am absolutely sure I came to know many great people and even hired some of them Winking smile 

But… As I’ve been a manager for a brilliant team of IT Pros, it’s plain contra-indicative for me to make something with my hands (my experience prove this), but it’s positively good for me to think and learn about management.

That is the blog will lean more to the management side with the lapse of time. Technical posts will appear from time to time (with tag, say, Technical), but they probably won’t make the most of the blog. So, you can leave if you want, but… Well… Stay, what if I say something clever? =)

Anyway, thanks for your support during all these years.

Posted in MVP | Leave a comment



Posted in Uncategorized | Leave a comment

Myths #3: Give without giving

no giftOne more mystery for me: how give everything without giving everything. This is exactly the question I see very often in various forums and other places. This is the question I hear personally from time to time. It can be in asked in several forms, the most frequent forms are:

1) How can I give a user local admin rights and be sure that they cannot do <put your own stuff here>?

2) How can I restrict my domain admin from accessing the <your very valuable information>?

Naturally, at this point I start boiling and all that stuff, but let’s look at it again.

Well, granting the user administrative rights in a system is going to give them administrative rights: that’s the point. And any administrative access means that the user can do everything. What it cannot do right now, they can grant themselves rights to do. Period.

In first case you can only audit the user’s actions, that’s all, you can do. Moreover, the audit collection and processing must be done on a remote system, which is not accessible (let alone administered) by the user in question. Any other variant, like granting local admin rights, but denying access to some aspects of the system… It just won’t work.

The second case is a bit more complicated, because system we are discussing are usually more distributed. However, even in such occurrence, you can do not much more then in previous one. Again: strict audit with no chances for the admin to tamper with it. The only exclusion for that rule is if you build the system, which, say, encrypts the data and which is not governed by the domain admin. But this is tricky, especially, considering the fact, that the admin can get the data from the computer of the user which decipher the data to work with it (pass-the-hash, or any other attack is possible if he has administrative access to any part of the “secure system”).

Therefore, really, only audit for critical data, including audit of access to backup and restore system.

Any other ideas?

Posted in Myths, Security | Leave a comment

#RutechEd: Answering the questions, part II

imageAt last, two remaining questions to be answered.

1) One of the attendees of the hands-on lab on Dynamic Access Control had read that a normal user (without administrative permissions) can classify files and folders. However, he hadn’t succeeded in achieving it. Here is what I tried and understood:

i. Any user cannot change classification via explorer remotely (or at least I failed to achieve this).

ii. Any user, which has full permissions on files can edit classification locally, e.g. from TS session.

As far as I can understand, the “non-administrative user can edit it” part was related to automated toolkits, which don’t need now to be run under administrative account.

2) And the last question was: can we use Orchestrator to manage classifications?

I’ve asked one of my friends, who specializes in Orchestrator, and here is what he answered me:

“i. Orchestrator can do everything that you can do in any other fashion with, say, PoSh.

ii. I bet there is more standard way to do it.

iii. It’s definitely better to use Data Classification Toolkit: Orchestrator will be a bottleneck if we have many files.”

So, the answer is “yes, but definitely not the best tool”

Posted in Dynamic Access Control, TechEd, Windows 8 | Leave a comment

#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

imageAs I said previously my labs were a success, still I wasn’t able to answer some questions and promised to answer them later. the time has come for the first of them. One of the visitors told me that he had had an experience when some of files’ attributes wouldn’t replicate over DFSR and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “may be” for that matter. It wouldn’t explain why. As I’m not great with the replication, I had to beg for help and, luckily, I knew were to get it: the AskDS blog.

In no time a received the answer. The short one is: “everything will be ok with your files”. The long one I will just cite here:

“Let me clarify some aspects of your question as I answer each part

When enabling Dynamic Access Control on files and folders there are multiple aspects to consider that are stored on the files and folders.

Resource Properties

- Resource Properties are defined in AD and used as a template to stamp additional metadata on a file or folder that can be used during an authorization decision.  That information is stored in an alternate data stream on the file or folder.  This would replicate with the file, the same as the security descriptor

Security Descriptor

The security descriptor replicates with the file or folder.  Therefore, any conditional expression would replicate in the security descriptor.

All of this occurs outside of Dynamic Access Control– it is a result of replicating the file throughout the topology, for example if using DFSR.  Central Access Policy has nothing to do with these results.

Central Access Policy

Central Access Policy is a way to distribute permissions without writing them directly to the DACL of a security descriptor. So, when a Central Access Policy is deployed to a server, the administrator must then link the policy to a folder on the file system.  This linking is accomplish by inserting a special ACE in the auditing portion of the security descriptor informs Windows that the file/folder is protected by a Central Access Policy.  The permissions in the Central Access Policy are then combined with Share and NTFS permissions to create an effective permission.

If the a file/folder is replicated to a server that does not have the Central Access Policy deployed to it then the Central Access Policy is not valid on that server.  The permissions would not apply”.

Thanks, guys. You’re the best Winking smile

Posted in AD, Dynamic Access Control, Security, Tips'N'Tricks, Windows 8 | Leave a comment

#RutechEd: Lab Results


I have received survey results for my hands-on labs during TechEd Russia. And are they awesome! Both my labs are in top5, moreover, one of them is the first in the list!

I’m thrilled to bits =)

Many thanks to all visitors: you’ve created such an aim for me, that I’ve already started to think about what to show you next year.

My marks:

DirectAccess: 9 out of 9

Dynamic Access Control: 8.55 out of 9

Posted in TechEd | Leave a comment

MCPClub: DirectAccess explained

MCP Club moscow

13 Dec 2012 I finished the season at Microsoft MCP Club Moscow. I spoke about DirectAccess in 2012 and why is it worth to implement even if you haven’t done it with previous version.

As usual the audience was just excellent, they forgave me all the small mistakes I made, knew some of the material better than I did and so on. Therefore, it was sweet meeting: I like it very much and it was a success.

At the moment I’m processing the recording (I’ve lost video for the demonstration – chose a wrong mode for it), and thinking if I should make an English version.

Posted in DirectAccess, MCP Club | Leave a comment