Exam70-412 Ch06b

11 September 2022
22 test answers

question
Which of the following statements are true concerning Kerberos armoring? (Choose all that apply)
answer
Fully encrypts Kerberos messages, Increases Kerberos processing time ***Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors. Although Kerberos armoring enhances security, it also increases processing time.
question
Claims authorization relies on what?
answer
The Kerberos KDC ***Claims authorization relies on the Kerberos Key Distribution Center (KDC). Claims, the user's security identifier (SID), and group membership are all stored inside the Kerberos ticket.
question
What must you specify to create a claim type?
answer
A specific attribute in Active Directory ***To create a claim type, you specify a specific attribute from Active Directory.
question
After you create claim types, what is the next step you must perform to allow the claim to function properly?
answer
Configure resource properties ***After you create the claim types, you must configure the resource property objects such as a folder or a file using the Active Directory Administrative Center.
question
What is created so that files are automatically scanned and classified based on their content?
answer
Classification rules ***Classification rules can be created and then scheduled to be applied on a regular basis so that files are automatically scanned and classified based on the content of the file.
question
From what locations in Windows Server 2012 can you set classifications on files and folders? (Choose all that apply)
answer
On the folder Properties dialog box, In the File Server Resource Manager console ***You can manually configure classification on a folder from its Properties dialog box, or you can create classification rules to automate the classification from within the File Server Resource Manager console.
question
What should you configure if you want to limit access to files with certain classifications within a folder to a specific security group's members?
answer
A Central Access Policy ***A Central Access Policy contains Central Access Rules that grant permissions to objects for a defined group of resources. This is how access to files with certain classifications within a folder can be limited to a specific security group's members.
question
Before you attempt to implement a Central Access Policy, which of the following tasks should you first complete?
answer
Translate the authorization policies into expressions, Identify the resources you want to protect, Define the authorization policies ***You should perform all the listed steps and then use that information to determine what claim types, resource properties, and device claims you must create to deploy the desired policies.
question
Before you attempt to implement file classification, which of the following tasks should you not first determine?
answer
The schedule of disk defragmentation ***Before you attempt to perform file classification, you should know what classifications you wish to apply, how you will identify documents to be classified, and how often the classification should be performed by the system.
question
What does Windows Server 2012 provide that allows you to verify that proposed Dynamic Access Control changes accomplish what you intend them to do before actually deploying the changes?
answer
Staging ***To help you test a DAC implementation or proposed changes, Windows Server 2012 enables you to perform staging, which allows you to verify the proposed policy updates before enforcing them.
question
What Windows Server 2012 feature allows you to define computer-wide auditing of the file system or the registry?
answer
Global Object Access Auditing ***Global Object Access Auditing lets you define computer-wide system access control lists for either the file system or registry.
question
What Windows Server 2012 feature helps users determine why they cannot access a folder or a file?
answer
Access-Denied Assistance ***When a user is denied access to a shared folder or file, Windows Server 2012 provides Access-Denied Assistance, which helps users determine why they cannot access the folder or file and directs users to resolve the issue without calling the help desk.
question
Which of the listed PowerShell cmdlets would be correctly used to modify a Central Access Policy in Active Directory?
answer
Set-ADCentralAccessPolicy ***The Set-ADCentralAccessPolicy cmdlet modifies a Central Access Policy in Active Directory.
question
Which of the following would you skip in your planning for deploying Access-Denied Assistance?
answer
The share size where Access-Denied Assistance will be used ***You will need to plan for the denial message, the request message, and who should receive the request message (email) for further action.
question
After you have deployed a proposed Dynamic Access Control policy in staging mode, how do you check to see what is happening?
answer
Look in the Security logs for Event ID 4818 ***The Audit Event ID 4818 in the Security log shows the difference between the access check using the staged policy and the access check using the enforced policy.
question
To use claims-based authorization in a domain, which of the following items must you have?
answer
Domain Controllers running Windows Server 2012 in the domain ***While technically you'll need all the items listed depending on the scope, size, and complexity of your claims-based authorization deployment, you must have Domain Controllers running Windows Server 2012 in the domain that claims-based authorization is to occur in. Windows 8 clients are not required for this specific scenario and Kerberos is available by virtue of having Active Directory.
question
Which of these represents the largest benefit realized from classifying files and folders?
answer
Tasks for files and folders can be automated ***Though all the options represent benefits you would gain through file and folder classification, the real big win is in being able to perform the listed tasks in automated fashion using the results of the classification process.
question
What is the best way to allow Dynamic Access Control staging for your Active Directory environment?
answer
Edit a domain Group Policy object to enable Audit Central Access Policy Staging ***The best option is to edit a domain Group Policy to enable Audit Central Access Policy Staging.
question
Regarding Dynamic Access Control, which term describes the process of using a trusted identity provider to provide authentication?
answer
Claims-based access control ***Claims-based access control uses a trusted identity provider to provide authentication.
question
Regarding Dynamic Access Control, which term describes the pieces of information that help prove who the user is?
answer
Claim ***Identity is based on a set of information. Each piece of information is referred to as a claim (such as who the user or computer claims to be) and is stored as a token, which is a digital key.
question
Regarding Dynamic Access Control, which term describes the identity provider in Windows Server 2012?
answer
Security Token Service ***In Windows Server 2012, the identity provider is the Security Token Service (STS) and the claims are the Active Directory attributes assigned to a user or device (such as a computer).
question
Regarding Dynamic Access Control, which term describes the process that issues a token to the user?
answer
Trusted identity provider ***The trusted identity provider issues a token to the user, which the user then presents to the application or service as proof of identity.