Myths #3: Give without giving

no gift

One more mystery for me: how to give everything without giving everything. This is exactly the question I see very often in various forums and other places, and the question I hear personally from time to time. It can be asked in several forms; the most frequent ones are:

1) How can I give a user local admin rights and be sure that they cannot do <put your own stuff here>?

2) How can I restrict my domain admin from accessing the <your very valuable information>?

Naturally, at this point I start boiling and all that stuff, but let’s look at it again.

Well, granting a user administrative rights in a system is going to give them administrative rights: that's the point. Any administrative access means that the user can do everything. Whatever they cannot do right now, they can grant themselves the right to do (take ownership of the object, rewrite its ACL, run code as SYSTEM). Period.

In the first case you can only audit the user's actions; that is all you can do. Moreover, audit collection and processing must take place on a remote system which the user in question cannot access (let alone administer), because a local admin can clear or disable the local log. Any other variant, such as granting local admin rights but denying access to some aspects of the system, just won't work.

The second case is a bit more complicated, because the systems we are discussing are usually more distributed. Even so, you cannot do much more than in the previous one. Again: strict audit, with no chance for the admin to tamper with it. The only exception to that rule is a system which, say, encrypts the data and which is not governed by the domain admin. But this is tricky, because the admin can still take the data from the computer of the user who decrypts it in order to work with it: with administrative access to any part of the "secure system", pass-the-hash or any other credential or memory attack is possible.

Therefore, really, only audit for critical data, including audit of access to the backup and restore system.
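As an added illustration (not part of the original post), here is the first case played out in PowerShell on a lab machine: a deny ACE for Administrators is put on a folder, a member of Administrators removes it with two built-in commands, and then the only thing that does hold, auditing, is switched on. Assumptions: an elevated session, Windows 8 / Server 2012 or later, a test folder C:\Secret and a test user Alice. The snippet does not set up the forwarding of the Security log to a remote collector; that part is configured on the collector.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a lab machine. Assumed names: C:\Secret (test folder), Alice (test user).
$dir = 'C:\Secret'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1) The "restriction": strip inheritance, give SYSTEM and Alice full control,
#    and explicitly DENY the local Administrators group.
icacls $dir /inheritance:r /grant 'SYSTEM:(OI)(CI)F' /grant 'Alice:(OI)(CI)F' | Out-Null
icacls $dir /deny 'Administrators:(OI)(CI)F' | Out-Null

# 2) How an administrator gets in anyway. The deny ACE does not matter:
#    SeTakeOwnershipPrivilege lets an admin take ownership of any object, and the
#    owner always has READ_CONTROL and WRITE_DAC, i.e. can rewrite the DACL.
takeown /f $dir /a /r /d y | Out-Null          # owner := Administrators, recursively
icacls $dir /remove:d 'Administrators' /t | Out-Null
icacls $dir /grant 'Administrators:(OI)(CI)F' /t | Out-Null
icacls $dir                                    # deny ACE gone, Administrators back with (F)

# 3) What actually works: audit. Enable object-access auditing for the file
#    system and put a SACL on the folder so every access is logged (event 4663).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$acl  = Get-Acl -Path $dir -Audit              # -Audit reads the SACL as well
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', 'FullControl',
            'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $dir -AclObject $acl

# A local admin can clear the local Security log, so the events have to leave
# the box, e.g. via Windows Event Forwarding to a collector the admin does not
# administer (a subscription created with wecutil on the collector, not shown here).
```

The point of step 2 is that no ACE, however strict, survives a principal who holds SeTakeOwnershipPrivilege or who can simply run as SYSTEM; the SACL in step 3 records what they did, but only if the record ends up somewhere they cannot reach.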

Any other ideas?

#RutechEd: Answering the questions, part II

At last, the two remaining questions to be answered.

1) One of the attendees of the hands-on lab on Dynamic Access Control had read that a normal user (without administrative permissions) can classify files and folders. However, he hadn't succeeded in achieving it. Here is what I tried and understood:

i. A user cannot change the classification via Explorer remotely (or at least I failed to achieve this).

ii. A user who has full permissions on the files can edit the classification locally, e.g. from a TS session.

As far as I can understand, the "non-administrative user can edit it" part was related to the automated toolkits, which no longer need to be run under an administrative account.

2) And the last question was: can we use Orchestrator to manage classifications?

I’ve asked one of my friends, who specializes in Orchestrator, and here is what he answered me:

“i. Orchestrator can do everything that you can do in any other fashion with, say, PoSh.

ii. I bet there is a more standard way to do it.

iii. It’s definitely better to use Data Classification Toolkit: Orchestrator will be a bottleneck if we have many files.”

So, the answer is "yes, but definitely not the best tool".
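For the scripted route mentioned in both answers (what PoSh or the toolkit does instead of the Explorer tab), here is an added example; it is not from the original post and does not settle the permission question left open in item 1. Assumptions: the File Server Resource Manager role service is installed on the file server, a classification property named "Impact" (a hypothetical name) has been defined in AD or locally in FSRM, and the file path is hypothetical.

```powershell
# Added example, not from the original post. Assumes FSRM is installed and a
# classification property "Impact" (hypothetical name) exists; path is hypothetical.
$path = 'C:\Shares\Finance\forecast.xlsx'
$cm   = New-Object -ComObject Fsrm.FsrmClassificationManager

# Stamp the property on the file. FSRM keeps it with the file, so it travels
# with the file (see the replication question in the next post).
$cm.SetFileProperty($path, 'Impact', 'High')

# Read it back. Third argument: 0 = FsrmGetFilePropertyOptions_None.
$prop = $cm.GetFileProperty($path, 'Impact', 0)
'{0} = {1}' -f $prop.Name, $prop.Value          # Impact = High

# Enumerate everything stamped on the file, manually or by a classification rule.
foreach ($p in $cm.EnumFileProperties($path, 0)) {
    '{0} = {1}' -f $p.Name, $p.Value
}

# Remove the manual value again.
$cm.ClearFileProperty($path, 'Impact')
```

Whatever account runs this still needs write access to the file itself, which matches observation ii above; whether it also needs to be a local administrator is exactly what the toolkits changed, and the snippet does not prove either way.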

#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

As I said previously, my labs were a success; still, I wasn't able to answer some questions and promised to answer them later. The time has come for the first of them. One of the visitors told me that he had had an experience when some of the files' attributes wouldn't replicate over DFSR, and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: "yes" or "no". Or "maybe", for that matter. It wouldn't explain why. As I'm not great with replication, I had to beg for help and, luckily, I knew where to get it: the AskDS blog.

In no time I received the answer. The short one is: "everything will be ok with your files". The long one I will just cite here:

“Let me clarify some aspects of your question as I answer each part

When enabling Dynamic Access Control on files and folders there are multiple aspects to consider that are stored on the files and folders.

Resource Properties

– Resource Properties are defined in AD and used as a template to stamp additional metadata on a file or folder that can be used during an authorization decision. That information is stored in an alternate data stream on the file or folder. This would replicate with the file, the same as the security descriptor.

Security Descriptor

The security descriptor replicates with the file or folder. Therefore, any conditional expression would replicate in the security descriptor.

All of this occurs outside of Dynamic Access Control: it is a result of replicating the file throughout the topology, for example if using DFSR. Central Access Policy has nothing to do with these results.

Central Access Policy

Central Access Policy is a way to distribute permissions without writing them directly to the DACL of a security descriptor. So, when a Central Access Policy is deployed to a server, the administrator must then link the policy to a folder on the file system. This linking is accomplished by inserting a special ACE in the auditing portion of the security descriptor that informs Windows that the file/folder is protected by a Central Access Policy. The permissions in the Central Access Policy are then combined with Share and NTFS permissions to create an effective permission.

If a file/folder is replicated to a server that does not have the Central Access Policy deployed to it, then the Central Access Policy is not valid on that server. The permissions would not apply."

Thanks, guys. You're the best ;)
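A check a practitioner would want after reading the answer above, added here as an example that is not part of the original post or the AskDS reply: compare, for one file on the DFSR source and on a replica, the list of alternate data streams (where the resource properties live) and the security descriptor (where the conditional ACEs and the Central Access Policy pointer live). The two UNC paths are hypothetical. The security descriptor is compared in binary form rather than as SDDL so that the scoped-policy ACE in the SACL, which older .NET versions do not render as SDDL, does not break the comparison.

```powershell
# Added example, not from the original post or the AskDS answer.
# Assumes the caller can read the SACL (SeSecurityPrivilege, i.e. an admin)
# on both servers. Paths are hypothetical.
function Get-FileReplicationFacts {
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -Path $Path -Audit     # -Audit includes the SACL, where the CAP pointer sits
    $bytes = $acl.GetSecurityDescriptorBinaryForm()
    [pscustomobject]@{
        Path    = $Path
        Streams = (Get-Item -Path $Path -Stream * |
                   Select-Object -ExpandProperty Stream | Sort-Object) -join ','
        SdHex   = [BitConverter]::ToString($bytes)
    }
}

$src = Get-FileReplicationFacts -Path '\\FS1\Finance\forecast.xlsx'
$dst = Get-FileReplicationFacts -Path '\\FS2\Finance\forecast.xlsx'

'Streams on source : ' + $src.Streams
'Streams on replica: ' + $dst.Streams
'Streams match     : ' + ($src.Streams -eq $dst.Streams)
'Descriptor match  : ' + ($src.SdHex -eq $dst.SdHex)
```

Both lines reading True confirms exactly what the answer says: the metadata and the ACEs travel with the file. It does not confirm that access will be the same on FS2, because the Central Access Policy itself is deployed per server through Group Policy (Computer Configuration > Windows Settings > Security Settings > File System > Central Access Policy); if FS2 has not received that policy, the pointer in its SACL refers to nothing and only the share and NTFS permissions apply.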

#RutechEd: Lab Results


I have received the survey results for my hands-on labs during TechEd Russia. And they are awesome! Both my labs are in the top 5; moreover, one of them is first in the list!

I’m thrilled to bits =)

Many thanks to all visitors: you've given me such a goal that I've already started to think about what to show you next year.

My marks:

DirectAccess: 9 out of 9

Dynamic Access Control: 8.55 out of 9

MCPClub: DirectAccess explained

MCP Club moscow

On 13 Dec 2012 I finished the season at Microsoft MCP Club Moscow. I spoke about DirectAccess in 2012 and why it is worth implementing even if you haven't done it with the previous version.

As usual the audience was just excellent: they forgave me all the small mistakes I made, knew some of the material better than I did, and so on. Therefore it was a sweet meeting: I liked it very much and it was a success.

At the moment I'm processing the recording (I've lost the video of the demonstration: I chose the wrong mode for it) and thinking about whether I should make an English version.

#RuTechEd is over


TechEd Russia has finished its work. This time I was too busy to be a proper visitor: on the first day I was preparing my presentation and demos, on the second I was checking my labs and delivering them, and then... the TechEd ended =)

As for my engagements:

1) Presentation: Advanced Persistent Threat: behind the scenes. Unfortunately, my part wasn't very good. At least I think so, therefore I'll improve what I failed at (still, I hope that no one noticed ;) especially considering the fact that our demos were a total success).

2) The hands-on lab on Dynamic Access Control. Quite simple, yet with many details inside, and no mistakes that I couldn't fix in a flash.

3) The second lab was on DirectAccess. This one went wrong on several occasions, but almost everything was fixed.

Overall, I’m quite satisfied with my performance, but a bit jealous of those who could just visit sessions and listen to speakers =)

Some photos:


My breakfast on TechEd. A bit grumpy (totally understandable: the photo had been taken minutes before I ate it =) )


MS MVPs are discussing the conquering of the world ;)


Speaker’s lounge before times.

TechEd Russia.

Yep, this year I don't participate in the Ask the Expert section; instead I speak about Advanced Persistent Threat and I'm also a trainer for two labs: DirectAccess and Dynamic Access Control.

I really look forward to the event. It must be thrilling as always. And I hope I will bring some knowledge and decisions upon my listeners ;)

Free ebook: Introducing Windows 8: An Overview for IT Professionals

Just a new eBook for us IT Pros.

Deployment, management, security, recovery. All you need to bring the OS to your users.

Download links are below.

PDF Introducing Windows 8- An Overview for IT Professionals – PDF ebook
Mobi Introducing Windows 8-An Overview for IT Professionals – Mobi format for Kindle
ePub Introducing Windows 8-An Overview for IT Professionals – ePub format

FeedDemon + Windows 8: overcoming problems

Will anyone be surprised to hear that I'm trying to move to Windows 8 right now? No? Right. At the moment a couple of issues make my stay on it uncomfortable or impossible:

  • I still don’t have proper drivers for etoken for the OS.
  • Evernote in the new OS with the new interface (we don’t use term “Metro” anymore) sucks.
  • FeedDemon keeps giving me error messages in huge amount.

And it seems that the latter problem now has a solution. First of all, here is the message:



or in text: "Error saving file: The process cannot access the file because it is being used by another process (32)", followed by the name of some file in the Temp folder.

I really don’t understand the connection between those files and the solution (or, rather, I’d name it workaround), but it works:

1. Go to Personalize

2. And change the color scheme from Automatic (top-left) to any other.


Voila! No more error messages.

Troubleshooting articles.

Once I ran into an article which was actually a list of references to Windows IT Pro articles. I don't even remember where I saw it (probably on WinITPro itself), but all of a sudden I remembered that it had been useful to me.

The list was named in my collection "troubleshooting learning path", and it truly is one. Below is the list. To access any article listed here, enter its InstantDoc ID in the search on the main page of WinITPro.

Have fun:


InstantDoc ID   Name
101818          Administrators' Intro to Debugging
101701          Conquer Desktop Heap Problems
102980          Disk2vhd: The Windows Troubleshooter's New Best Friend
102054          Examining Xperf
102615          Find the Binary File for Any WMI Class
102867          Further Adventures in Debugging
101162          Get a Handle on Windows Performance Analysis
102479          Got High-CPU Usage Problems? ProcDump 'Em!
101468          Reap the Power of MPS_Reports Data
99933           Resolve Memory Leaks Faster
100845          Resolve WMI Problems Quickly with WMIDiag
100212          Say 'Whoa!' to Runaway Processes
100577          Simplify Process Troubleshooting with DebugDiag
101059          Troubleshooting the Infamous Event ID 333 Errors
102263          Under the Covers with Xperf