Page 1: What is new in security in Windows 2012 or Dynamic Access Control

What is new in security in Windows 2012 or Dynamic Access Control

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com |

Page 2

Revolution?

Evolution

Page 3

Evolution

• Access Control Lists (ACEs)
  – and NTFS
• File Server Resource Manager (FSRM)
  – and simple file classification
• Active Directory (AD) integrated classification
  – and NTFS rules with term conditions
• Automatic file classification with FSRM
• Kerberos Claims
  – and user attributes
• Kerberos CompoundId
  – and computer attributes
• Central AD defined NTFS access rules
  – and their enforcement with FSRM

Page 4

Evolution

Feature                             Server              Client                    Schema 2012 / DFL / FFL
AND logic ACL                       Windows 2012        -                         -
FSRM automatic classification       Windows 2012 FSRM   -                         -
AD integrated classification terms  Windows 2012 FSRM   -                         schema 2012, FFL 2003
AD integrated NTFS access rules     Windows 2012 FSRM   -                         schema 2012, FFL 2003
User claims                         Windows 2012        -                         one Windows 2012 DC
Computer claims                     Windows 2012        Windows 8 / Windows 2012  local Windows 2012 DC

Page 5

Claims, Terms, Classifications, Metadata

• They are just the same thing

Page 6

Access Control Lists

What is New in Security in Windows 2012

Page 7

Until Windows 2012

• Sorted in order
  – DENY is not always stronger
• Has OR logic
  – shadow groups
  – combined "AND" groups

Page 8

Group Limits

• Access Token
  – 1024 SIDs
• Kerberos ticket
  – 12 kB by default
  – global group = 8 B
  – domain local group / foreign universal groups = 40 B
• 260 max
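The per-SID sizes on this slide are what make group bloat measurable. The following is an added example (not the presenter's code) that estimates how much of the slide's 12 kB default ticket budget a user's transitive group membership consumes; it assumes the ActiveDirectory module is available, and it counts universal groups from the user's own domain and the primary group at 8 B and SID history entries at 40 B, which the slide does not state.

```powershell
# Added example: estimate the group-SID share of the default 12 kB Kerberos ticket (slide 8),
# using the slide's sizes: global group = 8 B, domain local or foreign universal group = 40 B.
# Assumptions (not on the slide): own-domain universal groups and the primary group = 8 B,
# SID history entries = 40 B. Requires the ActiveDirectory (RSAT) module.
function Get-KerberosSidBudget {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $TicketBudgetBytes = 12000          # "12 kB by default" per slide 8
    )
    $user       = Get-ADUser -Identity $SamAccountName -Properties sIDHistory
    $userDomain = $user.SID.AccountDomainSid.Value

    # Transitive (nested) membership via LDAP_MATCHING_RULE_IN_CHAIN: the ticket carries every
    # nested group, not only direct ones. The primary group is absent from "member", so add it.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")

    $bytes     = 8                                 # primary group (assumed global)
    $fortyByte = @()
    foreach ($g in $groups) {
        $foreign = $g.SID.AccountDomainSid.Value -ne $userDomain
        if ($g.GroupScope -eq 'DomainLocal' -or ($g.GroupScope -eq 'Universal' -and $foreign)) {
            $bytes += 40
            $fortyByte += $g.Name
        } else {
            $bytes += 8
        }
    }
    $bytes += 40 * @($user.sIDHistory).Count       # SID history entries travel too (assumed 40 B)

    [pscustomobject]@{
        User              = $SamAccountName
        Groups            = $groups.Count
        EstimatedSidBytes = $bytes
        PercentOfBudget   = [math]::Round(100 * $bytes / $TicketBudgetBytes, 1)
        FortyByteGroups   = $fortyByte             # the expensive memberships to review first
    }
}

# Example call with a constructed account name; the rest of the PAC also needs room, so the
# closer PercentOfBudget gets to 100, the more likely logon problems from oversized tickets.
Get-KerberosSidBudget -SamAccountName 'jdoe'
```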

Page 9

Classic flow of access control

[Diagram. Elements shown: Windows Firewall (TCP 445); Authentication (Kerberos, NTLM); Allowed to Authenticate?; Access this Computer from Network; Allow Logon Locally; Access Token; UAC Restricted Access Token; Sharing Permissions; Path; Owner; NTFS Permissions; Folder Quotas; Volume Quotas; Disk]

Page 10

New in Windows 2012

• AND logic possible
• Extendable with claims
  – FSRM file claims
  – user claims
  – device (computer) claims
• Requires domain membership
  – Windows 8, Windows 2012
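One way to express the AND logic and claim conditions from this slide in a single conditional ACE, as an added example that is not from the presentation: the group SIDs, the share path and the claim/resource property name "Department" are placeholders for whatever is defined in the target forest.

```powershell
# Added example (not the presenter's code): a conditional ACE replaces the combined "AND"
# shadow group of slide 7 and adds a claim test. Placeholder values below are constructed.
$path        = 'D:\Shares\Finance'                                  # placeholder share path
$financeSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'     # placeholder group SID
$fullTimeSid = 'S-1-5-21-1111111111-2222222222-3333333333-1106'     # placeholder group SID

# XA   = callback (conditional) allow ACE, evaluated only by Windows 8 / 2012 and later
# OICI = inherit to files and subfolders; FR = generic read; AU = Authenticated Users
# Member_of {A, B} requires BOTH SIDs in the token (Member_of_Any would be the classic OR).
# The second term compares the user's Department claim with the file's Department property
# ("Department" stands in for the claim type / resource property ID defined in AD).
$condition = "(Member_of {SID($financeSid), SID($fullTimeSid)} && (@User.Department == @Resource.Department))"
$sddl      = "D:PAI(A;OICI;FA;;;BA)(XA;OICI;FR;;;AU;$condition)"

$acl = Get-Acl -Path $path
$acl.SetSecurityDescriptorSddlForm($sddl, 'Access')   # replace only the DACL; owner/SACL untouched
Set-Acl -Path $path -AclObject $acl

# Verify that the conditional ACE round-tripped onto the folder.
(Get-Acl -Path $path).Sddl
```

If the caller's token carries no Department claim (for example a user authenticated by a pre-2012 KDC), the comparison is undefined and the XA ACE grants nothing, so test with a claims-enabled account before rolling this out.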

Page 11

New flow of access control

[Diagram. Elements shown: Windows Firewall (TCP 445); Authentication (Kerberos, NTLM); Allowed to Authenticate?; Access this Computer from Network; Allow Logon Locally; Access Token; UAC Restricted Access Token; Sharing Permissions; Path; Owner; NTFS Permissions; Condition ACEs; Folder Quotas; Volume Quotas; Disk]

Page 12

File Classification

What is New in Security in Windows 2012

Page 13

File Server Resource Manager (FSRM)

• Manual File Classification
• Automatic File Classification
  – file name wildcard
  – folder path
  – words and/or regular expressions
  – PowerShell code
• Locally vs. AD defined terms
• Adds file metadata
  – alternative NTFS streams
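The "words and/or regular expressions" mechanism above, as an added example that is not the presenter's code: an FSRM content rule that tags files matching a US-SSN-like pattern. It assumes the FSRM role service is installed, that a classification property named "Confidentiality" already exists on the server (local or AD-defined), and uses a placeholder share path.

```powershell
# Added example (not from the presentation): automatic classification by regular expression.
# Assumes FSRM is installed, a property "Confidentiality" with value "High" is defined, and
# D:\Shares\Finance is a placeholder path.
Import-Module FileServerResourceManager

New-FsrmClassificationRule -Name 'Tag SSN content as High' `
    -Namespace @('D:\Shares\Finance') `
    -Property 'Confidentiality' -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `   # .NET regex, single-quoted so PowerShell leaves it alone
    -ReevaluateProperty Overwrite                              # re-tag on every run, so removed content clears the tag

# Run the classification now rather than waiting for the scheduled job, then review the rule.
Start-FsrmClassification
Get-FsrmClassificationRule -Name 'Tag SSN content as High' | Format-List Name, Property, PropertyValue, Namespace
```

Per slide 14, only an AD-defined property tagged this way can be referenced from a conditional ACE; a locally defined one is metadata for reporting and FSRM tasks only.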

Page 14

File claims and ACL

• File claims can be used in the new ACE conditions
  – only AD based file terms

Page 15

AD defined file claims

• Requires Windows 2012 schema extension
• Requires Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – needs some editor such as ADSI Edit or Windows 2012 ADAC
• Must be uploaded to FSRM servers manually

Page 16

Kerberos Claims

What is New in Security in Windows 2012

Page 17

Kerberos ticket until Windows 2012 KDC

• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history

Page 18

Good old Kerberos

[Diagram: Client XP, DC 2003, Server; TGT]

Page 19

Good old Kerberos

[Diagram: Client XP, DC 2003, Server; TGT, TGS, TGS; SIDs carried in the tickets]

Page 20

What is new in Kerberos tickets with Windows 2012 KDC

• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets

Page 21

Requirements

• At least a single Windows 2012 DC (KDC)
• Tickets are extendable
• If a client does not understand the extension, it simply ignores its contents
• If a server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)

Page 22

Good old Kerberos supports claims as well

[Diagram: Client XP, DC 2003, Server 2012, DC 2012; TGT, TGS, TGS; SIDs in the tickets, Claims obtained by Server 2012 from DC 2012]

Page 23

Brand new Kerberos with Windows 2012 KDC

[Diagram: Client XP, DC 2012, Server 2012; TGT with User Claims]

Page 24

Brand new Kerberos with Windows 2012 KDC

[Diagram: Client XP, DC 2012, Server 2012; TGT, TGS, TGS; SIDs and User Claims carried in the tickets]

Page 25

What is new in Kerberos with DFL 2012

• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets
• Device claims
  – AD attributes of computers
  – Compound ID in Kerberos TGT tickets

Page 26

Kerberos Compound ID with device claims

[Diagram: Client 8, DC 2012, Server 2012; TGT Request; TGT with User Claims; Computer TGT with Device Claims]

Page 27

Brand new Kerberos with Windows 2012 KDC

[Diagram: Client 8, DC 2012, Server 2012; TGT, TGS, TGS; SIDs, User Claims and Device Claims carried in the tickets]

Page 28

Requirements

• At least a local Windows 2012 DC (KDC)
  – better to have 2012 DFL for consistent behavior
• Clients Windows 8 or Windows 2012
  – must ask for TGTs with the Compound ID extension
• The server cannot just obtain device claims on its own because it does not know from what device the user came

Page 29

Central Access Rules

What is New in Security in Windows 2012

Page 30

Requirements

• Windows 2012 schema extension
• Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – needs some editor such as ADSI Edit or Windows 2012 ADAC
• Uploaded to FS by using Group Policy

Page 31

Take away

What is New in Security in Windows 2012

Page 32

Evolution

Feature                             Server              Client                    Schema 2012 / DFL / FFL
AND logic ACL                       Windows 2012        -                         -
FSRM automatic classification       Windows 2012 FSRM   -                         -
AD integrated classification terms  Windows 2012 FSRM   -                         schema 2012, FFL 2003
AD integrated NTFS access rules     Windows 2012 FSRM   -                         schema 2012, FFL 2003
User claims                         Windows 2012        -                         one Windows 2012 DC
Computer claims                     Windows 2012        Windows 8 / Windows 2012  local Windows 2012 DC

Page 33

Thank you!

What is New in Security in Windows 2012
