
Windows 8 Dynamic Access Control

Date posted: 21-Dec-2014
Upload: microsoft-technet-belgium-and-luxembourg
More info on http://www.techdays.be.

Transcript

Windows 8 Dynamic Access Control

John Craddock, Infrastructure and Security Architect, XTSeminars Ltd

February 2012

What you are about to learn is based on a pre-released product and may not accurately reflect the functionality of the RTM version.

With Windows 8 you can:
• Create simpler authorization models for file-based resources
• Stop creating 1000s of groups to control access
• Classify files
• Control access to files based on AD attributes (claims)
• Deploy the access model

Defining the requirements
• Sales Consultants from the regional sales departments must have read/write access to their region's sales documents
• They are not allowed to access sales documents for other regions
• Sales Managers must have access to sales documents in all regions
• Sales documents with high business impact must only be viewable by Sales Managers
• The access model must be applied across multiple file servers in the Active Directory forest

A nice to have
• High impact documents should only be accessible from client machines that are managed by the Corp Sales department

How many different designs can you come up with?

Diagram (group-based design): folder tree Sales with subfolders UK, US, HI UK and HI US; resource groups Sales UK RW, Sales US RW, Sales HI UK RW and Sales HI US RW on the folders; role groups UK Sales, US Sales and Sales Managers.

How do we guarantee HI documents are placed in the correct folders?

Today's Challenges

Challenge: No way to tag files and apply authorization and auditing based on file type
Leads to: Creation of complex folder structures

Challenge: No way to create ACLs based on expressions
Leads to: Requires complex group structures; token bloat

Challenge: ACLs defined using groups
Leads to: Token bloat

Challenge: Device state not supported in authorization decisions
Leads to: No simple solution; server isolation using IPsec?

Windows 8 to the rescue…

Challenge: No way to tag files and apply authorization and auditing based on file type
Resolution: Files can be classified (tagged) and policies applied based on the file's classification

Challenge: No way to create ACLs based on expressions; requires complex group structures
Resolution: Expression-based access control and auditing

Challenge: ACLs defined using groups
Resolution: Expressions can contain groups, users, and user and device claims

Challenge: Device state not supported in authorization decisions
Resolution: Access based on compound ID (user and device claims)

And there's more
• Policies can be created centrally and deployed across multiple servers
• Auditing supports policy staging
• The proposed changes can be reviewed before applying them
• Automatic RMS protection of documents through classification (tagging)
• File retention policies
• Access denied remediation

Classification

Resource Classification

Step 1: Define resource properties
Step 2: Add properties to the property list
Step 3: Deploy to file servers (Windows 8 Server, file server role)
Step 4: Classify files and folders

Demo: Classifying files and folders
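The four classification steps above in PowerShell, as an added example that is not from the slides and not Microsoft sample code. It assumes a Windows Server 2012 domain (the released version of what the deck calls Windows 8 Server), the ActiveDirectory module where steps 1 and 2 run and the File Server Resource Manager role service on the file server for steps 3 and 4. The property IDs Country_MS and Impact_MS, the share path D:\Sales, the marker string "Business Impact: High" and the COM ProgID used for manual tagging are assumptions to check against your environment.

```powershell
# Added example: resource classification, steps 1-4 from the slides.
# Assumptions: property IDs Country_MS / Impact_MS, share path D:\Sales,
# Windows Server 2012 ActiveDirectory and FileServerResourceManager cmdlets.

# --- Steps 1 and 2: run where the ActiveDirectory module is available ---
Import-Module ActiveDirectory

# Step 1: define a "Country" resource property. Suggested values are
# (value, display name, description); IsSecured makes it usable in access rules.
$uk = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("UK", "UK", "United Kingdom")
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "US", "United States")
New-ADResourceProperty -DisplayName "Country" -ID "Country_MS" -IsSecured $true `
    -ResourcePropertyValueType MS-DS-MultivaluedChoice -SuggestedValues $uk, $us

# Windows ships a disabled "Impact" property (Impact_MS) whose stored values are
# 1000 = Low, 2000 = Moderate, 3000 = High; enable it rather than redefining it.
Set-ADResourceProperty -Identity "Impact_MS" -Enabled $true

# Step 2: put both properties in the list that file servers download.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Country_MS", "Impact_MS"

# --- Steps 3 and 4: run on each file server with the FSRM role service ---

# Step 3: pull the property definitions from AD into FSRM and confirm they arrived.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.Name -in @("Country_MS", "Impact_MS") } |
    Format-Table Name, DisplayName, Type

# Step 4a: folder-based tagging. Every file under D:\Sales\UK gets Country = UK
# (likewise for US), so a document's region follows the folder it lives in.
foreach ($region in "UK", "US") {
    New-FsrmClassificationRule -Name "Tag $region sales documents" `
        -Property "Country_MS" -PropertyValue $region `
        -Namespace "D:\Sales\$region" -ClassificationMechanism "Folder Classifier"
}

# Step 4b: content-based tagging. Files containing the marker string are tagged
# Impact = High (3000) wherever they sit; the access rules key off this tag, not the folder.
New-FsrmClassificationRule -Name "Tag high impact sales documents" `
    -Property "Impact_MS" -PropertyValue "3000" -Namespace "D:\Sales" `
    -ClassificationMechanism "Content Classifier" -ContentString "Business Impact: High"

# Run the classification now instead of waiting for the scheduled run.
Start-FsrmClassification -Confirm:$false

# Step 4c: manual tagging of one file through the FSRM classification manager
# COM object (ProgID, method and property-name form are assumptions to verify).
$mgr = New-Object -ComObject Fsrm.FsrmClassificationManager
$mgr.SetFileProperty("D:\Sales\UK\Q1-Forecast.docx", "Impact_MS", "3000")
```

Classifying by content (4b) rather than by folder is what answers the earlier question of how to guarantee high-impact documents end up in the right place: the tag travels with the file, so a document saved in the wrong folder is still treated as high impact.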

Defining access rules

Central Access Rules

Allow access if:
  User.Group Member of UK Sales
  AND Resource.Country Any of UK
  AND Resource.Impact Any of Mod/Low

Applying access rules

Step 1: Define Central Access Rules
Step 2: Add rules to a Central Access Policy
Step 3: Deploy to file servers (Windows 8 Server, file server role) using group policy
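Steps 1 to 3 in PowerShell, as an added example that is not from the deck and not Microsoft sample code. It encodes the two requirements from the start of the talk: regional consultants get Modify on Low or Moderate impact documents tagged with their region, and Sales Managers get Modify on documents of every region and impact. It assumes the resource properties Country_MS and Impact_MS (Impact values 1000/2000/3000 for Low/Moderate/High) are already in the Global Resource Property List and that groups named UK Sales, US Sales and Sales Managers exist; the rule and policy names are my own.

```powershell
# Added example: central access rules and a central access policy (slide steps 1-3).
# Assumptions: resource properties Country_MS and Impact_MS exist and are in the
# Global Resource Property List; groups UK Sales, US Sales and Sales Managers exist.
Import-Module ActiveDirectory

# Look the group SIDs up instead of hard-coding them; the rule ACL needs SID strings.
$sid = @{}
foreach ($g in "UK Sales", "US Sales", "Sales Managers") {
    $sid[$g] = (Get-ADGroup -Identity $g).SID.Value
}

# Every rule ACL starts with the owner (OW) and Administrators (BA) at full access,
# followed by the ACEs that express the requirement. 0x1301bf is the NTFS Modify mask.
$base = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)"

# Step 1: Central Access Rules.
# One rule per region. The -ResourceCondition scopes the rule to files tagged with that
# country AND Low/Moderate impact; inside that scope the region's group gets Modify.
# High-impact files fall outside the condition, so consultants never match them.
foreach ($region in "UK", "US") {
    $cond = "(@RESOURCE.Country_MS Any_of {`"$region`"}) && (@RESOURCE.Impact_MS Any_of {`"1000`",`"2000`"})"
    New-ADCentralAccessRule -Name "$region Sales consultants" `
        -ResourceCondition $cond `
        -CurrentAcl "${base}(A;;0x1301bf;;;$($sid[$region + ' Sales']))"
}

# Sales Managers: every tagged region, any impact (no Impact test in the condition).
New-ADCentralAccessRule -Name "Sales Managers all regions" `
    -ResourceCondition '(@RESOURCE.Country_MS Any_of {"UK","US"})' `
    -CurrentAcl "${base}(A;;0x1301bf;;;$($sid['Sales Managers']))"

# Step 2: group the rules into one Central Access Policy.
New-ADCentralAccessPolicy -Name "Sales documents"
Add-ADCentralAccessPolicyMember -Identity "Sales documents" `
    -Members "UK Sales consultants", "US Sales consultants", "Sales Managers all regions"

# Step 3: the CAP reaches file servers through a GPO (there is no cmdlet for this setting):
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   File System > Central Access Policy > Manage Central Access Policies
# linked to the OU holding the file servers. On a file server, after gpupdate /force,
# the policy appears in the Central Policy tab of Advanced Security Settings and is
# applied to D:\Sales there. Effective access is the intersection of share permissions,
# NTFS permissions and the CAP: the CAP can only narrow what NTFS grants, so NTFS on
# D:\Sales must still allow the sales groups in the first place.

# Check what was published before linking the GPO.
Get-ADCentralAccessPolicy -Filter * | Format-List Name, PolicyID, Members
Get-ADCentralAccessRule  -Filter * | Format-List Name, ResourceCondition, CurrentAcl
```

With this in place the four region/impact folders and their resource groups from the earlier diagram are no longer needed; the three role groups and two tags carry the whole model.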

It just got simpler!

Diagram: folder tree Sales with subfolders UK and US; groups UK Sales, US Sales and Sales Managers. Access is based on the Central Access Policy and on file and folder classification.

Demo: Defining and deploying access rules

File Classification Infrastructure

Classification Options

Classification options (Windows 8 Server, file server role):
• Manual
• File Classification Infrastructure: in-built classifier, or 3rd-party classifier plug-in
• Application

Demo: Automatic classification

Claims Based Access Control

Adding Claims to the Kerberos Token

Pre-Windows 8: the user's Kerberos token carries a PAC with the user's group memberships; authorization is based on group membership.

Windows 8 (compound ID): the PAC contains the user's groups and claims plus the device's groups and claims; authorization is based on group membership and on user and device claims.

Enabling CBAC
Step 1: Define user and device attributes to be presented as claims (claim types)
Step 2: Enable KDC support for CBAC via group policy
Step 3: Update the Central Access Policy to include claims
Step 4: Deploy the CAP to file servers (Windows 8 Server, file server role) using group policy
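Steps 1 to 4 in PowerShell, as an added example that is not from the deck and not Microsoft sample code. It builds the "no groups" version of the model: a user's Country, Title and Department and a computer's Department become claims, the rules test those claims instead of group SIDs, and the high-impact rule adds the device claim that delivers the "nice to have". Assumed: the resource properties Country_MS and Impact_MS from the classification step, a file server named FS01, the department value "Corp Sales" on managed client computers, the title "Sales Manager" on managers, and the claim IDs chosen here.

```powershell
# Added example: claims-based access control (slide steps 1-4).
# Assumptions: resource properties Country_MS and Impact_MS exist; file server FS01;
# managers carry title "Sales Manager"; managed clients carry department "Corp Sales".
Import-Module ActiveDirectory

# Step 1: claim types. At logon the KDC copies the source attribute of the user (or
# computer) into the PAC. Rules reference the claim by ID, so set the ID explicitly.
$uk = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("UK", "UK", "United Kingdom")
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("US", "US", "United States")
New-ADClaimType -DisplayName "Country" -ID "ad://ext/Country" -SourceAttribute "c" `
    -AppliesToClasses user -SuggestedValues $uk, $us
New-ADClaimType -DisplayName "Title" -ID "ad://ext/Title" -SourceAttribute "title" `
    -AppliesToClasses user
# The computer class inherits "department", so one claim type serves user and device.
New-ADClaimType -DisplayName "Department" -ID "ad://ext/Department" -SourceAttribute "department" `
    -AppliesToClasses user, computer

# Step 2: KDC and client support are Group Policy settings (Administrative Templates):
#   Domain controllers:       System > KDC > "KDC support for claims, compound
#                             authentication and Kerberos armoring" = Supported
#   Clients and file servers: System > Kerberos > "Kerberos client support for claims,
#                             compound authentication and Kerberos armoring" = Enabled
# Device claims only end up in a service ticket if the target computer account asks
# for compound identity:
Set-ADComputer -Identity "FS01" -CompoundIdentitySupported $true

# Step 3: rules built from claims. XA = conditional ACE; AU = Authenticated Users,
# narrowed by the expression; 0x1301bf = Modify. Claims are referenced by their ID.
$base = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)"

# Consultants: Low/Moderate documents whose Country tag contains the user's Country claim.
# A file with no Country tag makes the expression unknown, which is treated as deny.
New-ADCentralAccessRule -Name "Sales consultants (claims)" `
    -ResourceCondition '(@RESOURCE.Impact_MS Any_of {"1000","2000"})' `
    -CurrentAcl ($base + '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Department == "Sales") && (@USER.ad://ext/Country Any_of @RESOURCE.Country_MS)))')

# Managers: every Low/Moderate document in any region, from any machine.
New-ADCentralAccessRule -Name "Sales Managers standard (claims)" `
    -ResourceCondition '(@RESOURCE.Impact_MS Any_of {"1000","2000"})' `
    -CurrentAcl ($base + '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Title == "Sales Manager"))')

# Managers, high impact: the "nice to have". The device's Department claim must also
# match, which only a Windows 8 client presenting compound identity can satisfy.
New-ADCentralAccessRule -Name "Sales Managers high impact (claims)" `
    -ResourceCondition '(@RESOURCE.Impact_MS Any_of {"3000"})' `
    -CurrentAcl ($base + '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Title == "Sales Manager") && (@DEVICE.ad://ext/Department == "Corp Sales")))')

New-ADCentralAccessPolicy -Name "Sales documents (claims)"
Add-ADCentralAccessPolicyMember -Identity "Sales documents (claims)" `
    -Members "Sales consultants (claims)", "Sales Managers standard (claims)", "Sales Managers high impact (claims)"

# Step 4: publish the CAP with the File System > Central Access Policy GPO setting and
# apply it to D:\Sales on the file server (Central Policy tab), exactly as for group
# rules. On a client, after a fresh logon, the claims the KDC issued can be listed with:
#   whoami /claims
```

Once attributes drive access like this, the write permissions on c, title and department in AD are effectively access-control permissions on the sales documents; review who holds them before enabling the policy.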

And Simpler!

• No groups
• We even solved the "nice to have": high impact documents should only be accessible from client machines that are managed by the Corp Sales department

Diagram: folder tree Sales with subfolders UK and US. Access is based on the Central Access Policy, file and folder classification, and CBAC.

Demo: Claims based access control

Summary


• Think about your current management model for user and device attributes
• CBAC will map attributes to claims, making them security sensitive: whoever can write those attributes on a user or computer object can change what that user or device is allowed to access

Classification allows you to target policies for authorization, encryption and retention.

Access rules allow you to create rich authorization and auditing policies, and to simplify folder and group structures.

CBAC allows you to base authorization and auditing on user and device claims.

TechEd 2012
• I will be speaking at TechEd 2012
• Precon: Building Federated External Access for Microsoft SharePoint 2010
• Other breakouts

Consulting Services on Request

[email protected]

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

