Posted: 02-Nov-2014 | Category: Technology | Uploaded by: david-tesar
Windows Server 2012 Dynamic Access Control
David Tesar, Technical Evangelist, Microsoft (http://about.me/davidtesar)
Level: 300
Session objectives
Understand the new Dynamic Access Control (DAC) capabilities built into Windows Server 2012
Learn how to leverage DAC for data compliance and leakage prevention
Data management landscape
• Growth of users and data
• Distributed computing
• Regulatory and business compliance
• Budget constraints
Dynamic Access Control Building Blocks

Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relational operators

User and Device Claims
• User and computer attributes can be used in ACEs

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Expression-Based ACEs

Pre-2012: 'OR' of groups only
• Consider 100 countries * 10 divisions * 5 projects
• 5,000 total groups to represent every combination: ProjectZ UK Engineering Users, ProjectZ Canada Engineering Users, etc.

Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups to be combined with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• One group per country, division and project: ~115 groups (100 + 10 + 5) instead of 5,000

Windows Server 2012: with Central Access Policies & Classification
• 3 user claims (country, division, project) instead of groups; the combination lives in the access rule, not in group membership
Conditional Expression Operators
• Logical: AND, OR, NOT, Exists (for resource properties); see MS-DTYP for the processing rules
• Relational: ==, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, each with a negated Not_ form (Not_Member_of, Not_Any_of, Not_Contains, ...)
Expression-based access policy (example)
• User claims (issued from AD DS): User.Department = Finance; User.Clearance = High
• Device claims (issued from AD DS): Device.Department = Finance; Device.Managed = True
• Resource properties (classification on the file): Resource.Department = Finance; Resource.Impact = High
• Access policy, evaluated on the file server:
  Applies to: Resource.Impact = High
  Allow | Read, Write | if (User.Department = Resource.Department) AND (Device.Managed = True)
User and Device Claims

Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device

Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before, e.g. Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
How claims flow (slide diagram)
1. The AD admin enables the domain to issue claims and defines claim types in AD DS: claim type, display name, source (attribute), suggested values, value type.
2. The user (Contoso\Alice) attempts to log in; the Contoso DC issues a Kerberos ticket carrying the user, groups and claims (e.g. Title=SDE). The file server builds the NT access token from that ticket with the same user, groups and claims.
3. The user attempts to access a resource; the file server evaluates its expression-based ACLs against the user claims, and Access Denied Remediation applies when access is refused.
Demo: Let's review
• No conditional expressions
• Using groups with conditional expressions
• Using user claims
Data classification: identifying data
• Classify data based on location inheritance
• Classify data automatically
• Data Classification Toolkit

FCI (File Classification Infrastructure), released in Windows Server 2008 R2
• Classified based on rules run on a specified schedule
• Not continuous
• Not usable for access control
• No UI for manual classification
Data Classification
Classify your documents using resource properties stored in Active Directory.
Automatically classify documents based on document content.
Business Needs → Storage Results
• Retain contract data for 10 years
• Need per-project share
• Ensure that business-secret files do not leak out

Business needs can start simple, but adding policies can fragment the storage infrastructure. Complexity increases the chances of ineffective policies and prevents insight into business data, and lack of insight into your data means that you cannot manage your costs and risks.
Manage Data Based On Business Value
Step 1: Classify data
Step 2: Apply policy according to classification
How can you classify information?

Location based
• Based on the folder the file is created in
• Driven by the "business owner" who sets up the folder

Manual
• Specified by the information worker
• Templates of documents can be used for default settings
• Data-entry applications that mark files created by users

Automatic classification
• Automatic classification based on content and other characteristics
• Great solution for classifying large amounts of existing information

Application
• Line-of-business applications that store information on file servers
• Data management applications
Summary: Classify and Apply policy

Area | Windows Server 2008 R2 | Windows Server 2012 / Windows 8
Property definition | Local | Global to the forest (including default recommended definitions)
Who can classify files | Administrators only | Administrators, business owners and users
Manual classification | No UI | Classification UI added in Explorer
What can be classified | Files | Folders and files
When classification and file management tasks run | Schedule | Schedule and continuous
In-box classification mechanisms | Content, location | Content (improved), location, PowerShell
In-box file management tasks | Expiration, custom | Expiration, custom, RMS
What happens when data leaves the file server?

Automatic Rights Management encryption
• Automatically protect your sensitive information
• Adhere to compliance regulations that require data encryption
• Automatic RMS encryption based on document classification

Demo: Data Classification, AD RMS
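The "classify automatically, then protect" path above, written out as an added example (not code from the deck): an FSRM content rule tags files matching a pattern with Impact = High, classification is switched to continuous, and a file management job applies an AD RMS template to anything classified Impact = High. Everything the deck does not name is an assumption: the share path D:\Finance, that the Impact_MS resource property has already been published from AD through the Global Resource Property List, an AD RMS template called 'Contoso Confidential', and the nine-digit pattern, which stands in for a real sensitive-data detector and will false-positive on its own.

```powershell
# Added example, not from the deck. Windows Server 2012 file server, run as Administrator.
# Assumptions: share D:\Finance; Impact_MS published from AD; RMS template 'Contoso Confidential';
# the regular expression is a placeholder detector, not a production PII classifier.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

$namespace = 'D:\Finance'

# 1. Content classifier: any file under the namespace whose text matches the pattern
#    gets Impact_MS = High. Overwrite keeps the rule's value authoritative on re-scan
#    instead of aggregating it with whatever a user set manually.
New-FsrmClassificationRule -Name 'Tag statements as High impact' `
    -Namespace $namespace `
    -Property 'Impact_MS' -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression '\b\d{3}-\d{2}-\d{4}\b' `
    -ReevaluateProperty Overwrite

# 2. Continuous classification: new and modified files are evaluated as they change,
#    not only on the scheduled run (the 2008 R2 FCI limitation from the earlier slide).
Set-FsrmClassification -Continuous

# 3. File management job: apply the RMS template whenever Impact_MS == High, also
#    continuously, so a file is protected shortly after it is classified.
$rmsAction  = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Confidential'
$highImpact = New-FsrmFmjCondition -Property 'Impact_MS' -Condition Equal -Value 'High'
New-FsrmFileManagementJob -Name 'RMS-protect High impact files' `
    -Namespace $namespace -Action $rmsAction -Condition $highImpact -Continuous

# 4. One full pass over existing data; from here on the continuous mode takes over.
Start-FsrmClassification
```

Continuous classification and continuous file management jobs both react to change notifications, so they do not replace the scheduled full scan; keep a schedule as well for files that were modified while FSRM was not running. Test the rule against a copy of the data first: the file management job encrypts whatever the classifier tags, and a loose pattern will lock up files that have nothing to do with the compliance requirement.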
How do I deploy expression-based access control across my servers?

1. Define Central Access Rules (CARs)
2. Define Central Access Policies (CAPs)
3. Apply CAPs on file servers

Central Access Policies are defined in Active Directory and applied to folders on the corporate file servers (Finance folders, User folders):
• Standard organization policy: High Impact rule, Personal Information rule
• Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule

High Impact Data rule
  Applies to: Resource.Impact == High
  Access conditions: User.Clearance = High AND Device.IsManaged = True

Personal Information rule
  Applies to: Resource.PII == True
  Access conditions: Allow MemberOf(PIIAdministrators, Owner)

"Information wall" rule
  Applies to: Exists Resource.Department
  Access conditions: User.Department any_of Resource.Department
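Steps 1 and 2 above, and the "MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)" expression from the Expression-Based ACEs slide, as an added example (not code from the deck) using the ActiveDirectory module on a Windows Server 2012 domain controller. The conditions are written in the SDDL conditional-ACE syntax defined in MS-DTYP. Everything the deck does not name is an assumption: the claim IDs (fixed with -ID so they are predictable inside SDDL), the source attributes extensionAttribute1/2 (Exchange schema; substitute any string attribute your schema has on user and computer objects), the group names, and the use of the built-in Impact_MS, PII_MS and Department_MS resource properties.

```powershell
# Added example, not from the deck. Run as a Domain Admin on a WS2012 DC or RSAT host.
# Assumptions: claim IDs ad://ext/Clearance, ad://ext/Department, ad://ext/Managed;
# source attributes extensionAttribute1 (user) and extensionAttribute2 (computer);
# groups PIIAdministrators, ProjectZ, UK, Engineering; built-in *_MS resource properties.
Import-Module ActiveDirectory

# --- 1. Claim types: attributes the KDC copies into the Kerberos ticket ------------
$clearance = 'Low', 'Medium', 'High' | ForEach-Object {
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "$_ clearance")
}
New-ADClaimType -DisplayName 'Clearance'  -ID 'ad://ext/Clearance'  -AppliesToClasses user `
    -SourceAttribute extensionAttribute1 -SuggestedValues $clearance -Enabled $true
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' -AppliesToClasses user `
    -SourceAttribute department -Enabled $true
New-ADClaimType -DisplayName 'Managed'    -ID 'ad://ext/Managed'    -AppliesToClasses computer `
    -SourceAttribute extensionAttribute2 -Enabled $true   # device claim; "True"/"False" as strings

# --- 2. Resource properties: enable the built-ins and publish them to file servers --
foreach ($rp in 'Impact_MS', 'PII_MS', 'Department_MS') {
    Set-ADResourceProperty -Identity $rp -Enabled $true
    Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $rp
}

# --- 3. Central Access Rules -------------------------------------------------------
# Owner Rights, Administrators and SYSTEM keep Full Control in every rule; the XA
# (callback/conditional) ACE grants 0x1301BF (Modify) to Authenticated Users only
# while the condition in {0} evaluates true.
$base          = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)'
$grantModifyIf = '(XA;;0x1301BF;;;AU;{0})'

function Get-GroupSid([string]$Name) { (Get-ADGroup -Identity $Name).SID.Value }

# Builds "((Member_of {SID(a)}) && (Member_of {SID(b)}) && ...)": the deck's AND of groups.
function New-AllGroupsCondition([string[]]$Groups) {
    '(' + (($Groups | ForEach-Object { '(Member_of {SID(' + (Get-GroupSid $_) + ')})' }) -join ' && ') + ')'
}

New-ADCentralAccessRule -Name 'High Impact Data rule' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl ($base + ($grantModifyIf -f '((@USER.ad://ext/Clearance == "High") && (@DEVICE.ad://ext/Managed == "True"))'))

# Owner is already covered by the OW ACE in $base; add the PII administrators group.
New-ADCentralAccessRule -Name 'Personal Information rule' `
    -ResourceCondition '(@RESOURCE.PII_MS == "True")' `
    -CurrentAcl ($base + '(A;;FA;;;' + (Get-GroupSid 'PIIAdministrators') + ')')

New-ADCentralAccessRule -Name 'Information wall rule' `
    -ResourceCondition '(Exists @RESOURCE.Department_MS)' `
    -CurrentAcl ($base + ($grantModifyIf -f '(@USER.ad://ext/Department Any_of @RESOURCE.Department_MS)'))

# No resource condition: applies to every file under a folder that carries the policy.
New-ADCentralAccessRule -Name 'ProjectZ UK Engineering rule' `
    -CurrentAcl ($base + ($grantModifyIf -f (New-AllGroupsCondition 'ProjectZ', 'UK', 'Engineering')))

# --- 4. Central Access Policies ----------------------------------------------------
New-ADCentralAccessPolicy -Name 'Standard organization policy'
Add-ADCentralAccessPolicyMember -Identity 'Standard organization policy' `
    -Members 'High Impact Data rule', 'Personal Information rule'

New-ADCentralAccessPolicy -Name 'Finance department policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance department policy' `
    -Members 'High Impact Data rule', 'Personal Information rule', 'Information wall rule'

Get-ADCentralAccessPolicy -Filter * | Select-Object Name, Members
```

Step 3 is not an ActiveDirectory cmdlet: publish the policies to the file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy), then pick the policy on the folder under Advanced Security Settings > Central Policy. Claims only appear in tickets once "KDC support for claims, compound authentication and Kerberos armoring" is enabled on the DCs and the matching Kerberos client setting on the clients; until then the @USER and @DEVICE conditions evaluate as unknown and the conditional ACEs grant nothing, which is the safe failure mode but worth knowing when troubleshooting.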
File access without Central Access Policy: access control decision = share permissions + NTFS permissions
File access with Central Access Policy: access control decision = share permissions + NTFS permissions + Central Access Policy
How Access Check Works
• The file/folder security descriptor carries the NTFS permissions and a Central Access Policy reference.
• The share security descriptor carries the share permissions.
• The Central Access Policy definition and its Central Access Rules come from Active Directory and are cached in the file server's local registry.

Access control decision:
1) Access check against share permissions, if applicable
2) Access check against file permissions
3) Access check against every matching Central Access Rule in the Central Access Policy
Example: Effective Access
Classifications on the file being accessed: Department = Engineering; Sensitivity = High

Permission Type | Target Files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE
Share | | Everyone: Full | Full | Full | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify, Everyone: Read | Modify | Modify | Read
Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify
Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored, not processed] | [rule ignored, not processed] | [rule ignored, not processed]
NTFS | | FTE: Modify, Vendors: Read | Modify | Read | Modify
Effective Rights | | | Modify | None | Read
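The combination the table illustrates, as an added example (not code from the deck): a small PowerShell model of how the access check intersects share permissions, NTFS permissions and every Central Access Rule whose resource condition matches the file's classification, fed with the deck's sample data. Rights are a bitmask so that "every check must grant it" becomes a bitwise AND; the Read/Modify/Full names are simplified stand-ins for the real file access mask, and this is a teaching model, not the kernel's implementation.

```powershell
# Added example, not from the deck: model of share AND NTFS AND each applicable CAR.
$R = @{ None = 0; Read = 1; Write = 2; Delete = 4; ChangePermissions = 8 }
$R.Modify = $R.Read -bor $R.Write -bor $R.Delete
$R.Full   = $R.Modify -bor $R.ChangePermissions

# Union of everything one ACL grants to the principal's groups (Everyone always matches).
function Get-GrantedMask([hashtable]$Acl, [string[]]$Groups) {
    $mask = 0
    foreach ($entry in $Acl.GetEnumerator()) {
        if ($entry.Key -eq 'Everyone' -or $Groups -contains $entry.Key) { $mask = $mask -bor $R[$entry.Value] }
    }
    $mask
}

# A rule is processed only when every resource-property condition matches the file.
function Test-RuleApplies([hashtable]$AppliesTo, [hashtable]$FileProps) {
    foreach ($k in $AppliesTo.Keys) { if ($FileProps[$k] -ne $AppliesTo[$k]) { return $false } }
    $true
}

function Get-EffectiveAccess([string[]]$Groups, [hashtable]$Share, [hashtable]$Ntfs, [object[]]$Rules, [hashtable]$FileProps) {
    # 1) share, 2) NTFS, 3) each matching CAR: anything one of them withholds is gone.
    $mask = (Get-GrantedMask $Share $Groups) -band (Get-GrantedMask $Ntfs $Groups)
    foreach ($rule in $Rules) {
        if (Test-RuleApplies $rule.AppliesTo $FileProps) {
            $mask = $mask -band (Get-GrantedMask $rule.Acl $Groups)
        }   # else: rule ignored, not processed
    }
    if     ($mask -eq $R.Full)   { 'Full' }
    elseif ($mask -eq $R.Modify) { 'Modify' }
    elseif ($mask -eq $R.Read)   { 'Read' }
    elseif ($mask -eq 0)         { 'None' }
    else                         { '0x{0:X}' -f $mask }
}

# Sample data from the deck, constructed here as hashtables (principal -> right).
$share = @{ Everyone = 'Full' }
$ntfs  = @{ FTE = 'Modify'; Vendors = 'Read' }
$rules = @(
    @{ Name = 'Engineering Docs'; AppliesTo = @{ Department = 'Engineering' }; Acl = @{ Engineering = 'Modify'; Everyone = 'Read' } }
    @{ Name = 'Sensitive Data';   AppliesTo = @{ Sensitivity = 'High' };       Acl = @{ FTE = 'Modify' } }
    @{ Name = 'Sales Docs';       AppliesTo = @{ Department = 'Sales' };       Acl = @{ Sales = 'Modify' } }
)
$file = @{ Department = 'Engineering'; Sensitivity = 'High' }

$principals = [ordered]@{
    'Engineering FTE'    = 'Engineering', 'FTE'
    'Engineering Vendor' = 'Engineering', 'Vendors'
    'Sales FTE'          = 'Sales', 'FTE'
}
foreach ($p in $principals.GetEnumerator()) {
    '{0,-20} {1}' -f $p.Key, (Get-EffectiveAccess -Groups $p.Value -Share $share -Ntfs $ntfs -Rules $rules -FileProps $file)
}
```

With the deck's data the model reproduces the table's last row: the Engineering FTE keeps Modify, the Engineering Vendor is left with nothing because the Sensitive Data rule grants vendors no rights at all, and the Sales FTE is capped at Read by the Everyone: Read grant in the Engineering Docs rule. Changing the file's Sensitivity to anything but High skips Rule 2 and the vendor's access reappears, which is exactly why classification accuracy is part of the security boundary once CARs key on it.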
Demo
• Country-based central access rule
• Central Access Policy with user claims
How does this help me if I have to do an audit?

The audit challenge: data compliance challenges
• Compliance and forensic analysis
• Difficult to control audit volume
• Inadequate support for managing audit policies centrally
• Difficult to sift through audit noise to get to relevant data

Expression-based auditing
• Limit auditing to data that meets specific classification criteria
• Limit auditing by action and by identity
• Add contextual information into the audit events
• Targeted access auditing based on document classification and user identity
• Centralized deployment of audit policies using Global Audit Policies
Audit event with contextual information (Security log, event ID 4663)

An attempt was made to access an object.
Subject:
    Security ID: CONTOSODOM\alice
    Account Name: alice
    Account Domain: CONTOSODOM
    Logon ID: 0x3e7
Object:
    Object Server: Security
    Object Type: File
    Handle ID: 0x8e4
    Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
    Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
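The contextual information in that event is only useful if something reads it, so here is an added example (not code from the deck) that parses the Resource Attributes field of a 4663 event into structured objects and flags accesses to files classified PII = High. The event text is the deck's sample, embedded as a constructed string; the RA ACE layout follows the SDDL form of SYSTEM_RESOURCE_ATTRIBUTE_ACE in MS-DTYP. The "PII = High" match and the attribute display name are assumptions taken from this sample; adjust them to the properties your forest publishes.

```powershell
# Added example, not from the deck. The sample below is the slide's event, constructed here.
$sampleMessage = @'
An attempt was made to access an object.
Subject:
    Security ID: CONTOSODOM\alice
    Account Name: alice
    Account Domain: CONTOSODOM
    Logon ID: 0x3e7
Object:
    Object Server: Security
    Object Type: File
    Handle ID: 0x8e4
    Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
    Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
'@

function Get-ResourceAttribute {
    # One object per RA ACE: (RA;<flags>;;;;<sid>;("<name>",<type>,<attr-flags>,<v1>[,<v2>...]))
    param([Parameter(Mandatory)][string]$Message)
    $text = $Message -replace '[\u201C\u201D]', '"'          # straighten curly quotes from copy/paste
    $sddl = [regex]::Match($text, 'Resource Attributes:\s*(?<sddl>S:.+)')   # to end of line; names may contain spaces
    if (-not $sddl.Success) { return }
    foreach ($ace in [regex]::Matches($sddl.Groups['sddl'].Value, '\(RA;(?<flags>[^;]*);;;;(?<sid>[^;]*);\((?<body>.*?)\)\)')) {
        # Tokenise the body: quoted strings keep embedded commas, bare tokens split on commas.
        $tokens = @([regex]::Matches($ace.Groups['body'].Value, '"(?<q>[^"]*)"|(?<u>[^,]+)') |
            ForEach-Object { if ($_.Groups['q'].Success) { $_.Groups['q'].Value } else { $_.Groups['u'].Value } })
        [pscustomobject]@{
            Name   = $tokens[0]       # display name, or a property ID with its generated suffix (Department_23AFE)
            Type   = $tokens[1]       # TS string, TU uint64, TI int64, TD SID, TB boolean, TX octet string
            Flags  = $tokens[2]
            Values = @($tokens | Select-Object -Skip 3)
            Sid    = $ace.Groups['sid'].Value   # WD = Everyone: the attribute is readable by all callers
        }
    }
}

function Test-SensitiveAccess {
    # $true when the event touches a file classified PII = High (names assumed from the sample).
    param([Parameter(Mandatory)][string]$Message)
    $hit = Get-ResourceAttribute -Message $Message |
        Where-Object { $_.Name -eq 'Personally Identifiable Information' -and $_.Values -contains 'High' }
    [bool]$hit
}

$who  = [regex]::Match($sampleMessage, 'Security ID:\s*(\S+)').Groups[1].Value
$what = [regex]::Match($sampleMessage, 'Object Name:\s*(.+)').Groups[1].Value.Trim()
Get-ResourceAttribute -Message $sampleMessage | Format-Table Name, Type, Values -AutoSize
if (Test-SensitiveAccess -Message $sampleMessage) { "ALERT: $who accessed PII/High file $what" }
```

Against a live server the same functions run over `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | Where-Object { Test-SensitiveAccess $_.Message }`. The point of the parse is the deck's "audit noise" problem: with classification in the event you filter on what the file is, not on where it sits, and a folder move or rename no longer breaks the query.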
Incrementally add capabilities

Current infrastructure

Windows Server 2012 file servers
• Access and audit policies based on security groups and file tagging
• Classify information and apply RMS policies

Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
• Additional classification options

Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
• Additional classification options

Partner solutions and line-of-business applications
In summary
Reduce group complexity
Simplify access control
Implement effective access control
Protect your data when it leaves the server
Related Content and Resources
• SIA 207: Windows Server 2012 Dynamic Access Control Overview
• SIA 341: Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
• SIA 316: Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
• SIA21-HOL: Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
• Edge Show, weekly technical videos and news for IT Pros: http://edge.technet.com
• TechEd 2012 sessions: http://channel9.msdn.com/Events/TechEd