Windows server 2012 dynamic access control tech mentor

Date post: 02-Nov-2014
Upload: david-tesar
Description:
Presentation I gave at TechMentor conference 8/21/2012 on Dynamic Access Control included in Windows Server 2012.
Transcript
Page 1: Windows server 2012 dynamic access control   tech mentor

Windows Server 2012: Dynamic Access Control

David Tesar, Technical Evangelist, Microsoft, http://about.me/davidtesar

Level: 300

Page 2: Windows server 2012 dynamic access control   tech mentor

Session objectives

Understand the new Dynamic Access Control (DAC) capabilities built into Windows Server 2012

Learn how to leverage DAC for data compliance and leakage prevention

Page 3: Windows server 2012 dynamic access control   tech mentor

Data management landscape

Growth of users and data

Distributed computing

Regulatory and business compliance

Budget constraints

Page 4: Windows server 2012 dynamic access control   tech mentor

Dynamic Access Control Building Blocks

Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relational operators

User and Device Claims
• User and computer attributes can be used in ACEs

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins

Page 5: Windows server 2012 dynamic access control   tech mentor

Expression-Based ACEs

Pre-2012: ‘OR’ of groups only
• Consider 100 countries * 10 divisions * 5 projects
• 5,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]

Windows Server 2012: ‘AND’ in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• ~60 groups instead of 5,000

Windows Server 2012: with Central Access Policies & Classification
• 3 User Claims

Page 6: Windows server 2012 dynamic access control   tech mentor

Conditional Expression Operators

Logical: AND, OR, NOT, Exists (resource properties)
– See MS-DTYP for processing rules

Relational: =, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, NOT*

Page 7: Windows server 2012 dynamic access control   tech mentor

Expression-based access policy

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

ACCESS POLICY
Applies to: Resource.Impact = High
Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)

Figure components: AD DS, File Server

Page 8: Windows server 2012 dynamic access control   tech mentor

User and Device Claims

Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user’s group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of user’s device

Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren’t possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

Page 9: Windows server 2012 dynamic access control   tech mentor

Claims flow (figure)

Contoso DC: AD admin enables the domain to issue claims and defines claim types (Claim type, Display Name, Source, Suggested values, Value type)

1. User attempts to log in
2. Receives a Kerberos ticket: Contoso\Alice; User; Groups: …; Claims: Title=SDE
3. Attempts to access a resource on the File Server; NT Access Token: Contoso\Alice; User; Groups: …; Claims: Title=SDE

Page 10: Windows server 2012 dynamic access control   tech mentor

Expression based ACLs

Access Denied Remediation

User Claims

Page 11: Windows server 2012 dynamic access control   tech mentor

Let’s review

No conditional expressions

Using groups with conditional expressions

Using user claims

Page 12: Windows server 2012 dynamic access control   tech mentor

Data classification – identifying data
• Classify data based on location inheritance
• Classify data automatically
• Data Classification Toolkit

FCI released in WS08R2
• Classified based on rules run at specified schedules
• Not continuous
• Not for access control
• No UI for manual classification

Data Classification

Classify your documents using resource properties stored in Active Directory.

Automatically classify documents based on document content.

Page 13: Windows server 2012 dynamic access control   tech mentor

Business Needs → Storage Results

Retain contract data for 10 years

Need per-project share

Ensure that business-secret files do not leak out

Complexity increases the chances of ineffective policies and prevents insight into business data

Business needs can start simple

But adding policies can fragment the storage infrastructure

Page 14: Windows server 2012 dynamic access control   tech mentor

Lack of insight into your data means that you cannot manage your costs and risks

Page 15: Windows server 2012 dynamic access control   tech mentor

Manage Data Based On Business Value

Step 1: Classify data

Step 2: Apply policy according to classification

Page 16: Windows server 2012 dynamic access control   tech mentor

How can you classify information?

Location based
• Based on the folder the file is created in
• Driven by “business owner” that sets up the folder

Manual
• Specified by information worker
• Templates of documents can be used for default settings
• Data entry applications that mark files created by users

Automatic classification
• Automatic classification based on content and other characteristics
• Great solution for classifying large amounts of existing information

Application
• Line of business applications that store information on file servers
• Data management applications

Page 17: Windows server 2012 dynamic access control   tech mentor

Summary – Classify and Apply policy

Area | Windows Server 2008 R2 | Windows Server 2012/Windows 8
Property definition | Local | Global to the forest (including default recommended definitions)
Who can classify files | Administrator only | Administrators, business owners and users
Manual classification | No UI | Classification UI added in Explorer
What can be classified | Files | Folders and files
When classification and file management tasks are done | Schedule | Schedule and continuous
In-box classification mechanisms | Content, location | Content (improved), location, PowerShell
In-box file management tasks | Expiration, custom | Expiration, custom, RMS

Page 18: Windows server 2012 dynamic access control   tech mentor

What happens when data leaves the file server?

Page 19: Windows server 2012 dynamic access control   tech mentor

Automatic Rights Management encryption

Automatically protect your sensitive information

Adhere to compliance regulations that require data encryption

Automatic RMS encryption based on document classification.

Encryption

Page 20: Windows server 2012 dynamic access control   tech mentor

demo

Data Classification; AD RMS

Page 21: Windows server 2012 dynamic access control   tech mentor

How do I deploy Expression based Access Control across my servers?

Page 22: Windows server 2012 dynamic access control   tech mentor

Active Directory: Central Access Policy

1. Define Central Access Rules (CARs)
2. Define Central Access Policies (CAPs)
3. Apply CAPs on File Servers

Central Access Policies:
• Standard organization policy: High Impact rule, Personal Information rule
• Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule

Central Access Rules:
• High Impact Data rule
  Applies To: Resource.Impact == High
  Access conditions: User.Clearance = High AND Device.IsManaged = True
• Personal Information rule
  Applies To: Resource.PII == True
  Access conditions: Allow MemberOf(PIIAdministrators, Owner)
• “Information wall” rule
  Applies To: Exists Resource.Department
  Access conditions: User.Department any_of Resource.Department

Corporate file servers: Finance folders, User folders
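Steps 1 to 3 above, written out as an added example that is not part of the deck: the claim types from slide 9, the resource properties, two of slide 22's rules and the "Finance department policy", created with the ActiveDirectory and FileServerResourceManager PowerShell modules that ship with Windows Server 2012. Every identifier (the ad://ext/… claim IDs, the *_Contoso property IDs, the rule and policy names, D:\Finance) is an assumption for this example. The High Impact rule is simplified to a single EmployeeType claim sourced from the employeeType attribute (slide 8's example), rather than the Clearance and device-managed conditions the slide shows. The conditions use the MS-DTYP SDDL syntax referenced on slide 6.

```powershell
# Added example, not the deck's own code. Run the AD part on a Windows Server 2012 DC
# and the FSRM part on the file server. All names and IDs below are assumptions.
Import-Module ActiveDirectory

# --- Slide 9: claim types. The source attribute's value is carried in the Kerberos ticket. ---
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user", "computer") -Enabled $true
New-ADClaimType -DisplayName "EmployeeType" -SourceAttribute "employeeType" `
    -ID "ad://ext/EmployeeType" -AppliesToClasses @("user") -Enabled $true

# --- Resource properties the file server stamps onto files and folders. ---
# Department shares its values with the user claim so User.Department and
# Resource.Department can be compared directly (slide 7).
New-ADResourceProperty -DisplayName "Department" -ID "Department_Contoso" `
    -SharesValuesWith "ad://ext/Department" -IsSecured $true
New-ADResourceProperty -DisplayName "Impact" -ID "Impact_Contoso" `
    -ResourcePropertyValueType "MS-DS-OrderedList" -IsSecured $true `
    -SuggestedValues @(
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High business impact")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low",  "Low",  "Low business impact")))
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_Contoso", "Impact_Contoso"

# --- Slide 22, step 1: Central Access Rules. ---
# Information wall: applies wherever Department is set; the user's Department claim
# must be one of the resource's Department values. 0x1301bf = Modify.
New-ADCentralAccessRule -Name "Information wall rule" `
    -ResourceCondition '(Exists @RESOURCE.Department_Contoso)' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department Any_of @RESOURCE.Department_Contoso))'

# High Impact Data (simplified): only full-time employees get Read & Execute (0x1200a9)
# on files classified Impact = High.
New-ADCentralAccessRule -Name "High Impact Data rule" `
    -ResourceCondition '(@RESOURCE.Impact_Contoso == "High")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/EmployeeType == "FTE"))'

# --- Step 2: a Central Access Policy is the set of rules a file server evaluates. ---
New-ADCentralAccessPolicy -Name "Finance department policy"
Add-ADCentralAccessPolicyMember -Identity "Finance department policy" `
    -Members "Information wall rule", "High Impact Data rule"

# --- Step 3, on the file server: pull the property definitions into FSRM and
#     classify everything under D:\Finance as Department = Finance by location (slide 16). ---
Update-FSRMClassificationPropertyDefinition
New-FsrmClassificationRule -Name "Finance folder" -Property "Department_Contoso" `
    -PropertyValue "Finance" -ClassificationMechanism "Folder Classifier" `
    -Namespace @("D:\Finance") -ReevaluateProperty Overwrite
Start-FsrmClassification
```

Two Group Policy settings sit between these commands and a working check: the domain controllers must be allowed to issue claims (the "KDC support for claims, compound authentication and Kerberos armoring" setting), and the CAP must be published to the file servers through Group Policy before it can be selected on a folder's Security > Central Policy tab. Until a folder references the CAP, the rules above are defined but not enforced.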

Page 23: Windows server 2012 dynamic access control   tech mentor

File Access without Central Access Policy

File Access → Share Permissions → NTFS Permissions → Access Control Decision

Page 24: Windows server 2012 dynamic access control   tech mentor

File Access with Central Access Policy

File Access → Share Permissions → NTFS Permissions → Central Access Policy → Access Control Decision

Page 25: Windows server 2012 dynamic access control   tech mentor

How Access Check Works

Share security descriptor: Share Permissions

File/Folder security descriptor: NTFS Permissions; Central Access Policy Reference

Active Directory (cached in local Registry): Cached Central Access Policy Definition → Cached Central Access Rules

Access Control Decision:
1) Access Check – Share permissions, if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in the Central Access Policy

Page 26: Windows server 2012 dynamic access control   tech mentor

Example: Effective Access

Classifications on file being accessed: Department = Engineering; Sensitivity = High

Permission type | Target files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE
Share | | Everyone: Full | Full | Full | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read
Central Access Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify
Central Access Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed]
NTFS | | FTE: Modify; Vendors: Read | Modify | Read | Modify
Effective rights | | | Modify | None | Read
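The three-stage check on slide 25 and the effective-rights table on slide 26, as an added example that is not part of the deck. It is a model, not Windows' AccessCheck: rights are collapsed to the four nested levels the slide uses (Full includes Modify includes Read), so intersecting the stages is just taking the minimum, and each ACE principal is written as a group or claim test. The principal, rule and file data are constructed from slide 26; the function and variable names are this example's own.

```powershell
# Added example, not the deck's own code: models the access check of slides 25-26.
# Levels are nested (Full > Modify > Read > None), so the intersection of two
# results is the minimum. Real NTFS masks are bit sets and deny ACEs exist; this
# shows only the evaluation order and the "non-matching rule is ignored" behaviour.
$Level     = @{ None = 0; Read = 1; Modify = 2; Full = 3 }
$LevelName = @{ 0 = 'None'; 1 = 'Read'; 2 = 'Modify'; 3 = 'Full' }

function Get-AceGrant {
    # Highest right any allow ACE in the list grants to the principal.
    param($Aces, $Principal)
    $best = 0
    foreach ($ace in $Aces) {
        if (& $ace.Match $Principal) { $best = [Math]::Max($best, $Level[$ace.Right]) }
    }
    return $best
}

function Get-EffectiveAccess {
    param($ShareAces, $NtfsAces, $Policy, $Resource, $Principal)
    # 1) share permissions, 2) NTFS permissions: each stage can only narrow the result.
    $result = [Math]::Min((Get-AceGrant $ShareAces $Principal), (Get-AceGrant $NtfsAces $Principal))
    # 3) every Central Access Rule whose Applies-To condition matches the file's
    #    classification. A rule that does not match is skipped, not treated as deny.
    foreach ($rule in $Policy) {
        if (-not (& $rule.AppliesTo $Resource)) { continue }
        $result = [Math]::Min($result, (Get-AceGrant $rule.Aces $Principal))
    }
    return $LevelName[$result]
}

# Slide 26's permissions (constructed), each ACE principal as a group or claim test.
$Share = @( @{ Right = 'Full';   Match = { param($p) $true } } )                          # Everyone: Full
$Ntfs  = @( @{ Right = 'Modify'; Match = { param($p) $p.EmployeeType -eq 'FTE' } },       # FTE: Modify
            @{ Right = 'Read';   Match = { param($p) $p.EmployeeType -eq 'Vendor' } } )   # Vendors: Read
$Policy = @(
    @{ Name = 'Rule 1: Engineering Docs'
       AppliesTo = { param($r) $r.Department -eq 'Engineering' }
       Aces = @( @{ Right = 'Modify'; Match = { param($p) $p.Groups -contains 'Engineering' } },
                 @{ Right = 'Read';   Match = { param($p) $true } } ) },
    @{ Name = 'Rule 2: Sensitive Data'
       AppliesTo = { param($r) $r.Sensitivity -eq 'High' }
       Aces = @( @{ Right = 'Modify'; Match = { param($p) $p.EmployeeType -eq 'FTE' } } ) },
    @{ Name = 'Rule 3: Sales Docs'
       AppliesTo = { param($r) $r.Department -eq 'Sales' }
       Aces = @( @{ Right = 'Modify'; Match = { param($p) $p.Groups -contains 'Sales' } } ) }
)
# Classification on the file being accessed (slide 26).
$File = @{ Department = 'Engineering'; Sensitivity = 'High' }

$Principals = @(
    @{ Name = 'Engineering FTE';    Groups = @('Engineering'); EmployeeType = 'FTE' },
    @{ Name = 'Engineering Vendor'; Groups = @('Engineering'); EmployeeType = 'Vendor' },
    @{ Name = 'Sales FTE';          Groups = @('Sales');       EmployeeType = 'FTE' }
)
foreach ($p in $Principals) {
    '{0,-18} {1}' -f $p.Name, (Get-EffectiveAccess $Share $Ntfs $Policy $File $p)
}
```

Tracing the vendor through the function shows why the table ends in None: share and NTFS leave Read, Rule 1 leaves Read, and Rule 2 (which applies because Sensitivity is High) grants the vendor nothing, so the minimum drops to None. Rule 3 never runs because its Applies-To condition (Dept=Sales) is false for this file; a CAR only narrows access on the data it is scoped to.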

Page 27: Windows server 2012 dynamic access control   tech mentor

demo

Country based central access rule

Central Access Policy with user claims

Page 28: Windows server 2012 dynamic access control   tech mentor

How does this help me if I have to do an audit?

Page 29: Windows server 2012 dynamic access control   tech mentor

The audit challenge

Compliance and forensic analysis

Difficult to control audit volume

Inadequate support for managing audit policies centrally

Difficult to sift through audit noise to get to relevant data

Data Compliance Challenges

Page 30: Windows server 2012 dynamic access control   tech mentor

Expression based auditing

Limit auditing to data that meets specific classification criteria.

Limit auditing by action and by identity.

Add contextual information into the audit events.

Targeted access auditing based on document classification and user identity.

Centralized deployment of audit policies using Global Audit Policies.

Page 31: Windows server 2012 dynamic access control   tech mentor

Audit event with contextual information

An attempt was made to access an object.

Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
  Logon ID: 0x3e7

Object:
  Object Server: Security
  Object Type: File
  Handle ID: 0x8e4
  Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
  Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
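The contextual information above is what makes the audit volume manageable on the analysis side: the classification travels inside the event, so a reviewer can filter by what the data is rather than by where it lives. As an added example that is not part of the deck, the following parses the Resource Attributes field (the RA ACEs of the SACL, in the MS-DTYP SDDL form `(RA;flags;;;;SID;("name",type,attr_flags,value[,value...]))`) and flags accesses to files classified High. The event text is constructed for this example from the slide's fields, and the function names are this example's own.

```powershell
# Added example, not the deck's own code. The sample event is constructed from the
# fields shown on slide 31; in production the message comes from Get-WinEvent.
$SampleMessage = @'
An attempt was made to access an object.

Subject:
    Security ID:        CONTOSODOM\alice
    Account Name:       alice
    Account Domain:     CONTOSODOM
    Logon ID:           0x3e7

Object:
    Object Server:      Security
    Object Type:        File
    Handle ID:          0x8e4
    Resource Attributes:    S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
    Object Name:        C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
'@

function ConvertFrom-ResourceAttributeSddl {
    # Extracts each resource-attribute ACE: (RA;flags;;;;SID;("name",type,attr_flags,values))
    # Type codes per MS-DTYP: TS string, TI int, TU uint, TD SID, TX octet string, TB boolean.
    param([string]$Sddl)
    $pattern = '\(RA;(?:[^;]*;){5}\("([^"]+)",(T[IUSDXB]),(0x[0-9A-Fa-f]+),([^)]*)\)\)'
    foreach ($m in [regex]::Matches($Sddl, $pattern)) {
        [pscustomobject]@{
            Name   = $m.Groups[1].Value
            Type   = $m.Groups[2].Value
            Values = @($m.Groups[4].Value -split ',' | ForEach-Object { $_.Trim().Trim('"') })
        }
    }
}

function Get-EventClassification {
    # Returns a Name -> Values hashtable for one event message; empty when the
    # event carries no Resource Attributes (the file had no classification).
    param([string]$Message)
    $result = @{}
    if ($Message -match 'Resource Attributes:\s*(S:.+)') {
        foreach ($attr in ConvertFrom-ResourceAttributeSddl $Matches[1]) {
            $result[$attr.Name] = $attr.Values
        }
    }
    return $result
}

# Triage rule: surface only accesses to files whose PII classification is High.
$class  = Get-EventClassification $SampleMessage
$isHigh = ($class['Personally Identifiable Information'] -contains 'High')
"High-impact access: $isHigh; Department: $($class['Department_23AFE'] -join ',')"
```

To run it over live data, feed `.Message` of each event returned by `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663}` to `Get-EventClassification`. The attribute names are the resource property IDs (here `Department_23AFE`, the ID the slide shows for the Department property), not the display names, so the filter should be keyed on the IDs defined in Active Directory.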

Page 32: Windows server 2012 dynamic access control   tech mentor

Incrementally add capabilities

Current infrastructure

Windows Server 2012 File Servers
• Access and audit policies based on security groups and file tagging
• Classify information & apply RMS policies

Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
• Additional classification options

Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
• Additional classification options

Partner solutions and line of business applications

Page 33: Windows server 2012 dynamic access control   tech mentor

In summary

Reduce group complexity

Simplify access control

Implement effective access control

Protect your data when it leaves the server

Page 34: Windows server 2012 dynamic access control   tech mentor

Related Content and Resources

SIA 207 – Windows Server 2012 Dynamic Access Control Overview

SIA 341 – Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies

SIA 316 – Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT

SIA21-HOL – Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012

Edge Show – weekly technical videos and news for IT Pros http://edge.technet.com

TechEd 2012 Sessions - http://channel9.msdn.com/Events/TechEd

