Dynamic Access Control Overview Matthias Wollnik Program Manager, File Server Microsoft Corporation
- Slide 1
- Dynamic Access Control Overview. Matthias Wollnik, Program Manager, File Server, Microsoft Corporation
- Slide 2
- Slide 3
- Slide 4
- Slide 5
- Slide 6
- Slide 7
- Demo: Data Classification (location based classification; automatic content based classification)
- Slide 8
- Country x 50 = 50 groups; Department x 20 = 1000 groups; Sensitive = 2000 groups!
- Slide 9
- Demo: Expression based ACL (country based central access rule)
- Slide 10
- User claims: User.Department = Finance; User.Clearance = High
- Device claims: Device.Department = Finance; Device.Managed = True
- Resource properties: Resource.Department = Finance; Resource.Impact = High
- ACCESS POLICY. Applies to: @File.Impact = High. Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
- Components: AD DS, File Server
- Slide 11
- Demo: Central Access Policy with user claims (country based central access rule)
- Slide 12
- Architecture: Windows Server 2012 Active Directory; Windows Server 2012 File Server; End User; Access Policy; Resource Property Definitions; User Claims
- Slide 13
- Three approaches: no conditional expressions; using groups with conditional expressions; using user claims
- Slide 14
- Slide 15
- Slide 16
- Slide 17
- Demo: Automatic Rights Management Protection
- Slide 18
- Slide 19
- Data Classification Toolkit: DCT Database; 1. Import; 2. Export; 3. Deploy; 4. Report; OOB Knowledge; Scale (#File Servers); Hybrid Environment; Staging File Server; Production File Servers (Windows 2008 R2, Windows 2012); Collect; Domain Controller (Active Directory); Management Client
- Slide 20
- Slide 21
- Slide 22
- Slide 23
- Audit event excerpt:
  An attempt was made to access an object.
  Subject:
    Security ID: CONTOSODOM\alice
    Account Name: alice
    Account Domain: CONTOSODOM
    Logon ID: 0x3e7
  Object:
    Object Server: Security
    Object Type: File
    Handle ID: 0x8e4
    Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
    Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
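To make the policy model on slide 10 and the audit event on slide 23 concrete, here is an added example that is not from the deck: a small Python evaluator that parses the resource-attribute (RA) ACEs out of the event's SACL string and applies the central access rule's "Applies to" and permission conditions to user and device claims. The claim names and the expression follow the slide; the parser, the evaluator, and the assumption that a property id such as Department_23AFE is reduced to the part before "_" are this example's own, not Windows' implementation.

```python
import re

# Constructed copy of the "Resource Attributes" SACL from the slide 23 event.
SAMPLE_SACL = ('S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))'
               '(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))')

# One RA ACE: (RA;flags;rights;guid;inherit-guid;trustee;("Name",Type,Flags,values))
RA_ACE = re.compile(r'\(RA;(?:[^;]*;){5}\("([^"]+)",(T[A-Z]),(0x[0-9A-Fa-f]+),([^()]*)\)\)')


def parse_resource_attributes(sddl):
    """Map each RA ACE in the SACL string to {property name: value}.

    Assumption for this example: an id like 'Department_23AFE' is reduced to
    the part before '_' so it lines up with @File.Department on slide 10.
    Only string (TS) values occur in the sample; other types stay raw text.
    Single-valued properties are unwrapped, multi-valued ones stay lists.
    """
    props = {}
    for name, atype, _flags, values in RA_ACE.findall(sddl):
        vals = [v.strip() for v in values.split(',')]
        if atype == 'TS':
            vals = [v.strip('"') for v in vals]
        props[name.split('_')[0]] = vals[0] if len(vals) == 1 else vals
    return props


def evaluate_rule(user, device, resource):
    """Model of the slide 10 central access rule.

    Returns None when the 'Applies to' condition (@File.Impact = High) does
    not match, i.e. the rule does not apply to this resource at all and other
    rules or NTFS permissions decide; otherwise the set of rights the
    conditional ACE grants (empty when the claims do not satisfy it).
    """
    if resource.get('Impact') != 'High':
        return None
    if (user.get('Department') == resource.get('Department')
            and device.get('Managed') is True):
        return {'Read', 'Write'}
    return set()


if __name__ == '__main__':
    user = {'Department': 'Finance', 'Clearance': 'High'}   # slide 10 user claims
    device = {'Department': 'Finance', 'Managed': True}     # slide 10 device claims
    print(parse_resource_attributes(SAMPLE_SACL))
    print(evaluate_rule(user, device, {'Department': 'Finance', 'Impact': 'High'}))
    print(evaluate_rule(user, {'Managed': False}, {'Department': 'Finance', 'Impact': 'High'}))
    print(evaluate_rule(user, device, parse_resource_attributes(SAMPLE_SACL)))
```

The last call shows the subtlety the slide's "Applies to" line carries: the event's file has no Impact property, so the rule is not applicable rather than denying access.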
- Slide 24
- Demo: Expression Based Auditing
- Slide 25
- Event collected to central repository for analysis and reporting. Architecture: Windows Server 2012 Active Directory; Windows Server 2012 File Server; End User; Access Policy; Resource Property Definitions; User Claims
- Slide 26
- Slide 27
- DAC Partners
- Slide 28
- Slide 29
- Department x 50; Country x 20; Sensitive. ACCESS POLICY. Applies to: @File.Impact = High. Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
- StealthAUDIT for Windows Server 2012 Dynamic Access Control: http://www.stealthbits.com/
- Slide 30
- Identify where groups are being used and who owns them; Clean Up, Consolidate & Secure; Conditional Permissions; Central Access Policies & Claims; Impact Analysis & Group Reduction; Apply, Lock Down & Maintain. Phases: Discover your environment; Design new security model; Implement
- Slide 31
- http://www.jijitechnologies.com/dynamic-access-control-effective-permission-report.aspx
- Slide 32
- Slide 33
- Data Loss Prevention: http://www.ca.com/us/data-security-solutions.aspx; http://www.dynamicaccesscontrol.com; http://www.websense.com/content/data-security-overview.aspx. CA DataMinder; dg classification
- Slide 34
- Data Loss Prevention; Dynamic Access Control; Dynamic Content Classification and Control: 1. Create; 2. Analyze; 3. Classify; 4. Tag; 5. Enforce
- Slide 35
- CA Technologies Content-Aware Identity & Access Management: control identity, control access and control information. CA DataMinder discovers, classifies and controls information. Controls collaboration & file sharing environments: SharePoint 2010 (March 2012); Windows Server 2012 Dynamic Access Control (July 2012). Delivers precise & fine-grained access control. Copyright 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.
- Slide 36
- Supercharge DAC with automated file classification. Enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification. Deeply integrated with Windows Server 2012. dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions. For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at www.dynamic-access-control.com. A leader in automatic file classification.
- Slide 37
- GigaTrust Dynamic Policy Enforcer: http://www.gigatrust.com
- Slide 38
- Diagram: GigaTrust Dynamic Policy Protector on Windows 8 Server and Dynamic Policy Module on the desktop, with FCI (classify, protect), AD Admin Center (access policies, claims, properties), Dynamic Access Control, AD RMS and use license. Legend: User Claims; Resource Properties; Access Policy; GigaTrust Product Component. GigaTrust contact: ppainter@gigatrust.com
- Slide 39
- http://www.nextlabs.com/html/?q=microsoft_solutions; http://www.titus.com/; http://www.axiomatics.com/dynamic-access-sddl-xacml-windows-server-2012. Titus Metadata Security for SharePoint; Control Center for Windows Server 2012 Dynamic Access Control; Axiomatics Policy Server
- Slide 40
- Slide 41
- Architecture: Windows Server 2012 Active Directory; Windows Server 2012 File Server; End User; Microsoft SharePoint 2010; Access Policy
- Slide 42
- Actors: Policy Author; File Server; Active Directory; User; Axiomatics Policy Server (APS). Flow: 1. Author policy & export to AD; 2. Convert XACML to SDDL & import; 3. Push out imported rules based on group policy; 4. Access files; 5. Check access based on rules previously defined in APS
- Slide 43
- RSA NetWitness: http://www.emc.com/security/rsa-netwitness.htm
- Slide 44
- Slide 45
- Enterprise-wide visibility into server and application health
- Slide 46
- Slide 47
- Slide 48
- Slide 49
- In Summary...
- Slide 50
- Reduce group complexity
- Slide 51
- Simplify access control
- Slide 52
- Implement effective access control
- Slide 53
- Related sessions: SIA 207 Windows Server 2012 Dynamic Access Control Overview; SIA 341 Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies; SIA 316 Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT; SIA21-HOL Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012; SIA02-TLC Windows Server 2012 Active Directory and Dynamic Access Control. Find me later at the Windows Server booth
- Slide 54
- Connect. Share. Discuss. http://europe.msteched.com. Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning. TechNet: Resources for IT Professionals, http://microsoft.com/technet. Resources for Developers: http://microsoft.com/msdn
- Slide 55
- Evaluations: http://europe.msteched.com/sessions. Submit your evals online
- Slide 56
- Slide 57