
Dynamic Access Controls

Table of Contents

Dynamic Access Control ..... 2
What Is Dynamic Access Control (DAC)? ..... 3
DAC Capabilities ..... 4
Data Classification ..... 6
Classification Process ..... 7
DAC Sample Scenario -1 ..... 9
DAC Sample Scenario -2 ..... 10
DAC Sample Scenario -3 ..... 11
DAC Sample Scenario -4 ..... 12
DAC Sample Scenario -5 ..... 13
DAC Sample Scenario -6 ..... 14
Benefits of Dynamic Access Control ..... 15
Summary ..... 17
Notices ..... 20

Page 1 of 20


Dynamic Access Control (slide 86)

**086 Dynamic access control--


What Is Dynamic Access Control (DAC)? (slide 87)

**087 Have you guys ever heard the term MAC, mandatory access control? With mandatory access control, we're talking about clearance labels and classification labels, and restricting access to resources based upon do you have the right clearance. So, we have a secret file. And, as long as Mark has a secret clearance, we give him access to that secret file. Well, the problem with mandatory access control is until recently we have not had a whole lot of operating systems that really support that concept of mandatory access control. Windows, a new feature in Server 2012, is this idea of dynamic access control, which is basically an easy way of administering this MAC type of concept. All right? They say it's a centralized security model for assigning and handing out privileges, if you will.

DAC Capabilities (slide 88)

• Data classification – automatic and manual classification of files can be applied to tag data across the organization.

• Centralized access policies – allow for “safety net” policies. Example: you can control who is allowed to access intellectual property across the organization.

• Centralized auditing – allows one-stop monitoring of who has accessed, or who attempted to access, files / folders across the organization.

• Can add Rights Management Service (RMS) encryption. So, even if the file leaves the DAC environment, it is still protected by encryption.

**088 All right, so a couple of concepts, first one is there has to be some way of classifying the data. So, when a file or folder gets created, we have to have a way of saying this is secret, or this is top secret, or whatever terminology you use. In your organization, you might say it is private and confidential types of things. So, you have to have some way of classifying it. That can be done manually by humans, whoever created it. Or we can set the system up to I see this particular file has this particular word in it, that makes it secret. Or this particular file has a social security number so that makes it confidential, type of thing. Okay. So, we have to have a way of classifying the data. We also have to have a way of creating policies. And policies say, if all else fails, how are we going to restrict access or allow access into this particular file. Right? So, who's allowed to have access? If we-- on the file. We also have to have a way of writing down Bob created this file. It was classified as secret, and then Sally had access to that particular file. All right? So, we get to track file clearances and classifications and access to those clearances and classifications. Now, one of the, I guess, issues that we have, or potential issues we have, with dynamic access control is it only works within the system, within our Server 2012 domain, if you will. So, the question becomes what happens if I have a file that within my organization is classified as secret and somebody takes that file and removes it from the system, what's going to stop other people from reading it?


Well, we can turn on rights management service, which is basically encryption. So, if you take it outside of that system, you can't see it at all. So, it's now an encrypted file. You can't see it unless you have the actual key. All right?

Data Classification (slide 89)

**089 So, that's what DAC is designed to do. The classification, as I said, we can manually classify it, so you, the user, can go in and say this is secret or top secret or whatever it ends up being. Or Windows provides what's referred to as FSRM, file server resource management, that based upon some data dictionary that you might create says when this file is created, it has this structure, it has these informational elements in it, and these combinations, or whatever it ends up being, because it has a name and an account number, or an account number and a social security number, we're going to automatically classify it at a certain level based upon your data dictionary.

Classification Process (slide 90)

**090 So, all of this requires starting off with policy. We have to have some policy. We have to have some way of tagging our files and some way of then applying those tags across to-- when I say tags, I'm talking about the clearance level tags and the classification level tags. Some way of applying those tags, and then a way of comparing. This user, Mark, has a secret clearance. This file he's trying to access is top secret. And because those two things are not equal, Mark's not allowed to have access. Or secret clearance, secret classification, because they are equal, I will allow that type of access. Does that kind of make sense? All right. So, we have to have the policy. We have to have the tags. And we have to have a way of enforcing access based upon those tags.


DAC Sample Scenario -1 (slide 91)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

**091 And that's what DAC does for us. So, I'll give you a little scenario. So, we have somebody from the operations department. They attempt to access a file or folder that belongs, not to operations, but it belongs to the finance department and is a shared volume. All right? So, I work for operations. I'm trying to access finance type of data.


DAC Sample Scenario -2 (slide 92)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

• Since the file / folder was tagged as belonging to finance and a rule was created to only allow users of the finance department to have access;

**092 All right? Since the file folder was tagged as belonging to finance, and there is a rule somewhere that was created to only allow finance users to have access, what do you think's going to happen?


DAC Sample Scenario -3 (slide 93)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

• Since the file / folder was tagged as belonging to finance and a rule was created to only allow users of the finance department to have access;

• The user is denied access. A denied access message is presented to the user.

**093 Then, in theory, the operations department user should not be allowed access. Does that make sense? Now, this, to me, this whole process sounds a whole lot nicer than going through and manually creating the NTFS permissions and the share permissions that we talked about just a few moments ago. What do you guys think? Absolutely.


DAC Sample Scenario -4 (slide 94)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

• Since the file / folder was tagged as belonging to finance and a rule was created to only allow users of the finance department to have access;

• The user is denied access. A denied access message is presented to the user.
    - This message is more useful than traditional error messages.

• The message allows the user to “request access” by clicking on a link within the message to send an email to the owner.

**094 So, that's what we're looking at. What message does the user get? In this case, the message gets-- the user gets a message that says sorry, you were not allowed access. But here's something that I think is really neat about that message. It's not just a you're not allowed and you're done for. There's something very helpful in it. It says if you would like to request access, click on this link. And by you clicking on this link, it effectively will send an email to some administrator somewhere, or to some owner of the file, saying Bob from operations wanted access to your resource, but because of DAC he was denied.


DAC Sample Scenario -5 (slide 95)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

• Since the file / folder was tagged as belonging to finance and a rule was created to only allow users of the finance department to have access;

• The user is denied access. A denied access message is presented to the user.
    - This message is more useful than traditional error messages.

• The message allows the user to “request access” by clicking on a link within the message to send an email to the owner.

• The owner receives the email requesting access. However, this email also shows the owner WHY the user was denied access.

**095 And so, now the owner, when they receive this message, the owner can make a decision. Bob wants access. Well, what's he trying to access it for? What does he need? So, we can learn a little bit about the use case, if you will, and then make an informed decision as to whether we should allow him access in the future or restrict him from having-- continue to restrict him from having access. Right? Now, when it comes to the message, the email that the owner receives, Bob got a message saying you can't get there from here. The owner gets a message that says Bob could not get there from here, and here is why. So, there's an explanation that helps the owner to figure out why he couldn't get there. Oh, because he's a member of the operations environment, not the finance department. And then we can make decisions that way.

DAC Sample Scenario -6 (slide 96)

• A user from the operations department attempts to access a file or folder, belonging to the finance department, on the shared volume.

• Since the file / folder was tagged as belonging to finance and a rule was created to only allow users of the finance department to have access;

• The user is denied access. A denied access message is presented to the user.
    - This message is more useful than traditional error messages.

• The message allows the user to “request access” by clicking on a link within the message to send an email to the owner.

• The owner receives the email requesting access. However, this email also shows the owner WHY the user was denied access.

• Now the owner can make the appropriate changes to allow access if allowed by corporate policy.
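The six scenario slides above, and the classification process slide before them, describe one evaluation: a file carries tags, a user carries claims, a central access rule compares them on top of the ordinary NTFS/share permissions, and the denial tells both the user and the owner why. The Python below is an added toy model of that evaluation, not code from the SEI course or from Windows; the user and file names, the clearance ordering (a higher clearance covers lower classifications, rather than the strict equality used on the slide), and the message wording are all assumptions.

```python
# Added example (not code from the SEI course or from Windows): a toy model of
# the slide scenario. Tags on the file, claims on the user, a central access
# rule that compares them, and a denial that says why. Names are assumed.
from dataclasses import dataclass, field

LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}  # assumed ordering

@dataclass
class User:                 # claims about the requester
    name: str
    department: str
    clearance: str
    ntfs_allows: bool       # outcome of the conventional NTFS/share ACL check

@dataclass
class Resource:             # tags set by hand or by FSRM classification
    path: str
    owner: str
    department: str
    classification: str

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(user, res):
    """Central access rule on top of NTFS: every layer must allow, any deny wins."""
    reasons = []
    if not user.ntfs_allows:
        reasons.append("NTFS/share permissions do not grant access")
    if user.department != res.department:
        reasons.append(f"file is tagged Department={res.department}, "
                       f"{user.name} is in {user.department}")
    if LEVELS[user.clearance] < LEVELS[res.classification]:
        reasons.append(f"file is classified {res.classification}, "
                       f"{user.name} holds a {user.clearance} clearance")
    return Decision(allowed=not reasons, reasons=reasons)

def user_message(user, res, dec):
    """What the requester sees: a denial plus a 'request access' option."""
    if dec.allowed:
        return f"Access to {res.path} granted."
    return (f"Access to {res.path} denied. "
            f"Click here to request access (sends an email to {res.owner}).")

def owner_message(user, res, dec):
    """What the owner receives: the request and every reason for the denial."""
    lines = [f"{user.name} requested access to {res.path}. Denied because:"]
    lines += [f"  - {r}" for r in dec.reasons]
    return "\n".join(lines)

# Constructed sample data matching the slides: Bob (Operations) and Sally
# (Finance) each open a Finance file on the shared volume.
FINANCE_FILE = Resource(r"\\fs01\shared\finance\budget.xlsx", "FinanceOwner",
                        "Finance", "Secret")
BOB = User("Bob", "Operations", "Secret", ntfs_allows=True)
SALLY = User("Sally", "Finance", "Secret", ntfs_allows=True)

if __name__ == "__main__":
    for u in (BOB, SALLY):
        d = evaluate(u, FINANCE_FILE)
        print(user_message(u, FINANCE_FILE, d))
        if not d.allowed:
            print(owner_message(u, FINANCE_FILE, d))
```

Because every layer must allow, a user whom NTFS admits but whose department tag does not match is still denied, which is the "most restrictive wins" behaviour the instructor reasons about in the Q&A.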

**096 All right? And if the owner wants access, based upon corporate policy, we can modify DAC to allow that to happen.


Benefits of Dynamic Access Control (slide 97)

**097 All right. So, what are the benefits? I think right there the biggest benefit is how easy it is to configure and administer and to manage dynamic access control. Yes?

Student: When Bob is granted access, is he just granted access to read it, or does he get it forever?

Mark Williams: It depends on what the owner decides because the owner could decide we'll let Bob have read control on that file. Or the owner might say for Bob to do his particular job, read and write control. It's all up to the owner. So, the same types of permission that we can assign through NTFS and shares, we can also-- the owner can assign via DAC. All right?

Student: Okay, because I can see Bob grabbing and making a copy of it. It's kind of difficult, once you say go, all bets are off.

Mark Williams: Right. There's a way that we can say that Bob can read it, there's no way he can make a copy of it. Keep in mind that rights management thing that we mentioned earlier. What happens if Bob were to actually take a copy of it from the finance folder and try to put it in the operations folder? What happens to it then? We could have it set up so that when it does that, it's locked. It's encrypted. No one has access to it. So, if Bob tries to make those-- I'll say do those malicious things, DAC is going to have tools to stop that, to prevent it from being successful.


Summary (slide 98)

• Discuss Windows users and groups

• Learn how to create users and groups

• Become familiar with the Windows Logon process and components

• Learn how to configure privileges and rights for files and folders

• Understand the Windows User Account Control

• Review data classification using Dynamic Access Control

**098 All right, sir?

Student: Does DAC imply a change in the underlying NTFS file systems that will render the new security features added to Windows Server 2012 not compatible with previous versions?

Mark Williams: There are compatibility considerations. I don't remember what they are off the top of my head. But I think the starting part of your question was does it change the underlying fundamental way that NTFS and shares work. The answer to that is no. It does not-- I think it's more of a complementary-- not knowing the architecture behind it, what I suspect happens is the NTFS and shared permissions are still there, but now we are adding to them with just a security identifier, some sort of additional tag. And so, when I go outside of my environment, if the tags don't match up, then I don't gain access. But NTFS permission will-- we could still use NTFS permissions or share permissions to grant access. But I would imagine it would still require the most restrictive-- if DAC-- there's an NTFS permission says grant Bob access, but DAC says he doesn't have a high enough clearance, he's not in the right department, then DAC would be more restrictive and stop him. Does that kind of make sense?

Student: Yeah, and also I have a second question. During the past couple of years, I've seen quite a few vendors come out with file server add-on applications saying they centrally audit or control access to your files. How does that compare to those?

Mark Williams: That's a real good question. I don't know that there are enough people out there that are using Server 2012, yet, to have really figured out how-- what those relationships are and are going to be. Are you guys using Server 2012, yet?

Student: We are not. But I do have the opportunity to introduce Server 2012 in some of the new data centers that we're in the planning phases for.


Mark Williams: Yeah, I think as we start to migrate and we get more of a migration, we're going to start to have some of those questions answered about how does it interface, and what are the interoperability considerations with other things that are out there. But, right now, I haven't seen enough people using it to even make guesses at it. Other questions? So, this section summarized what users are, the different types of users and groups, how a user differs from a group. We considered how do I create users and groups, so the different ways of doing it, how do I assign permissions to users and groups. We considered the difference between share permissions and NTFS permissions. And then we looked at a really cool tool, dynamic access control. Just as a side note, that acronym, DAC, sometimes you guys that are CISSP type of people, the term DAC means something different in CISSP terms. It actually is called discretionary access control, which is exactly opposite of what this thing does. All right? So, don't get confused by that. In this case, dynamic access control is a cool way of doing mandatory access control in Windows Server 2012. All right? Questions? All right, well then thank you very much for your time.


Notices (slide 2)

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
