Dynamic Access ControlDeep DiveSiddharth BhaiProgram Manager, Active DirectoryMicrosoft Corporation
Matthias WollnikProgram Manager, File ServerMicrosoft Corporation
SIA341
Session objectivesQuick introduction of Dynamic Access Control
Understand how things work behind the scenes
See how this work ties in with cutting edge work in the industry
Windows File Server Solution
Data Compliance Challenges
Windows Platform Investments
Putting it Together
Dynamic Access Control: In a nutshellData Classification
Flexible access control lists based on document classification and multiple identities (security groups).
Centralized access control lists using Central Access Policies.
Targeted access auditing based on document classification and user identity.
Centralized deployment of audit polices using Global Audit Policies.
Automatic RMS encryption based on document classification.
Expression based auditing
Expression based access conditions Encryption
Classify your documents using resource properties stored in Active Directory.
Automatically classify documents based on document content.
User claimsUser.Department = Finance
User.Clearance = High
ACCESS POLICYApplies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Device claimsDevice.Department = Finance
Device.Managed = True
Resource propertiesResource.Department =
FinanceResource.Impact = High
AD DS
4
Expression-based access policyFile
Server
Dynamic Access Control Building Blocks
• User and computer attributes can be used in ACEsUser and Device Claims
• ACEs with conditions, including Boolean logic and relative operatorsExpression-Based ACEs
• File classifications can be used in authorization decisions• Continuous automatic classification• Automatic RMS encryption based on classification
Classification Enhancements
• Central authorization/audit rules defined in AD and applied across multiple file servers
Central Access and Audit Policies
• Allow users to request access• Provide detailed troubleshooting info to adminsAccess Denied Assistance
User and Device Claims
• Restricted to making policy decisions based on the user’s group memberships• Shadow groups are often created to reflect existing attributes as groups• Groups have rules around who can be members of which types of groups• No way to transform groups across AD trust boundaries• No way to control access based on characteristics of user’s device
Pre-2012: Security Principals Only
• Selected AD user/computer attributes are included in the security token• Claims can be used directly in file server permissions• Claims are consistently issued to all users in a forest• Claims can be transformed across trust boundaries• Enables newer types of policies that weren’t possible before:
• Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Windows Server 2012: Security Principals, User Claims, Device Claims
Expression-Based ACEs
• Led to group bloat• Consider 500 projects, 100 countries, 10 divisions• 500,000 total groups to represent every combination:
• ProjectZ UK Engineering Users• ProjectZ Canada Engineering Users [etc…]
Pre-2012: ’OR’ of groups only
• ACE conditions allow multiple groups with Boolean logic• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND
MemberOf(Engineering)• 610 groups instead of 500,000
Windows Server 2012: ‘AND’ in expressions
• 3 User Claims
Windows Server 2012: with Central Access Policies
File Classification Infrastructure: What’s New
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
See modified / created file
Save classification
File Classification Infrastructure: What’s New
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
See modified / created file
Save classification
For Security
File Classification Infrastructure: What’s New
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
File Managemen
t Task
See modified / created file
Match file to policy
Apply Policy
Save classification
For Security
File Classification Infrastructure: What’s New
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
File Managemen
t Task
See modified / created file
RMS Encrypt
Save classification
For SecurityMatch file to
policy
Continued Execution of Content-Aware StrategyCA DataMinder integrates with Windows Server 2012
CA Technologies Content-Aware Identity & Access Management
Control identity, control access and control informationCA DataMinder discovers, classifies and controls information
Controls Collaboration & File Sharing EnvironmentsSharePoint 2010 – March 2012Windows Server 2012 Dynamic Access Control – July 2012
Delivers precise & fine-grained access control
Copyright © 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.
Supercharge DAC with automated file classification
Enables accurate automated file classification enterprise-wide with both
attribute-based and content-based classification
Deeply integrated with Windows Server 2012.dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions
For more information visit us atBooth 230 (Orlando) / PP17
(Amsterdam) or at www.dynamic-access-control.comA leader in automatic file classification
How Access Check Works
File/FolderSecurity Descriptor
Central Access Policy ReferenceNTFS Permissions
Active Directory (cached in local Registry)
Cached Central Access Policy Definition
Access Control Decision:1)Access Check – Share permissions if
applicable2)Access Check – File permissions3)Access Check – Every matching Central
Access Rule in Central Access Policy
ShareSecurity DescriptorShare Permissions
Cached Central Access RuleCached Central Access RuleCached Central Access Rule
Permission Type Target Files Permissions Engineering FTE
Engineering Vendor
Sales FTE
Share Everyone:FullCentral Access Rule 1: Engineering Docs
Dept=Engineering Engineering:ModifyEveryone: Read
Rule 2: Sensitive Data Sensitivity=High FTE:ModifyRule 3: Sales Docs Dept=Sales Sales:ModifyNTFS FTE:Modify
Vendors:ReadEffective Rights:
Classifications on File Being Accessed Department EngineeringSensitivity High
Central Access Rules
Read
Full Full Full
Modify Modify Read
Modify ModifyNone
Modify Modify
Modify None Read
[rule ignored – not processed]
– Who has access to what
Calculating Effective Permission using JiJi AuditReporter
Effective permissions for multiple users on multiple sharesUser’s claims are automatically retrieved from AD for calculationAbility to toggle between Advanced & Basic permissions viewExport and filtering capabilities in the reportAbility to filter by user, share path, permissions and access limited by
www.jijitechnologies.com [email protected]
What will happen when I deploy?
Changing Central Access Policies may have wide impact
Replicating production environment for test purposes is difficult and expensive
Staging Policies
Staging policy
User claimsClearance = High | Med | LowCompany = Contoso | Fabrikam
Active Directory File serverResource properties
Department = Finance | HR | EnggImpact = High | Med | Low
Current Central Access policy for high impact dataApplies to: @File.Impact = High
Allow | Full Control | if @User.Company == ContosoStaging policy
Applies to: @File.Impact = HighAllow | Full Control | if (@User.Company == Contoso) AND
(@User.Clearance == High)
Sample staging event (4818)Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject: Security ID: CONTOSODOM\alice Account Name: alice Account Domain: CONTOSODOMObject: Object Server: Security Object Type: File Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls Current Central Access Policy results: Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;ID;FA;;;BA) Proposed Central Access Policy results that differ from the current Central Access Policy results: Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule” ReadAttributes: NOT Granted by CAR “HBI Rule”
Assessment of performance, availability and service levelsDeep application diagnosticsPowerful custom data visualization Auditing via Audit Collection SystemsIntegrates with DAC audit/staging events
Enterprise-wide visibility into server and application health
Kerberos and The New TokenDynamic Access Control leverages Kerberos
Windows 8 Kerberos extensionsCompound ID – binds a user to the device to be authorized as one principal
Domain Controller issues groups and claimsDC enumerates user claimsClaims delivered in Kerberos PAC
NT Token has sectionsUser & Device dataClaims and Groups!
Pre-2012 TokenUser AccountUser Groups[other stuff]
2012 TokenUser Account
User GroupsClaims
Device GroupsClaims
[other stuff]
NT Access TokenContoso\Alice
User
Groups:….Claims: Title=SDE
Kerberos TicketContoso\Alice
User
Groups:….Claims: Title=SDE
File Server
User Contoso DC
Ad Admin
Enable Domain to issue claims
Defines claim typesClaim type
Display NameSource
Suggested values
Value typeUser attempts to login
Receives a Kerberos ticket
Attempt to access resource
Kerberos flow in Pre-Windows 2012
User
M-TGT
Pre-Windows 2012 File Server
Contoso DCPre-Windows
2012
Kerberos flow in Pre-Windows 2012
UserM-TGT
U-TGT
Pre-Windows 2012 File Server
Contoso DCPre-Windows
2012
Kerberos flow in Pre-Windows 2012
UserM-TGT
TGS (no claims)
U-TGT
Pre-Windows 2012 File Server
Contoso DCPre-Windows
2012
Kerberos flow in Pre-Windows 2012
UserM-TGT
TGS (no claims)
U-TGT
Pre-Windows 2012 File Server
Contoso DCPre-Windows
2012
?
Kerberos flow with Pre-Windows 8 ClientsFile Server
Pre-Windows 8 User
Contoso DC
Set Policy to enable claims
Kerberos flow with Pre-Windows 8 ClientsFile Server
Contoso DC
M-TGT
TGS (no claims)
U-TGTPre-Windows
8 User
Kerberos flow with Pre-Windows 8 ClientsFile Server
Contoso DC
M-TGT
TGS (no claims)
U-TGTPre-Windows
8 User
Kerberos flow with Pre-Windows 8 ClientsFile Server
Contoso DC
M-TGT
U-TGT
TGS (with User Claims)
TGS (no claims)
Pre-Windows 8 User
?
Kerberos flow with Compound IdentityFile Server
User Contoso DC
M-TGT
TGS (User and Device Groups/Claims)
U-TGT
Kerberos flow with Compound IdentityFile Server
User Contoso DC
M-TGT
TGS (User and Device Groups/Claims)
U-TGT
?
Across Forest boundariesFile Server
User Contoso DC
Other Forest DCPublish Cross-Forest transformation Policy
Across Forest boundariesFile Server
User Contoso DC
M-TGT
TGS (with claims)
U-TGT
Referral TGT
Other Forest DC
Token/Ticket Bloat
Understanding the problemToken Bloat: Amount of authorization data in the NT TokenTicket Bloat: Amount of authorization data sent over the wire
Token Bloat: How does it manifest?Too many SIDs in the token (Upper bound of 1024)
Ticket Bloat: How does it manifest?Authorization data is sent over the network.
Over time, old group memberships linger and authorization data adds up.
Might see failures in one type of applicationUsually indicates the limits for that wire transport have been reached.
Impact of Claims
Ticket BloatClaims is authorization data carried over the wire. Initially, some increase in ticket sizes expected.
Windows 8 improvementsDC compresses claims before sending them over the wireDC compresses certain types of SIDs that weren’t compressed before (Resource Domain SIDs)MaxTokenSize default increased to 48kNew audit events – DC starts logging events when ticket sizes exceed specified value
Impact of Claims – Real NumbersFirst Claim 1 Boolean Claim
Adds 242 Bytes
User Claims Set5 Claims:• 1 Boolean• 1 Integer• 2 String – Single Valued
• Avg Len/value: 12 chars• 1 String – Multi Valued
• Avg Len/value: 12 chars• Avg #Values: 6 values
Adds 970 Bytes
Compound-ID Claims SetsUser - 5 Claims:• 1 Boolean• 1 Integer• 2 String – Single Valued
• Avg Len/value: 12 chars• 1 String – Multi Valued
• Avg Len/value: 12 chars• Avg #Values: 6 values
Device - 2 Claims:• 1 Boolean• 1 String – Single Valued
• Avg Len/value: 12 chars
Adds 1374 Bytes of Claims Data + Computer Group’s AuthZ Data
Worst-Case Analysis (assumes no compression):Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
Bytes Before Compression120 user overhead120 device overhead114 per int/bool claim8 per int/bool value138 per string claim2 per string character
Central Access Policy for SharePoint with Titus
With Windows Server 2012 DAC policy is limited to security for file servers
TITUS is extending the use of DAC to SharePoint
Central access policy access / deny decisions can be extended to SharePoint lists and SharePoint document librariesSecure all your information in file servers and SharePoint via common Central Access Policies
Windows Server 2012 Active Directory
Windows Server 2012File ServerEnd User
MicrosoftSharePoint 2010
Access Policy
? ?
Axiomatics Policy Server & XACML with DAC
Policy AuthorFile Server
Active Directory
User
1. Author policy & export to AD
2. Convert XACML to SDDL
& import3. Push out imported rules based on group
policy4. Access files
5. Check access based on rules previously defined in
APS
Axiomatics Policy Server
(APS)
Incrementally add capabilities
Current infrastructureWindows Server 2012 File Servers• Access and Audit Policies based on security groups and file
tagging
Windows Server 2012 DCs• Centrally defined access and audit policies• User claims can be used by access and audit policiesWindows 8 clients
• Add device claims to access and audit policies• Better access denied experience
Partn
er so
lutio
ns a
nd li
ne o
f bus
ines
s ap
plica
tions
Related ContentSIA 207 – Windows Server 2012 Dynamic Access Control OverviewSIA 341 – Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization PoliciesSIA 316 – Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft ITWSV334 – Windows Server 2012 File and Storage Services ManagementSIA21-HOL – Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012SIA02-TLC – Windows Server 2012 Active Directory and Dynamic Access Control
Find Me Later At…
SIA, WSV, and VIR Track Resources
Talk to our Experts at the TLC#TE(sessioncode)
DOWNLOAD Windows Server 2012 Release Candidatemicrosoft.com/windowsserverHands-On Labs
DOWNLOAD Windows AzureWindowsazure.com/teched
Resources
Connect. Share. Discuss.http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resourceswww.microsoft.com/learning
TechNet
Resources for IT Professionalshttp://microsoft.com/technet
Resources for Developershttp://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.