Feature Spotlight on Windows Server 2012: Active Directory and Dynamic Access Control
Pete Calvert (@erucsbo), session WCL334

Uploaded by hugh-scott on 24-Dec-2015

TRANSCRIPT

Page 1:

Feature Spotlight on Windows Server 2012
Active Directory and Dynamic Access Control
Pete Calvert (@erucsbo)
WCL334

Page 2:

Agenda
• The hit list
• Spotlight features
• Dynamic Access Control
• Links to resources

Page 3:

Objectives
• Provide an understanding of
  • the broad areas we have invested in and why
  • the business and/or technical challenges that led to each of the new features
• Provide detailed insights into the Active Directory features and
  • define requirements and implementation specifics
  • highlight the value these features bring to your environment
• Given the sheer volume of topics
  • provide technically deep content, striving for a balance of breadth and depth
  • provide material that is sufficiently complete and technically rich to be useful outside of the session

Page 4:

High-Level Areas of Investment
• Simplified deployment of Active Directory
• Optimal deployment experiences in both private and public clouds
• Increased consistency throughout the management experience
• Accommodate business-driven security requirements through the integration of
  • file classification
  • claims-based authorization

Page 5:

Our Broad Goals

Virtualization That Just Works
• All Active Directory features work equally well in physical, virtual or mixed environments

Simplified Deployment of Active Directory
• Complete integration of environment preparation, role installation and DC promotion into a single UI
• DCs can be deployed rapidly to ease disaster recovery and workload balancing
• DCs can be deployed remotely on multiple machines from a single Windows 8 machine
• Consistent command-line experience through Windows PowerShell enables automation of deployment tasks

Simplified Management of Active Directory
• GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
• Active Directory Windows PowerShell History Viewer shows the commands for actions performed in the GUI
• Active Directory Windows PowerShell support for managing replication and topology data
• Simplified delegation and management of service accounts

Page 6:

New Features and Enhancements (feature map)
• Simplified Deployment
• Rapid Deployment
• Virtualization-Safe Technology
• Active Directory Platform Changes
• Management and User Interface
  • Recycle Bin User Interface
  • Active Directory Replication & Topology Cmdlets
  • Active Directory PowerShell History Viewer
  • Fine-Grained Password Policy User Interface
• Dynamic Access Control
• Miscellaneous
  • Active Directory Based Activation
  • Group Managed Service Accounts
  • Kerberos Enhancements

Page 7: (section divider; feature map repeated)

Page 8:

Dcpromo RIP
• Role installation and DC promotion now run from Server Manager or the ADDSDeployment PowerShell module
• The wizard provides an XML file and the equivalent PowerShell command to automate adding the role and promoting the DC
• Can be run remotely

Page 9:

Create IFM seed with NTDSUTIL
• IFM seed generation no longer requires an offline defragmentation pass; defragmentation is still on by default and has to be switched off explicitly
• Target forest must be at the Windows Server 2003 forest functional level or higher

Page 10:

Adprep
• Adprep runs as part of the promotion; it can still be run manually if required
• PowerShell: checks are performed at each stage of the wizard and any issues are highlighted before the final validation
• Requires Enterprise Admin privilege

Page 11:

Simplified Deployment ++
DC Promotion Retry Logic
• Since Windows 2000, dcpromo has been intolerant of transient network failures
  • promotions failed if the network (or the helper DC) "hiccupped"
• Windows Server 2012 promotion employs an indefinite retry
  • "indefinite" because no sufficiently meaningful set of metrics is available from which to assert "sufficient progress"
  • so the decision of "failure" is deferred to the administrator

Page 12:

Simplified Deployment ++
Enhanced Install-from-media (IFM) options
• Goal of IFM: deploy a DC more quickly
  • yet "IFM prep" in NTDSUTIL executed a mandatory offline defragmentation pass
  • a maintenance task that our data suggests virtually nobody runs on existing production DCs
  • it yielded an often much smaller DIT (which is great) but at the expense of time
• In Windows Server 2012, NTDSUTIL's IFM prep is enhanced
  • it now includes an option to skip the defragmentation pass
  • not the default; the default behaviour remains as is
  • skipping it eliminates potentially hours (or days) of media preparation time
  • the DIT will be larger (whitespace, not fragmentation), increasing copy time if slow links are involved

Page 13:

Simplified Deployment ++
AD FS 2.1 is in the box
• AD FS 2.0 shipped out-of-band, downloaded from http://microsoft.com
• AD FS 2.1 ships in the box as a server role with Windows Server 2012
  • integrated with Windows Server 2012 Dynamic Access Control

Page 14: (section divider; feature map repeated)

Page 15:

Restoring from an image
• One DC fails
• We restore it from an image backup
• Any problems?

Page 16:

USN rollback walk-through (two DCs, reconstructed from the slide diagram)

DC1: DSA-GUID = A, InvocationID = E
DC2: DSA-GUID = B, InvocationID = M

Time 1 (image of DC2 taken here):
  DC1  highestCommittedUSN = 1000   UTD vector: M,3000
  DC2  highestCommittedUSN = 3000   UTD vector: E,1000

Time 2 (both DCs keep writing and replicating):
  DC1  highestCommittedUSN = 4567   UTD vector: M,5679
  DC2  highestCommittedUSN = 5679   UTD vector: E,4567

Restore: DC2 is rolled back to the Time 1 image (snapshot USN rollback)
  DC1  highestCommittedUSN = 4567   UTD vector: M,5679   (unchanged)
  DC2  highestCommittedUSN = 3000   UTD vector: E,1000   (same InvocationID M as before)

Page 17:

What happens next?
• DC2 to DC1: "Send me your changes from 1000." DC1 checks the UTD vector DC2 presents and sends everything since E,1000. Replication OK; DC2 catches up on DC1's changes.
• An administrator adds users on DC2; DC2's highestCommittedUSN moves from 3000 to 3050.
• DC1 to DC2: "Send me your changes from 5679." DC2: "There aren't any!" The new users (USNs 3001-3050) never replicate, because DC1 believes it has already seen everything from InvocationID M up to 5679.
• It gets worse: every change DC2 makes until it passes USN 5679 is stamped with a USN DC1 has already "seen" under InvocationID M, so none of it replicates out.

Page 18:

Post Windows Server 2003 SP1 quarantining
• DC2 (highestCommittedUSN = 3050) receives the request "Send me your changes from 5679"
• DC2 sees that a partner claims to be more up to date on DC2's own InvocationID than DC2 itself: "that's not right!"
• DC2 then
  • disables inbound and outbound replication
  • stops the Netlogon service
  • writes event log messages (Directory Service / replication log)
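The check behind page 18, as an added example that is not part of the deck: a partner's up-to-dateness vector compared with the suspect DC's own highestCommittedUSN, first replayed on the slide's numbers and then against live DCs with the Windows Server 2012 replication cmdlets. The DC names and the GUID standing in for InvocationID M are constructed.

```powershell
# Added example, not from the deck. Replays the rollback check on the slide's numbers, then
# shows the same check against live DCs. DC names and the GUID used for InvocationID M are
# constructed.

function Test-UsnRollback {
    # A DC detects a USN rollback when a partner's up-to-dateness (UTD) vector says it has
    # already received a higher USN from this DC's InvocationID than this DC has ever issued.
    # $PartnerUtdVector entries need PartnerInvocationId and UsnFilter, the property names that
    # Get-ADReplicationUpToDatenessVectorTable returns.
    param(
        [Parameter(Mandatory)][guid]     $OwnInvocationId,
        [Parameter(Mandatory)][long]     $OwnHighestUsn,
        [Parameter(Mandatory)][object[]] $PartnerUtdVector
    )
    foreach ($entry in $PartnerUtdVector) {
        if ([guid]$entry.PartnerInvocationId -eq $OwnInvocationId -and
            [long]$entry.UsnFilter -gt $OwnHighestUsn) {
            return $true
        }
    }
    return $false
}

# --- Slide scenario (constructed data) ---
$invM = [guid]'0000000d-0000-0000-0000-000000000000'   # DC2's InvocationID "M"

# DC1's UTD vector after Time 2: it has seen InvocationID M up to USN 5679.
$dc1Utd = @([pscustomobject]@{ Partner = 'DC2'; PartnerInvocationId = $invM; UsnFilter = 5679 })

# DC2 restored from the Time 1 image and then given 50 new users: highestCommittedUSN 3050.
Test-UsnRollback -OwnInvocationId $invM -OwnHighestUsn 3050 -PartnerUtdVector $dc1Utd   # True: quarantine
# DC2 before the restore, genuinely at 5679: nothing to report.
Test-UsnRollback -OwnInvocationId $invM -OwnHighestUsn 5679 -PartnerUtdVector $dc1Utd   # False

# --- Live version: does $Partner already know more about $Suspect than $Suspect knows about itself?
function Get-UsnRollbackEvidence {
    param([Parameter(Mandatory)][string]$Suspect, [Parameter(Mandatory)][string]$Partner)
    $rootDse = Get-ADRootDSE -Server $Suspect
    $ntdsDsa = Get-ADObject -Identity $rootDse.dsServiceName -Server $Suspect -Properties invocationId
    $ownInv  = [guid]$ntdsDsa.invocationId
    $ownUsn  = [long]$rootDse.highestCommittedUSN
    $utd     = Get-ADReplicationUpToDatenessVectorTable -Target $Partner
    [pscustomobject]@{
        Suspect      = $Suspect
        InvocationId = $ownInv
        HighestUsn   = $ownUsn
        PartnerSees  = ($utd | Where-Object { [guid]$_.PartnerInvocationId -eq $ownInv }).UsnFilter
        Rollback     = Test-UsnRollback -OwnInvocationId $ownInv -OwnHighestUsn $ownUsn -PartnerUtdVector $utd
    }
}
# Get-UsnRollbackEvidence -Suspect DC2 -Partner DC1
# A 2003 SP1+ DC that catches this itself logs NTDS Replication event 2095 and sets
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\"DSA Not Writable" = 4.
```

Run the live check from a third machine rather than from the suspect DC: once the DC has quarantined itself, Netlogon is stopped and its own replication cmdlets will be the least reliable source of truth.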

Page 19:

Windows Server 2012 solution: VM-Generation ID
• The hypervisor creates a 128-bit identifier, the VM-Generation ID
  • exposed to the guest OS via the BIOS ACPI namespace
  • stored by the DC on promotion in the msDS-GenerationId attribute of its computer object
• The VM-Generation ID changes during a VM import, copy or application of a snapshot
• When the DC boots, if the VM-Generation ID and msDS-GenerationId are not the same, the DC assumes an AD restore and
  • changes its InvocationID, so partners see it as a new replication source
  • discards its RID pool
  • performs a non-authoritative restore of SYSVOL

Page 20:

Hypervisor support for VM-Generation ID
• Windows Server 2012 Standard and Datacenter (Hyper-V)
• Hyper-V Server 2012
• Windows 8 Professional and Enterprise (Hyper-V)
• VMware Workstation 9.0
• VMware vSphere 5.0 with Update 4
• VMware vSphere 5.1
• Watch this space for other hypervisors

Page 21: (section divider; feature map repeated)

Page 22:

DC Cloning
• Background
  • deploying virtualized replica DCs is as labour-intensive as physical DCs
  • virtualization brings capabilities that can simplify deployment
  • the result and goal of promoting additional DCs within a domain is a near-identical instance (a replica), excluding name, IP address, etc.
  • deployment today involves many (arguably redundant) steps
    • preparation and deployment of a sysprep'd server image
    • manually promoting a DC using either
      • over-the-wire replication: can be time-consuming depending on the size of the directory
      • install-from-media (IFM): media preparation and copying adds time and complexity
    • post-deployment configuration steps where necessary

Page 23:

Cloning steps
• Prerequisites: PDC emulator on Windows Server 2012; hypervisor support for VM-Generation ID; source DC is a member of Cloneable Domain Controllers
• On the source DC, check for incompatible components: Get-ADDCCloningExcludedApplicationList
• Remove incompatible components or declare them safe
• Generate DCCloneConfig.xml and deploy it to the source DC, or to a mounted VHD/VHDX copy (it can also be on removable media)
• Shut down the source DC and copy it
• Create a new VM from the copy (hypervisor support for VM-Generation ID required)
• Start the cloned DC: if the VM-Generation ID has changed and DCCloneConfig.xml exists, cloning starts

Page 24:

Start the copied DC and…

Page 25:

DC Cloning: what happens on the clone VM
• NTDS starts and obtains the current VM-Generation ID
• If it differs from the value in the DIT: reset the InvocationID, discard the RID pool
• Is DCCloneConfig.xml available? If so, take the clone path (dcpromo /fixclone)
  • parse DCCloneConfig.xml
  • configure network settings
  • locate the PDC emulator
  • call IDL_DRSAddCloneDC(name, site) on the PDC
• On the Windows Server 2012 PDC, IDL_DRSAddCloneDC
  • checks authorization
  • creates the new DC objects by duplicating the source DC's objects (nTDSDSA, server and computer instances)
  • generates a new DC machine account and password
• Back on the clone
  • save the clone state (new name, password, site)
  • promote as a replica (IFM from the copied DIT)
  • run the (cloning-specific) sysprep providers
  • reboot

Objects duplicated under the configuration partition:
  CN=Configuration
    CN=Sites
      CN=<site name>
        CN=Servers
          CN=<DC name>
            CN=NTDS Settings

Page 26:

DefaultDCCloneAllowList.xml
• Get-ADDCCloningExcludedApplicationList displays any services or applications running on the source DC that are NOT included in the allow-list XML
• These applications or services must either be removed or, if considered safe, added to CustomDCCloneAllowList.xml
• Generate the custom XML using Get-ADDCCloningExcludedApplicationList -GenerateXml
• The XML is written to %windir%\NTDS

Page 27:

DC Cloning
• Requirements
  • Windows Server 2012 virtual DC hosted on a VM-Generation-ID-aware hypervisor platform
  • the PDC emulator FSMO must be running Windows Server 2012, because it authorizes the cloning operation
  • the source DC must be authorized for cloning
    • through the permission on the domain head: "Allow a DC to create a clone of itself"
    • granted by adding the source DC's computer account to the new "Cloneable Domain Controllers" group
  • DCCloneConfig.xml must be present on the clone DC in one of
    • the directory containing NTDS.DIT
    • the default DIT directory (%windir%\NTDS)
    • removable media (virtual floppy, USB, etc.)
  • commonplace Windows Server 2012 services that are co-located with DCs are supported, e.g. DNS, FRS, DFSR
  • additional services or scheduled tasks installed on the clone source must be added to an admin-extensible allow list
    • if an installed component is not present in the allow list, the cloning process fails and the cloned DC boots into DSRM
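The procedure of pages 22 to 27 end to end, as an added example that is not part of the deck: authorize the source DC, verify the PDC emulator, review the excluded-application list, write DCCloneConfig.xml, copy the VM on a Hyper-V host and check the result. DC01 (source), DC03 (clone), the Hyper-V host HV01, the paths and the addresses are assumptions; the cmdlets are the in-box ActiveDirectory and Hyper-V ones.

```powershell
# Added example, not from the deck. Assumed names: DC01 (source DC), DC03 (clone),
# HV01 (Hyper-V host), E:\Export and E:\VMs paths, 10.0.0.0/24 addressing.
Import-Module ActiveDirectory

# 1. Authorize the source DC. Membership of Cloneable Domain Controllers carries the
#    "Allow a DC to create a clone of itself" permission on the domain head.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer DC01)

# 2. The PDC emulator authorizes the clone (IDL_DRSAddCloneDC), so it must be Windows Server 2012.
$pdcName = (Get-ADDomain).PDCEmulator
$pdcOs   = (Get-ADDomainController -Identity $pdcName).OperatingSystem
if ($pdcOs -notmatch '2012') { throw "PDC emulator $pdcName runs '$pdcOs'; cloning needs Windows Server 2012." }

# 3. On the source DC: anything running that is not in DefaultDCCloneAllowList.xml must be
#    removed or explicitly allow-listed, otherwise the clone boots into DSRM.
Invoke-Command -ComputerName DC01 -ScriptBlock {
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        Write-Warning ("Not allow-listed:`n" + ($excluded | Format-Table Name, Type -AutoSize | Out-String))
        # Only after reviewing every item, write CustomDCCloneAllowList.xml into %windir%\NTDS:
        # Get-ADDCCloningExcludedApplicationList -GenerateXml -Force
    }
    # 4. DCCloneConfig.xml for the clone. With no parameters the clone gets DHCP, a generated
    #    name and the source DC's site; static settings are spelled out here.
    New-ADDCCloneConfigFile -CloneComputerName 'DC03' -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '10.0.0.13' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
}

# 5. Shut the source down cleanly, export it, import the export as a copy (new VM ID, and the
#    hypervisor issues a new VM-Generation ID), rename, then boot both.
Invoke-Command -ComputerName HV01 -ScriptBlock {
    Stop-VM -Name DC01
    Export-VM -Name DC01 -Path 'E:\Export'
    $config = (Get-ChildItem 'E:\Export\DC01\Virtual Machines\*.xml').FullName
    $vm = Import-VM -Path $config -Copy -GenerateNewId `
              -VirtualMachinePath 'E:\VMs\DC03' -VhdDestinationPath 'E:\VMs\DC03'
    Rename-VM -VM $vm -NewName DC03
    Start-VM -Name DC01
    Start-VM -Name DC03   # NTDS sees a changed VM-Generation ID plus DCCloneConfig.xml and clones
}

# 6. Verify: the clone has its own msDS-GenerationId and is replicating as a new source.
Get-ADComputer DC03 -Properties 'msDS-GenerationId' | Select-Object Name, 'msDS-GenerationId'
Get-ADReplicationPartnerMetadata -Target DC03 | Select-Object Partner, LastReplicationSuccess
```

Stopping DC01 before the export is what keeps this on the safe side of page 19: a copy of a running DC is exactly the image-restore case, and the VM-Generation ID safeguard only repairs the clone, not the damage that replication from a half-written DIT could do.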

Page 28: (section divider; feature map repeated)

Page 29:

Brief Terminology Level-Set
• RootDSE mods
  • aka operational attributes
  • LDAP's answer to RPC: writing one triggers an operation on the DC rather than storing a value
• Constructed attributes
  • typically impose a compute burden; the answer is "constructed" from something else
  • the query processor rejects anything other than a base-scoped search whose filter includes a constructed attribute
  • typically not defined in the schema; known only to the code
• LDAP controls and matching rules
  • affect the way the query processor handles things, e.g.
    • return deleted objects (a control that is sent along with the query)
    • bitwise AND comparison (a matching rule), e.g. (searchFlags:1.2.840.113556.1.4.803:=1)
• Finite address spaces within Active Directory
  • RIDs (exposed)
  • DNTs (exposed, but new to Windows Server 2012)
  • LIDs (not exposed)

Page 30:

RID Improvements
• Background
  • a recent bout of cases involving RID depletion or complete global RID-space exhaustion motivated an investigation into root cause
  • a couple of bugs were identified and fixed
  • the investigation also highlighted the need for general improvements, and concerns around finite scale limitations

Page 31:

DNTs
• Each DC keeps track of objects written to its database using a Distinguished Name Tag (DNT)
• The DNT is a 31-bit number (2^31 values, roughly 2 billion)
• The DNT is incremented as each new object is written
• A DNT value is never reused, even if the object is deleted
• When a DC runs out of DNTs it must be demoted and then re-promoted
• The DNT value is now exposed through a constructed attribute of RootDSE: approximateHighestInternalObjectID

Page 32:

SIDs
• Example: S-1-5-21-1539329446-2123584859-1544097757-5023
  • S-1-5-21-1539329446-2123584859-1544097757 is the domain identifier (domain sub-authorities)
  • 5023 is the RID
• SIDs must be unique throughout and across forests
• The RID is incremented by one each time a new SID is generated
  • this is simple to implement in a single-master environment
  • a RID master is required in a multi-master domain controller environment

Page 33:

RID problems
• The maximum available RID is held as a 30-bit number: 1,073,741,824
  • 10,000 RIDs/day for the next 294 years
• So why is it an issue?
  • a rogue script creating millions of security principals
  • a very large RID block size set
  • incorrect values entered when elevating the RID pool during recovery
  • large numbers of domain controllers removed and re-added
  • bug: a new RID pool requested every 30 seconds can occur under certain rare circumstances
    • see KB 2618669 for the Windows Server 2008 R2 hotfix

Page 34:

RID Improvements
• Account creation failure could cause the loss of one RID
  • a RID leaked when a user was being created that did not meet policy: the RID was allocated, the user created, the user failed policy and was deleted, and the RID was leaked
  • fixed in Windows Server 2012 by maintaining an in-memory bucket of RIDs that are available for reuse
    • note that if the DC is rebooted, the reuse list is lost
    • the reuse list is used preferentially over the RID pool if entries exist
    • the size of the reuse list is bounded by the maximum number of user-creation attempts that simultaneously hit a failure case
    • our projections indicate single-digit sizes, i.e. nothing to take into account in sizing exercises
• Prevent RID allocation during failed computer-account creation by a standard domain user using the machine-account-creation privilege
  • this is just another path (through domain join, for example) that permits the creation of computer accounts
  • the logic above is used in exactly the same way to eliminate the leak
• Log an event when a RID pool is invalidated
  • invalidation occurs via a rootDSE mod and in more natural scenarios, e.g. virtual DC safeties, DIT restoration

Page 35:

RID Improvements
• A missing rIDSetReferences value led to RID pool exhaustion
  • the attribute was not correctly recreated when a DC's computer account was deleted, later detected by the DC and reincarnated
  • the DC checks the attribute for the pointer to its RID set; it is not populated
  • the DC assumes it has no RID pool and requests a new one
  • the DC receives a RID pool from the RID FSMO and attempts to write the new RID block to its RID set, which fails because no rIDSetReferences exists
  • 30 seconds later the DC repeats the process, burning <RID block size> RIDs on each attempt
  • a single offending DC eats through the entire global RID space in about 2 years using the default RID block size of 500
  • in Windows Server 2012 (you guessed it) we fixed this: reincarnation populates the necessary attributes
• Enforce a maximum cap on the RID block size
  • in the past, the RID block size was configurable in the RID FSMO's registry and had no upper bound
  • in Windows Server 2012 the maximum permissible admin-configured RID block size is 15,000 (values above 15,000 are treated as 15,000)

Page 36:

RID Improvements
• Periodic RID consumption warning
  • each time 10% of the remaining global space is consumed, the system logs an informational event
  • first event at 100,000,000 RIDs used; second event at 10% of the remainder
    • remainder = 900,000,000 (taking the space as roughly 1 billion)
    • 10% of remainder = 90,000,000
    • second event logged at 190,000,000: existing RID consumption plus 10% of the remainder
  • events become more frequent as the global space is further depleted

Page 37:

RID Improvements
• RID Manager artificial ceiling protection mechanism
  • think of this as a soft ceiling: it blocks further allocation of RID pools
  • when hit, the system flips msDS-RIDPoolAllocationEnabled on the RID Manager$ object to FALSE; an administrator flips it back to TRUE to override
  • an event is logged indicating the ceiling has been reached; an additional warning is logged when the global RID space reaches 80%
  • the attribute can only be set to FALSE by SYSTEM and is mastered by the RID FSMO (i.e. write it against the RID FSMO)
  • a Domain Admin can set it back to TRUE
  • note: it is TRUE by default (possibly obvious)
  • the soft ceiling is 90% of the global RID space and is not configurable
  • the soft ceiling is deemed "reached" when a RID pool containing the 90% RID is issued

Page 38:

RID Improvements
• Unlock the 31st bit in the global RID space
  • yes, we actually did it, and it has been tested a lot
  • doubles the global RID space from 1 billion to 2 billion
  • irreversible action, so take care
    • CANNOT be authoritatively restored (unless it is the only DC in the domain)
  • the 31st bit is unlocked via a rootDSE mod (requires a Windows Server 2012 RID FSMO): sidCompatibilityVersion: 1
  • other DCs must be running Windows Server 2012 to make use of this; the plan, however, is to backport it to Windows Server 2008 R2
  • down-level DCs will receive pools that use the higher-order bit but will refuse to issue RIDs from within them to new principals, i.e. those DCs are good for everything other than creating new principals
    • they will, for example, happily authenticate users with RIDs above 1 billion
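Pages 33 to 38 in runnable form, as an added example that is not part of the deck: decode rIDAvailablePool on the RID Manager$ object, reproduce the consumption-warning schedule and the 90% soft ceiling as checkable functions, read msDS-RIDPoolAllocationEnabled, and (commented out) the sidCompatibilityVersion rootDSE mod. The domain is whatever the current session belongs to; the thresholds follow the deck's description and the 2^30 limit from page 33.

```powershell
# Added example, not from the deck. Reads the global RID state and reproduces the
# Windows Server 2012 thresholds described in the slides as functions you can test.

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool is one 64-bit value: high 32 bits = highest RID the domain may issue,
    # low 32 bits = next RID that will be handed out. Returns both plus usage figures.
    param([Parameter(Mandatory)][long]$RidAvailablePool)
    $max  = [long]($RidAvailablePool -shr 32)
    $next = [long]($RidAvailablePool -band 0xFFFFFFFF)
    [pscustomobject]@{
        MaximumRid   = $max
        NextRid      = $next
        Used         = $next - 1
        Remaining    = $max - $next + 1
        PercentUsed  = [math]::Round(100.0 * ($next - 1) / $max, 2)
        Is31BitSpace = ($max -gt [math]::Pow(2, 30))   # true once sidCompatibilityVersion=1 has been applied
    }
}

function Get-RidWarningSchedule {
    # Consumption milestones as the deck describes them: first at 100,000,000 RIDs used, then
    # each next one at "current + 10% of what remains", up to the 90% soft ceiling.
    # The deck's 190,000,000 figure rounds the space to 1,000,000,000; 2^30 gives 197,374,182.
    param([long]$MaximumRid = [math]::Pow(2, 30), [int]$Count = 10)
    $thresholds = @([long]100000000)
    while ($thresholds.Count -lt $Count) {
        $last  = $thresholds[-1]
        $nextT = $last + [long](($MaximumRid - $last) * 0.10)
        if ($nextT -ge [long]($MaximumRid * 0.90)) { break }
        $thresholds += $nextT
    }
    $thresholds
}

function Test-RidSoftCeiling {
    # The soft ceiling (90%, not configurable) counts as reached when a pool containing the
    # 90% RID is issued; the RID master then flips msDS-RIDPoolAllocationEnabled to FALSE.
    param([Parameter(Mandatory)][long]$NextRid, [Parameter(Mandatory)][long]$MaximumRid, [int]$BlockSize = 500)
    $ceilingRid = [long]($MaximumRid * 0.90)
    ($NextRid + $BlockSize - 1) -ge $ceilingRid
}

# --- Live checks, run as a Domain Admin and targeted at the RID master ---
$domain = Get-ADDomain
$ridMgr = Get-ADObject "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
              -Server $domain.RIDMaster -Properties rIDAvailablePool, 'msDS-RIDPoolAllocationEnabled'
$state  = ConvertFrom-RidAvailablePool -RidAvailablePool $ridMgr.rIDAvailablePool
$state | Format-List
Get-RidWarningSchedule -MaximumRid $state.MaximumRid |
    Where-Object { $_ -gt $state.Used } | Select-Object -First 1 |
    ForEach-Object { "Next consumption warning at $_ RIDs used" }

if ($ridMgr.'msDS-RIDPoolAllocationEnabled' -eq $false) {
    Write-Warning 'Soft ceiling reached: RID pool allocation is blocked until a DA sets msDS-RIDPoolAllocationEnabled back to TRUE.'
    # Set-ADObject -Identity $ridMgr -Server $domain.RIDMaster -Replace @{ 'msDS-RIDPoolAllocationEnabled' = $true }
}

# --- Irreversible: unlock the 31st bit. Only with a Windows Server 2012 RID master, only after
#     every DC that must create principals is also 2012, and never on a DC you may need to
#     authoritatively restore. Left commented on purpose.
# $rootDse = [ADSI]"LDAP://$($domain.RIDMaster)/RootDSE"
# $rootDse.Put('sidCompatibilityVersion', '1')
# $rootDse.SetInfo()
```

From a detection standpoint the two values worth trending are Used from ConvertFrom-RidAvailablePool and the number of pools a given DC requests per day: a burn rate far above the organisation's account-creation rate is the rIDSetReferences loop of page 35, or a script creating principals, long before the 90% ceiling would ever fire.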

Page 39:

Deferred Index Creation
• Adding indices to existing attributes resulted in DC performance issues, i.e.
  • DCs received the schema update through replication
  • 5 minutes later, DCs refreshed their schema cache
  • many/all DCs near-simultaneously began building the index
• Windows Server 2012 introduces a new dSHeuristics setting
  • the 18th character (counted from one; those who count from zero call it the 19th)
  • setting it to 1 causes any Windows Server 2012 DC to defer building indices until
    • it receives the schemaUpdateNow rootDSE mod (triggers a rebuild of the schema cache), or
    • it is rebooted (which requires that the schema cache be rebuilt and, in turn, the deferred indices)
• Any attribute that is in a deferred-index state is logged in the event log every 24 hours
  • 2944: index deferred; logged once
  • 2945: index still pending; logged every 24 hours
  • 1137: index created; logged once (not a new event)

Page 40:

Expose DNTs on rootDSE
• Active Directory's DIT uses DNTs
  • if we think of the DIT as a spreadsheet, DNTs are very much like row numbers
  • finite address space: 2^31 (roughly 2 billion)
  • DNTs are NOT replicated (a database-local concept)
  • never reused (the value only ever increases)
• DNTs are never re-serialized (or reclaimed) except during over-the-wire promotions
  • neither IFM nor cloning re-serializes them
  • once you run out, the DC must be demoted and re-promoted over the wire
• Determining the highest DNT on a given DC previously required dumping its database or programmatically interrogating the DIT
  • time-consuming; impacts performance and disk space
• Windows Server 2012 Active Directory exposes DNTs via
  • the rootDSE constructed attribute approximateHighestInternalObjectID
  • a perfmon counter, too
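The two rootDSE-driven operations on pages 39 and 40, as an added example that is not part of the deck: a helper that sets one positional character of dSHeuristics without breaking the string's own rules, the schemaUpdateNow rootDSE mod that makes a single DC build its deferred indices on demand, and a DNT-usage report from approximateHighestInternalObjectID across all DCs. The character position 18 is taken from the slide; server names are assumptions.

```powershell
# Added example, not from the deck. dSHeuristics position 18 is the deck's value for the
# deferred-index flag; DC names are assumptions.

function Set-DsHeuristicsChar {
    # dSHeuristics is a positional string. Two rules bite: pad with '0', and every 10th
    # character must hold its position's digit ('1' at 10, '2' at 20, ...) or the write fails.
    param([string]$Current, [Parameter(Mandatory)][int]$Position, [Parameter(Mandatory)][char]$Value)
    $chars = [char[]]($Current.PadRight([math]::Max($Current.Length, $Position), '0'))
    for ($i = 10; $i -le $chars.Length; $i += 10) {
        if ($i -ne $Position) { $chars[$i - 1] = [char]([string]($i / 10)) }
    }
    $chars[$Position - 1] = $Value
    -join $chars
}
# Set-DsHeuristicsChar -Current '' -Position 18 -Value '1'   ->  '000000000100000001'

Import-Module ActiveDirectory
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties dSHeuristics
$new    = Set-DsHeuristicsChar -Current ([string]$dsObj.dSHeuristics) -Position 18 -Value '1'
Set-ADObject -Identity $dsObj -Replace @{ dSHeuristics = $new }   # 2012 DCs now defer new indices

# Build the deferred indices on one DC at a time, in a window you choose.
function Invoke-SchemaCacheRebuild {
    param([Parameter(Mandatory)][string]$Server)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('schemaUpdateNow', '1')   # rootDSE mod; event 1137 follows when the index exists
    $rootDse.SetInfo()
}
# Invoke-SchemaCacheRebuild -Server DC01

# DNT consumption per DC: ~2^31 is the hard limit, the value never shrinks, and only an
# over-the-wire promotion resets it (IFM and cloning carry the source DC's DNTs across).
function Get-DntUsage {
    param([string[]]$Server = (Get-ADDomainController -Filter *).HostName)
    foreach ($s in $Server) {
        $dnt = [long](Get-ADRootDSE -Server $s -Properties approximateHighestInternalObjectID).approximateHighestInternalObjectID
        [pscustomobject]@{
            Server         = $s
            HighestDNT     = $dnt
            PercentOfSpace = [math]::Round(100.0 * $dnt / [math]::Pow(2, 31), 3)
        }
    }
}
# Get-DntUsage | Sort-Object PercentOfSpace -Descending
```

Get-DntUsage is the number to look at before choosing IFM or cloning for a replacement DC: both carry the source's DNT high-water mark across, so a DC that is already deep into its DNT space should be replaced over the wire, not copied.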

Page 41:

Off-Premises Domain Join
• Extends offline domain join by allowing the provisioning blob to carry the DirectAccess prerequisites
  • certificates
  • Group Policies
• What does this mean?
  • a computer can now be domain-joined over the Internet if the domain is DirectAccess-enabled
  • getting the blob to the non-domain-joined machine is an offline process and the responsibility of the admin
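The two halves of the off-premises join, as an added example that is not part of the deck: provisioning a blob that also carries the DirectAccess GPO, the root CA certificates and a certificate template, then consuming it on the not-yet-joined machine. The domain, machine name, GPO name, template name and file path are assumptions; the switches are those of the Windows Server 2012 djoin.exe.

```powershell
# Added example, not from the deck. Assumed names: contoso.com, LAPTOP-017,
# GPO "DirectAccess Client Settings", template "DirectAccess Client Computer", C:\odj.

# Step 1, on a domain-joined admin workstation with rights to create the computer object.
# /policynames and /rootcacerts embed the DirectAccess GPO and the root CA chain in the blob;
# /certtemplate requests a machine certificate from that template at provisioning time.
djoin.exe /provision /domain contoso.com /machine LAPTOP-017 `
    /savefile C:\odj\LAPTOP-017.txt `
    /policynames "DirectAccess Client Settings" `
    /rootcacerts `
    /certtemplate "DirectAccess Client Computer" `
    /reuse
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with $LASTEXITCODE" }

# The blob is a secret: it contains the machine account password. Move it out of band and
# delete it once consumed; anyone holding it can join a machine as LAPTOP-017.

# Step 2, on the not-yet-joined Windows 8 machine, as local administrator, with Internet access.
djoin.exe /requestodj /loadfile C:\odj\LAPTOP-017.txt /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with $LASTEXITCODE" }
Remove-Item C:\odj\LAPTOP-017.txt
Restart-Computer   # the DirectAccess settings take effect at the next boot
```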

Page 42:

Connected Accounts
• Background
  • a consumer-oriented feature coupled with the Modern UI, providing enhanced app-development capabilities
  • provides an out-of-box ability to interactively log on to Windows 8 with a "connected" Live ID
  • roams certain aspects of a user's profile between Windows 8 computers sharing the same connected Live ID

Page 43:

Connected Accounts
• Live ID logon to Windows with a connected Active Directory user account is NOT supported
• Connecting local accounts on domain-joined machines IS supported
  • SSO to Live-supported web sites still functions, as does profile sync, etc.
  • a Group Policy setting can disable Live ID connected accounts completely
• Server SKUs do NOT support connected accounts
• Note that Windows 8 client applications built for the Modern UI (Metro) are able to leverage a rich set of features specific only to connected accounts

Page 44:

Connected Accounts
• The Object Picker and Windows as a whole will display the Live ID, not the local account name
  • legacy applications will still see the NT-style account name
• An administrator must associate the Live ID with the target account
  • this can be done retroactively or during the OOBE (page 2)
• A connected local user WILL appear in Local Users and Groups
  • password change attempts will be blocked

Page 45:

Enhanced LDAP logging
• Enhanced LDAP logging added in Windows Server 2012
  • existing LDAP logging capabilities were deemed insufficient
  • unable to isolate or diagnose the root cause of many behaviours/failures with the existing logging
• Enabled through the registry, via logging overrides or level-5 LDAP logging
  • the additional logging records entry and exit statistics for a given API
  • we now also track the entry and exit tick, making it feasible to determine the sequence of events
    • entry: logs the operation name, the SID of the caller's context, the client IP, the entry tick and the client ID
    • exit: logs the operation name, the SID of the caller's context, the client IP, the entry and exit ticks and the client ID
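Turning the level-5 logging on for a bounded window and reading what it produced, as an added example that is not part of the deck. The diagnostics key and the "16 LDAP Interface Events" value are the standard NTDS diagnostics registry entries; the DC name and the two-minute window are assumptions.

```powershell
# Added example, not from the deck. Assumed: DC01 is the DC under investigation.
$dc        = 'DC01'
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '16 LDAP Interface Events'

Invoke-Command -ComputerName $dc -ScriptBlock {
    param($key, $valueName)
    $before = (Get-ItemProperty -Path $key -Name $valueName).$valueName
    # Level 5 writes entry/exit records for every LDAP operation: expensive on a busy DC,
    # so the window is short and the previous level is restored even if something throws.
    Set-ItemProperty -Path $key -Name $valueName -Value 5 -Type DWord
    try {
        Start-Sleep -Seconds 120
    } finally {
        Set-ItemProperty -Path $key -Name $valueName -Value $before -Type DWord
    }
} -ArgumentList $key, $valueName

# The records land in the Directory Service log and carry caller SID, client IP, operation
# name and entry/exit ticks, so one client's operations can be ordered and timed.
Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -match 'LDAP' } |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```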

Page 46:

New LDAP Controls/Behaviors
• Batched extended-LDAP operations (1.2.840.113556.1.4.2212)
• Require server-sorted search to use an index on the sort attribute (1.2.840.113556.1.4.2207)
• DirSync_EX_Control (1.2.840.113556.1.4.2090)
• TreeDelete control with batch size (1.2.840.113556.1.4.2204)
• Include ties in server-sorted search results (1.2.840.113556.1.4.2210)
• Return highest change stamp applied as part of an update (1.2.840.113556.1.4.2205)
• Expected entry count (1.2.840.113556.1.4.2211)
• Check TechNet for more details on these

Page 47: (section divider; feature map repeated)

Page 48: (section divider; Management subsection of the feature map repeated)

Page 49:

Recycle Bin User Interface
• Background
  • the Recycle Bin feature introduced with Windows Server 2008 R2 provided an architecture permitting complete object recovery
  • scenarios requiring object recovery via the Recycle Bin are typically high priority: recovery from accidental deletions, etc., resulting in failed logons and work stoppages
  • the absence of a rich graphical interface complicated its usage and slowed recovery

Page 50:

Recycle Bin User Interface
• Solution
  • simplify object recovery through the inclusion of a Deleted Objects node in the Active Directory Administrative Center
  • deleted objects can now be recovered within the graphical user interface
  • greatly reduces recovery time by providing a discoverable, consistent view of deleted objects

Page 51:

Recycle Bin User Interface
• Requirements
  • the Recycle Bin's own requirements must first be satisfied, e.g.
    • Windows Server 2008 R2 forest functional level
    • the Recycle Bin optional feature must be switched on
  • Windows Server 2012 Active Directory Administrative Center
  • objects requiring recovery must have been deleted within the Deleted Object Lifetime (DOL); defaults to 180 days

Page 52: (section divider; feature map repeated)

Page 53:

Dynamic Access Control
• Background
  • today it is difficult to translate business intent using the existing authorization model
    • no central administration capabilities
    • the existing expression language makes it hard or impossible to fully express requirements
  • increasing regulatory and business requirements around compliance demand a different approach

Page 54:

Dynamic Access Control
• Solution
  • new central access policy (CAP) model
  • new claims-based authorization platform that enhances, not replaces, the existing model
    • user claims and device claims
    • user + device claims = compound identity
    • includes traditional group memberships too
  • use of file-classification information in authorization decisions
  • modern authorization expressions, e.g.
    • evaluation of ANDed authorization conditions
    • leveraging classification and resource properties in ACLs
  • easier access-denied remediation experience
  • access and audit policies can be defined flexibly and simply, e.g.
    • IF resource.Confidentiality = high THEN audit.Success WHEN user.EmployeeType = vendor

Page 55:

Access check before Windows Server 2012 (diagram): File Access -> Share Permissions -> NTFS Permissions -> Access Control Decision

Page 56:

Access check with Dynamic Access Control (diagram): File Access -> Share Permissions -> NTFS Permissions -> Central Access Policy -> Access Control Decision

Page 57:

Dynamic Access Control: In a nutshell
• Data Classification
  • classify your documents using resource properties stored in Active Directory
  • automatically classify documents based on document content
• Expression-based access conditions
  • flexible access control lists based on document classification and multiple identities (security groups)
  • centralized access control lists using Central Access Policies
• Expression-based auditing
  • targeted access auditing based on document classification and user identity
  • centralized deployment of audit policies using Global Audit Policies
• Encryption
  • automatic RMS encryption based on document classification

Page 58:

Dynamic Access Control Building Blocks
• User and Device Claims: user and computer attributes can be used in ACEs
• Expression-Based ACEs: ACEs with conditions, including Boolean logic and relational operators
• Classification Enhancements
  • file classifications can be used in authorization decisions
  • continuous automatic classification
  • automatic RMS encryption based on classification
• Central Access and Audit Policies: central authorization/audit rules defined in AD and applied across multiple file servers
• Access Denied Assistance
  • allow users to request access
  • provide detailed troubleshooting info to admins

Page 59:

User and Device Claims

Pre-2012: security principals only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device

Windows Server 2012: security principals, user claims, device claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that were not possible before
  • example: Allow Write if User.MemberOf(Finance) and User.EmployeeType = FullTime and Device.Managed = True

Page 60: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Expression-Based ACEs

Pre-2012: ‘OR’ of groups only
• Led to group bloat
• Consider 500 projects, 100 countries, 10 divisions
• 500,000 total groups (500 × 100 × 10) to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]

Windows Server 2012: ‘AND’ in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups (500 + 100 + 10) instead of 500,000

Windows Server 2012: with Central Access Policies
• 3 User Claims (one each for project, country and division)

Page 61: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Expression-based access policy (example)

User claims (issued from AD DS):
  User.Department = Finance
  User.Clearance = High

Device claims (issued from AD DS):
  Device.Department = Finance
  Device.Managed = True

Resource properties (on the file server):
  Resource.Department = Finance
  Resource.Impact = High

ACCESS POLICY
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
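The following PowerShell is an added worked example, not code from the deck, showing how the policy on this slide is expressed with the Windows Server 2012 Active Directory module: claim types sourced from AD attributes, the built-in Department/Impact resource properties, a central access rule whose SDDL carries the conditional ACE, and the central access policy a file server references. The claim IDs `ad://ext/Department` and `ad://ext/Managed`, the computer attribute `contoso-ManagedDevice` (assumed here to be a string-valued attribute holding "True"), the rule and policy names and the share path are this example's assumptions.

```powershell
# Added example: build the slide's expression-based policy with the Windows Server 2012
# Active Directory module. Run as a member of Domain Admins on a 2012 DC (or with RSAT).
Import-Module ActiveDirectory

# 1. Claim types. User.Department comes from the user object's "department" attribute;
#    Device.Managed from a computer attribute ("contoso-ManagedDevice" is assumed here and
#    assumed to be string-valued, so the claim compares as a string, not a Boolean).
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user")
New-ADClaimType -DisplayName "Managed" -SourceAttribute "contoso-ManagedDevice" `
    -ID "ad://ext/Managed" -AppliesToClasses @("computer")

# 2. Resource properties. Department_MS and Impact_MS ship with the 2012 schema but are
#    disabled; enable them and add them to the Global Resource Property List, which is
#    the list file servers download.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Set-ADResourceProperty -Identity "Impact_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS", "Impact_MS"

# 3. Central access rule. The target condition selects high-impact files; the conditional
#    ACE (XA) grants FILE_GENERIC_READ|FILE_GENERIC_WRITE (0x12019f) to Authenticated Users
#    only when the user's department equals the file's and the device claim is "True".
#    Owner (OW) and Administrators (BA) keep full control so the rule cannot lock admins out.
$resourceCondition = '(@RESOURCE.Impact_MS == "High")'
$currentAcl = 'O:SYG:SYD:AR' +
    '(A;;FA;;;OW)' +
    '(A;;FA;;;BA)' +
    '(XA;;0x12019f;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
        '(@DEVICE.ad://ext/Managed == "True")))'

New-ADCentralAccessRule -Name "High impact: department match on managed device" `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# 4. Central access policy containing the rule. Publish it to file servers with Group Policy
#    (Computer Configuration > Policies > Windows Settings > Security Settings > File System >
#    Central Access Policy), then run gpupdate on the file server.
New-ADCentralAccessPolicy -Name "High Impact Data"
Add-ADCentralAccessPolicyMember -Identity "High Impact Data" `
    -Members "High impact: department match on managed device"

# 5. On the file server: reference the policy from the folder's security descriptor and
#    confirm it is attached. The NTFS ACL stays as it is; the policy is an extra AND-ed check.
$path = "D:\Shares\Finance"
$acl  = Get-Acl -Path $path
Set-Acl -Path $path -AclObject $acl -CentralAccessPolicy "High Impact Data"
Get-Acl -Path $path | Format-List Path, CentralAccessPolicyName, CentralAccessPolicyId
```

Two caveats a deployment should plan for: the claims only appear in tickets once the KDC and client claims policies described later in the deck are enabled (check with `whoami /claims` on a Windows 8 client), and a comparison whose operands are missing evaluates as unknown, so a high-impact file that carries no Department tag, or a device without the Managed attribute, is denied by this rule for everyone except the owner and Administrators.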

Page 62: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

File Classification Infrastructure: What’s New

(Slides 62–67 build up the following diagram step by step.)

Resource Property Definitions (in AD DS) → downloaded by FCI on the file server

FCI pipeline:
• See modified / created file
• In-box content classifier or 3rd party classification plugin
• Save classification (For Security: the saved classification becomes input to expression-based ACEs)

File Management Task:
• Match file to policy
• Apply policy, e.g. RMS Encrypt

Page 68: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

How Access Check Works

File/Folder Security Descriptor:
• NTFS Permissions
• Central Access Policy Reference

Share Security Descriptor:
• Share Permissions

Active Directory (cached in local Registry):
• Cached Central Access Policy Definition
• Cached Central Access Rules (one per rule in the policy)

Access Control Decision:
1) Access Check – Share permissions, if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in the Central Access Policy

Page 69: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Classifications on the file being accessed: Department = Engineering, Sensitivity = High

Permission type       | Target files      | Permissions                         | Engineering FTE | Engineering Vendor | Sales FTE
Share                 | (all)             | Everyone: Full                      | Full            | Full               | Full
Central Access Rule 1 | Dept=Engineering  | Engineering: Modify, Everyone: Read | Modify          | Modify             | Read
  (Engineering Docs)  |                   |                                     |                 |                    |
Central Access Rule 2 | Sensitivity=High  | FTE: Modify                         | Modify          | None               | Modify
  (Sensitive Data)    |                   |                                     |                 |                    |
Central Access Rule 3 | Dept=Sales        | Sales: Modify                       | [rule ignored – not processed: file is not tagged Dept=Sales]
  (Sales Docs)        |                   |                                     |                 |                    |
NTFS                  | (all)             | FTE: Modify, Vendors: Read          | Modify          | Read               | Modify
Effective Rights      |                   | (most restrictive of all checks)    | Modify          | None               | Read
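To make the AND-across-layers rule on this slide concrete, here is an added PowerShell model of the decision (not Windows code and not from the deck): rights are collapsed to four levels, the three checks run in order, and any central access rule whose target does not match the file's classification is skipped. The group names, rules and file tags are the slide's, entered as constructed sample data; the real engine compares access masks, but the combination rule is the same.

```powershell
# Added example: a model of the access-check order on slides 68–69. Rights are collapsed to
# four levels; real checks compare access masks, but the AND-across-layers rule is the same.
$RightLevel = @{ None = 0; Read = 1; Modify = 2; Full = 3 }

function Get-LayerGrant {
    # Within one ACL, allow ACEs accumulate: the principal gets the highest right granted to
    # any group it holds. $Aces maps group name -> right.
    param([hashtable]$Aces, [string[]]$Groups)
    $best = 'None'
    foreach ($group in $Aces.Keys) {
        if ($Groups -contains $group -and $RightLevel[$Aces[$group]] -gt $RightLevel[$best]) {
            $best = $Aces[$group]
        }
    }
    return $best
}

function Get-EffectiveAccess {
    param(
        [hashtable]$ShareAcl, [hashtable]$NtfsAcl, [object[]]$CentralAccessRules,
        [hashtable]$Classification, [string[]]$Groups
    )
    # 1) share permissions, 2) NTFS permissions, 3) every central access rule whose target
    # condition matches the file's classification; a rule that does not match is ignored.
    $layers = @(
        (Get-LayerGrant -Aces $ShareAcl -Groups $Groups),
        (Get-LayerGrant -Aces $NtfsAcl  -Groups $Groups)
    )
    foreach ($rule in $CentralAccessRules) {
        $applies = $true
        foreach ($property in $rule.Target.Keys) {
            if ($Classification[$property] -ne $rule.Target[$property]) { $applies = $false }
        }
        if (-not $applies) { continue }
        $layers += Get-LayerGrant -Aces $rule.Acl -Groups $Groups
    }
    # Every layer must allow the operation, so the effective right is the lowest one.
    return @($layers | Sort-Object { $RightLevel[$_] })[0]
}

# Constructed sample data, copied from the table on slide 69.
$share = @{ Everyone = 'Full' }
$ntfs  = @{ FTE = 'Modify'; Vendors = 'Read' }
$rules = @(
    @{ Name = 'Engineering Docs'; Target = @{ Department = 'Engineering' }; Acl = @{ Engineering = 'Modify'; Everyone = 'Read' } },
    @{ Name = 'Sensitive Data';   Target = @{ Sensitivity = 'High' };       Acl = @{ FTE = 'Modify' } },
    @{ Name = 'Sales Docs';       Target = @{ Department = 'Sales' };       Acl = @{ Sales = 'Modify' } }
)
$file = @{ Department = 'Engineering'; Sensitivity = 'High' }

$principals = @{
    'Engineering FTE'    = @('Everyone', 'Engineering', 'FTE')
    'Engineering Vendor' = @('Everyone', 'Engineering', 'Vendors')
    'Sales FTE'          = @('Everyone', 'Sales', 'FTE')
}
foreach ($name in $principals.Keys) {
    $right = Get-EffectiveAccess -ShareAcl $share -NtfsAcl $ntfs -CentralAccessRules $rules `
                                 -Classification $file -Groups $principals[$name]
    "{0,-20} {1}" -f $name, $right
}
```

Running it reproduces the Effective Rights row: Modify for the Engineering FTE, None for the Engineering Vendor and Read for the Sales FTE. The Sales rule is never evaluated because the file is not tagged Department = Sales, while the Sensitive Data rule does apply and grants the vendor nothing, which is what drops the vendor to no access even though share and NTFS would have allowed Read.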

Page 70: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Staging Policies

What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating a production environment for test purposes is difficult and expensive

Page 71: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Staging policy (example)

Active Directory – user claims:
  Clearance = High | Med | Low
  Company = Contoso | Fabrikam

File server – resource properties:
  Department = Finance | HR | Engg
  Impact = High | Med | Low

Current Central Access policy for high impact data:
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company == Contoso

Staging policy:
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
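The staging comparison on this slide maps onto the proposed permissions of a central access rule: the file server evaluates the proposed ACL next to the current one and only logs the cases where the result would differ. The PowerShell below is an added example (not from the deck) of staging the tighter rule; the rule name "High impact data", the claim IDs `ad://ext/Company` and `ad://ext/Clearance`, and the SDDL are this example's assumptions.

```powershell
# Added example: stage a tighter central access rule before enforcing it. Run the
# Set-ADCentralAccessRule part on a 2012 DC; the auditpol/gpupdate part on each file server.
Import-Module ActiveDirectory

$ruleName = "High impact data"
# Current rule: Full Control for Authenticated Users whose Company claim is Contoso.
$current  = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            '(XA;;FA;;;AU;(@USER.ad://ext/Company == "Contoso"))'
# Proposed rule: additionally require Clearance == High. Evaluated, logged, not enforced.
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
            '(XA;;FA;;;AU;((@USER.ad://ext/Company == "Contoso") && ' +
                          '(@USER.ad://ext/Clearance == "High")))'

Set-ADCentralAccessRule -Identity $ruleName -CurrentAcl $current -ProposedAcl $proposed

# File server: enable the staging audit subcategory (the GPO setting is
# "Audit Central Access Policy Staging" under Object Access) and pull the updated rule.
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable
gpupdate /force

# Review: event 4818 is raised whenever the proposed ACL would not grant the same access
# as the current one, naming the user, the file and the rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Let the staged rule run across a full business cycle before promoting the proposed ACL to current: the 4818 events are the production impact analysis the slide says is too expensive to obtain by replicating the environment, and a clean log does not prove anything until every affected user population has actually touched the data.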

Page 72: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Incremental Deployment

Enhance (not replace) your current environment: incrementally add capabilities to your existing security settings

• Deploy Windows Server 2012 File Servers → Central Access and Audit Policies based on Security Groups and File Tagging; Automatic Rights Management Services (RMS) encryption
• Deploy Windows Server 2012 Domain Controllers → add User Claims in Central Access and Audit Policies
• Deploy Windows 8 Clients → add Device Claims in Central Access and Audit Policies; improved Access Denied Assistance
• Partner Solutions and Line of Business Applications

Page 73: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Dynamic Access Control – Requirements

• Windows 8 or Windows Server 2012 file servers (no DCs necessary yet) for:
  • modern authorization expressions, e.g. evaluating ANDed authorization conditions
    • NOTE: leveraging classification and resource properties in ACLs requires the Windows Server 2012 schema
  • Access Denied Remediation
• 1 or more Windows Server 2012 DCs required for Kerberos claims and Central Access Policies (CAP) support
  • must enable the claims policy in a Domain Controller-scoped GPO, e.g. Default Domain Controllers Policy
  • once configured, Windows 8 clients might use only Windows Server 2012 DCs; enough DCs must be deployed to service the load imposed by uplevel clients and servers (piling-on)
• Windows Server 2012 Active Directory Administrative Center to administer CAPs and CAPRs (CAPR = Claims Access Policy Rules)
• for device claims, compound ID must be switched on at the target service account, via Group Policy or by directly editing the corresponding objects
• downlevel clients require DFL 5 in order to receive claims from a KDC; in the absence of that, uplevel servers are able to use S4U2Self to obtain a claims-enabled ticket on the caller’s behalf
  • note that Authentication Mechanism Assurance (AMA) SIDs/claims and device authorization data are not available in that case, since the context around the authentication method and device is already lost

Page 74: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Management

Recycle Bin User Interface

Active Directory Replication & Topology

Cmdlets

Dynamic Access Control

Group Managed Service Accounts

Kerberos Enhancements

Active Directory PowerShell History Viewer

User Interface

Fine-Grained Password Policy User Interface

Active Directory Based Activation

New Features and Enhancements

Page 75: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Active Directory-based Activation (AD BA) – Background

• today, Volume Licensing for Windows/Office requires Key Management Service (KMS) servers
  • requires minimal training
  • turnkey solution covers ~90% of deployments
  • complexity caused by lack of a graphical administration console
  • requires RPC traffic on the network, which complicates matters
  • does not support any kind of authentication; the EULA prohibits the customer from connecting the KMS server to any external network
    • i.e. connectivity alone to the service equates to activated

Page 76: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Active Directory-based Activation (AD BA) – Solution

• use your existing Active Directory infrastructure to activate your clients
  • no additional machines required
  • no RPC requirement, uses LDAP exclusively
  • includes RODCs
• beyond installation and service-specific requirements, no data written back to the directory
• activating the initial CSVLK (customer-specific volume license key) requires:
  • one-time contact with Microsoft Activation Services over the Internet (identical to retail activation)
  • key entered using the Volume Activation Services server role or the command line
  • repeat the activation process for additional forests, up to 6 times by default
• activation object maintained in the configuration partition
  • represents proof of purchase
  • machines can be members of any domain in the forest
• all Windows 8 machines will automatically activate

Page 77: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Active Directory-based Activation (AD BA) – Requirements

• only Windows 8 or Windows Server 2012 machines can leverage AD BA
  • KMS and AD BA can coexist
  • you still need KMS if you require downlevel volume licensing
• setup requires a Windows 8 or Windows Server 2012 machine
• requires the Windows Server 2012 Active Directory schema, not Windows Server 2012 domain controllers

Page 78: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

New Features and Enhancements (agenda divider, same list as slide 74)

Page 79: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

AD Windows PowerShell History Viewer – Background

• Windows PowerShell is a key technology in creating a consistent experience between the command line and the graphical user interface
• Windows PowerShell increases productivity, but requires investment in learning how to use it

Page 80: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

AD Windows PowerShell History Viewer – Solution

• allow administrators to view the Windows PowerShell commands executed when using the Administrative Center, e.g.
  • the administrator adds a user to a group
  • the UI displays the equivalent Active Directory Windows PowerShell command
• administrators can copy the resulting syntax and integrate it into their scripts
  • reduces the learning curve
  • increases confidence in scripting
  • further enhances Windows PowerShell discoverability

Page 81: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

AD Windows PowerShell History Viewer – Requirements

• Windows Server 2012 Active Directory Administrative Center
• Active Directory Web Service running on a domain controller within the target domain

Page 82: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

New Features and Enhancements (agenda divider, same list as slide 74)

Page 83: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Fine-Grained Password Policy – Background

• the Fine-Grained Password Policy capability introduced with Windows Server 2008 provided more granular management of password policies
• in order to leverage the feature, administrators had to manually create password-settings objects (PSOs)
  • it proved difficult to ensure that the manually defined policy values behaved as desired
  • resulted in time-consuming, trial-and-error administration

Page 84: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Fine-Grained Password Policy – Solution

• creating, editing and assigning PSOs now managed through the Active Directory Administrative Center
• greatly simplifies management of password-settings objects

Page 85: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Fine-Grained Password Policy – Requirements

• FGPP requirements must be met, e.g. Windows Server 2008 domain functional level
• Windows Server 2012 Active Directory Administrative Center
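The History Viewer shows what the Administrative Center runs; the same work can be scripted directly. The PowerShell below is an added example (not from the deck) of a PSO for privileged accounts, the assignment, and the two checks worth running afterwards. The PSO name, the values and the account `adm.jdoe` are this example's choices.

```powershell
# Added example: a password-settings object for privileged accounts, created with the
# Active Directory module rather than ADAC. Requires Windows Server 2008 domain functional level.
Import-Module ActiveDirectory

# Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAccounts" -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 -LockoutObservationWindow "00:15:00" -LockoutDuration "00:30:00"

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAccounts" `
    -Subjects "Domain Admins", "Server Operators"

# Check 1: what a given account actually gets once precedence across all applicable PSOs is
# resolved. An empty result means no PSO applies and the domain policy is in force.
Get-ADUserResultantPasswordPolicy -Identity "adm.jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Check 2: every PSO with its subjects, for periodic review.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Because precedence is numeric and silent, the resultant-policy check is the one that matters: a PSO with a lower precedence number that was assigned to a broad group later will override this one for any user in both groups without any warning at creation time.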

Page 86: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

New Features and Enhancements (agenda divider, same list as slide 74)

Page 87: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Kerberos changes

• There are a number of changes to Kerberos to enhance day-to-day operations
  • Increase to the maximum Kerberos SSPI context buffer size
  • PAC group compression
  • Warning events for large token sizes
  • Increased logging
• Major changes
  • New Kerberos constrained delegation support
  • Claims support

Page 88: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Delegation

• Prior to Windows Server 2012, constrained delegation required the front-end and back-end service accounts to be in the same domain
• Windows Server 2012 allows constrained delegation across domains and forest trusts
• Protect back-end services by setting the service account parameter PrincipalsAllowedToDelegateToAccount: the back end lists which front ends may delegate to it
• Block cross-forest delegation by setting the trust to “no” for /EnableTGTDelegation with netdom trust
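The PowerShell below is an added example (not from the deck) of the two controls named on this slide: resource-based constrained delegation configured on the back end, and the trust-level switch for TGT delegation. The host names WEB01 and SQL01 and the domain names contoso.com and fabrikam.com are this example's assumptions.

```powershell
# Added example: resource-based constrained delegation (Windows Server 2012). The back-end
# service's owner decides who may delegate to it; front end and back end may sit in
# different domains or forests.
Import-Module ActiveDirectory

# Back end SQL01 accepts delegated (S4U2Proxy) requests only from WEB01. The cmdlet writes the
# msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor on SQL01's computer object.
$frontEnd = Get-ADComputer -Identity "WEB01"
Set-ADComputer -Identity "SQL01" -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify, and review who else is already listed: an unexpected entry here is a finding.
Get-ADComputer -Identity "SQL01" -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'AllowedToDelegate'
                           e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }

# To revoke the grant, clear the attribute:
# Set-ADComputer -Identity "SQL01" -PrincipalsAllowedToDelegateToAccount $null

# Cross-forest: stop TGTs being forwarded across the trust (the slide's "set to no").
# Syntax: netdom trust <trusting domain> /domain:<trusted domain> /EnableTGTDelegation:No
netdom trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No
```

Because the grant is nothing more than a security descriptor stored on the back-end account, anyone with write access to that object can add themselves as a permitted front end; treat writes to msDS-AllowedToActOnBehalfOfOtherIdentity as a change to audit in the same way as changes to the old msDS-AllowedToDelegateTo list.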

Page 89: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Adding claims to the Kerberos token

Pre-Windows 8 & Server 2012:
• User’s Kerberos ticket → PAC → User Groups
• User’s group memberships added to PAC; authorization based on group membership

Windows 8 & Server 2012:
• User’s Kerberos ticket → PAC → User Groups + User Claims
• Compound ID: + Device Groups + Device Claims
• PAC contains a user’s group and claims information + device information
• Authorization can be based on group membership, user and device claims

Page 90: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Enabling Kerberos for claims

• Enable the KDC administrative template setting “KDC support for claims, compound authentication and Kerberos armoring” (Computer Configuration > Administrative Templates > System > KDC; pre-release builds called it “Support for Dynamic Access Control and Kerberos armoring”)
• Kerberos armoring, also referred to as Flexible Authentication Secure Tunneling (FAST), provides:
  • A protected channel between the Kerberos client and the KDC
  • Protection against offline dictionary attacks
  • Signed Kerberos error messages, to prevent spoofing
  • Compound identity
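The PowerShell below is an added example (not from the deck) of switching these settings on with the Group Policy and Active Directory modules instead of the GPMC UI, plus the per-service compound-ID opt-in from the requirements slide and two checks. The registry paths, value names and the level encoding are those I know from the KDC and Kerberos ADMX files and should be verified against the ADMX in use; the GPO name "Kerberos Claims Clients", the OU path and the file server FS01 are this example's assumptions.

```powershell
# Added example: enable claims, compound authentication and Kerberos armoring with the
# GroupPolicy module on a Windows Server 2012 DC, then opt a file server in to compound ID.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# KDC side: "KDC support for claims, compound authentication and Kerberos armoring".
# Scoped to DCs via the Default Domain Controllers Policy. CbacAndArmorLevel encoding as in
# the ADMX: 0 = Supported, 1 = Always provide claims, 2 = Fail unarmored authentication requests.
$kdcKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters"
Set-GPRegistryValue -Name "Default Domain Controllers Policy" -Key $kdcKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
Set-GPRegistryValue -Name "Default Domain Controllers Policy" -Key $kdcKey `
    -ValueName "CbacAndArmorLevel" -Type DWord -Value 0

# Client side: "Kerberos client support for claims, compound authentication and Kerberos
# armoring", in a GPO linked to the Windows 8 / Windows Server 2012 members.
$clientKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
New-GPO -Name "Kerberos Claims Clients" | New-GPLink -Target "OU=Workstations,DC=contoso,DC=com"
Set-GPRegistryValue -Name "Kerberos Claims Clients" -Key $clientKey `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1

# Compound ID is opted in per target service: device claims are only put in tickets issued
# to service accounts that ask for them.
Set-ADComputer -Identity "FS01" -CompoundIdentitySupported $true

# Checks: the opt-in took, and a client's token actually carries claims.
Get-ADComputer -Identity "FS01" -Properties CompoundIdentitySupported |
    Select-Object Name, CompoundIdentitySupported
whoami /claims        # on a Windows 8 client after a fresh logon: lists the user claims in the token
klist get cifs/FS01   # request the service ticket; klist then shows the cached ticket's flags
```

Roll the KDC setting out to every Windows Server 2012 DC before enabling it on clients: the deck's piling-on warning applies because, once a client knows the domain supports claims, it prefers DCs that can issue them.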

Page 91: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Token/Ticket Bloat

• Understanding the problem
  • Token Bloat: amount of authorization data in the NT token
  • Ticket Bloat: amount of authorization data sent over the wire
• Token Bloat: how does it manifest?
  • Too many SIDs in the token (upper bound of 1024)
• Ticket Bloat: how does it manifest?
  • Authorization data is sent over the network
  • Over time, old group memberships linger and authorization data adds up
  • Might see failures in one type of application; usually indicates the limits for that wire transport have been reached

Page 92: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Impact of Claims

• Ticket Bloat
  • Claims are authorization data carried over the wire; initially, some increase in ticket sizes is expected
• Windows 8 improvements
  • DC compresses claims before sending them over the wire
  • DC compresses certain types of SIDs that weren’t compressed before (Resource Domain SIDs)
  • MaxTokenSize default increased to 48k
  • New audit events: the DC starts logging events when ticket sizes exceed a specified value

Page 93: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Impact of Claims – Real Numbers

First Claim
• 1 Boolean claim
• Adds 242 Bytes

User Claims Set
• 5 claims: 1 Boolean; 1 Integer; 2 String – single valued (avg len/value: 12 chars); 1 String – multi valued (avg len/value: 12 chars, avg #values: 6)
• Adds 970 Bytes

Compound-ID Claims Sets
• User – 5 claims, as above
• Device – 2 claims: 1 Boolean; 1 String – single valued (avg len/value: 12 chars)
• Adds 1374 Bytes of claims data + computer group’s AuthZ data

Worst-Case Analysis (assumes no compression), bytes before compression:
  120 user overhead
  120 device overhead
  114 per int/bool claim
  8 per int/bool value
  138 per string claim
  2 per string character

Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
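The slide's three figures follow from its six constants, and the same arithmetic can be run against your own claim set. The PowerShell below is an added example (not from the deck) that encodes the worst-case model as a function; the claim sets at the bottom are the slide's, entered as constructed input, and the model says nothing about the computer's group SIDs, which the slide counts separately.

```powershell
# Added example: the slide's worst-case (no compression) model as a function, so the figures
# above can be reproduced and the model applied to a real claim set.
$Model = @{
    UserOverhead   = 120   # bytes per user claim set
    DeviceOverhead = 120   # bytes per device claim set (compound ID only)
    ScalarClaim    = 114   # per integer or Boolean claim
    ScalarValue    = 8     # per integer or Boolean value
    StringClaim    = 138   # per string claim
    StringChar     = 2     # per character of every string value
}

function Get-ClaimSetBytes {
    # $Claims: hashtables with Type (Boolean|Integer|String), Values (count) and, for
    # strings, AvgLength (characters per value).
    param([hashtable[]]$Claims)
    $bytes = 0
    foreach ($claim in $Claims) {
        switch ($claim.Type) {
            'String' { $bytes += $Model.StringClaim + $Model.StringChar * $claim.AvgLength * $claim.Values }
            default  { $bytes += $Model.ScalarClaim + $Model.ScalarValue * $claim.Values }
        }
    }
    return $bytes
}

function Get-ClaimsTicketGrowth {
    # Bytes added to the PAC by the user claim set plus, when device claims are supplied,
    # the compound-ID device claim set. The computer's group SIDs are not included.
    param([hashtable[]]$UserClaims, [hashtable[]]$DeviceClaims = @())
    $total = $Model.UserOverhead + (Get-ClaimSetBytes -Claims $UserClaims)
    if ($DeviceClaims.Count -gt 0) {
        $total += $Model.DeviceOverhead + (Get-ClaimSetBytes -Claims $DeviceClaims)
    }
    return $total
}

# Constructed input matching the slide's three scenarios.
$firstClaim = @( @{ Type = 'Boolean'; Values = 1 } )
$userSet = @(
    @{ Type = 'Boolean'; Values = 1 },
    @{ Type = 'Integer'; Values = 1 },
    @{ Type = 'String';  Values = 1; AvgLength = 12 },
    @{ Type = 'String';  Values = 1; AvgLength = 12 },
    @{ Type = 'String';  Values = 6; AvgLength = 12 }
)
$deviceSet = @(
    @{ Type = 'Boolean'; Values = 1 },
    @{ Type = 'String';  Values = 1; AvgLength = 12 }
)
Get-ClaimsTicketGrowth -UserClaims $firstClaim
Get-ClaimsTicketGrowth -UserClaims $userSet
Get-ClaimsTicketGrowth -UserClaims $userSet -DeviceClaims $deviceSet
```

The three calls reproduce the slide: 120 + 114 + 8 = 242 for the single Boolean claim; 120 + 2 × 122 + 2 × 162 + (138 + 6 × 24) = 970 for the five-claim user set; and 970 + 120 + 122 + 162 = 1374 once the device set is added. Replace the constructed sets with the output of Get-ADClaimType in your forest to see how far a planned claim set sits below the MaxTokenSize the deck mentions.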

Page 94: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

New Features and Enhancements (agenda divider, same list as slide 74)

Page 95: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Group Managed Service Accounts – Background

• Managed Service Accounts (MSAs) introduced with Windows Server 2008 R2
• clustered or load-balanced services that needed to share a single security principal were unsupported
  • MSAs not able to be used in many desirable scenarios

Page 96: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Group Managed Service Accounts – Solution

• introduce a new security principal type known as a gMSA
  • services running on multiple hosts can run under the same gMSA account
• 1 or more Windows Server 2012 DCs required
  • gMSAs can authenticate against any OS-version DC
  • passwords computed by the Group Key Distribution Service (GKDS) running on all Windows Server 2012 DCs
  • Windows Server 2012 hosts using gMSAs obtain the password and password updates from the GKDS
  • password retrieval limited to authorized computers
• password-change interval defined at gMSA account creation (30 days by default)
• like MSAs, gMSAs are supported only by the Windows Service Control Manager (SCM) and IIS application pools
  • support for scheduled tasks is being investigated

Page 97: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Group Managed Service Accounts – Requirements

• Windows Server 2012 Active Directory schema updated in forests containing gMSAs
• 1 or more Windows Server 2012 DCs to provide password computation and retrieval
• only services running on Windows 8 or Windows Server 2012 can use gMSAs
• Windows Server 2012 Active Directory Module for Windows PowerShell to create gMSA accounts
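The PowerShell below is an added example (not from the deck) of the full gMSA life cycle with the Active Directory module: the one-time KDS root key, a group that scopes password retrieval, the account itself with the interval that can only be set at creation, installation on a host, and the check that the host can actually obtain the password. The host names WEB01/WEB02, the group WebFarm-Hosts, the account svc-webfarm and the DNS names are this example's assumptions.

```powershell
# Added example: create and use a gMSA. Run the AD parts on a 2012 DC (or RSAT) as a
# Domain Admin; run Install/Test on each host that will use the account.
Import-Module ActiveDirectory

# One-time per forest: a KDS root key. -EffectiveImmediately still waits 10 hours so every
# 2012 DC has replicated the key; for a lab only, backdate it instead:
#   Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Add-KdsRootKey -EffectiveImmediately

# Only members of this group may retrieve the managed password.
New-ADGroup -Name "WebFarm-Hosts" -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity "WebFarm-Hosts" -Members 'WEB01$', 'WEB02$'

# The change interval is fixed at creation (30 days by default) and cannot be altered later.
New-ADServiceAccount -Name "svc-webfarm" -DNSHostName "svc-webfarm.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "WebFarm-Hosts" `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256 `
    -ServicePrincipalNames "HTTP/webfarm.contoso.com"

# On each host, after a reboot so the host's own token includes the WebFarm-Hosts membership.
# Test-ADServiceAccount returns False when the host is not in the group or the KDS key is
# not yet usable, which are the two usual causes of a service failing to start.
Install-ADServiceAccount -Identity "svc-webfarm"
Test-ADServiceAccount -Identity "svc-webfarm"

# Review: which principals can read the password, and the rotation interval.
Get-ADServiceAccount -Identity "svc-webfarm" `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'PasswordReaders'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }
```

The PrincipalsAllowedToRetrieveManagedPassword list is the gMSA's real security boundary: any computer on it can read the current password blob, so keep it to the hosts that run the service and review it the way you would review membership of a privileged group.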

Page 98: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

New Features and Enhancements (agenda divider, same list as slide 74)

Page 99: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Make sure PowerShell is your best friend

• PowerShell 3.0 with over 2000 cmdlets
• Allows creation of scripts with workflow
• AD PowerShell history helps you get started
• Comprehensive cmdlets for replication management
• Newest help files download on demand: Update-Help

Page 100: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

What Active Directory 2012 R2 adds…

• Workplace Join using Device Registration Service
• Connecting to Applications and Services from anywhere: Web Application Proxy
• Managing Risk with Multi-Factor Access Control
• Managing Risk with Additional Multi-Factor Authentication for Sensitive Applications

Page 101: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

The future of Active Directory is cloudy

Windows Active Directory (AD)
• You host it, on-premises / cloud
• You manage the infrastructure and the data
• Services:
  • AD Directory Services (AD DS): Kerberos authentication, NTLM authentication
  • AD Lightweight Directory Services (AD LDS)
  • AD Federation Services (AD FS)
  • AD Certificate Services (AD CS)
  • AD Rights Management Services (AD RMS)

Windows Azure Active Directory (WAAD)
• Microsoft hosts it in their datacenters
• Microsoft manages the infrastructure
• You manage the data
• Services:
  • Directory Services
  • Federated authentication: WS-Federation, SAML-P, OAuth 2.0, more to come...
  • Access Control Services (ACS)

(synchronization between the two)

Page 102: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

In Summary…..

Page 103: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Leverage new technologies

Page 104: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Extend Identity governance reach

Page 105: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Implement effective access control

Page 106: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

For more info…

TechNet
• What’s New in Active Directory 2012
• What’s New in Active Directory 2012 R2
• Intro to Dynamic Access Control

TechEd North America
• WCA-B204: Active Directory Enables User Productivity and IT Risk Management Strategies Across a Variety of Devices
• WCA-B334: Secure Anywhere Access to Corporate Resources Such as Windows Server Work Folders Using ADFS
• WCA-B333: Enable Work from Anywhere without Losing Sleep: Remote Access with the Web Application Proxy and VPN solutions

Page 107: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

Developer Network – Resources for Developers: http://msdn.microsoft.com/en-au/
Learning – Virtual Academy: http://www.microsoftvirtualacademy.com/
TechNet – Resources for IT Professionals: http://technet.microsoft.com/en-au/
Sessions on Demand: http://channel9.msdn.com/Events/TechEd/Australia/2013

Page 108: Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.