Dynamic Access Control Deep Dive & Extensibility
Dave McPherson, Sr. Program Manager, session 3-052


TRANSCRIPT

Page 1: Dynamic Access Control Deep Dive & Extensibility

Dynamic Access Control Deep Dive & Extensibility

Dave McPherson, Sr. Program Manager, 3-052

Page 2

Session objectives

• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes:
  • Classification
  • Central access policies
  • Staging
  • Authentication and authorization flows
  • Token bloat
• Extensibility

Page 3

Dynamic Access Control: In a nutshell

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Page 4

Dynamic Access Control Building Blocks

User and Device Claims
• User and computer attributes can be used in ACEs

Expression-Based ACEs
• ACEs with conditions, including logical and relational operators

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to self-remedy or request access
• Provide detailed troubleshooting info to admins

Page 5

Expression-based access policy (diagram)

AD DS
• User claims: User.Department = Finance; User.Clearance = High
• Device claims: Device.Department = Finance; Device.Managed = True
• Resource properties: Resource.Department = Finance; Resource.Impact = High

File Server
• Conditional Access Policy
• Applies to: Resource.Impact = High
• Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)

Page 6

User and Device Claims

Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device

Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

Page 7

Expression-Based ACEs

Pre-2012: 'OR' of groups only
• Led to group bloat
• Consider an org with 500 projects, 100 countries, 10 divisions
• 500,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]

Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups instead of 500,000

Windows Server 2012: with Central Access Policies & Classification
• 3 User Claims + 3 Resource properties

Page 8

Conditional Expression Operators

Logical: AND, OR, NOT, Exists (resource properties)

Relational: =, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, NOT*

See MS-DTYP for processing rules

Page 9

Conditional Expressions in Windows

Extension of the CALLBACK_ACE_TYPE
• Allows custom ACE behavior
• Previously only available through AuthzAPI
• The expression goes into the ApplicationData section (prefixed by the 4 'xtra' signature bytes)

SDDL
• A normal ACE: (A;CIOI;GA;;;AU)
• A conditional ACE: (XA;CIOI;GA;;;AU;((@User.smartcard == 1 || @Device.managed == 1) && @Resource.dept Any_of {"Sales","HR"}))

Page 10

Access Control Policy Extensibility

• Security Descriptor Definition Language (SDDL)
  • CBAC ACEs managed as SDDL strings
  • Added / removed from SDDL strings via standard string manipulation functions
  • AddConditionalAce, AddResourceAttributeAce
• Managing Claims in AD: PowerShell / LDAP
• Managing Central Access Policies: PowerShell / LDAP

Page 11

File Classification Infrastructure (section divider)

Page 12

File Classification Infrastructure
• FCI released in WS08R2
• Classified based on rules run at specified schedules
• Not continuous
• Not for access control
• No UI for manual classification

Pages 13 to 18

File Classification Infrastructure (diagram, built up across six slides)

Components: Resource Property Definitions; FCI with its in-box content classifier and 3rd party classification plugin (the extensibility point); File Management Task; RMS Encrypt.

Flow shown: See modified / created file → Save classification (for security) → Match file to policy → Apply Policy → RMS Encrypt.

Page 19

Central Access Policies (section divider)

Page 20

Central Access Policies (diagram)

1. Define Central Access Rules (CARs) in Active Directory
2. Define Central Access Policies (CAPs) from those rules
3. Apply CAPs on file servers

High Impact Data rule
• Applies To: Resource.Impact == High
• Access conditions: User.Clearance = High AND Device.IsManaged = True

Personal Information rule
• Applies To: Resource.PII == True
• Access conditions: Allow MemberOf(PIIAdministrators, Owner)

"Information wall" rule
• Applies To: Exists Resource.Department
• Access conditions: User.Department any_of Resource.Department

Standard organization policy: High Impact rule, Personal Information rule
Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule

Corporate file servers: Finance folders, User folders

Page 21

File Access without Central Access Policy

Access Control Decision = Share Permissions + NTFS Permissions

Page 22

File Access with Central Access Policy

Access Control Decision = Share Permissions + NTFS Permissions + Central Access Policy

Page 23

How Access Check Works

• Share Security Descriptor: Share Permissions
• File/Folder Security Descriptor: NTFS Permissions + Central Access Policy Reference
• Active Directory (cached in local Registry): Cached Central Access Policy Definition, holding the cached Central Access Rules

Access Control Decision:
1) Access Check – Share permissions, if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in the Central Access Policy
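As an added illustration that is not from the deck, this Python model runs the three-stage check on this slide against two of the Finance department rules from the Central Access Policies slide; the claim values, the NTFS ACL, the resource properties and the per-rule rights set are constructed simplifications.

```python
from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"

@dataclass
class Principal:
    user: dict                       # user claims carried in the Kerberos PAC
    device: dict                     # device claims (present with compound identity)
    groups: set = field(default_factory=set)

@dataclass
class Rule:
    """One Central Access Rule: a target filter plus a conditional grant (simplified)."""
    name: str
    applies_to: object               # resource properties -> bool
    condition: object                # (principal, resource) -> bool
    rights: set = field(default_factory=lambda: {READ, WRITE})

def rule_grants(rule, principal, resource, right):
    # A rule whose target filter does not match the file puts no restriction on it.
    if not rule.applies_to(resource):
        return True
    return right in rule.rights and bool(rule.condition(principal, resource))

def access_check(principal, resource, right, share_acl, ntfs_acl, cap):
    """Share permissions, then NTFS permissions, then every matching CAR in the
    CAP; the first stage that does not grant the right decides the outcome."""
    if share_acl is not None and not share_acl(principal, right):
        return False, "share permissions"
    if not ntfs_acl(principal, right):
        return False, "NTFS permissions"
    for rule in cap:
        if not rule_grants(rule, principal, resource, right):
            return False, "CAR '%s'" % rule.name
    return True, "granted"

# Constructed rules modelled on the deck's Finance department policy.
HIGH_IMPACT = Rule(
    "High Impact Data rule",
    applies_to=lambda r: r.get("Impact") == "High",
    condition=lambda p, r: p.user.get("Clearance") == "High"
    and p.device.get("IsManaged") is True)
INFO_WALL = Rule(
    "Information wall rule",
    applies_to=lambda r: "Department" in r,                           # Exists Resource.Department
    condition=lambda p, r: p.user.get("Department") in r["Department"])  # any_of
FINANCE_CAP = [HIGH_IMPACT, INFO_WALL]

# Constructed NTFS ACL (Finance group only); the share is left unrestricted (None).
def ntfs_finance_group(principal, right):
    return "Finance" in principal.groups

REPORT = {"Impact": "High", "Department": ["Finance"]}   # constructed resource properties
ALICE = Principal({"Department": "Finance", "Clearance": "High"}, {"IsManaged": True}, {"Finance"})
BOB = Principal({"Department": "HR", "Clearance": "High"}, {"IsManaged": True}, {"Finance"})

def check(principal, resource=REPORT, right=WRITE):
    return access_check(principal, resource, right, None, ntfs_finance_group, FINANCE_CAP)
```

Alice passes every stage; Bob passes NTFS but is stopped by the Information wall rule, and a user off an unmanaged device is stopped by the High Impact Data rule even with Finance group membership.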

Page 24

Staging Policies (section divider)

Page 25

Staging Policies

What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating a production environment for test purposes is difficult and expensive

Page 26

Staging policy (diagram)

Active Directory
• User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
• Resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low

File server
• Current Central Access Policy for high impact data
  • Applies to: @File.Impact = High
  • Allow | Full Control | if @User.Company == Contoso
• Staging policy
  • Applies to: @File.Impact = High
  • Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)

Page 27

Sample staging event (4818)

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

Subject:
    Security ID:      CONTOSODOM\alice
    Account Name:     alice
    Account Domain:   CONTOSODOM
Object:
    Object Server:    Security
    Object Type:      File
    Object Name:      C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    Granted by Ownership
        ReadAttributes:  Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    NOT Granted by CAR "HBI Rule"
        ReadAttributes:  NOT Granted by CAR "HBI Rule"
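As an added example (not from the deck), this Python parser reads the event 4818 text above and lists the rights a user holds today that the staged policy would take away, which is the review an admin does before promoting a staging policy; the sample text is the slide's event transcribed into a constructed layout, and the regex assumes one "right: verdict by source" reason per line.

```python
import re

# Sample event 4818 text, transcribed from the deck's slide (constructed layout).
SAMPLE_4818 = """\
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

Subject:
    Security ID:      CONTOSODOM\\alice
    Account Name:     alice
    Account Domain:   CONTOSODOM
Object:
    Object Server:    Security
    Object Type:      File
    Object Name:      C:\\FileShare\\Finance\\FinanceReports\\FinanceReport.xls
Current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    Granted by Ownership
        ReadAttributes:  Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    NOT Granted by CAR "HBI Rule"
        ReadAttributes:  NOT Granted by CAR "HBI Rule"
"""

# One access-reason line: <right>: Granted|NOT Granted [by <source>]
REASON_RE = re.compile(r"^\s*(\w+):\s+(NOT Granted|Granted)(?: by (.+?))?\s*$")

def parse_4818(text):
    """Return subject, object name and per-right (granted, source) pairs for the
    current and the proposed policy; section headers decide which side a line belongs to."""
    event = {"subject": None, "object": None, "current": {}, "proposed": {}}
    side = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Security ID:"):
            event["subject"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Object Name:"):
            event["object"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Current Central Access Policy results"):
            side = "current"
        elif stripped.startswith("Proposed Central Access Policy results"):
            side = "proposed"
        elif side is not None:
            m = REASON_RE.match(line)
            if m:
                right, verdict, source = m.groups()
                event[side][right] = (verdict == "Granted", source)
    return event

def rights_lost(event):
    """Rights granted under the current CAP that the proposed CAP would not grant,
    keyed to the rule responsible."""
    return {right: source for right, (granted, source) in event["proposed"].items()
            if not granted and event["current"].get(right, (False, None))[0]}
```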

Page 28

Behind the Scenes (section divider)

Page 29

Kerberos and The New Token

• Dynamic Access Control leverages Kerberos
• Windows 8 Kerberos extensions: Compound ID binds a user to the device so that they are authorized as one principal
• Domain Controller issues groups and claims: the DC enumerates user claims; claims are delivered in the Kerberos PAC
• NT Token has sections: User & Device data, Claims and Groups

Pre-2012 Token: User Account; User Groups; [other stuff]

2012 Token: User Account; User Groups; User Claims; Device Groups; Device Claims; [other stuff]

Page 30

Claims flow (diagram)

1. AD admin enables the domain to issue claims and defines claim types (Claim type, Display Name, Source, Suggested values, Value type).
2. User attempts to log in and receives a Kerberos ticket from the Contoso DC: Contoso\Alice; Groups: ...; Claims: Title=SDE.
3. User attempts to access a resource; the File Server builds the NT Access Token: Contoso\Alice; Groups: ...; Claims: Title=SDE.

Pages 31 to 34

Kerberos flow in Pre-Windows 2012 (diagram, built up across four slides)

Participants: User, Pre-Windows 2012 Contoso DC, Pre-Windows 2012 File Server.
1. The machine obtains its TGT (M-TGT) from the DC.
2. The user obtains a TGT (U-TGT).
3. The DC issues a TGS (no claims) for the file server.
4. The user presents the TGS (no claims) to the file server for the access check ("?").

Pages 35 to 36

Kerberos flow with User Claims (diagram)

Participants: User, Contoso DC, File Server. Holding the M-TGT and U-TGT, the user receives a TGS (with User Claims) from the Contoso DC and presents it to the File Server for the access check ("?").

Pages 37 to 40

Kerberos flow with Pre-Windows 8 Clients (diagram, built up across four slides)

Participants: Pre-Windows 8 User, Contoso DC, File Server.
1. Policy is set on the domain to enable claims.
2. The pre-Windows 8 user obtains the M-TGT and U-TGT and then a TGS (no claims).
3. The user presents the TGS (no claims) to the File Server.
4. The File Server calls S4UToSelf() against the Contoso DC and receives a TGS (with User Claims), which it uses for the access check ("?").

Pages 41 to 42

Kerberos flow with Compound Identity (diagram)

Participants: User, Contoso DC, File Server. Holding the M-TGT and U-TGT, the user receives a TGS (User and Device Groups/Claims) from the Contoso DC and presents it to the File Server for the access check ("?").

Pages 43 to 46

Across Forest boundaries (diagram, built up across four slides)

Participants: User, Contoso DC, Other Forest DC, File Server.
1. The Other Forest DC publishes a cross-forest transformation policy.
2. The user, holding the M-TGT and U-TGT, obtains a Referral TGT from the Contoso DC.
3. The Other Forest DC issues a TGS (with claims) in exchange for the Referral TGT.
4. The user presents the TGS (with claims) to the File Server for the access check ("?").

Pages 47 to 50

To the Cloud! (diagram, built up across four slides)

Participants: User, Contoso DC, ADFS, Cloud App. Holding the M-TGT and U-TGT, the user obtains a TGS for ADFS from the Contoso DC, presents it to ADFS, receives a SAML token, and presents the SAML token to the Cloud App for its access decision ("?").

Page 51

Token/Ticket Bloat: Understanding the problem

• Token Bloat: amount of authorization data in the NT Token
  • How does it manifest? Too many SIDs in the token (upper bound of 1024)
• Ticket Bloat: amount of authorization data sent over the wire
  • How does it manifest? Authorization data is sent over the network; you might see failures in one type of application, which usually indicates the limits for that wire transport have been reached.
• Over time, old group memberships linger and authorization data adds up.

Page 52

Impact of Claims

Ticket Bloat
• Claims are authorization data carried over the wire. Initially, some increase in ticket sizes is expected.

Windows 8 improvements
• DC compresses claims before sending them over the wire
• DC compresses certain types of SIDs that weren't compressed before (Resource Domain SIDs)
• MaxTokenSize default increased to 48k
• New audit events: the DC starts logging events when ticket sizes exceed a specified value

Page 53

Impact of Claims – Real Numbers

First Claim: 1 Boolean claim
• Adds 242 bytes

User Claims Set: 5 claims
• 1 Boolean
• 1 Integer
• 2 String – single valued (avg len/value: 12 chars)
• 1 String – multi valued (avg len/value: 12 chars; avg #values: 6 values)
• Adds 970 bytes

Compound-ID Claims Sets
• User – 5 claims (the set above)
• Device – 2 claims:
  • 1 Boolean
  • 1 String – single valued (avg len/value: 12 chars)
• Adds 1374 bytes of claims data + computer group's AuthZ data

Bytes Before Compression
• 120 user overhead
• 120 device overhead
• 114 per int/bool claim
• 8 per int/bool value
• 138 per string claim
• 2 per string character

Worst-Case Analysis (assumes no compression): gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
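As an added example (not from the deck), the per-claim byte costs from the "Bytes Before Compression" table turned into a worst-case calculator; the three claim sets are constructed to match the slide's scenarios, and the function generalizes to any mix of boolean, integer and string claims.

```python
# Worst-case (uncompressed) claims-size model from the "Bytes Before Compression" table.
USER_OVERHEAD = 120     # bytes, once per user claims set
DEVICE_OVERHEAD = 120   # bytes, once per device claims set (compound ID only)
INT_BOOL_CLAIM = 114    # per integer/boolean claim
INT_BOOL_VALUE = 8      # per integer/boolean value
STRING_CLAIM = 138      # per string claim
STRING_CHAR = 2         # per string character

def claim_bytes(kind, values):
    """Worst-case size of one claim; kind is 'bool', 'int' or 'string' and
    values is the list of values the claim carries (multi-valued claims allowed)."""
    if kind in ("bool", "int"):
        return INT_BOOL_CLAIM + INT_BOOL_VALUE * len(values)
    if kind == "string":
        return STRING_CLAIM + STRING_CHAR * sum(len(v) for v in values)
    raise ValueError("unknown claim type: %s" % kind)

def claims_set_bytes(claims, overhead):
    """A claims set costs its fixed overhead plus the sum of its claims."""
    return overhead + sum(claim_bytes(kind, values) for kind, values in claims)

def ticket_growth(user_claims, device_claims=None):
    """Claims data added to the ticket: the user set, plus the device set when
    compound identity puts device claims into the ticket as well."""
    total = claims_set_bytes(user_claims, USER_OVERHEAD)
    if device_claims:
        total += claims_set_bytes(device_claims, DEVICE_OVERHEAD)
    return total

# Constructed claim sets matching the slide: 12-character string values and
# six values in the multi-valued string claim.
VALUE = "x" * 12
USER_SET = [("bool", [True]), ("int", [1]),
            ("string", [VALUE]), ("string", [VALUE]),      # 2 single-valued strings
            ("string", [VALUE] * 6)]                        # 1 multi-valued string
DEVICE_SET = [("bool", [True]), ("string", [VALUE])]

FIRST_CLAIM = ticket_growth([("bool", [True])])      # 242 bytes
USER_CLAIMS = ticket_growth(USER_SET)                # 970 bytes
COMPOUND_ID = ticket_growth(USER_SET, DEVICE_SET)    # 1374 bytes of claims data
```

The three constants reproduce the slide's 242, 970 and 1374 bytes exactly, which confirms that the table is the model behind the "real numbers".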

Page 54

Incrementally add capabilities

Current infrastructure

Windows Server 2012 File Servers
• Access and audit policies based on security groups and file tagging

Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies

Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience

Partner solutions and line of business applications

Page 55

Many partner solutions!

Page 56

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

In Review: Session Objectives And Takeaways
• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes: File Classification; Central Access Policies & Staging; Authentication & Authorization flows; Token bloat
• Extensibility

Page 57

Resources
• Dynamic Access Control Dev Extensibility: http://msdn.microsoft.com/en-us/library/windows/desktop/Hh802756(v=vs.85).aspx
• Follow us on Twitter @WindowsAzure
• Get Started: www.windowsazure.com/build

Please submit session evals on the Build Windows 8 App or at http://aka.ms/BuildSessions

Page 58

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.