Dynamic Access Control: Deep Dive
Siddharth Bhai, Program Manager, Active Directory, Microsoft Corporation
Matthias Wollnik, Program Manager, File Server, Microsoft Corporation
SIA341
Session objectives
Quick introduction of Dynamic Access Control
Understand how things work behind the scenes
See how this work ties in with cutting edge work in the industry
Windows File Server Solution
Data Compliance Challenges
Windows Platform Investments
Putting it Together
Dynamic Access Control: In a nutshell
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
Expression-based access policy
Diagram: the File Server evaluates an access policy stored in AD DS against three sets of attributes.
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy:
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Dynamic Access Control Building Blocks
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relational operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
User and Device Claims
Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user’s group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user’s device
Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren’t possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Expression-Based ACEs
Pre-2012: ‘OR’ of groups only
• Led to group bloat
• Consider 500 projects, 100 countries, 10 divisions
• 500,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]
Windows Server 2012: ‘AND’ in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups (500 + 100 + 10) instead of 500,000
Windows Server 2012: with Central Access Policies
• 3 User Claims
File Classification Infrastructure: What’s New
Diagram (built up over four slides):
• Resource Property Definitions (from Active Directory) → FCI
• FCI: in-box content classifier, 3rd party classification plugin
• See modified / created file → Save classification
• File Management Task: Match file to policy → Apply Policy (RMS Encrypt)
• For Security
Continued Execution of Content-Aware Strategy: CA DataMinder integrates with Windows Server 2012
CA Technologies Content-Aware Identity & Access Management
• Control identity, control access and control information: CA DataMinder discovers, classifies and controls information
• Controls Collaboration & File Sharing Environments: SharePoint 2010 – March 2012; Windows Server 2012 Dynamic Access Control – July 2012
• Delivers precise & fine-grained access control
Copyright © 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.
Supercharge DAC with automated file classification
• Enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification
• Deeply integrated with Windows Server 2012
• dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions
• For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at www.dynamic-access-control.com
A leader in automatic file classification
How Access Check Works
Diagram:
• File/Folder Security Descriptor: Central Access Policy Reference; NTFS Permissions
• Share Security Descriptor: Share Permissions
• Active Directory (cached in local Registry): Cached Central Access Policy Definition; Cached Central Access Rules (one per rule)
Access Control Decision:
1) Access Check – Share permissions, if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in the Central Access Policy
Effective Rights – Who has access to what
Classifications on file being accessed: Department = Engineering; Sensitivity = High

Permission Type | Target Files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE
Share | (all) | Everyone: Full | Full | Full | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read
Central Access Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify
Central Access Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed]
NTFS | (all) | FTE: Modify; Vendors: Read | Modify | Read | Modify
Effective Rights | | | Modify | None | Read
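The three-stage check and the table above, as an added worked example (not code from the deck or from Windows): each stage yields a set of rights, and the effective rights are the intersection of the share rights, the NTFS rights and the rights of every Central Access Rule whose target matches the file's classification. The rule names, groups, users and the coarse rights lattice are constructed to mirror the table; real NTFS access masks are finer than Full/Modify/Read.

```python
"""Added example: the three-stage access check (share, NTFS, matching Central Access Rules)."""
from dataclasses import dataclass

# Rights modelled as sets of permission names; Modify implies Read, Full implies Modify.
FULL = frozenset({"Read", "Write", "Delete", "ChangePermissions"})
MODIFY = frozenset({"Read", "Write", "Delete"})
READ = frozenset({"Read"})

def label(rights):
    """Map a rights set back to the coarse labels used in the slide's table."""
    if rights >= FULL:
        return "Full"
    if rights >= MODIFY:
        return "Modify"
    if rights >= READ:
        return "Read"
    return "None"

def acl_rights(acl, groups):
    """Share or NTFS ACL: union of every allow entry whose trustee is one of the user's groups."""
    granted = set()
    for trustee, rights in acl.items():
        if trustee in groups:
            granted |= rights
    return frozenset(granted)

@dataclass
class CentralAccessRule:
    name: str
    target: dict     # resource properties the file must carry for the rule to apply
    grants: dict     # trustee -> rights, the rule's own permissions

    def applies_to(self, classification):
        return all(classification.get(k) == v for k, v in self.target.items())

def access_check(groups, classification, share_acl, ntfs_acl, rules):
    """Effective rights = share rights AND NTFS rights AND every matching rule's rights.
    Returns (effective rights, per-stage trace); a rule that does not apply is traced as None."""
    trace = {"Share": acl_rights(share_acl, groups), "NTFS": acl_rights(ntfs_acl, groups)}
    for rule in rules:
        trace[rule.name] = acl_rights(rule.grants, groups) if rule.applies_to(classification) else None
    effective = set(FULL)
    for rights in trace.values():
        if rights is not None:
            effective &= rights
    return frozenset(effective), trace

# Constructed data mirroring the slide's table.
SHARE_ACL = {"Everyone": FULL}
NTFS_ACL = {"FTE": MODIFY, "Vendors": READ}
RULES = (
    CentralAccessRule("Rule 1: Engineering Docs", {"Department": "Engineering"},
                      {"Engineering": MODIFY, "Everyone": READ}),
    CentralAccessRule("Rule 2: Sensitive Data", {"Sensitivity": "High"}, {"FTE": MODIFY}),
    CentralAccessRule("Rule 3: Sales Docs", {"Department": "Sales"}, {"Sales": MODIFY}),
)
FILE_CLASSIFICATION = {"Department": "Engineering", "Sensitivity": "High"}
USERS = {
    "Engineering FTE": {"Everyone", "Engineering", "FTE"},
    "Engineering Vendor": {"Everyone", "Engineering", "Vendors"},
    "Sales FTE": {"Everyone", "Sales", "FTE"},
}

def effective_table(users=USERS, classification=FILE_CLASSIFICATION):
    """Effective-rights label per user, as in the last row of the slide's table."""
    return {user: label(access_check(groups, classification, SHARE_ACL, NTFS_ACL, RULES)[0])
            for user, groups in users.items()}

if __name__ == "__main__":
    for user, groups in USERS.items():
        effective, trace = access_check(groups, FILE_CLASSIFICATION, SHARE_ACL, NTFS_ACL, RULES)
        print(user)
        for stage, rights in trace.items():
            print(f"  {stage:26} {'[rule ignored]' if rights is None else label(rights)}")
        print(f"  {'Effective':26} {label(effective)}")
```

The trace is the part worth keeping when troubleshooting an access denied: it shows which stage removed a right, which is the same information Access Denied Assistance surfaces to the administrator. Note that a rule only narrows access; a Central Access Rule can never add a right that the share or NTFS ACL did not already grant.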
Calculating Effective Permission using JiJi AuditReporter
• Effective permissions for multiple users on multiple shares
• User’s claims are automatically retrieved from AD for calculation
• Ability to toggle between Advanced & Basic permissions view
• Export and filtering capabilities in the report
• Ability to filter by user, share path, permissions and access limited by
www.jijitechnologies.com
What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating a production environment for test purposes is difficult and expensive
Staging Policies
Active Directory, user claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
File server, resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low
Current Central Access Policy for high impact data:
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso
Staging policy:
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
Sample staging event (4818): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR “HBI Rule”
    ReadAttributes: NOT Granted by CAR “HBI Rule”
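An added example, not code from the deck or from Windows, covering both the expression-based access policy shown earlier (@User.Department == @File.Department AND @Device.Managed == True) and the staging comparison on this slide: a small parser for the condition notation the slides use, evaluated against user, device and resource claims, plus a function that reports every (subject, resource) pair where the proposed policy decides differently from the current one, which is the situation a 4818 staging event records. The grammar, the three-valued treatment of a missing claim (unknown, which never grants), and the extra subjects bob and dave are my assumptions; the real engine evaluates conditional ACEs in SDDL form, not this text.

```python
"""Added example: evaluator for the slides' claims conditions plus a staging comparison."""
import re

# Tokens: parentheses, comparison/Boolean operators, @Scope.Claim references, quoted or bare values.
TOKEN = re.compile(r'\s*(\(|\)|==|!=|=|AND|OR|@\w+\.\w+|"[^"]*"|\w+)')

def tokenize(text):
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token near {text[pos:]!r}")
        out.append("==" if m.group(1) == "=" else m.group(1))  # slides write "Applies to" with one "="
        pos = m.end()
    return out

class Condition:
    """expr := term (OR term)* ; term := factor (AND factor)* ;
    factor := '(' expr ')' | operand ('==' | '!=') operand"""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
        self.ast = self._expr()
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def _expr(self):
        node = self._term()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._term())
        return node
    def _term(self):
        node = self._factor()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._factor())
        return node
    def _factor(self):
        if self._peek() == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        left, op, right = self._take(), self._take(), self._take()
        if op not in ("==", "!="):
            raise ValueError(f"unexpected operator {op!r}")
        return (op, left, right)
    def evaluate(self, ctx):
        """True, False, or None (unknown) when a referenced claim is absent; unknown never grants."""
        return self._eval(self.ast, ctx)
    def _eval(self, node, ctx):
        op, a, b = node
        if op in ("AND", "OR"):
            x, y = self._eval(a, ctx), self._eval(b, ctx)
            short = op == "OR"  # OR is decided by any True operand, AND by any False one
            if short in (x, y):
                return short
            return (not short) if (x is not None and y is not None) else None
        l, r = self._operand(a, ctx), self._operand(b, ctx)
        if l is None or r is None:
            return None
        return (l == r) if op == "==" else (l != r)
    @staticmethod
    def _operand(tok, ctx):
        if tok.startswith("@"):  # @User.X, @Device.X, @File.X (alias @Resource.X)
            scope, name = tok[1:].split(".", 1)
            return ctx.get("File" if scope == "Resource" else scope, {}).get(name)
        if tok.startswith('"'):
            return tok[1:-1]
        return {"True": True, "False": False}.get(tok, tok)

class Policy:
    """A Central Access Policy reduced to an applies-to test and one allow condition."""
    def __init__(self, applies_to, condition):
        self.applies_to, self.condition = Condition(applies_to), Condition(condition)
    def grants(self, ctx):
        if self.applies_to.evaluate(ctx) is not True:
            return None  # resource out of scope: policy not consulted
        return self.condition.evaluate(ctx) is True

def staging_differences(current, proposed, subjects, resources):
    """One record per (subject, resource) where the proposed policy decides differently (event 4818)."""
    diffs = []
    for who, claims in subjects.items():
        for path, props in resources.items():
            ctx = {"User": claims, "File": props}
            cur, new = current.grants(ctx), proposed.grants(ctx)
            if cur != new:
                diffs.append({"subject": who, "object": path, "current": cur, "proposed": new})
    return diffs

# The two policies from the staging slide, in the slide's own notation.
CURRENT = Policy("@File.Impact = High", "@User.Company == Contoso")
STAGING = Policy("@File.Impact = High", "(@User.Company == Contoso) AND (@User.Clearance == High)")
# Constructed subjects and resources; only alice and the .xls path come from the slide.
SUBJECTS = {"CONTOSODOM\\alice": {"Company": "Contoso", "Clearance": "Med"},
            "CONTOSODOM\\bob": {"Company": "Contoso", "Clearance": "High"},
            "CONTOSODOM\\dave": {"Company": "Contoso"}}  # dave's Clearance claim was never issued
RESOURCES = {"C:\\FileShare\\Finance\\FinanceReports\\FinanceReport.xls": {"Impact": "High"},
             "C:\\FileShare\\HR\\Newsletter.docx": {"Impact": "Low"}}

def report():
    return staging_differences(CURRENT, STAGING, SUBJECTS, RESOURCES)
```

Running report() flags alice (Clearance is Med, not High) and dave (no Clearance claim at all) on the Finance report; bob keeps access and the low-impact file is outside the policy's scope under both versions. The dave case is the one to watch when staging a policy that introduces a new claim: until the claim type is issued to every user who needs it, the proposed policy evaluates to unknown for them and they would be denied.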
• Assessment of performance, availability and service levels
• Deep application diagnostics
• Powerful custom data visualization
• Auditing via Audit Collection Systems
• Integrates with DAC audit/staging events
Enterprise-wide visibility into server and application health
Kerberos and The New Token
• Dynamic Access Control leverages Kerberos
• Windows 8 Kerberos extensions
• Compound ID – binds a user to the device to be authorized as one principal
• Domain Controller issues groups and claims
• DC enumerates user claims
• Claims delivered in Kerberos PAC
• NT Token has sections: User & Device data; Claims and Groups!
Pre-2012 Token: User Account | User Groups | [other stuff]
2012 Token: User Account | User Groups | Claims | Device Groups | Claims | [other stuff]
Diagram: the Kerberos Ticket and the NT Access Token built from it both carry, for Contoso\Alice: User; Groups: …; Claims: Title=SDE
Flow between the AD Admin, the Contoso DC, the User and the File Server:
1. AD Admin: Enable Domain to issue claims
2. AD Admin: Defines claim types (Claim type, Display Name, Source, Suggested values, Value type)
3. User attempts to login
4. User receives a Kerberos ticket
5. User attempts to access resource
Kerberos flow in Pre-Windows 2012
Diagram (built up over four slides): the User obtains a machine TGT (M-TGT) and a user TGT (U-TGT) from the pre-Windows 2012 Contoso DC; the DC issues a service ticket (TGS, no claims), which the User presents to the pre-Windows 2012 File Server.
Kerberos flow with Pre-Windows 8 Clients
Diagram (built up over four slides): policy is set on the Contoso DC to enable claims. The pre-Windows 8 User still obtains M-TGT, U-TGT and a TGS (no claims) from the DC; the File Server obtains a TGS (with User Claims) from the DC.
Kerberos flow with Compound Identity
Diagram (built up over two slides): the User obtains M-TGT and U-TGT from the Contoso DC, and a TGS carrying User and Device Groups/Claims, which is presented to the File Server.
Across Forest boundaries
Diagram (built up over two slides): a Cross-Forest transformation Policy is published. The User obtains M-TGT and U-TGT from the Contoso DC, a Referral TGT to the Other Forest DC, and a TGS (with claims) for the File Server.
Token/Ticket Bloat
Understanding the problem
• Token Bloat: amount of authorization data in the NT Token
• Ticket Bloat: amount of authorization data sent over the wire
Token Bloat: How does it manifest?
• Too many SIDs in the token (upper bound of 1024)
• Over time, old group memberships linger and authorization data adds up.
Ticket Bloat: How does it manifest?
• Authorization data is sent over the network.
• Might see failures in one type of application; usually indicates the limits for that wire transport have been reached.
Impact of Claims
• Ticket Bloat: claims are authorization data carried over the wire. Initially, some increase in ticket sizes is expected.
Windows 8 improvements
• DC compresses claims before sending them over the wire
• DC compresses certain types of SIDs that weren’t compressed before (Resource Domain SIDs)
• MaxTokenSize default increased to 48k
• New audit events – DC starts logging events when ticket sizes exceed a specified value
Impact of Claims – Real Numbers
First Claim: 1 Boolean claim → adds 242 bytes
User Claims Set: 5 claims → adds 970 bytes
• 1 Boolean
• 1 Integer
• 2 String, single valued, avg len/value: 12 chars
• 1 String, multi valued, avg len/value: 12 chars, avg #values: 6
Compound-ID Claims Sets → adds 1374 bytes of claims data + computer group’s AuthZ data
• User, 5 claims: as in the User Claims Set above
• Device, 2 claims: 1 Boolean; 1 String, single valued, avg len/value: 12 chars
Worst-case analysis (assumes no compression): gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
Bytes before compression:
• 120 user overhead
• 120 device overhead
• 114 per int/bool claim
• 8 per int/bool value
• 138 per string claim
• 2 per string character
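The per-item costs above turned into a calculator, as an added example (not code from the deck): it rebuilds the three claim sets the slide quotes and reproduces the 242, 970 and 1374 byte figures, so the same arithmetic can be applied to your own claim types before enabling them. The 12-character string values are constructed placeholders; the 48000-byte figure used for MaxTokenSize is my assumption for the exact value behind the slide's "48k".

```python
"""Added example: the slide's per-item byte costs turned into a ticket claims-size calculator."""
from dataclasses import dataclass

# Per-item costs quoted on the slide (bytes, before compression).
USER_OVERHEAD = 120     # once per user claims block
DEVICE_OVERHEAD = 120   # once per device claims block (compound ID only)
INT_BOOL_CLAIM = 114    # per integer or Boolean claim
INT_BOOL_VALUE = 8      # per integer or Boolean value
STRING_CLAIM = 138      # per string claim
STRING_CHAR = 2         # per character of each string value

@dataclass(frozen=True)
class Claim:
    kind: str         # "bool", "int" or "string"
    values: tuple     # one entry per value; a multi-valued claim has several

    def size(self):
        if self.kind in ("bool", "int"):
            return INT_BOOL_CLAIM + INT_BOOL_VALUE * len(self.values)
        if self.kind == "string":
            return STRING_CLAIM + STRING_CHAR * sum(len(v) for v in self.values)
        raise ValueError(f"unknown claim kind {self.kind!r}")

def block_size(claims, overhead):
    """A claims block costs its overhead plus every claim in it; no claims, no block."""
    return overhead + sum(c.size() for c in claims) if claims else 0

def ticket_claims_size(user_claims, device_claims=()):
    """Uncompressed bytes that claims add to a ticket; device claims only with compound ID."""
    return block_size(user_claims, USER_OVERHEAD) + block_size(device_claims, DEVICE_OVERHEAD)

def headroom(current_ticket_bytes, user_claims, device_claims=(), max_token_size=48000):
    """Bytes left under MaxTokenSize after adding the claims (48000 is an assumed exact value
    for the slide's 48k). Negative means the limit is exceeded even before compression."""
    return max_token_size - current_ticket_bytes - ticket_claims_size(user_claims, device_claims)

# The slide's sample claim sets, rebuilt with constructed 12-character string values.
V = "x" * 12
FIRST_CLAIM = (Claim("bool", (True,)),)
USER_SET = (
    Claim("bool", (True,)),
    Claim("int", (1,)),
    Claim("string", (V,)),          # 2 single-valued strings
    Claim("string", (V,)),
    Claim("string", (V,) * 6),      # 1 multi-valued string, 6 values
)
DEVICE_SET = (Claim("bool", (True,)), Claim("string", (V,)))

if __name__ == "__main__":
    print("first Boolean claim:", ticket_claims_size(FIRST_CLAIM), "bytes")      # 242
    print("user claims set:", ticket_claims_size(USER_SET), "bytes")            # 970
    print("compound ID:", ticket_claims_size(USER_SET, DEVICE_SET), "bytes")    # 1374
```

The multi-valued string claim is the one that grows fastest (138 bytes plus 2 bytes per character of every value), so a claim sourced from an attribute such as a list of group-like memberships deserves a look at its average value count before it is enabled; the compound-ID total also excludes the computer's group SIDs, which the slide counts separately.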
Central Access Policy for SharePoint with Titus
• With Windows Server 2012, DAC policy is limited to security for file servers
• TITUS is extending the use of DAC to SharePoint
• Central access policy access/deny decisions can be extended to SharePoint lists and SharePoint document libraries
• Secure all your information in file servers and SharePoint via common Central Access Policies
Diagram: the Access Policy in Windows Server 2012 Active Directory applies to both the Windows Server 2012 File Server and Microsoft SharePoint 2010 for the End User.
Axiomatics Policy Server & XACML with DAC
Diagram: Policy Author, Axiomatics Policy Server (APS), Active Directory, File Server, User
1. Author policy & export to AD
2. Convert XACML to SDDL & import
3. Push out imported rules based on group policy
4. Access files
5. Check access based on rules previously defined in APS
Incrementally add capabilities
Current infrastructure
Windows Server 2012 File Servers
• Access and Audit Policies based on security groups and file tagging
Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
Partner solutions and line of business applications
Related Content
• SIA 207 – Windows Server 2012 Dynamic Access Control Overview
• SIA 341 – Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
• SIA 316 – Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
• WSV334 – Windows Server 2012 File and Storage Services Management
• SIA21-HOL – Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
• SIA02-TLC – Windows Server 2012 Active Directory and Dynamic Access Control
Find Me Later At…
SIA, WSV, and VIR Track Resources
Talk to our Experts at the TLC
DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
Hands-On Labs
DOWNLOAD Windows Azure: Windowsazure.com/teched
Resources
Connect. Share. Discuss.
http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.