TRANSCRIPT
Dynamic Access Control: the file server, reimagined
Presented by Mark Minasi, [email protected], @mminasi on twitter
Contents copyright 2013 Mark Minasi. Please do not redistribute, and thanks for respecting my copyrights!
Dynamic Access Control
o Big topic, arguably the biggest in Server 2012
o A new, fourth level of permissions
o Incorporates more information about the shared information, who's reading it, and what machine they're reading it from
o Builds in more troubleshooting information
o Affects auditing as well
o Should let Windows security address compliance requirements more effectively
High-Level Benefits
o Finer grained, richer file server permissions: "only people with the title 'manager' can access 'secure' files in this share, provided they're on a machine on the 12th floor"
o More complex permissions, but a central way to build them and distribute them
o Security that considers not only who you are, but what machine you're trying to access from
o File classification systems to identify data that is "high importance," "private," "regulated" either through human intervention or automatic classification
High-Level Benefits
o Partially aimed at people trying to meet regulatory requirements
o Partially aimed at large orgs with lots of non-specialized "departmental admins"
o Does not require a complete move to Windows 8 and Server 2012
Approach
o There's a lot to absorb here both from the point of view of new concepts and new skills
o So let me start this out with some examples to (with hope) make you interested enough to want to dig in
DAC Examples
"you can read these files if…"
o …you are a member of the Sales group and the Managers group
o …you are sitting on a machine in the Accountants group
o …the value of your "Title" in AD is "engineer"
o …the machine you're sitting at is in Building 23 (AD physical location info)
o …the files are classified "medical records" and you are a member of the "Doctors" group
DAC Joins Share and NTFS Perms
o DAC is a fourth level of "ACL": just as NTFS permissions interact with another set of permissions – sharing permissions – to determine your access, DAC joins the party
o And of course there are Windows Integrity Levels, although we don't use them much
o As with NTFS vs share differences, the most restrictive wins
DAC Appears in Two Places
o The simpler and easier-to-see manifestation of DAC is in a set of extensions to NTFS permissions
o They appear when a 2012 system is domain-joined
o They're easy to show and I'll be using them a lot
o DAC also appears as that fourth, separate level of permissions, and that is where the DAC power lies
o The only way to get a "real" DAC permission is, as we'll see, via a group policy
New Concepts/Skills
o Creating permissions with "And's"
o Using the new Effective Access UI
o Understanding claims = AD attributes
o "Promoting" an attribute to a claim
o Adding claims in permissions
o Device claims
o Creating file classifications
o Classifying files by hand
o Building automatic file classifiers
o Creating central access rules
o Making central access policies from central access rules
o Applying central access rules
"And's" in Permissions
o Suppose you wanted to say, "only people who are a member of 'engineers' and 'Omaha plant employees' can access this share?"
o Answer, pre-2012? More groups
o How many groups are in your organization right now?
o Do you do "role-based management" of objects?
o Perhaps the phrase "token bloat" has some meaning…
Making "And" Work
o Again, it first appears as an extension to NTFS
o So it's easy to demonstrate
o Will work on any domain-joined machine
o Requires no group policy changes; try this
o Create a folder, needn't share it
o Create two groups, two users
o Put one user in both, one user in just one
o Yank out all permissions but System & Admins
o Create a new one in Advanced, condition = must be a "member of each" group
o Try out Effective Permissions
Our Opening Situation
o We've got a server that is domain-joined – you can't do any fancy permissions unless you're domain-joined
o We've got two users, Tom and Dick
o Tom is in group McCoys
o Dick is in groups McCoys and Hatfields
o I create a folder "myfolder" and yank out all ACEs except the ones for System and Administrators
o Opening up Advanced Security, I see this…
Click Add…
Now for the interesting part… click Add a condition
In "Add Items," choose the two groups (the UI's not good at showing this)
Choose the groups with this dialog box:
And then the new permission will look like this:
Click OK/Apply and …
New Permission
Click "Effective Access" to try it out
Note "include group membership" (for what-if-ing) and "select device"
Next, Consider Claims
o Claims are assertions about someone, like "my title is 'Manager,'" or "my email is [email protected]"
o Claims come from AD attributes
o AD has 100+ attributes about user and machine accounts (title, description, physical location, etc)
o DAC does not "see" any of them by default, but you can make them "visible" by making them "claim types"
o GUI tool is AD Admin Center
Making an AD Attribute a Claim
o Open ADAC
o On left, click "Dynamic Access Control"
o In center pane, right-click on Claim Types
o Choose New / Claim Type
o Choose an attribute in "Source Attribute"
o Choose User and/or Computer
o Add "Suggested Values" if you like
o Click OK on the bottom right
Promoting AD Attribs to Claims
Example: Make "Office" a Claim Type
Giving “Office” a Suggested Value (1)
Giving “Office” a Suggested Value (2)
Giving “Office” a Suggested Value (3)
Giving “Office” a Suggested Value (4)
Using Claims
o At this point, we could create another ACE: "authenticated users get Modify permission under the condition that their physicalDeliveryOfficeName = 'Pungo'"
o (* and % wildcards don't work, and case doesn't matter)
o You can set AD attributes in ADAC, with the PowerShell Set-ADUser command, or in ADSIEdit
o Here’s a rule that says you need to have an “Office” value of “Pungo” to get access
o (don’t try this yet, it won’t work)
Creating a Claims-Based ACE
Using Claims
o You’ll see that the drop-down next to Users, which only offered “Group” before, now also offers each claim, like “physicalDeliveryOfficeName” or “title”
o Ditto the drop-downs that offer values like “Pungo,” but if you’ve created Suggested Values then that’s all you’re offered, and if no Suggested Values, you get a blank text field that you can populate… again no wild cards
o Try out Effective Access again, and the dialog has changed a bit
Here you see that now Effective Access lets me give Mark a claim for "what-if-ing"
How Does the File Server Know?
o So we have modified AD, and so our DCs know that
o But wait… we’re working on a file server; why would its Security dialog box know all of a sudden that it should offer Title, PhysicalDeliveryOfficeName, “Pungo,” “Manager,” etc?
o It doesn’t… until you tell it
o Tool: a PowerShell command: Update-FsrmClassificationPropertyDefinition
o We’ll see this again in DAC!
One More Thing for Claims…
o You've got to tell your DC to provide claims
o In Admin Templates / System / KDC, "KDC support for claims…," set it to "supported" on your DCs
o For all client systems, Admin Templates / System / Kerberos, "Kerberos client support…" set to Enabled
o Servers and clients need gpupdate then
o At this point, you can see your claims: whoami /claims
o (You have to log off/on to see them)
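Added example, not the deck's own code: the "member of each" permission from the Tom/Dick walkthrough and the Office = Pungo claim ACE, applied with PowerShell and SDDL conditional-ACE syntax instead of the Advanced Security dialog. The domain name CONTOSO, the folder path and the ActiveDirectory module being present are assumptions.

```powershell
# Added example, not the deck's own code. Assumes a domain-joined 2012 box,
# the RSAT AD PowerShell module, and the groups/claim from the slides
# (domain name CONTOSO is assumed).
Import-Module ActiveDirectory

function Get-SidString {
    # SDDL wants SIDs, not names: translate DOMAIN\Name to S-1-5-21-...
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-ConditionalAccess {
    # Replace the folder's DACL with SYSTEM + Administrators full control plus ONE
    # callback ("XA") ACE for Authenticated Users that applies only when $Condition
    # is true. "P" marks the DACL protected, so inherited ACEs are yanked out,
    # which is the "all permissions but System & Admins" step from the slides.
    param([string]$Path, [string]$Condition, [string]$Rights = "FA")
    $sddl = "D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(XA;OICI;$Rights;;;AU;($Condition))"
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Path -AclObject $acl
    (Get-Acl -Path $Path).Sddl      # echo what NTFS actually stored
}

$folder = "C:\myfolder"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Case 1, the "And": Member_of with two SIDs means the user must be in BOTH
# groups (Member_of_Any would mean "either"). Tom (McCoys only) is refused,
# Dick (McCoys and Hatfields) gets in.
$both = "Member_of {SID($(Get-SidString 'CONTOSO\McCoys')), SID($(Get-SidString 'CONTOSO\Hatfields'))}"
Set-ConditionalAccess -Path $folder -Condition $both

# Case 2, the claim: Office must equal Pungo. SDDL names a claim by its ID
# (ad://ext/Office:<hex>), not its display name, so look the ID up in AD.
$claim  = Get-ADClaimType -Filter 'DisplayName -eq "Office"'
$office = "@USER.$($claim.ID) == `"Pungo`""
Set-ConditionalAccess -Path $folder -Condition $office -Rights "0x1301bf"   # 0x1301bf = Modify

# The claim ACE only evaluates correctly once the KDC and Kerberos claim
# settings are enabled and the user has logged off and on; check the token:
whoami /claims
```

Each Set-ConditionalAccess call replaces the whole DACL, so run Effective Access after each one rather than expecting both ACEs to coexist.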
Seeing Claims and Setting Values
We haven’t enabled the Kerberos settings yet, so whoami can’t help
Another example, now that we’ve got everything enabled…
Is Using Claims Secure?
I mean, can't any user just change her title to "doctor?"
o AD attributes fall into several groups – passwords, phone & mail options, general, personal, public, RAS, account restrictions, user logon, Web info
o By default, users can only mess with phone/mail, web and "personal" which includes addresses, assistant, comment, honorific, various phone and fax numbers, office location, and picture
o So you're safe with other attributes, and you can always change the permissions
Now Your Workstation Counts, Too
o AD claims can be asserted both for user accounts and machine accounts
o Lets you control which machines users access your data from
o Ditto workstation group memberships
o Device claims are created the same way as user claims
File Classification
o Might be "sensitive," "contains personal data," "is a photograph" or anything you care about
o In more detail
o You define classifications
o Files get classified either by someone digging into the file's property page (new "Classification" tab), or by a process that regularly scans folders looking for keywords and the like
o Both the classifications and the auto-classification scans are configured from the File Server Resource Manager (not installed by default)
How to Classify Files?
o Microsoft figured that they knew what classifications many people needed, so 16 classifications are pre-loaded in AD and you can enable them if you'd like
o In ADAC, under DAC there's a section "Resource Properties"
o Enable a property, and that file property will appear in the Security dialog box and you’ll be able to create classification-related ACEs
ADAC and DAC
Enabling an Existing Property
o Quite easy
o In ADAC, navigate to Dynamic Access Control
o Double-click on Resource Properties to display the currently-available ones
o Right-click the property you want to enable and choose Enable
o The property icon changes to show you that it’s enabled
Choosing Two Built-in Properties
And Once You’ve Chosen Them…
o Their icon changes, but it’s kind of subtle…
Tell the File Server
o The file server won't learn that the new file property is important until AD tells it
o Tell a file server about the resource properties with Update-FsrmClassificationPropertyDefinition
o Now they'll appear on "Classification" and as options in the ACE editor
o In my experience, you have to either close the Explorer window and reopen, or refresh the window (it seems to vary) for the file classification properties to appear in the Security UI and on a file’s Properties page
Example ACE with Resources
How Do You Set a Property?
o We can now “classify” files and folders, which is how Immutable gets set to “yes” or “no”
o There's an automatic way, but first let's see the manual method
o Right-click a file or folder, choose Properties and there will be a new tab, "Classification"
Classification UI
Right-click any NTFS folder or file and you'll see the new "Classification" tab
If You Classify a Folder…
o Files created in the folder get the classification
o Move a file in from the same volume, it doesn’t get classified
o Copy a file from another volume, it gets the folder classification (with Explorer, PowerShell copy, robocopy)
o If you modify a file, the classifications are not reset
Home-Grown Properties
making your own classifications
o Windows comes with a bunch of properties, but we can create our own
o It’s in ADAC
o Under Resource Properties, click New / Resource Properties
o Give it a name, types of values, and suggested values
o Update-FsrmClassificationPropertyDefinition
Automatic Classification
o Microsoft offers a sort of basic automated classifier tool
o Lets you tell the tool to look at a folder and examine its contents, matching them either to a particular string or a regular expression, with a PoSH script, or just changing everything in a folder wholesale
o The tool is in the File Server Resource Manager (FSRM)
o Here’s a very simple one for Scary Stuff
o Open FSRM, click “Classification Management,” “Classification Rules,” “Create Classification…”
Create the Rule (1)
Create the Rule (2)
Create the Rule (3)
“Content Classifier” means “match a given string or a regular expression.” Click this to specify what to look for
Specifying Expression to Match
Re-Evaluation Rules
Apply the Rule
Run this and all of the frightening stuff is immediately marked
FSRM Classification Report
When You Run the Classifier…
o By default, anything currently classified, whether by hand or automatically, is ignored: no scan
o This is true even if a file has changed since the last scan
o Alternatively you can choose (as we saw) to re-evaluate all files
o In my experience, once a file has been classified and later drops out of the rule, the classifier never “de-classifies” it from “yes” to “no” or from “yes” to “none”
Regular Expression Example
o Create a rule that looks inside a folder to find files that contain SSNs
o The rule will basically say, "if you find a file that contains nnn-nn-nnnn where the n's are all digits, then set HasSSN to "Yes""
o Same process as before, but choose Regular Expression and enter this text:
o \d{3}-\d{2}-\d{4}
When Does it Happen?
o You can make a rule run from FSRM, as we’ve seen
o In Classification Management / Classification Rules, click on the rule, then look in the "Actions" pane, choose "Run classification with all rules now…" or
o Start-FsrmClassification
o When you're trying this, remember that the UI can be a bit slow in updating changes in status… relax, hit refresh, wait a few secs!
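Added example, not the deck's own code: the HasSSN rule built with the ActiveDirectory and FileServerResourceManager cmdlets instead of the FSRM console, from defining the Yes/No property in AD through running the scan. It goes one step past the slides by anchoring the pattern with \b so a longer digit run is not flagged. The folder path C:\stuff, the property name HasSSN, and FSRM plus RSAT-AD-PowerShell being installed on the file server are assumptions.

```powershell
# Added example, not the deck's own code. Assumes a 2012 file server with FSRM
# and the AD PowerShell module installed, and C:\stuff as the scanned folder.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

# 1. In AD: a home-grown Yes/No property "HasSSN" (IsSecured makes it usable in
#    ACEs), added to the Global list so file servers will download it.
New-ADResourceProperty -DisplayName "HasSSN" -ResourcePropertyValueType "MS-DS-YesNo" -IsSecured $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "HasSSN"

# 2. On the file server: pull the property definitions down from AD (the step
#    the slides call "tell the file server"), then confirm it arrived. FSRM
#    knows the property by its AD ID (HasSSN_<hex>), not its display name.
Update-FsrmClassificationPropertyDefinition
$ssnProp = (Get-FsrmClassificationPropertyDefinition | Where-Object Name -like "HasSSN*").Name
Get-FsrmClassificationPropertyDefinition -Name $ssnProp | Format-Table Name, Type

# 3. The regular-expression rule: the slides' nnn-nn-nnnn pattern, anchored
#    with \b so that e.g. 12345-67-89012 is not counted as an SSN.
#    ReevaluateProperty Overwrite re-checks files that are already classified,
#    which the default (None) skips, as the "When You Run the Classifier" slide notes.
New-FsrmClassificationRule -Name "Find SSNs" -Namespace @("C:\stuff") `
    -ClassificationMechanism "Content Classifier" `
    -Property $ssnProp -PropertyValue "Yes" `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 4. Run now (same as "Run classification with all rules now…") and watch status
Start-FsrmClassification
Get-FsrmClassification
```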
Back to the Big Picture
Won’t this be too complex for most admins?
o Clearly setting up this stuff will be more complex
o But the good news is that you can create any of the policies I just imagined and store them in AD
o They are called "central access policies"
o Those policies can then be applied by a local admin, and thus can be kept consistent
Contrived but Complete Example
o We're now ready to move from the NTFS-ish DAC examples to a more "complete" and centrally deployable set of examples
o We'll use a simple example that (I think) showcases the new stuff – AD claims and file resources
o Let's say that we want a central access rule that says
o If a file's marked "Immutable=Yes," then you must have "Title=Doctor" to access it
o Then we'll deploy it
Central Access Rules and Policies
overview
o First, you build one or more central access rules (CARs); you build them in ADAC (or, in theory, ADSIEdit)
o Then you join one or more CARs to create a Central Access Policy (CAP), and again you do it in ADAC
o You then create a group policy object that contains that CAP (or CAPs)
o Deploy that GPO to a server
o Then go to the server and activate the CAP
To Follow Along…
o If you want to try this out:
o I built a domain controller called DC1
o Created a folder named c:\stuff
o Set its NTFS permissions to everyone:full control
o Set share perms to everyone:full control
o Create a standard user
o Elevate the AD "title" attribute to a claim, create a suggested value of "Doctor"
o Give the standard user the title "Doctor"
o Enable the "Immutable" property, update FS info
o Create some files in c:\stuff with immutable=yes
o Verify that the user can dir \\dc1\stuff
More Specific Task List
o Create Central Access Rule "Titles Matter"
o Direct it to files with immutable=yes
o Set permissions with condition "title=doctor"
o Create CAP "Protect Immutable"
o Add CAR "Titles Matter"
o Create GPO "DAC Example," link to domain
o Add CAP "Protect Immutable"
o Update policies
o From c:\stuff Security dialog, add the CAP
Central Access Rules and Policies
finding them
o They are both sections in Active Directory Administrative Center, under the "Dynamic Access Control" section on the left-hand column
o Right-click Central Access Rules or Central Access Policies and choose New
o Give it a title
Where To Make the Conditions
o As I've said, this CAR will have two conditions, but the UI is somewhat different from what we've seen so far
o The resource-related condition (Immutable=Yes) gets installed via what the CAR UI calls "Targeted Resources"
o The "user-related condition" (title=Doctor) gets installed just below that, under "Permissions"
o First, add the resource condition by clicking "Edit" in the "Target Resources" section
Creating a Resource Condition
o Click "Add a condition" to tell the CAR that it will apply only to files of a particular type
Creating a Resource Condition
o The drop-downs look like the ones we've seen so far, but the far left-hand one is solely "Resource," not "Device" or "User"
o Click OK to finish this part
The Resource Condition is Visible
o You can see the new condition back in the main page for the new CAR:
Create the User Condition
o We've configured the "this affects Immutable=Yes files" part, now let's add the "… and they can only be accessed by people with the title 'Doctor'" part
o To do that, click "Edit" in "Current Permissions"
This Part Should Look Familiar
As before, click "Add a condition"
As Should This One…
A CAR is Born
o You can see the rules in this screen crop; click OK and you have a CAR
Next, Create the CA Policy
o Again, CAPs are next to CARs in AD Admin Center
o Right-click "Central Access Policies," New and you get a new blank one
o I'll call this one "Protect Immutable" and all I've got to do is name it and insert its one rule, "Titles Matter"
Making a CAP
o To add a CAR, click the "Add…" button
Adding a CAR
o Just use the >> and << buttons to include the CAR or CARs, then click OK
The new CAP
Deploy/Publish the CAP
o The only way to make a CAP useful is to publish it to servers, which makes it easy for local admins to choose and apply it to their shares
o Windows does that by having you create a GPO with a setting that points to the CAP
o So next we create a GPO, link it to the domain, OU or whatever
o Look in the GPO in Computer / Windows Settings / Security Settings / File System / Central Access Policy
Installing the CAP in the GPO
o Right-click the folder, choose "Manage Central Access Policies…" and choose the desired CAP or CAPs
Deploy the GPO
o To see and use the CA policy on a file server, ensure that it got the DAC-related GPO
o Then navigate to the Advanced Security Settings dialog for your share
o In addition to Permissions, Share, Auditing and Effective Access, you'll have a new tab "Central Policy"
o Click it and you'll see "No Central Access Policy," but click the "Change" link next to the UAC shield and you'll be able to see and apply "Protect Immutable"
CAP Installed
Testing CAPs
o CARs and CAPs are complex, so it's easy to mess them up
o That's why there's a provision to install test permissions
o They don't actually take effect, but they log what would have happened, if you've got object auditing enabled and SACLs on the folder(s) concerned
o Check "enable permission staging configuration" to use this
Using the Staged Permissions
o Enable object auditing
o Set SACLs on the folder/files
o Try to access it as you can now and won't be able to later
o Look in the Security log for event 4818
Sample 4818
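Added example, not the deck's own code: the "Titles Matter" rule and "Protect Immutable" policy from the walkthrough created with the AD cmdlets, with the Doctor-only permissions staged as a proposed ACL so that mismatches are logged as event 4818 without being enforced, and then promoted once the log looks right. It assumes the Title claim and Immutable resource property are already enabled as the slides describe and that the AD PowerShell module is installed; the GPO publish and the share's Central Policy tab still have to be done as shown above.

```powershell
# Added example, not the deck's own code. Assumes the Title claim type and the
# built-in Immutable resource property are enabled, and RSAT AD PowerShell.
Import-Module ActiveDirectory

# SDDL refers to a claim or resource property by its ID, not its display name,
# so look both up instead of hard-coding them.
$titleId     = (Get-ADClaimType -Filter 'DisplayName -eq "Title"').ID              # ad://ext/Title:<hex>
$immutableId = (Get-ADResourceProperty -Filter 'DisplayName -eq "Immutable"').ID   # Immutable_MS on a default install

# Rule scope ("Target Resources"): only files classified Immutable=Yes
$resourceCondition = "(@RESOURCE.$immutableId == `"Yes`")"

# Permissions: owner, Administrators and SYSTEM keep full control; everyone
# else gets Read & Execute (0x1200a9) only while their Title claim is "Doctor".
$baseAcl   = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)"
$doctorAce = "(XA;;0x1200a9;;;AU;(@USER.$titleId == `"Doctor`"))"

# CurrentAcl is enforced; ProposedAcl is the "staged" set that is only
# evaluated for audit. Start permissive, stage the restrictive version.
New-ADCentralAccessRule -Name "Titles Matter" `
    -ResourceCondition $resourceCondition `
    -CurrentAcl  ($baseAcl + "(A;;0x1200a9;;;AU)") `
    -ProposedAcl ($baseAcl + $doctorAce)

New-ADCentralAccessPolicy -Name "Protect Immutable"
Add-ADCentralAccessPolicyMember -Identity "Protect Immutable" -Members "Titles Matter"

# After the CAP is published by GPO and chosen on the share's Central Policy
# tab, with object auditing on and a SACL on c:\stuff, every access where the
# proposed ACL would have decided differently is logged as event 4818:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 20 |
    Select-Object TimeCreated, Message | Format-List

# Once the staging log shows only the expected refusals, make it real
Set-ADCentralAccessRule -Identity "Titles Matter" -CurrentAcl ($baseAcl + $doctorAce)
```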
Thanks for Coming!
o My Server 2012 class (two days) and my PowerShell class (one day) are coming to San Francisco July 15-17 2013, info at www.minasi.com
o Newsletters there also
o Contact me at [email protected]