What is new in security in Windows 2012 or Dynamic Access Control
Ing. Ondřej Ševeček | GOPAS a. s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7 | [email protected] | www.sevecek.com
PowerPoint presentation transcript
Revolution?
Evolution
Evolution
• Access Control Lists (ACLs, made of ACEs) and NTFS
• File Server Resource Manager (FSRM) and simple file classification
• Automatic file classification with FSRM
• Active Directory (AD) integrated classification and NTFS rules with term conditions
• Kerberos Claims and user attributes
• Kerberos Compound ID and computer attributes
• Central AD defined NTFS access rules and their enforcement with FSRM
Evolution: features and their requirements

| Feature | Server | Client | Schema 2012 / DFL / FFL |
|---|---|---|---|
| AND logic ACL | Windows 2012 | - | - |
| FSRM automatic classification | Windows 2012 FSRM | - | - |
| AD integrated classification terms | Windows 2012 FSRM | - | schema 2012, FFL 2003 |
| AD integrated NTFS access rules | Windows 2012 FSRM | - | schema 2012, FFL 2003 |
| User claims | Windows 2012 | - | one Windows 2012 DC |
| Computer claims | Windows 2012 | Windows 8 / Windows 2012 | local Windows 2012 DC |
Claims, Terms, Classifications, Metadata
• They are just the same thing
Access Control Lists
What is New in Security in Windows 2012
Until Windows 2012
• ACEs are evaluated in the order they are stored, so DENY is not always stronger: canonical order is explicit Deny, explicit Allow, inherited Deny, inherited Allow, which means an explicit Allow on the object wins over a Deny inherited from the parent
• Only OR logic: listing several groups grants access to anyone who is in any one of them; requiring membership in two groups at once needed "shadow groups" maintained as the intersection of the real groups (combined "AND" groups)
Group Limits
• Access Token: 1024 SIDs
• Kerberos ticket: 12 kB by default; a global group costs 8 B, a domain local group or a foreign universal group 40 B
• 260 max
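The sizes above turn into a concrete check once you know which of a user's groups cost 8 B and which cost 40 B. The script below is an added example, not part of the presentation: it classifies the transitive group list the KDC puts into the PAC (the tokenGroups attribute) with the slide's per-group sizes and Microsoft's 1200 B base overhead, and flags accounts that will not fit into the default 12 kB ticket or are approaching the 1024-SID token limit. It assumes the ActiveDirectory module on a domain-joined machine; 'jdoe' is a placeholder account, and the treatment of SID-history entries as 40 B items is an assumption noted in the code.

```powershell
# Added example, not from the presentation: estimate a user's Kerberos PAC size
# with the sizing rule from the slide (8 B per global group, 40 B per domain
# local or foreign universal group, 12 kB default MaxTokenSize) and report how
# close the account is to the 1024-SID access token limit.
Import-Module ActiveDirectory

function Get-KerberosTokenEstimate {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $MaxTokenSize = 12000   # default before Windows 8 / Server 2012 raised it to 48000
    )

    # tokenGroups is the transitive group list, i.e. the same SID set the KDC puts in the PAC
    $user = Get-ADUser -Identity $Identity -Properties tokenGroups, sIDHistory
    $accountDomain = $user.SID.AccountDomainSid.Value

    $small = 0   # 8 B entries: global groups and universal groups from the account's own domain
    $large = 0   # 40 B entries: domain local groups and universal groups from other domains
    foreach ($entry in $user.tokenGroups) {
        $sid = [System.Security.Principal.SecurityIdentifier] $entry
        # Built-in and well-known SIDs (S-1-5-32-*, S-1-1-0, ...) are added by the local LSA, not carried in the PAC
        if ($null -eq $sid.AccountDomainSid) { continue }
        $group = Get-ADGroup -Identity $sid -Properties groupType -ErrorAction SilentlyContinue
        if (-not $group) { $large++; continue }   # not resolvable from here: treat as a foreign group (worst case)
        $type = $group.groupType                   # flag set: 0x2 global, 0x4 domain local, 0x8 universal
        if ($type -band 0x4) { $large++ }
        elseif (($type -band 0x8) -and ($sid.AccountDomainSid.Value -ne $accountDomain)) { $large++ }
        else { $small++ }
    }
    # Assumption: each SID-history entry travels as a full SID, so it is counted at 40 B (conservative)
    $large += ($user.sIDHistory | Measure-Object).Count

    # 1200 B base overhead is Microsoft's figure (KB 327825: TokenSize = 1200 + 40d + 8s)
    $estimate = 1200 + 40 * $large + 8 * $small
    [pscustomobject] @{
        Identity        = $user.SamAccountName
        SmallEntries8B  = $small
        LargeEntries40B = $large
        EstimatedBytes  = $estimate
        ExceedsMaxToken = ($estimate -gt $MaxTokenSize)
        SidsInPac       = $small + $large
        NearSidLimit    = (($small + $large) -gt 900)   # leaves room for the SIDs the LSA adds locally
    }
}

Get-KerberosTokenEstimate -Identity 'jdoe' | Format-List
```

Run it for the accounts with the most nested memberships (service and admin accounts are the usual offenders); an ExceedsMaxToken of True explains the "token too large" logon and HTTP 400 failures that appear long before the 1024-SID ceiling is reached.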
Classic flow of access control (diagram; the checkpoints a network file request passes through, listed roughly in the order they are hit)
• Windows Firewall: TCP 445 reachable
• Authentication: Kerberos or NTLM
• Allowed to authenticate?
• Access this Computer from Network / Allow Logon Locally user rights
• Access Token built from the user's SIDs (possibly a UAC restricted access token)
• Sharing Permissions
• Path and Owner
• NTFS Permissions
• Folder Quotas, Volume Quotas
• Disk
New in Windows 2012
• AND logic possible
• Extendable with claims: FSRM file claims, user claims, device (computer) claims
• Requires domain membership and Windows 8 / Windows 2012 on both sides
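What "AND logic" means on a real folder: one conditional ACE that requires membership in two groups at once, which a classic ACL could only imitate with a shadow group. The script below is an added example, not code from the presentation; the folder path and the two group names are placeholders, and it assumes the file system lives on Windows 8 / Windows Server 2012 or later, because older NTFS implementations reject the XA (callback) ACE type that carries the condition.

```powershell
# Added example, not from the presentation: grant Read & Execute only to users
# who are in BOTH groups, with a conditional ACE expressed in SDDL.
$folder = 'D:\Shares\Finance\Reports'                 # placeholder
$groups = 'CONTOSO\Finance', 'CONTOSO\Managers'       # placeholders

function Get-GroupSidString([string] $account) {
    # No ActiveDirectory module needed: the LSA translates the account name to its SID
    (New-Object System.Security.Principal.NTAccount($account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-AndOfGroupsSddl([string[]] $accounts, [string] $rights = '0x1200a9') {
    # 0x1200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, i.e. "Read & Execute"
    $terms = foreach ($a in $accounts) { 'Member_of {SID(' + (Get-GroupSidString $a) + ')}' }
    $condition = $terms -join ' && '
    # P = protected (no inherited ACEs can override this DACL), AI = auto-inherit flag
    # XA = ACCESS_ALLOWED_CALLBACK ACE; the trailing expression is evaluated on every access check
    # SY and BA keep full control so administrators cannot lock themselves out
    "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(XA;OICI;$rights;;;AU;($condition))"
}

$sddl = New-AndOfGroupsSddl $groups
Write-Host "Applying: $sddl"

$acl = Get-Acl -Path $folder
# Replace only the DACL section; owner, primary group and SACL stay as they are
$acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $folder -AclObject $acl

# Check: the callback ACE and its "&&" condition are visible in the folder's SDDL
(Get-Acl -Path $folder).Sddl
```

A member of only one of the two groups is denied at the NTFS check even though the ACE names Authenticated Users, because the condition is part of the ACE, not a separate group lookup; there is no shadow group to fall out of date. Use the same pattern with `||` for the classic OR case and mix in `@USER.` or `@DEVICE.` claim comparisons once claims are enabled.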
New flow of access control (diagram; the same checkpoints as the classic flow, from Windows Firewall and authentication through the access token, sharing permissions, path and owner, NTFS permissions, quotas and disk, with one addition)
• The NTFS Permissions step now also evaluates Condition ACEs: conditional expressions over group membership and over user, device and file claims
File Classification
File Server Resource Manager (FSRM)
• Manual file classification
• Automatic file classification by file name wildcard, folder path, words and/or regular expressions in the content, or PowerShell code
• Terms defined locally vs. defined in AD
• Adds file metadata, stored in alternate NTFS data streams
File claims and ACL
• File claims can be used in the new ACE conditions, but only AD based file terms (resource properties), not locally defined FSRM properties
AD defined file claims
• Require the Windows 2012 schema extension and the Windows 2003 forest functional level; no Windows 2012 DC is needed
• Edited with some editor such as ADSI Edit or the Windows 2012 ADAC (Active Directory Administrative Center)
• Must be pulled into each FSRM server manually; they are not pushed to file servers automatically
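The full round trip for an AD defined file term, as an added example that is not part of the presentation: create a secured resource property in AD, put it on the resource property list that file servers download, pull it into FSRM (the manual step above), and let two classification rules stamp files with it. It assumes the ActiveDirectory and FileServerResourceManager modules and a forest with the 2012 schema; the department names, share paths and rule names are placeholders. The AD part runs once per forest, the FSRM part on every file server.

```powershell
# Added example, not from the presentation: define a file term in AD, download it
# into FSRM and classify files with it automatically.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

# --- AD part (needs the 2012 schema extension, not a 2012 DC) ---
$choices = foreach ($d in 'Finance', 'HR', 'Engineering') {
    # (value, display name, description)
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($d, $d, "$d department data")
}
# A secured single-choice property; its ID becomes Department_MS and ACE conditions
# reference it as @RESOURCE.Department_MS. Unsecured properties cannot be used in conditions.
$prop = New-ADResourceProperty -DisplayName 'Department' -ResourcePropertyValueType 'MS-DS-SingleValuedChoice' `
    -IsSecured $true -SuggestedValues $choices -PassThru
# File servers only download properties that are on a resource property list
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members $prop

# --- FSRM part, on each file server ---
Update-FsrmClassificationPropertyDefinition          # the manual "upload": pulls the list from AD
Get-FsrmClassificationPropertyDefinition -Name 'Department_MS' | Format-List Name, DisplayName, Type

# Folder classifier: everything below the Finance share is tagged Department_MS = Finance
New-FsrmClassificationRule -Name 'Finance share' -Property 'Department_MS' -PropertyValue 'Finance' `
    -Namespace @('D:\Shares\Finance') -ClassificationMechanism 'Folder Classifier' -ReevaluateProperty Overwrite

# Content classifier: any file under D:\Shares that mentions payroll is tagged HR, wherever it sits
New-FsrmClassificationRule -Name 'Payroll documents' -Property 'Department_MS' -PropertyValue 'HR' `
    -Namespace @('D:\Shares') -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('(?i)\bpayroll\b') -ReevaluateProperty Overwrite

Start-FsrmClassification -Confirm:$false   # run the rules now instead of waiting for the schedule
Get-FsrmClassification | Format-List Status, LastError
```

Because the property is secured and AD defined, the same `Department_MS` value the classifier writes is what a conditional ACE or a central access rule reads later; a property created only in the local FSRM console would classify files just as well but could not appear in a permission condition, which is the distinction the previous slide makes.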
Kerberos Claims
Kerberos ticket until Windows 2012 KDC
• User identity: login name, SID
• Additional SIDs: groups, SID history
Good old Kerberos (diagram: Client XP, DC 2003, Server)
• Client XP asks DC 2003 for a TGT
• Client XP presents the TGT to DC 2003 and receives a service ticket (TGS) whose PAC carries the user's SIDs
• Client XP presents the service ticket to the Server, which builds the access token from those SIDs
What is new in Kerberos tickets with Windows 2012 KDC
• User identity: login name, SID
• Additional SIDs: groups, SID history
• User claims: AD attributes of the user carried in the Kerberos TGT
Requirements
• At least a single Windows 2012 DC (KDC)
• Tickets are extendable: if a client does not understand the extension, it simply ignores its contents
• If a server requires user claims and they are not present in the service ticket (TGS), it can ask a Windows 2012 DC for them directly over its secure channel
Good old Kerberos supports claims as well (diagram: Client XP, DC 2003, DC 2012, Server 2012)
• Client XP obtains its TGT and service ticket (TGS) from DC 2003 as before; the ticket carries only SIDs
• Server 2012 takes the SIDs from the ticket, then asks DC 2012 directly for the user's claims and adds them to the token
Brand new Kerberos with Windows 2012 KDC (diagram: Client XP, DC 2012, Server 2012)
• Client XP obtains a TGT from DC 2012; the TGT already contains the user claims
• The service ticket (TGS) issued from that TGT carries both the SIDs and the user claims
• Server 2012 reads SIDs and user claims straight from the ticket; no extra round trip to a DC is needed
What is new in Kerberos with DFL 2012
• User identity: login name, SID
• Additional SIDs: groups, SID history
• User claims: AD attributes of the user in the Kerberos TGT
• Device claims: AD attributes of the computer, delivered through Compound ID in the Kerberos TGT
Kerberos Compound ID with device claims (diagram: Client 8, DC 2012, Server 2012)
• Client 8 first obtains its computer TGT, which carries the device claims
• The user's TGT request is sent together with the computer TGT (Compound ID); DC 2012 returns the user TGT with the user claims and now knows which device the user is on
• The service ticket (TGS) then carries the SIDs, the user claims and the device claims
• Server 2012 reads all three from the ticket and can evaluate conditions on the user, the device and the file
Requirements
• At least a local Windows 2012 DC (KDC), i.e. the DC the client actually authenticates against; better to have 2012 DFL for consistent behaviour
• Clients must be Windows 8 or Windows 2012: they must ask for TGTs with the Compound ID extension
• The server cannot fetch device claims on its own the way it can fetch user claims: without Compound ID the service ticket carries no identity of the device the user came from
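Putting the user claim and device claim requirements into commands, as an added example that is not from the presentation: define one claim type of each kind, switch on claims and compound authentication on the KDCs and the Windows 8 / 2012 clients, mark the file server account as understanding Compound ID, and look at what actually arrives in a token. It assumes the ActiveDirectory and GroupPolicy modules; the claim IDs, GPO names, the domain DN and the server name FS01 are placeholders. The registry values are the ones written by the "KDC support for claims, compound authentication and Kerberos armoring" and "Kerberos client support for claims, compound authentication and Kerberos armoring" policies.

```powershell
# Added example, not from the presentation: user and device claims plus Compound ID,
# from claim definition to a token check.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=com'   # placeholder

# User claim sourced from the user's 'department' attribute.
# The explicit ID is what ACE conditions reference: @USER.ad://ext/Department
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID 'ad://ext/Department' `
    -AppliesToClasses @('user') -Enabled $true

# Device claim sourced from the computer object's 'location' attribute: @DEVICE.ad://ext/Location
New-ADClaimType -DisplayName 'Location' -SourceAttribute 'location' -ID 'ad://ext/Location' `
    -AppliesToClasses @('computer') -Enabled $true

# 1. KDC side: every Windows 2012 DC must issue claims and accept compound TGT requests
$kdcGpo = 'KDC claims and compound authentication'
New-GPO -Name $kdcGpo | New-GPLink -Target "OU=Domain Controllers,$domainDn" | Out-Null
Set-GPRegistryValue -Name $kdcGpo -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
# CbacAndArmorLevel 1 = Supported (safe with a mix of DC versions); 2 = Always provide claims;
# 3 = Fail unarmored authentication requests (only once every DC is Windows 2012)
Set-GPRegistryValue -Name $kdcGpo -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null

# 2. Client side (Windows 8 / 2012 only): request claims and send the computer TGT with the user's TGT request
$clientGpo = 'Kerberos client claims and compound ID'
New-GPO -Name $clientGpo | New-GPLink -Target $domainDn | Out-Null
Set-GPRegistryValue -Name $clientGpo -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null

# 3. The file server's account must advertise Compound ID support, otherwise the KDC leaves
#    device claims out of the service tickets it issues for that server
Set-ADComputer -Identity 'FS01' -CompoundIdentitySupported $true

# Check, on a Windows 8 client after 'gpupdate /force' and a fresh logon:
# the TGT comes from a 2012 KDC and the token lists the user and device claims
klist tgt
whoami /claims
```

If `whoami /claims` shows the user claim but no device claim, the usual causes are in the order of the three steps: the client reached a pre-2012 KDC (check the DC in `klist tgt`), the client policy is not applied so no computer TGT was sent, or the target server's account lacks the Compound ID flag; the last one is the case the slide describes, where the server has no way to learn the device afterwards.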
Central Access Rules
Requirements
• Windows 2012 schema extension and Windows 2003 forest functional level; no Windows 2012 DC required
• Edited with some editor such as ADSI Edit or the Windows 2012 ADAC
• Delivered to file servers with Group Policy
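A central access rule ties the pieces together: a resource condition selects the files by their AD defined classification, and the rule's own ACL compares user claims against the file's properties. The script below is an added example, not from the presentation; it assumes the ActiveDirectory module, a user claim type with the ID ad://ext/Department, the resource property Department_MS and a group named Finance, all placeholders.

```powershell
# Added example, not from the presentation: a central access rule with a staged
# (proposed) tightening, wrapped in a central access policy.
Import-Module ActiveDirectory

# Resource condition: which files the rule applies to, evaluated against the file's classification
$target = '(@RESOURCE.Department_MS == "Finance")'

# Current permissions: owner, administrators and SYSTEM keep full control; an authenticated user
# gets Read & Execute (0x1200a9) only when the user's Department claim equals the file's property
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
              '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

# Proposed permissions are staged, not enforced: the file server audits where they would
# decide differently from the current ones, so a tighter rule can be tried before going live
$financeSid = (Get-ADGroup -Identity 'Finance').SID.Value
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
               '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
               '(Member_of {SID(' + $financeSid + ')})))'

New-ADCentralAccessRule -Name 'Finance documents' -ResourceCondition $target `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

New-ADCentralAccessPolicy -Name 'Finance data policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance data policy' -Members 'Finance documents'

# Check what was written; the policy is what Group Policy delivers to the file servers
Get-ADCentralAccessPolicy -Identity 'Finance data policy' | Select-Object Name, Members
Get-ADCentralAccessRule -Identity 'Finance documents' | Select-Object Name, ResourceCondition, CurrentAcl
```

Publishing is the Group Policy step from the slide and has no cmdlet of its own: add the policy under Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy in a GPO linked to the file server OU, run `gpupdate /force` on the server, and then select the policy on the share's Advanced Security > Central Policy tab. The rule's ACL is evaluated in addition to the folder's NTFS DACL, never instead of it, so the effective access is the intersection of the two.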
Take away

| Feature | Server | Client | Schema 2012 / DFL / FFL |
|---|---|---|---|
| AND logic ACL | Windows 2012 | - | - |
| FSRM automatic classification | Windows 2012 FSRM | - | - |
| AD integrated classification terms | Windows 2012 FSRM | - | schema 2012, FFL 2003 |
| AD integrated NTFS access rules | Windows 2012 FSRM | - | schema 2012, FFL 2003 |
| User claims | Windows 2012 | - | one Windows 2012 DC |
| Computer claims | Windows 2012 | Windows 8 / Windows 2012 | local Windows 2012 DC |
Thank you!