Windows Server 2012 Dynamic Access Control (TechMentor)
Windows Server 2012
Dynamic Access Control
David Tesar
Technical Evangelist, Microsoft
http://about.me/davidtesar
Level: 300
Session objectives
• Understand the new Dynamic Access Control (DAC) capabilities built into Windows Server 2012
• Learn how to leverage DAC for data compliance and leakage prevention
Data management landscape (diagram): growth of users and data; budget constraints; distributed computing; regulatory and business compliance
Dynamic Access Control building blocks
Expression-based ACEs
• ACEs with conditions, including Boolean logic and relational operators
User and device claims
• User and computer attributes can be used in ACEs
Classification enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central access and audit policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access denied assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Expression-based ACEs
Pre-2012: 'OR' of groups only
• Consider 100 countries * 10 divisions * 5 projects
• 5,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]
Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• ~60 groups instead of 5,000
Windows Server 2012: with Central Access Policies & Classification
• 3 user claims
Conditional expression operators
Logical
– AND
– OR
– NOT
– Exists (resource properties)
– See MS-DTYP for processing rules
Expression-based access policy (diagram)
AD DS supplies user claims, device claims and resource properties to the file server:
• User.Department = Finance; User.Clearance = High
• Device.Department = Finance; Device.Managed = True
• Resource.Department = Finance; Resource.Impact = High
Access policy
Applies to: Resource.Impact = High
Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)
User and device claims
Pre-2012: security principals only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device
Windows Server 2012: security principals, user claims, device claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Claim flow (diagram)
Claim type definition in AD: Display name, Source, Value type, Suggested values
Kerberos ticket for Contoso\Alice: User, Groups: …, Claims: Title=SDE
NT access token for Contoso\Alice: User, Groups: …, Claims: Title=SDE
Data classification – identifying data
• Classify data based on location inheritance
• Classify data automatically
• Data Classification Toolkit
Business needs → storage results (diagram)
Business needs:
• Need per-project share
• Ensure that business-secret files do not leak out
• Retain contract data for 10 years
Storage results:
• Business needs can start simple, but adding policies can fragment the storage infrastructure
• Complexity increases the chances of ineffective policies and prevents insight into business data
Lack of insight into your data means that you cannot manage your costs and risks
Manage data based on business value
• Classify data
• Apply policy according to classification
How can you classify information?
Location based
• Based on the folder the file is created in
• Driven by the "business owner" that sets up the folder
Manual
• Specified by the information worker
• Templates of documents can be used for default settings
• Data entry applications that mark files created by users
Automatic classification
• Automatic classification based on content and other characteristics
• Great solution for classifying large amounts of existing information
Application
• Line-of-business applications that store information on file servers
• Data management applications
Summary – classify and apply policy
Area | Windows Server 2008 R2 | Windows Server 2012 / Windows 8
Property definition | Local | Global to the forest (including default recommended definitions)
Who can classify files | Administrator only | Administrators, business owners and users
Manual classification | No UI | Classification UI added in Explorer
What can be classified | Files | Folders and files
When are classification and file management tasks done | Schedule | Schedule and continuous
In-box classification mechanisms | Content, location | Content (improved), location, PowerShell
In-box file management tasks | Expiration, custom | Expiration, custom, RMS
What happens when data leaves the file server?
Automatic Rights Management encryption
• Automatically protect your sensitive information
• Adhere to compliance regulations that require data encryption
How do I deploy expression-based access control across my servers?
Central Access Policy (diagram)
1. Define Central Access Rules (CARs) in Active Directory
  • High Impact Data rule – Applies to: Resource.Impact == High; Access conditions: User.Clearance = High AND Device.IsManaged = True
  • Personal Information rule – Applies to: Resource.PII == True; Access conditions: Allow MemberOf(PIIAdministrators, Owner)
  • "Information wall" rule – Applies to: Exists Resource.Department; Access conditions: User.Department any_of Resource.Department
2. Define Central Access Policies (CAPs)
  • Standard organization policy: High Impact rule, Personal Information rule
  • Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule
3. Apply CAPs on file servers
  • Corporate file servers
  • User folders
  • Finance folders
File access without Central Access Policy: Share permissions → NTFS permissions → access control decision
File access with Central Access Policy: Share permissions → NTFS permissions → Central Access Policy → access control decision
How access check works (diagram)
• Share security descriptor → share permissions
• File/folder security descriptor → NTFS permissions and Central Access Policy reference
• Active Directory (cached in local registry) → cached Central Access Policy definition → cached Central Access Rules
Access control decision:
1) Access check – share permissions, if applicable
2) Access check – file permissions
3) Access check – every matching Central Access Rule in the Central Access Policy
Example: effective access
Classifications on file being accessed: Department = Engineering; Sensitivity = High
Permission type | Target files | Permissions | Engineering FTE | Engineering Vendor | Sales FTE
Share | – | Everyone: Full | Full | Full | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read
Rule 2: Sensitive Data | Sensitivity=High | FTE: Modify | Modify | None | Modify
Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed]
NTFS | – | FTE: Modify; Vendors: Read | Modify | Read | Modify
Effective rights | | | Modify | None | Read
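The three-step access check and the effective-access table above, modelled as an added example that is not from the deck: the toy rights bits, group names, claim names and the functions eval_acl/access_check/effective_rights are assumptions, and rule 2 is extended with the managed-device condition from the expression-based access policy slide to show a claim-based ACE alongside the group-based ones.

```python
# Added example (not from the deck): toy model of the Windows Server 2012 access
# check from the "How Access Check Works" and "Effective Access" slides. The
# result is the intersection of share ACL, NTFS ACL and every Central Access
# Rule whose "Applies To" condition matches the file's classification.
# Rights bits, group and claim names are constructed, not Windows' real values.
READ, WRITE, DELETE, OWN = 1, 2, 4, 8
MODIFY = READ | WRITE | DELETE
FULL = MODIFY | OWN
NAMES = {0: "None", READ: "Read", MODIFY: "Modify", FULL: "Full"}
ALWAYS = lambda user, device, resource: True     # unconditional ACE

def eval_acl(acl, user, device, resource):
    """Union of rights from each allow ACE (trustee, rights, condition)
    whose trustee is in the user's groups and whose condition holds."""
    granted = 0
    for trustee, rights, condition in acl:
        if trustee in user["groups"] and condition(user, device, resource):
            granted |= rights
    return granted

def access_check(share_acl, ntfs_acl, cap, user, device, resource):
    """Steps 1-3 of the slide: share, then NTFS, then every matching CAR."""
    allowed = eval_acl(share_acl, user, device, resource)
    allowed &= eval_acl(ntfs_acl, user, device, resource)
    for applies_to, rule_acl in cap:
        if applies_to(resource):                  # non-matching rules are skipped
            allowed &= eval_acl(rule_acl, user, device, resource)
    return allowed

# Policy from the "Effective Access" slide. Rule 2 additionally requires a
# managed device, in the style of the "Expression-based access policy" slide.
SHARE = [("Everyone", FULL, ALWAYS)]
NTFS = [("FTE", MODIFY, ALWAYS), ("Vendors", READ, ALWAYS)]
CAP = [
    (lambda r: r["Department"] == "Engineering",          # Rule 1: Engineering Docs
     [("Engineering", MODIFY, ALWAYS), ("Everyone", READ, ALWAYS)]),
    (lambda r: r["Sensitivity"] == "High",                # Rule 2: Sensitive Data
     [("FTE", MODIFY, lambda u, d, r: d["Managed"] is True)]),
    (lambda r: r["Department"] == "Sales",                # Rule 3: Sales Docs
     [("Sales", MODIFY, ALWAYS)]),
]
FILE = {"Department": "Engineering", "Sensitivity": "High"}
MANAGED = {"Managed": True}

def effective_rights(groups, device=MANAGED, resource=FILE):
    """Named effective access for a user in the given groups (plus Everyone)."""
    user = {"groups": {"Everyone", *groups}}
    allowed = access_check(SHARE, NTFS, CAP, user, device, resource)
    return NAMES.get(allowed, f"0x{allowed:x}")
```

Calling effective_rights for ("Engineering", "FTE"), ("Engineering", "Vendors") and ("Sales", "FTE") reproduces the table's Modify, None and Read; the same Engineering FTE from an unmanaged device drops to None because rule 2 then grants nothing.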
How does this help me if I have to do an audit?
The audit challenge
• Compliance and forensic analysis
• Difficult to control audit volume
• Inadequate support for managing audit policies centrally
• Difficult to sift through audit noise to get to relevant data
Expression-based auditing
• Limit auditing to data that meets specific classification criteria
• Limit auditing by action and by identity
• Add contextual information into the audit events
Audit event with contextual information
An attempt was made to access an object.
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
  Logon ID: 0x3e7
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\Finance Document Share\FinancialStatements\March\EmployeeStmt.xls
  Handle ID: 0x8e4
  Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
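An added example (not from the deck) that pulls the classification out of the Resource Attributes field of the event above, so an audit pipeline can keep only events on data matching given classification criteria; the function names and the sample string are constructed here, and the resource-attribute ACE layout follows MS-DTYP.

```python
import re

# Added example (not from the deck): parse the "Resource Attributes" field of a
# Windows Server 2012 file-access audit event. Each classification is one SDDL
# resource-attribute ACE, (RA;flags;;;;WD;("name",type,flags,value,...)), as
# specified in MS-DTYP; TS marks string values, TI/TU integer values.
RA_ACE = re.compile(r'\(RA;[^;]*;;;;WD;\((.*?)\)\)')
FIELD = re.compile(r'"([^"]*)"|([^,]+)')              # quoted or bare field

def parse_resource_attributes(sddl):
    """Map each resource attribute name in the SDDL string to its value list."""
    attrs = {}
    for body in RA_ACE.findall(sddl):
        fields = [q if q else bare.strip() for q, bare in FIELD.findall(body)]
        name, kind, _flags, *values = fields
        if kind in ("TI", "TU"):                      # integer attribute values
            values = [int(v, 0) for v in values]
        attrs[name] = values
    return attrs

def matches(attrs, **criteria):
    """True when every named classification carries the required value, e.g.
    matches(attrs, Department_23AFE="Finance") to keep only Finance events."""
    return all(value in attrs.get(name, []) for name, value in criteria.items())

# Constructed sample mirroring the slide's event (straight quotes)
SAMPLE = ('S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))'
          '(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))')
```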
Incrementally add capabilities
Current infrastructure
• Access and audit policies based on security groups and file tagging
• Classify information & apply RMS policies
Windows Server 2012 DCs and Windows Server 2012 file servers
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
• Additional classification options
Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
• Additional classification options