Windows Server 2012 introduces Dynamic Access. Dynamic Access is a set of features that ensures users and their data are available and protected in line with company rules. Existing techniques such as IRM and Kerberos have been simplified and extended. With File Classifications you can also make sure that sensitive files which accidentally end up on public shares are protected, thanks to "tags" that link them, for example, to your Legal department. With Dynamic Access you therefore have more control over who has access and to which data. If you want the best security while still offering your users the option of "the new way of working" or "bring your own device", then this technology is for you!
Windows Server 2012: What can I do with Dynamic Access
1. Microsoft Windows Server 2012
Seminar: What can I do with Dynamic Access in Windows Server 2012
3. Windows Server 2012 (agenda)
Trends and Challenges
Dynamic Access
Get Started: Advice and Action!
7. [Chart: IT budget split 66% run, 20% grow, 14% transform. Pressures: explosive data growth, multiple devices, budget reductions, IT constraints.]
Companies are under pressure to do more with less
8. [Slide: enabling devices; role and device driven privileges; allow customers and partners; availability.]
Companies must facilitate productivity without impacting security
9. [Slide: centralize and standardize; rapid response; protect; report and audit.]
Companies need an integrated security strategy
10. [Diagram: users and devices connect through identity to infrastructure and apps and services, spanning traditional IT, private cloud and public cloud (hybrid cloud).]
14. Dynamic Access Control building blocks
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators
• File classifications can be used in authorization decisions
Classification Enhancements
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
15. AD DS and File Server: claims and resource properties
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
18. [Diagram: File Classification Infrastructure (FCI) for security. Resource Property Definitions feed the in-box content classification and 3rd-party classifier plugins; FCI sees a modified or created file and saves its classification.]
22. Where the pieces live
Share: Security Descriptor containing the Share Permissions
File/Folder: Security Descriptor containing the Central Access Policy Reference and the NTFS Permissions
Active Directory (cached in the local Registry): Cached Central Access Policy Definition, which references the Cached Central Access Rules
Access Control Decision:
1) Access Check – Share permissions if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in the Central Access Policy
23. Before Dynamic Access Control: the File Access Control Decision combines Share Permissions and NTFS Permissions
24. With Dynamic Access Control: the File Access Control Decision combines Share Permissions, NTFS Permissions and the Central Access Policy
25. Worked example: classifications on the file being accessed are Department = Engineering and Sensitivity = High. Effective rights are shown for three users: Engineering Full-Time, Engineering Part-Time and Sales Full-Time.
Share (Everyone: Full): Engineering FT = Full; Engineering PT = Full; Sales FT = Full
Rule 1, Engineering Docs (target Dept=Engineering; Engineering: Modify, Everyone: Read): Engineering FT = Modify; Engineering PT = Modify; Sales FT = Read
Rule 2, Sensitive Data (target Sensitivity=High; FT: Modify): Engineering FT = Modify; Engineering PT = None; Sales FT = Modify
Rule 3, Sales Docs (target Dept=Sales; Sales: Modify): [rule ignored – target does not match, not processed]
NTFS (FT: Modify, Part-Time: Read): Engineering FT = Modify; Engineering PT = Read; Sales FT = Modify
Effective Rights: Engineering FT = Modify; Engineering PT = None; Sales FT = Read
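To make the evaluation order concrete, here is an added Python model (not Microsoft's code) of the three-stage check: share permissions, then NTFS permissions, then every Central Access Rule whose target matches the file's classification, with effective rights being the intersection of all stages. It is run against the slide 25 scenario and the slide 15 claim-based policy; the dictionary shapes for user, device and file claims and the simplified permission sets are assumptions of the model.

```python
# Toy model of the Dynamic Access Control decision order on the slides: share
# permissions, then NTFS permissions, then every matching Central Access Rule;
# effective rights are the intersection of all stages. Added illustration, not
# Microsoft's code; user/device/file dictionaries are assumed claim shapes.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write"})

# Slide 25 scenario: Everyone:Full on the share; FT:Modify, Part-Time:Read in NTFS.
def share_perms(user, file):
    return MODIFY

def ntfs_perms(user, file):
    return MODIFY if user["employment"] == "FT" else READ

# Central Access Rules as (name, applies_to(file), [(permissions, condition)]).
# Each conditional ACE grants its permissions when its claim condition holds.
SLIDE25_RULES = [
    ("Engineering Docs", lambda f: f["Department"] == "Engineering",
     [(MODIFY, lambda u, d, f: u["Department"] == "Engineering"),
      (READ, lambda u, d, f: True)]),                      # Everyone: Read
    ("Sensitive Data", lambda f: f["Sensitivity"] == "High",
     [(MODIFY, lambda u, d, f: u["employment"] == "FT")]),
    ("Sales Docs", lambda f: f["Department"] == "Sales",
     [(MODIFY, lambda u, d, f: u["Department"] == "Sales")]),
]

# Slide 15 policy: Applies to @File.Impact == High; Allow Read, Write if
# (@User.Department == @File.Department) AND (@Device.Managed == True).
SLIDE15_RULES = [
    ("High Impact", lambda f: f.get("Impact") == "High",
     [(MODIFY, lambda u, d, f: u["Department"] == f["Department"] and d["Managed"])]),
]

def rule_grant(aces, user, device, file):
    # Union of the permissions granted by the ACEs whose condition is true.
    granted = set()
    for perms, cond in aces:
        if cond(user, device, file):
            granted |= perms
    return frozenset(granted)

def effective_rights(user, device, file, rules):
    granted = share_perms(user, file) & ntfs_perms(user, file)   # checks 1 and 2
    for _name, applies_to, aces in rules:                         # check 3
        if applies_to(file):   # rules whose target does not match are ignored
            granted &= rule_grant(aces, user, device, file)
    return granted

def access_allowed(requested, user, device, file, rules):
    return frozenset(requested) <= effective_rights(user, device, file, rules)
```

Because every matching rule narrows the result, a user can end up with no access even though the share and NTFS ACLs alone would allow Modify, which is exactly the Engineering Part-Time column on the slide.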
26. Token contents
Pre-2012 Token: User Account; User Groups; [other stuff]
2012 Token: User Account; User Groups; User Claims; Device Groups; Device Claims; [other stuff]
27. Claims in the token and ticket
NT Access Token: Contoso\Alice; User Groups: ...; Claims: Title=SDE
Claim type definition (in AD): Display Name; Source; Suggested values; Value type
Kerberos Ticket: Contoso\Alice; User Groups: ...; Claims: Title=SDE
34. [Diagram: In Active Directory: Claims, Resource Property Definitions, Access Policy. On the file server: Windows Server 2012 File Server. At runtime: End User.]
40. Dynamic Access Control capabilities
Classification (tagging):
• Manual tagging by content owners
• Automatic classification (tagging)
• Application-based tagging
Central access policies:
• Central access policies targeted based on file tags
• Expression-based access conditions with support for user claims, device claims, and file tags
• Access denied remediation
Central audit policies:
• Central audit policies that can be applied across multiple file servers
• Expression-based auditing conditions with support for user claims, device claims, and file tags
• Policy staging audits to simulate policy changes in a real environment
Rights Management Services (RMS) protection:
• Automatic RMS protection for Microsoft Office documents based on file tags
• Near real-time protection soon after the file is tagged
• Extensibility for non-Office RMS protectors
Windows Server 2012 brings Microsoft's experience from building and operating public clouds to deliver a highly dynamic, available, and cost-effective server platform for your private cloud. It offers businesses and hosting providers a scalable, dynamic, and multitenant-aware cloud infrastructure that securely connects across premises and allows IT to respond to business needs faster and more efficiently. Microsoft's Cloud OS uniquely delivers on customer needs across these scenarios. The Cloud OS is a consistent platform with a common set of technologies you can use to develop and manage applications for all environments using the same skills, knowledge and experience:
Agile development platform: Use the tools you know to build the apps you need, new modern apps and traditional apps, wherever they need to run to reach your customers or users. Those tools may be Visual Studio and .NET or open source technologies and languages, such as REST, JSON, PHP and Java.
Unified Dev-ops and management: Use System Center as a single pane of glass for all apps, coupled with Visual Studio as a common platform to build once and deploy anywhere, with integration to manage apps across their lifecycles for quick time to solution and easy troubleshooting and management.
Common identity: Implement Active Directory as a powerful asset across environments to help you extend your enterprise to the cloud with internet-scale security using a single identity, and/or securely extend apps and data to devices.
Integrated virtualization: Microsoft is engineered for cloud from the metal up, with virtualization built as an integrated element of the OS rather than layered on the OS, with no need for additional add-ons.
Complete data platform: Microsoft delivers comprehensive technologies to manage petabytes of data in the cloud, millions of transactions for your most mission-critical applications, and billions of rows in the hands of end users for predictive and ad hoc analytics in IT-managed offerings.
Microsoft uniquely delivers the Cloud OS as a consistent and comprehensive set of capabilities across on-premises, Microsoft Cloud or a service provider's cloud to support the world's apps and data anywhere.