What is the problem we are trying to solve? Users want to work anywhere, on any device; IT needs to retain control and manage risk.
Presentation transcript:


Dynamic Access Control

Classification: identifies data; classifies files automatically and manually.
Access control: controls access to files; provides central access policies as an organization-wide safety net.
Auditing: audits access to files; provides central audit policies for compliance reporting and forensic analysis.
Rights Management Services protection: applies RMS encryption; reduces information leaks.

Dynamic Access Control (detail)

Classification:
- Files inherit classification tags from the parent folder
- File owners tag files manually
- Files are tagged automatically
- Files are tagged by applications

Access control:
- Central access policies are based on classification
- Access conditions for user claims, device claims, and file tags are based on expressions
- Assistance is available when access is denied

Auditing:
- Central audit policies can be applied across multiple file servers
- Audits for user claims, device claims, and file tags are based on expressions
- Audits can be staged to simulate policy changes in a real environment

Rights Management Services protection:
- Automatic RMS protection is available for Microsoft Office documents
- Protection is applied in near-real time when a file is tagged
- RMS protection extends to files not created in Microsoft Office

Identify and classify information

Workflow: create or modify a file, determine its classification, save the classification.
Classifiers: the in-box content classifier or a third-party classification plug-in.
Sources of classification: location, manual tagging, contextual, application.

Resource claims build on users and groups

Claims are derived from property values and issued as part of the token received at logon; they are consumed during authorization events. The slide shows a token as viewed with "whoami /claims" from the command line:
- User: redmond\jsmith (with its SID)
- Groups: MktgFTE, RemoteAccess, High-PII (each with its SID)
- Claims: "Department" (ID Dept_, type String) = "Mktg"; "Country" (ID Country_, type String) = "US"

Expression-based access rules

Access policy: for access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
- User claims: User.Department = Finance; User.Clearance = High
- Device claims: Device.Department = Finance; Device.Managed = True
- Resource properties: Resource.Department = Finance; Resource.Impact = High
The claims are issued by Active Directory Domain Services and the rule is evaluated on the file server.

Central access policies

Characteristics:
- Composed of central access rules
- Applied to file servers through Group Policy objects
- Supplement (do not replace) native NTFS file and folder access control lists

Diagram on the slide: organizational policies (high business impact, personally identifiable information) yield a high business impact policy and a personally identifiable information policy; finance department policies (high business impact, personally identifiable information, finance) yield a finance policy. On the corporate file servers, the personally identifiable information policy is applied to user folders and the finance policy to finance folders.

Central access policy workflow

1. Active Directory Domain Services: create claim definitions, file property definitions, the central access policy and the audit policy.
2. Group Policy: send the central access policies to the file servers.
3. File server: apply the access policy to the shared folder and identify (classify) the information.
4. User's computer: the user tries to access the information; the file server evaluates the policy against the user's claims and the file's properties and allows or denies access.
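The workflow above, scripted end to end. This is an added example written for this page, not code from the slide deck or from Microsoft; it uses the Active Directory PowerShell module on Windows Server 2012 or later, run as a domain admin on a domain controller or a host with RSAT. Everything not on the slides is an assumption: the clearance claim is sourced from the employeeType attribute as a stand-in for a real clearance attribute, Device.Managed is left out (it needs a device attribute of your own choosing), the file server is called FS01, and the GPO names are the defaults. The device condition is staged as a proposed ACL first, because it only works once compound authentication is rolled out.

```powershell
# Added example, not from the deck: build the "Finance / high business impact"
# policy from the expression-based access rule slide. Assumptions: employeeType
# stands in for a clearance attribute; Device.Managed is not modelled; file server
# FS01 and default GPO names are hypothetical.
Import-Module ActiveDirectory

# 1. Claim definitions. One claim type can apply to both user and computer objects,
#    so "Department" serves both @USER and @DEVICE conditions. Setting -ID keeps the
#    SDDL below readable; otherwise AD appends a random suffix to the ID.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user", "computer") -Enabled $true
New-ADClaimType -DisplayName "Clearance" -SourceAttribute "employeeType" `
    -ID "ad://ext/Clearance" -AppliesToClasses @("user") -Enabled $true

# 2. File property definitions (resource properties). AD ships predefined ones such
#    as Department and Impact, disabled by default: enable them if present, create
#    them otherwise, and publish them in the Global Resource Property List that
#    file servers download.
function Enable-OrCreateResourceProperty {
    param([string]$DisplayName, [string[]]$Values)
    $id = "${DisplayName}_MS_DS_SinglevaluedChoice"
    $existing = Get-ADResourceProperty -Identity $id -ErrorAction SilentlyContinue
    if ($existing) {
        Set-ADResourceProperty -Identity $id -Enabled $true
    } else {
        $suggested = $Values | ForEach-Object {
            New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry($_, $_, "")
        }
        New-ADResourceProperty -DisplayName $DisplayName -ID $id -IsSecured $true `
            -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" `
            -SuggestedValues $suggested -Enabled $true
    }
    Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
        -Members $id -ErrorAction SilentlyContinue
    return $id
}
$deptProp   = Enable-OrCreateResourceProperty -DisplayName "Department" -Values @("Finance", "Marketing", "Engineering")
$impactProp = Enable-OrCreateResourceProperty -DisplayName "Impact" -Values @("High", "Moderate", "Low")

# 3. Central access rule. The resource condition selects the files the rule targets
#    (Department = Finance AND Impact = High). The current ACL grants read/execute
#    (0x1200a9) to Authenticated Users only when the user claims match; owner and
#    Builtin\Administrators keep full control so the rule cannot lock everyone out.
#    Central access policies supplement NTFS ACLs, so matching NTFS and share
#    permissions are still required.
$resourceCondition = "((@RESOURCE.$deptProp == `"Finance`") && (@RESOURCE.$impactProp == `"High`"))"
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
    '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
    '(@USER.ad://ext/Clearance == "High")))'
# The proposed ACL adds the device claim. It is audited only (event 4818 when it
# would decide differently from the current ACL), never enforced, until promoted.
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
    '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
    '(@USER.ad://ext/Clearance == "High") && (@DEVICE.ad://ext/Department == "Finance")))'
New-ADCentralAccessRule -Name "Finance HBI Rule" -ResourceCondition $resourceCondition `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# 4. Central access policy containing the rule.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance HBI Rule"

# 5. Claims only reach the file server if the KDC issues them and clients request
#    them ("support for claims, compound authentication and Kerberos armoring",
#    1 = Supported). Device claims additionally need compound authentication,
#    which the file server's computer object has to opt into.
Set-GPRegistryValue -Name "Default Domain Controllers Policy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Kdc\Parameters" `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
Set-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" `
    -ValueName "EnableCbacAndArmor" -Type DWord -Value 1
Set-ADComputer -Identity "FS01" -CompoundIdentitySupported $true

# 6. Sending the policy to file servers has no cmdlet: in GPMC add "Finance Policy"
#    under Computer Configuration\Policies\Windows Settings\Security Settings\
#    File System\Central Access Policy, run "gpupdate /force" on FS01, then apply
#    it to the share under the folder's Security > Advanced > Central Policy tab.
# Verification:
Get-ADCentralAccessPolicy -Identity "Finance Policy" -Properties Members | Select-Object Name, Members
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses
# On a Windows 8 client, after a fresh logon: whoami /claims
```

Claims are issued at logon, so a user whose department attribute changes keeps the old claim until the ticket is renewed; when a test "should work but does not", compare `whoami /claims` output with the attribute before touching the rule.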

Getting started with access policies

Suggested progression: organization-wide authorization, then departmental authorization, then specific data management, then need-to-know.

Access-denied assistance

On a computer running Windows 8, Windows retrieves access information from File Server Resource Manager on the file server and displays a message with access remediation options. If the remediation options include a link for requesting access, the user can request access to the file. Alternatively, users can request access help through . After the user satisfies the access requirements, the user's claims are updated and the user can access the file. (Participants shown on the slide: user, file server, Active Directory Domain Services.)

Security auditing workflow

1. Active Directory Domain Services: create claim types and resource properties.
2. Group Policy: create the global audit policy.
3. File server: select and apply resource properties to the shared folders.
4. User's computer: the user tries to access the information; access is allowed or denied, and the attempt is audited according to the audit policy.

Audit policy examples

Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on the business:
  Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High

Audit all vendors when they try to access documents related to projects they are not working on:
  Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
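The first audit rule above, turned into configuration and then into a query over the resulting events. This is an added example for this page, not code from the deck; it assumes the resource property is published under the ID BusinessImpact_MS_DS_SinglevaluedChoice (AD's "<Name>_MS_DS_<type>" pattern) and the clearance claim under ad://ext/Clearance, and the sample event embedded below is constructed to the 4663 field layout, not captured from a real server.

```powershell
# Added example, not from the deck. Assumptions: property ID
# BusinessImpact_MS_DS_SinglevaluedChoice, claim ID ad://ext/Clearance, and a
# constructed sample event; run the auditpol lines elevated on the file server.

# 1. Subcategories that produce the events: object access for the file system,
#    and staging events for proposed central access policies.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Access Policy Staging" /success:enable /failure:enable

# 2. Global object access auditing for files with the slide's condition: everyone,
#    all access, where the file is HBI and the user lacks High clearance. The same
#    setting lives in Group Policy under Advanced Audit Policy Configuration >
#    Global Object Access Auditing > File System. "--%" hands the rest of the line
#    to auditpol untouched so the embedded quotes survive.
auditpol --% /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA /condition:"(@RESOURCE.BusinessImpact_MS_DS_SinglevaluedChoice == \"HBI\") && (@USER.ad://ext/Clearance != \"High\")"

# 3. Hunt for matching 4663 events. Claims are not recorded in 4663, but the file's
#    resource attributes are, so filter on the tag and report who touched the file.
function Get-HbiFileAccess {
    param([string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ResourceAttributes'] -match 'BusinessImpact_MS_DS_SinglevaluedChoice[^)]*"HBI"') {
            [pscustomobject]@{
                Time   = $x.Event.System.TimeCreated.SystemTime
                User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object = $d['ObjectName']
                Access = $d['AccessMask']
                Tags   = $d['ResourceAttributes']
            }
        }
    }
}

# Constructed sample (not a real capture) so the parser can be exercised offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2013-06-03T09:15:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">REDMOND</Data>
    <Data Name="ObjectName">D:\Finance\Q2-forecast.xlsx</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("BusinessImpact_MS_DS_SinglevaluedChoice",TS,0x0,"HBI"))</Data>
  </EventData>
</Event>
'@
Get-HbiFileAccess -EventXml @($sample) | Format-Table -AutoSize

# Live: recent object-access events from the file server's Security log.
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 -ErrorAction SilentlyContinue
Get-HbiFileAccess -EventXml ($live | ForEach-Object { $_.ToXml() }) | Format-Table -AutoSize

# Staged policy: event 4818 is raised when a proposed central access policy would
# have decided differently from the current one; nothing is blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4818 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Because the claim condition is evaluated by the audit engine and only the file's tags land in the event, the query cannot reconstruct "clearance != High" after the fact; the condition on the SACL is what keeps the log from filling with cleared users' normal work, and the report shows the remainder.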

Classification-based encryption process

1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Services.
2. A user creates a file with the word "confidential" in the text and saves it.
3. The classification engine on the file server classifies the file as high-impact according to the configured rules.
4. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
5. The RMS template and encryption are applied to the file on the file server, and the file is encrypted.
(Participants shown on the slide: user, file server, classification engine, RMS server, Active Directory Domain Services.)
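The classification workflow (identify and classify information, earlier on this page) and the encryption process above, scripted on the file server with the File Server Resource Manager module. This is an added example for this page, not code from the deck or from Microsoft. It assumes Windows Server 2012 or later with the FSRM role and the FileServerResourceManager module, that the Impact resource property is enabled in AD under the ID Impact_MS_DS_SinglevaluedChoice, that the share lives at D:\Finance, and that an AD RMS template named "Finance Confidential" exists; all four are assumptions, not facts from the slides.

```powershell
# Added example, not from the deck. Assumptions: share D:\Finance, resource property
# Impact_MS_DS_SinglevaluedChoice enabled in AD, AD RMS template "Finance Confidential".
Import-Module FileServerResourceManager

# Step 1 of the slide: the definitions live in AD; copy them into the local FSRM
# property store so rules and jobs can reference them.
Update-FsrmClassificationPropertyDefinition

# Step 3: a content classifier rule. Any file under the namespace whose text
# contains "confidential" is tagged Impact = High. Overwrite makes a later pass
# re-tag the file if its content changes, instead of keeping the first value.
New-FsrmClassificationRule -Name "Confidential text is high impact" `
    -Namespace @("D:\Finance") -ClassificationMechanism "Content Classifier" `
    -ContentString @("confidential") `
    -Property "Impact_MS_DS_SinglevaluedChoice" -PropertyValue "High" `
    -ReevaluateProperty Overwrite

# Classify continuously (on file creation and change) in addition to the scheduled
# run, and force a pass over existing files now.
Set-FsrmClassification -Continuous
Start-FsrmClassification

# Step 4: a file management job whose condition is the tag and whose action is RMS
# protection. -Continuous applies the action as soon as a file is tagged instead of
# waiting for the scheduled run, which is the near-real-time protection the deck
# describes.
$condition = New-FsrmFmjCondition -Property "Impact_MS_DS_SinglevaluedChoice" -Condition Equal -Value "High"
$action    = New-FsrmFmjAction -Type Rms -RmsTemplate "Finance Confidential"
New-FsrmFileManagementJob -Name "Protect high-impact files" -Namespace @("D:\Finance") `
    -Condition @($condition) -Action $action -Continuous

# Step 5 happens on the server: the template is applied and the file is encrypted.
# Run the job once against the backlog of already-tagged files.
Start-FsrmFileManagementJob -Name "Protect high-impact files"

# Verification.
Get-FsrmClassificationRule -Name "Confidential text is high impact" | Format-List Name, Namespace, ContentString, PropertyValue
Get-FsrmFileManagementJob -Name "Protect high-impact files" | Format-List Name, Namespace, Continuous
```

Two things bite in practice: the job runs as the file server's machine account, which must be allowed to obtain certificates from the RMS cluster (the ServerCertification pipeline), and a file that the content classifier cannot read (an already-encrypted file, or a format without a text extractor) is simply not tagged, so verify the tag on a sample file before trusting the pipeline for the whole share.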


Policy-driven access to data with Dynamic Access Control

Benefits:
- Easily resolve end-user permission issues
- Centrally manage access control from Active Directory
- Pre-stage and simulate the effect of changes to access policy
- Automatically identify and classify data based on content

Features:
- Central access policies
- File access audit
- Integration with Active Directory Rights Management Services
- File Classification Infrastructure