Dynamic Access Control Overview. Matthias Wollnik, Program Manager, File Server, Microsoft Corporation
Demo: Data Classification (location-based classification; automatic content-based classification)
Group explosion: Country (50) x Department x Sensitive. 50 groups become 2000 groups!
Demo: Expression-based ACL (country-based central access rule)
Claims-based access check between AD DS and the File Server:
- User claims: User.Department = Finance; User.Clearance = High
- Device claims: Device.Department = Finance; Device.Managed = True
- Resource properties: Resource.Department = Finance; Resource.Impact = High
- Access policy: Applies = High. Allow | Read, Write | if AND == True)
Demo: Central Access Policy with user claims (country-based central access rule)
Windows Server 2012 Active Directory (access policy, resource property definitions, user claims); Windows Server 2012 File Server; End User: Access Policy?
Three approaches: no conditional expressions; using groups with conditional expressions; using user claims.
Demo: Automatic Rights Management Protection
DCT workflow: 1. Import (OOB Knowledge), 2. Export, 3. Deploy, 4. Report. Components: DCT Database, Management Client, Domain Controller (Active Directory), Collect, Staging File Server, Production File Servers (Windows 2008 R2 and Windows 2012, a hybrid environment), Scale (#File Servers).
An attempt was made to access an object.
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
  Logon ID: 0x3e7
Object:
  Object Server: Security
  Object Type: File
  Handle ID: 0x8e4
  Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
  Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
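An added example, not from the deck or from Microsoft: a Python parser for the Resource Attributes SACL quoted in the audit event above, plus a constructed central access rule in the shape of the claims slide (User.Department, Device.Managed, Resource.Impact). The mapping of the two resource properties to the Impact and Department roles, and the rule itself, are assumptions; the parser also handles multi-valued and integer-typed attributes, which this event does not contain.

```python
import re

# Resource Attributes value from the audit event on the slide (curly quotes normalised).
EVENT_RESOURCE_ATTRIBUTES = (
    'S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))'
    '(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))'
)

# One resource-attribute ACE: (RA;ace_flags;;;;SID;("Name",Type,attr_flags,value,...))
_RA_ACE = re.compile(r'\(RA;([^;]*);;;;([^;]*);\((.*?)\)\)')
# Tokens inside the attribute tuple: a quoted string or a bare, comma-separated value.
_TOKEN = re.compile(r'"([^"]*)"|([^,]+)')
# SDDL attribute type codes handled here; int(v, 0) accepts decimal and 0x hex.
_CAST = {"TS": str, "TI": lambda v: int(v, 0), "TU": lambda v: int(v, 0)}


def parse_resource_attributes(sddl):
    """Return {attribute name: value} (a list when the attribute is multi-valued)."""
    if not sddl.startswith("S:"):
        raise ValueError("expected a SACL string starting with 'S:'")
    props = {}
    for _ace_flags, _sid, body in _RA_ACE.findall(sddl):
        tokens = [quoted or bare for quoted, bare in _TOKEN.findall(body)]
        name, vtype, _attr_flags, *values = tokens
        if vtype not in _CAST:
            raise ValueError(f"unsupported attribute type {vtype!r} for {name!r}")
        values = [_CAST[vtype](v) for v in values]
        props[name] = values[0] if len(values) == 1 else values
    return props


def evaluate_rule(user, device, resource):
    """Constructed rule: applies to resources whose impact is High; allows Read and
    Write only if User.Department == Resource.Department AND Device.Managed == True.
    Returns None when the rule does not target the resource, else the granted rights."""
    # Assumption: the PII attribute plays the Resource.Impact role and
    # "Department_23AFE" is the Department resource property with its generated suffix.
    if resource.get("Personally Identifiable Information") != "High":
        return None
    if (user.get("Department") == resource.get("Department_23AFE")
            and device.get("Managed") is True):
        return {"Read", "Write"}
    return set()


if __name__ == "__main__":
    props = parse_resource_attributes(EVENT_RESOURCE_ATTRIBUTES)
    alice = {"Department": "Finance", "Clearance": "High"}   # user claims from the slide
    laptop = {"Department": "Finance", "Managed": True}       # device claims from the slide
    print(props, evaluate_rule(alice, laptop, props))          # Read and Write granted
    print(evaluate_rule(alice, {"Managed": False}, props))     # unmanaged device: set()
```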
Demo: Expression-Based Auditing
Windows Server 2012 Active Directory (access policy, resource property definitions, user claims); Windows Server 2012 File Server; End User: Access Policy? Event collected to central repository for analysis and reporting.
DAC Partners
StealthAUDIT® for Windows Server 2012 Dynamic Access Control. Group explosion: Department x 50 x 20 (Country, Sensitive). ACCESS POLICY: Applies = High. Allow | Read, Write | if AND == True)
Phases: discover your environment; design new security model; implement. Activities: identify where groups are being used and who owns them; clean up, consolidate & secure; conditional permissions; central access policies & claims; impact analysis & group reduction; apply, lock down & maintain.
Data Loss Prevention: CA DataMinder (data-security-overview.aspx); dg classification
Data Loss Prevention and Dynamic Access Control: Dynamic Content Classification and Control. 1: Create, 2: Analyze, 3: Classify, 4: Tag, 5: Enforce
CA Technologies Content-Aware Identity & Access Management: control identity, control access and control information. CA DataMinder discovers, classifies and controls information. Controls collaboration & file sharing environments: SharePoint 2010 (March 2012); Windows Server 2012 Dynamic Access Control (July 2012). Delivers precise & fine-grained access control. Copyright © 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.
dg classification: Supercharge DAC with automated file classification. Enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification. Deeply integrated with Windows Server. dg classification can also be used to fuel powerful governance, compliance and archiving solutions. For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at. A leader in automatic file classification.
Dynamic Policy Enforcer
GigaTrust Dynamic Policy Protector and Dynamic Policy Module on Windows 8 Server: FCI, Classify, Protect; Desktop; AD Admin Center (access policies, claims, properties); Dynamic Access Control; AD RMS (use license; static). Legend: user claims, resource properties, access policy, GigaTrust product component. GigaTrust Contact:
sddl-xacml-windows-server-2012; Titus Metadata Security for SharePoint; Control Center for Windows Server 2012 Dynamic Access Control; Axiomatics Policy Server
Windows Server 2012 Active Directory; Windows Server 2012 File Server; Microsoft SharePoint 2010; End User: Access Policy? ?
Axiomatics Policy Server (APS) flow between Policy Author, File Server, Active Directory and User: 1. Author policy & export to AD; 2. Convert XACML to SDDL & import; 3. Push out imported rules based on group policy; 4. Access files; 5. Check access based on rules previously defined in APS.
RSA NetWitness
Enterprise-wide visibility into server and application health
In Summary
Reduce group complexity
Simplify access control
Implement effective access control
Related sessions:
- SIA 207: Windows Server 2012 Dynamic Access Control Overview
- SIA 341: Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
- SIA 316: Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
- SIA21-HOL: Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
- SIA02-TLC: Windows Server 2012 Active Directory and Dynamic Access Control
Find Me Later at the Windows Server booth