What is new in security in Windows 2012 or Dynamic Access Control Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security.


What is new in security in Windows 2012 or Dynamic Access Control
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7

Revolution? Evolution

Access Control Lists (ACEs)
– and NTFS
File Server Resource Manager (FSRM)
– and simple file classification
Active Directory (AD) integrated classification
– and NTFS rules with term conditions
Automatic file classification with FSRM
Kerberos Claims
– and user attributes
Kerberos CompoundId
– and computer attributes
Central AD defined NTFS access rules
– and their enforcement with FSRM

Evolution

Feature                            | Server            | Client                   | Schema 2012 / DFL / FFL
AND logic ACL                      | Windows 2012      | -                        | -
FSRM automatic classification      | Windows 2012 FSRM | -                        | -
AD integrated classification terms | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
AD integrated NTFS access rules    | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
User claims                        | Windows 2012      | -                        | one Windows 2012 DC
Computer claims                    | Windows 2012      | Windows 8 / Windows 2012 | local Windows 2012 DC

Claims, Terms, Classifications, Metadata
They are just the same thing under different names

Access Control Lists

Until Windows 2012
ACEs are evaluated in sorted order
– DENY is not always stronger
ACLs have OR logic (any matching Allow ACE grants access); AND conditions needed workarounds:
– shadow groups
– combined "AND" groups

Group Limits
Access Token
– 1024 SIDs
Kerberos ticket
– 12 kB by default
– global group = 8 B
– domain local group / foreign universal group = 40 B
– 260 max

Classic flow of access control (diagram; boxes shown): Windows Firewall TCP 445; Authentication (Kerberos, NTLM; Allowed to Authenticate?; Access this Computer from Network; Allow Logon Locally); Access Token; UAC Restricted Access Token; Sharing Permissions; NTFS Permissions (Path, Owner); Folder Quotas; Volume Quotas; Disk

New in Windows 2012
AND logic possible
Extendable with claims
– FSRM file claims
– user claims
– device (computer) claims
Requires domain membership
– Windows 8, Windows 2012

New flow of access control (diagram; boxes shown): Windows Firewall TCP 445; Authentication (Kerberos, NTLM; Allowed to Authenticate?; Access this Computer from Network; Allow Logon Locally); Access Token; UAC Restricted Access Token; Sharing Permissions; NTFS Permissions (Path, Owner) with Condition ACEs; Folder Quotas; Volume Quotas; Disk
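One way to put the AND logic from the slide onto a folder, as an added example that is not part of the deck: a single conditional ACE that requires membership of both groups plus a user claim, next to the classic two-ACE (OR) form. It assumes a Windows 2012 domain-member file server with the ActiveDirectory RSAT module, claims enabled on the KDC and clients through Group Policy, and constructed group names, folder path and claim display name.

```powershell
# Added example (not from the slides): one conditional ACE that requires BOTH groups,
# the AND logic that classic ACLs could only fake with shadow groups, plus a user
# claim. Assumptions: Windows 2012 domain-member file server with the ActiveDirectory
# RSAT module; claims enabled on KDC and clients through Group Policy; the groups,
# folder and the claim display name 'Department' are constructed for this example.
Import-Module ActiveDirectory
$folder = 'D:\Projects\Finance'

function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$finance  = Get-Sid 'CONTOSO\Finance'
$auditors = Get-Sid 'CONTOSO\Auditors'
# Claims are referenced in SDDL by the claim type ID (ad://ext/...), not the display name.
$deptClaim = (Get-ADClaimType -Filter 'DisplayName -eq "Department"').ID

# Classic ACL, shown for comparison only: two Allow ACEs are OR logic, so a member
# of EITHER group gets Read & Execute (0x1200a9).
$classic = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" +
           "(A;OICI;0x1200a9;;;$finance)(A;OICI;0x1200a9;;;$auditors)"

# Windows 2012 conditional (XA) ACE: Member_of {A, B} is satisfied only when the
# token holds BOTH SIDs, and && adds the user claim carried in the Kerberos TGT.
$conditional = "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" +
               "(XA;OICI;0x1200a9;;;AU;(Member_of {SID($finance), SID($auditors)}" +
               " && (@USER.$deptClaim == `"Finance`")))"

$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($conditional)
Set-Acl -Path $folder -AclObject $acl

# Read it back; the condition is kept verbatim in the SDDL.
(Get-Acl -Path $folder).Sddl
# On a Windows 8 / 2012 client, 'whoami /claims' shows the claims in the current token.
```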

File Classification

File Server Resource Manager (FSRM)
Manual File Classification
Automatic File Classification
– file name wildcard
– folder path
– words and/or regular expressions
– PowerShell code
Locally vs. AD defined terms
Adds file metadata
– stored in alternate NTFS data streams

File claims and ACL
File claims can be used in the new ACE conditions
– only AD based file terms

AD defined file claims
Requires Windows 2012 schema extension
Requires Windows 2003 forest functional level
– does not require any Windows 2012 DC
– needs some editor such as ADSI Edit or Windows 2012 ADAC (Active Directory Administrative Center)
Must be uploaded to FSRM servers manually

Kerberos Claims

Kerberos ticket until Windows 2012 KDC
User identity
– login
– SID
Additional SIDs
– groups
– SID history

Good old Kerberos (diagram): Client XP obtains a TGT from DC 2003, then a TGS ticket carrying SIDs for the Server.

What is new in Kerberos tickets with Windows 2012 KDC
User identity
– login
– SID
Additional SIDs
– groups
– SID history
User claims
– AD attributes in Kerberos TGT tickets

Requirements
At least a single Windows 2012 DC (KDC)
Tickets are extensible
If a client does not understand the extension, it simply ignores its contents
If a server requires user claims and they are not present in the TGS ticket, it can ask a Windows 2012 DC directly (over the secure channel)

Good old Kerberos supports claims as well (diagram): Client XP obtains a TGT and a TGS ticket with SIDs from DC 2003; Server 2012 fetches the user's claims directly from DC 2012.

Brand new Kerberos with Windows 2012 KDC (diagram): Client XP obtains from DC 2012 a TGT carrying SIDs and User Claims; the TGS ticket for Server 2012 carries SIDs and User Claims as well.

What is new in Kerberos with DFL 2012
User identity
– login
– SID
Additional SIDs
– groups
– SID history
User claims
– AD attributes in Kerberos TGT tickets
Device claims
– AD attributes of computers
– Compound ID in Kerberos TGT tickets

Kerberos Compound ID with device claims (diagram): Client 8 presents both its user TGT (User Claims) and the computer TGT (Device Claims) to DC 2012 in the ticket request; the TGS ticket for Server 2012 then carries SIDs, User Claims and Device Claims.

Requirements
At least a local Windows 2012 DC (KDC)
– better to have 2012 DFL for consistent behavior
Clients Windows 8 or Windows 2012
– must ask for TGTs with the Compound ID extension
The server cannot obtain device claims on its own because it does not know from which device the user came

Central Access Rules

Requirements
Windows 2012 schema extension
Windows 2003 forest functional level
– does not require any Windows 2012 DC
– needs some editor such as ADSI Edit or Windows 2012 ADAC
Uploaded to file servers (FS) by using Group Policy
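The AD side of a central access rule, as an added example that is not part of the deck: the user claim, the resource property list that FSRM servers download, and the rule and policy that Group Policy later pushes to file servers. It assumes schema 2012 and FFL 2003, a Windows 2012 box with the ActiveDirectory module and rights to the Claims Configuration container, and constructed rule and policy names; Department_MS is the built-in 2012 resource property.

```powershell
# Added example (not from the slides): define the AD side of a central access rule,
# the user claim, the resource property and the policy, with the ActiveDirectory module.
# Assumptions: schema 2012 and FFL 2003 in place, run on a Windows 2012 box by an
# account allowed to write the Claims Configuration container; rule and policy names
# are constructed. Department_MS is the built-in 2012 resource property.
Import-Module ActiveDirectory

# User claim sourced from the 'department' attribute; it travels in the Kerberos TGT.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -Enabled $true
# SDDL conditions reference the claim by its ID (ad://ext/...), so read it back.
$deptClaim = (Get-ADClaimType -Filter 'DisplayName -eq "Department"').ID

# Enable the resource property and add it to the Global Resource Property List,
# which is what FSRM servers download as their classification terms.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_MS'

# Rule: targets files classified Department_MS = Finance and grants Read & Execute
# (0x1200a9) only when the user's claim matches the file's classification.
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
           "(XA;;0x1200a9;;;AU;(@USER.$deptClaim == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name 'Finance Documents' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $ruleAcl

# Policies group rules; Group Policy (Security Settings > File System > Central Access
# Policy) then delivers the policy to file servers, where it is assigned to folders.
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents'
Get-ADCentralAccessPolicy -Filter 'Name -eq "Finance Policy"'
```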

Take away

Evolution

Feature                            | Server            | Client                   | Schema 2012 / DFL / FFL
AND logic ACL                      | Windows 2012      | -                        | -
FSRM automatic classification      | Windows 2012 FSRM | -                        | -
AD integrated classification terms | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
AD integrated NTFS access rules    | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
User claims                        | Windows 2012      | -                        | one Windows 2012 DC
Computer claims                    | Windows 2012      | Windows 8 / Windows 2012 | local Windows 2012 DC

Thank you!