Presentation transcript:

Expression-Based ACEs
- User and computer attributes can be used in ACEs
- ACEs with conditions, including logical and relational operators
- User and Device Claims

Classification Enhancements
- File classifications can be used in authorization decisions
- Continuous automatic classification
- Automatic RMS encryption based on classification

Central Access and Audit Policies
- Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
- Allow users to self-remedy or request access
- Provide detailed troubleshooting info to admins

Expression-based access policy (slide 5; components shown: AD DS, File Server)

User claims
- User.Department = Finance
- User.Clearance = High

Device claims
- Device.Department = Finance
- Device.Managed = True

Resource properties
- Resource.Department = Finance
- Resource.Impact = High

Conditional Access Policy
- Applies to: Resource.Impact = High
- Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)

Pre-2012: Security Principals Only
- Restricted to making policy decisions based on the user's group memberships
- Shadow groups are often created to reflect existing attributes as groups
- Groups have rules around who can be members of which types of groups
- No way to transform groups across AD trust boundaries
- No way to control access based on characteristics of the user's device

Windows Server 2012: Security Principals, User Claims, Device Claims
- Selected AD user/computer attributes are included in the security token
- Claims can be used directly in file server permissions
- Claims are consistently issued to all users in a forest
- Claims can be transformed across trust boundaries
- Enables newer types of policies that weren't possible before. Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

Pre-2012: 'OR' of groups only
- Led to group bloat
- Consider an org with 500 projects, 100 countries, 10 divisions
- 500,000 total groups to represent every combination: ProjectZ UK Engineering Users, ProjectZ Canada Engineering Users, [etc...]

Windows Server 2012: 'AND' in expressions
- ACE conditions allow multiple groups with Boolean logic
- Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
- 610 groups instead of 500,000

Windows Server 2012: with Central Access Policies & Classification
- 3 User Claims + 3 Resource properties

Classification pipeline (FCI)

- Resource Property Definitions
- Classifiers: FCI in-box content classifier; 3rd party classification plugin (extensibility)
- File Management Task
- Flow: see modified / created file -> match file to policy -> save classification (for security)

Central Access Policies and Central Access Rules

1. Define Central Access Rules (CARs)
   High Impact Data rule
   - Applies To: Resource.Impact == High
   - Access conditions: User.Clearance = High AND Device.IsManaged = True
   Personal Information rule
   - Applies To: Resource.PII == True
   - Access conditions: Allow MemberOf(PIIAdministrators, Owner)
   "Information wall" rule
   - Applies To: Exists Resource.Department
   - Access conditions: User.Department any_of Resource.Department

2. Define Central Access Policies (CAPs) in Active Directory
   - Standard organization policy: High Impact rule; Personal Information rule
   - Finance department policy: High Impact Data rule; Personal Information rule; Information wall rule

3. Apply CAPs on File Servers
   - Corporate file servers: Finance folders, User folders

File access: the access control decision

Inputs to the decision: share permissions and NTFS permissions; with Windows Server 2012, also the Central Access Policy.

Where each piece lives
- Share security descriptor: share permissions
- File/folder security descriptor: NTFS permissions and a Central Access Policy reference
- Active Directory (cached in the local Registry): cached Central Access Policy definition and cached Central Access Rules

Access control decision
1) Access check: share permissions, if applicable
2) Access check: file permissions
3) Access check: every matching Central Access Rule in the Central Access Policy

Staging Policies

User claims
- Clearance = High | Med | Low
- Company = Contoso | Fabrikam

Resource properties
- Department = Finance | HR | Engg
- Impact = High | Med | Low

Current Central Access policy for high impact data
- Applies to: Resource.Impact == High
- Allow | Full Control | if (User.Company == Contoso)

Staging policy
- Applies to: Resource.Impact == High
- Allow | Full Control | if (User.Company == Contoso) AND (User.Clearance == High)

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

Subject:
  Security ID:     CONTOSODOM\alice
  Account Name:    alice
  Account Domain:  CONTOSODOM

Object:
  Object Server:   Security
  Object Type:     File
  Object Name:     C:\FileShare\Finance\FinanceReports\FinanceReport.xls

Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL:   Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)

Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL:   NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
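The decision order on the slides (share permissions, then file permissions, then every matching Central Access Rule in the policy) and the staged-policy comparison behind the audit event above, modelled in Python. This is an added example, not code from the presentation or from Microsoft's implementation; it also covers the conditional ACEs of the earlier expression-based access slides and the three rules of the CAP/CAR slide. The rights set (Read, Write only), the Python encodings of the rule conditions, and the principals alice and bob are constructed for illustration; the conditions themselves are the ones the slides show.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# Rights modelled here; a real ACE carries an access mask, this is a simplification.
FULL: FrozenSet[str] = frozenset({"Read", "Write"})


@dataclass
class Principal:
    name: str
    groups: Set[str]
    claims: Dict[str, object]    # user claims carried in the Kerberos ticket
    device: Dict[str, object]    # device claims (compound identity); empty if none


@dataclass
class Resource:
    path: str
    owner: str
    props: Dict[str, object]     # classification properties, e.g. {"Impact": "High"}
    share_allow: FrozenSet[str]  # rights the share ACL grants this principal (constructed)
    ntfs_allow: FrozenSet[str]   # rights the NTFS ACL grants this principal (constructed)


Cond = Callable[[Principal, Resource], bool]


@dataclass
class CentralAccessRule:
    name: str
    applies_to: Callable[[Resource], bool]   # the rule's "Applies To" condition
    aces: List[Tuple[FrozenSet[str], Cond]]  # conditional allow ACEs: (rights, condition)

    def granted(self, p: Principal, r: Resource) -> FrozenSet[str]:
        """Rights this rule grants: the union of its allow ACEs whose condition holds."""
        rights: Set[str] = set()
        for rs, cond in self.aces:
            if cond(p, r):
                rights |= rs
        return frozenset(rights)


def cap_rights(cap: List[CentralAccessRule], p: Principal, r: Resource) -> FrozenSet[str]:
    """Rights a Central Access Policy allows: every CAR whose Applies-To matches the
    resource must grant a right; a CAP with no matching rule imposes no restriction."""
    rights = set(FULL)
    for car in cap:
        if car.applies_to(r):
            rights &= car.granted(p, r)
    return frozenset(rights)


def effective_rights(p: Principal, r: Resource, cap: List[CentralAccessRule]) -> FrozenSet[str]:
    """Decision order from the slide: share permissions, file permissions, then the CAP."""
    return r.share_allow & r.ntfs_allow & cap_rights(cap, p, r)


def staging_diff(p, r, current, proposed) -> Dict[str, FrozenSet[str]]:
    """Rights on which a staged (proposed) CAP disagrees with the current CAP; a
    non-empty result is what the 'does not grant the same access' audit event reports."""
    cur, prop = cap_rights(current, p, r), cap_rights(proposed, p, r)
    return {"lost": cur - prop, "gained": prop - cur}


# Central Access Rules from the slides (constructed encodings of the shown conditions).
HIGH_IMPACT = CentralAccessRule(
    "High Impact Data rule", lambda r: r.props.get("Impact") == "High",
    [(FULL, lambda p, r: p.claims.get("Clearance") == "High" and p.device.get("IsManaged") is True)])
PII_RULE = CentralAccessRule(
    "Personal Information rule", lambda r: r.props.get("PII") is True,
    [(FULL, lambda p, r: "PIIAdministrators" in p.groups or p.name == r.owner)])
INFO_WALL = CentralAccessRule(
    '"Information wall" rule', lambda r: "Department" in r.props,
    [(FULL, lambda p, r: p.claims.get("Department") in r.props["Department"])])  # any_of
FINANCE_CAP = [HIGH_IMPACT, PII_RULE, INFO_WALL]

# Current vs staged "HBI" rule from the staging slide.
HBI_CURRENT = CentralAccessRule(
    "HBI Rule", lambda r: r.props.get("Impact") == "High",
    [(FULL, lambda p, r: p.claims.get("Company") == "Contoso")])
HBI_STAGED = CentralAccessRule(
    "HBI Rule", lambda r: r.props.get("Impact") == "High",
    [(FULL, lambda p, r: p.claims.get("Company") == "Contoso" and p.claims.get("Clearance") == "High")])

# Constructed sample principals and file.
ALICE = Principal("alice", {"Finance"},
                  {"Department": "Finance", "Clearance": "High", "Company": "Contoso"},
                  {"Department": "Finance", "IsManaged": True})
BOB = Principal("bob", {"Finance"},
                {"Department": "Finance", "Clearance": "Med", "Company": "Contoso"},
                {"IsManaged": True})
REPORT = Resource(r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls", "alice",
                  {"Impact": "High", "Department": ["Finance"]}, FULL, FULL)

if __name__ == "__main__":
    print(sorted(effective_rights(ALICE, REPORT, FINANCE_CAP)))    # ['Read', 'Write']
    print(sorted(effective_rights(BOB, REPORT, FINANCE_CAP)))      # []
    print(staging_diff(BOB, REPORT, [HBI_CURRENT], [HBI_STAGED]))  # bob loses Read and Write
```

The intersection in cap_rights is the point to notice: adding a rule to a policy can only remove access, never add it, which is why staging a tightened rule against the current one (staging_diff) surfaces exactly the users who would lose access before the policy is enforced.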

Security token contents
- Pre-2012 token: User Account; User Groups; [other stuff]
- 2012 token: User Account; User Groups; User Claims; Device Groups; Device Claims; [other stuff]

How claims reach the token (Contoso DC, file server, user)

1. AD admin: enable the domain to issue claims; define claim types (claim type, display name, source, suggested values, value type)
2. User attempts to log in and receives a Kerberos ticket: Contoso\Alice; User Groups: ...; Claims: Title=SDE
3. User attempts to access a resource; the NT access token built on the file server carries the same content: Contoso\Alice; User Groups: ...; Claims: Title=SDE

Kerberos ticket flows (diagram sequence; "?" marks the access check at the file server)

Contoso DC, user with M-TGT and U-TGT
- Pre-Windows 2012 file server: TGS (no claims)
- Windows Server 2012 file server: TGS (with User Claims)

Pre-Windows 8 user
- Set policy to enable claims on the Contoso DC
- The client receives a TGS (no claims)
- The file server calls S4UToSelf() to obtain a TGS (with User Claims)

Compound identity
- With M-TGT and U-TGT, the Contoso DC issues a TGS (User and Device Groups/Claims) for the file server

Cross-forest
- The other forest DC publishes a cross-forest transformation policy
- Referral TGT from the Contoso DC to the other forest DC
- The other forest DC issues a TGS (with claims) for the file server

Cloud application via ADFS
- TGS for ADFS from the Contoso DC
- ADFS issues a SAML token that the cloud app consumes

Ticket size impact of claims (worst-case analysis, assumes no compression)

First claim: 1 Boolean claim adds 242 bytes.

User claims set, 5 claims, adds 970 bytes:
- 1 Boolean
- 1 Integer
- 2 String, single valued, avg len/value: 12 chars
- 1 String, multi valued, avg len/value: 12 chars, avg #values: 6

Compound-ID claims sets, adds 1374 bytes of claims data + computer group's AuthZ data:
- User, 5 claims: 1 Boolean; 1 Integer; 2 String, single valued, avg len/value: 12 chars; 1 String, multi valued, avg len/value: 12 chars, avg #values: 6
- Device, 2 claims: 1 Boolean; 1 String, single valued, avg len/value: 12 chars

Bytes before compression:
  120  user overhead
  120  device overhead
  114  per int/bool claim
    8  per int/bool value
  138  per string claim
    2  per string character

Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
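The per-item byte table above is enough to reproduce all three figures on the slide (242, 970 and 1374 bytes), which makes it usable as a sizing check for a planned claim set. The calculator below is an added example, not from the presentation or from Microsoft; the six constants are the slide's, while the Claim class and the way a claim set is described are this example's own. The computer group's AuthZ data that the slide adds on top of the compound-ID figure is not modelled.

```python
from dataclasses import dataclass
from typing import List

# Per-item byte costs from the slide's "Bytes before compression" table.
USER_OVERHEAD = 120     # per user claims set
DEVICE_OVERHEAD = 120   # per device claims set
INT_BOOL_CLAIM = 114    # per integer or boolean claim
INT_BOOL_VALUE = 8      # per integer or boolean value
STRING_CLAIM = 138      # per string claim
STRING_CHAR = 2         # per string character


@dataclass
class Claim:
    kind: str          # "bool", "int" or "string"
    values: int = 1    # number of values; multi-valued claims carry several
    avg_len: int = 0   # average characters per value (strings only)

    def size(self) -> int:
        """Uncompressed bytes this claim adds, per the slide's table."""
        if self.kind in ("bool", "int"):
            return INT_BOOL_CLAIM + INT_BOOL_VALUE * self.values
        if self.kind == "string":
            return STRING_CLAIM + STRING_CHAR * self.avg_len * self.values
        raise ValueError(f"unknown claim kind {self.kind!r}")


def claims_set_size(claims: List[Claim], overhead: int) -> int:
    """Bytes for one claims set: fixed set overhead plus each claim's cost."""
    return overhead + sum(c.size() for c in claims)


def compound_id_size(user_claims: List[Claim], device_claims: List[Claim]) -> int:
    """Claims data added by compound identity: a user set plus a device set
    (the computer group's AuthZ data mentioned on the slide is not included)."""
    return (claims_set_size(user_claims, USER_OVERHEAD)
            + claims_set_size(device_claims, DEVICE_OVERHEAD))


# The three scenarios on the slide, encoded with this example's Claim class.
FIRST_CLAIM = [Claim("bool")]
USER_SET = [Claim("bool"), Claim("int"),
            Claim("string", avg_len=12), Claim("string", avg_len=12),
            Claim("string", values=6, avg_len=12)]
DEVICE_SET = [Claim("bool"), Claim("string", avg_len=12)]

if __name__ == "__main__":
    print(claims_set_size(FIRST_CLAIM, USER_OVERHEAD))   # 242
    print(claims_set_size(USER_SET, USER_OVERHEAD))      # 970
    print(compound_id_size(USER_SET, DEVICE_SET))        # 1374
```

Because every term is linear in value count and string length, the multi-valued string claim dominates: the six-value department claim alone costs 282 bytes, more than the Boolean, integer and both single-valued strings combined, so multi-valued string claims are the ones to watch when estimating ticket growth.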

Adoption path
- Current infrastructure
- Windows Server 2012 file servers: access and audit policies based on security groups and file tagging
- Windows Server 2012 DCs: centrally defined access and audit policies; user claims can be used by access and audit policies
- Windows 8 clients: add device claims to access and audit policies; better access denied experience
- Partner solutions and line of business applications

Please submit session evals on the Build Windows 8 App or at