What is new in security in Windows 2012 or Dynamic Access Control


1 What is new in security in Windows 2012 or Dynamic Access Control
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7

2 Revolution? Evolution

3 Evolution
Access Control Lists (ACEs) and NTFS
File Server Resource Manager (FSRM) and simple file classification
Active Directory (AD) integrated classification and automatic file classification with FSRM
Kerberos claims and user attributes
Kerberos Compound ID and computer attributes

4 Evolution
Feature                            | Server       | Client    | Schema 2012 / DFL / FFL
AND logic ACL                      | Windows 2012 | -         | -
FSRM automatic classification      | Windows 2012 | -         | -
AD integrated classification terms | Windows 2012 | -         | schema 2012, FFL 2003
User claims                        | Windows 2012 | -         | one Windows 2012 DC
Computer claims                    | Windows 2012 | Windows 8 | local Windows 2012 DC

5 Claims, Terms and Classifications
They are just the same thing

6 What is New in Security in Windows 2012: Access Control Lists

7 Until Windows 2012
ACEs are evaluated in sorted order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the first match for a requested right decides
DENY is not always stronger: an explicit Allow on the object beats a Deny inherited from the parent
Only OR logic: membership in any one of the listed groups is enough to get the right
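The "DENY is not always stronger" point is easy to verify locally. The following PowerShell is an added example, not part of the slides: it creates a temporary folder tree, denies Read to the current user on the parent (inheritable), grants Read explicitly on the child, and then shows that the child can still be listed because the explicit Allow sorts before the inherited Deny in the canonical DACL. The child ACE is written before the parent Deny so the script never has to read an ACL it has already been denied.

```powershell
# Added example (not from the presentation): explicit Allow vs. inherited Deny.
# Needs no domain; runs as any local user on Windows 8 / 2012 or later.
$root  = Join-Path $env:TEMP ("acldemo-" + [guid]::NewGuid())
$child = Join-Path $root "child"
New-Item -ItemType Directory -Path $child | Out-Null

# SID of the account running the script.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Step 1: explicit Allow Read on the child (set first, see lead-in).
$childAcl = Get-Acl $child
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Read', 'Allow')
$childAcl.AddAccessRule($allow)
Set-Acl -Path $child -AclObject $childAcl

# Step 2: Deny Read on the parent, inheritable to subfolders and files.
$parentAcl = Get-Acl $root
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
$parentAcl.AddAccessRule($deny)
Set-Acl -Path $root -AclObject $parentAcl

# The child's DACL now holds both ACEs; note the order: explicit Allow first, inherited Deny after it.
(Get-Acl $child).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $me } |
    Select-Object IdentityReference, AccessControlType, IsInherited, FileSystemRights

# Listing the child works although an inherited Deny for the same rights exists.
Get-ChildItem -Path $child -ErrorAction Stop | Out-Null
"Read on $child succeeded despite the inherited Deny"

# Clean up (Delete is not denied, so removal works).
Remove-Item -Path $root -Recurse -Force
```

If you swap the two steps, so that the Deny on the parent is applied first and the Allow on the child is added as a second explicit ACE later, the result is the same; what matters is only that the Allow is explicit and the Deny is inherited.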

8 Flow of Access Control
Authentication (Kerberos / NTLM) over TCP 445, passing the Windows Firewall
-> Allowed to authenticate? ("Allow logon locally", "Access this computer from network")
-> Access token (possibly a UAC restricted access token)
-> Sharing permissions
-> NTFS permissions
-> Folder quotas (per path) and volume quotas (per owner, per disk)

9 New in Windows 2012
AND logic possible
Extendable with claims: FSRM file claims, user claims, device (computer) claims

10 Flow of Access Control
Authentication (Kerberos / NTLM) over TCP 445, passing the Windows Firewall
-> Allowed to authenticate? ("Allow logon locally", "Access this computer from network")
-> Access token (possibly a UAC restricted access token)
-> Sharing permissions
-> NTFS permissions, now including claim ACEs
-> Folder quotas (per path) and volume quotas (per owner, per disk)
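The "AND logic" of slides 9 and 10 is carried by conditional ACEs (SDDL type XA), whose condition can combine user claims and file (resource) properties with && and ||. The PowerShell below is an added example, not code from the presentation. It assumes a Windows 2012 file server, a claim type created with the explicit ID ad://ext/Department (the ID is chosen here so the name in the ACE is predictable), the built-in resource properties Department_MS and Impact_MS already stamped on the folder by FSRM, and the folder path D:\Shares\Finance; all of these are assumptions.

```powershell
# Added example (not from the presentation): one conditional ACE that requires TWO things at once.
# Assumes: Windows 2012 file server, AD PowerShell module, and the folder below exists.
Import-Module ActiveDirectory

# A user claim sourced from the "department" attribute. Passing -ID fixes the name used in conditions;
# without it AD generates an ID with a random suffix that you would have to look up first.
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -ID "ad://ext/Department" -Enabled $true

$folder = "D:\Shares\Finance"   # assumed path

# XA   = ACCESS_ALLOWED_CALLBACK (conditional) ACE
# OICI = inherit to files and subfolders
# FRFX = FILE_GENERIC_READ + FILE_GENERIC_EXECUTE
# AU   = Authenticated Users; the condition, not the group, does the real filtering:
#        user's Department claim must equal the folder's Department property AND Impact must not be High.
$conditionalAce = '(XA;OICI;FRFX;;;AU;' +
    '(@USER.ad://ext/Department == @RESOURCE.Department_MS && @RESOURCE.Impact_MS != "High"))'

# Protected DACL: Administrators keep Full Control, everyone else only gets the conditional ACE.
$sddl = 'O:BAG:BAD:PAI(A;OICI;FA;;;BA)' + $conditionalAce

$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $folder -AclObject $acl

# Read it back. The .Access view shows the XA entry as an ordinary Allow; the condition is only
# visible in the SDDL string, so check that rather than the friendly view.
(Get-Acl -Path $folder).Sddl
```

The ACE is evaluated by the file server, so the users' Department claim has to arrive in their Kerberos ticket (slide 20 onwards) and the Department_MS / Impact_MS values have to be present on the files (slides 12 to 14); a server that is missing either simply treats the condition as false and denies access.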

11 What is New in Security in Windows 2012: File Classification

12 File Server Resource Manager (FSRM)
Manual file classification
Automatic file classification: words, file name wildcards, regular expressions, .PS1 code
Locally vs. AD defined terms
Adds file metadata in alternate NTFS streams

13 File claims and ACL
File claims can be used in the new ACL

14 AD defined file claims
Requires the Windows 2012 schema extension
Requires Windows 2003 forest functional level
Does not require any Windows 2012 DC
Needs some editor such as ADSI Edit or Windows 2012 ADAC to define the terms
Must be loaded onto the FSRM servers manually
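An end-to-end run of slides 12 to 14, as an added PowerShell example (not from the presentation): define a term (resource property) in AD, add it to the list FSRM reads, load the definitions onto the FSRM server, classify files automatically with a regular expression, and read back what was stamped on one file. Assumptions: a Windows 2012 file server with the FSRM role and the AD PowerShell module, the hypothetical resource property ID Project_Contoso, the share path D:\Shares\Projects, and the file plan.docx inside it.

```powershell
# Added example (not from the presentation): AD-defined term -> FSRM auto-classification -> per-file check.
Import-Module ActiveDirectory
Import-Module FileServerResourceManager

# 1. Define the term in AD. Needs the 2012 schema, not a 2012 DC (slide 14).
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Apollo", "Apollo", "Project Apollo"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Zeus",   "Zeus",   "Project Zeus")
)
New-ADResourceProperty -DisplayName "Project" -ID "Project_Contoso" `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -IsSecured $true `
    -SuggestedValues $values -Enabled $true

# Only properties in a resource property list are offered to file servers; use the default list.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Project_Contoso"

# 2. The manual step from slide 14: pull the AD definitions down to THIS FSRM server.
Update-FsrmClassificationPropertyDefinition

# 3. Automatic classification: every file under the namespace whose content matches the regex
#    gets Project = Apollo. "Overwrite" lets a later run correct an earlier value.
New-FsrmClassificationRule -Name "Tag Apollo documents" `
    -Namespace @("D:\Shares\Projects") `
    -Property "Project_Contoso" -PropertyValue "Apollo" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @("(?i)\bproject\s+apollo\b") `
    -ReevaluateProperty Overwrite

# 4. Run the classification job now instead of waiting for its schedule.
Start-FsrmClassification -Confirm:$false
Wait-FsrmClassification

# 5. Read the stored properties of one file through the FSRM COM API.
#    Option 1 = FsrmGetFilePropertyOptions_NoRuleEvaluation: return what is persisted
#    (in the file's alternate NTFS data stream) without re-running the rules.
$mgr = New-Object -ComObject Fsrm.FsrmClassificationManager
foreach ($p in $mgr.EnumFileProperties("D:\Shares\Projects\plan.docx", 1)) {
    "{0} = {1}" -f $p.Name, $p.Value
}
```

Because the value lives in an alternate data stream, it follows the file on NTFS copies and moves within the same volume but is lost when the file is copied to FAT, mailed, or written by a tool that recreates the file rather than editing it in place; a scheduled re-classification run is what brings such files back into line.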

15 What is New in Security in Windows 2012: Kerberos Claims

16 Kerberos ticket until Windows 2012 KDC
User identity: logon SID
Additional SIDs: groups, SID history

17 Good old Kerberos
Client XP obtains a TGT from DC 2003

18 Good old Kerberos
Client XP presents the TGT to DC 2003 and receives a TGS ticket carrying its SIDs; the client presents that TGS ticket (with the SIDs) to the Server

19 What is new in Kerberos tickets with Windows 2012 KDC
User identity: logon SID
Additional SIDs: groups, SID history
User claims: AD attributes of the user in Kerberos TGT tickets

20 Requirements
At least a single Windows 2012 DC (KDC)
Tickets are extendable: if a client does not understand the extension, it simply ignores its contents
If a server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly over its secure channel

21 Good old Kerberos supports claims as well
Client XP gets its TGT and a TGS ticket with SIDs from DC 2003 and presents the TGS ticket to Server 2012; Server 2012 then fetches the user's claims from DC 2012 itself

22 Brand new Kerberos with Windows 2012 KDC
Client XP obtains a TGT from DC 2012; the TGT already carries the user claims

23 Brand new Kerberos with Windows 2012 KDC
Client XP presents the TGT (with user claims) to DC 2012 and receives a TGS ticket carrying SIDs and user claims; the client presents that TGS ticket to Server 2012

24 What is new in Kerberos with DFL 2012
User identity: logon SID
Additional SIDs: groups, SID history
User claims: AD attributes of the user in Kerberos TGT tickets
Device claims: AD attributes of the computer
Compound ID (the device's SIDs and claims) in Kerberos tickets

25 Kerberos Compound ID with device claims
Client 8 requests a TGT from DC 2012 using its computer TGT as well; the resulting ticket carries user claims and device claims

26 Brand new Kerberos with Windows 2012 KDC
Client 8 (device claims need a Windows 8 client, see slide 27) presents the TGT (with user and device claims) to DC 2012 and receives a TGS ticket carrying SIDs, user claims and device claims; the client presents that TGS ticket to Server 2012

27 Requirements
At least one Windows 2012 DC (KDC) in the client's site
Better to have 2012 DFL for consistent behavior
Clients must be Windows 8 or Windows 2012 and must ask for tickets with the Compound ID extension
The server cannot just obtain device claims on its own, because it does not know from what device the user came
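The requirements on slides 20 and 27 are spread over three places: the KDC policy on the DCs, the Kerberos client policy on the workstations, and a flag on the file server's computer account. The PowerShell below is an added example, not from the presentation, that checks all three from a domain-joined Windows 8 / 2012 machine and then shows what the current token really contains. Assumptions: the file server is called FS01, the AD PowerShell module is installed, the account can read the DC's registry remotely, and the registry values EnableCbacAndArmor are the ones written by the two DAC Group Policy settings ("KDC support for claims, compound authentication and Kerberos armoring" and "Kerberos client support for claims, compound authentication and Kerberos armoring").

```powershell
# Added example (not from the presentation): verify the claims / Compound ID prerequisites.
Import-Module ActiveDirectory
$fileServer = "FS01"   # assumed name

# 1. Is there at least one Windows 2012 DC, and what is the domain functional level (slide 20 / 27)?
$domain = Get-ADDomain
$dcs2012 = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like "*2012*" }
"DomainMode: {0}; 2012 DCs: {1}" -f $domain.DomainMode, (($dcs2012 | ForEach-Object HostName) -join ", ")

# 2. KDC side: the DAC KDC policy must be applied, otherwise no DC issues claims at all.
#    Registry value written by that policy (assumed location): Services\Kdc\Parameters\EnableCbacAndArmor
foreach ($dc in $dcs2012) {
    $kdc = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc\Parameters" `
            -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
    }
    "{0}: KDC issues claims = {1}" -f $dc.HostName, ($kdc -eq 1)
}

# 3. Client side (this machine): the Kerberos client policy makes the client ASK for claims and
#    Compound ID; a client that does not ask never gets device claims, whatever the DC supports.
$clientKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$clientOn  = (Get-ItemProperty $clientKey -Name EnableCbacAndArmor -ErrorAction SilentlyContinue).EnableCbacAndArmor
"This client requests claims/compound ID = {0}" -f ($clientOn -eq 1)

# 4. Server side: the file server's computer account has to advertise Compound ID support, or the
#    client will not send its computer TGT along and the server never sees the device (slide 27).
Set-ADComputer -Identity $fileServer -CompoundIdentitySupported $true
"{0} supports compound identity = {1}" -f $fileServer,
    (Get-ADComputer $fileServer -Properties CompoundIdentitySupported).CompoundIdentitySupported

# 5. What does my own logon session carry? Claims only appear in a TGT obtained after the policies
#    took effect, so after a change: klist purge, then log off and on again.
whoami /claims

# 6. Force a fresh service ticket for the file server and list the cache.
klist get "cifs/$fileServer"
klist
```

If step 5 prints no device claims although step 3 reports the client policy as applied, the usual cause is step 4: the server's account was not flagged before the user logged on, so the client had no reason to request a compound ticket for it.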

28 What is New in Security in Windows 2012: Take away

29 Evolution
Feature                            | Server       | Client    | Schema 2012 / DFL / FFL
AND logic ACL                      | Windows 2012 | -         | -
FSRM automatic classification      | Windows 2012 | -         | -
AD integrated classification terms | Windows 2012 | -         | schema 2012, FFL 2003
User claims                        | Windows 2012 | -         | one Windows 2012 DC
Computer claims                    | Windows 2012 | Windows 8 | local Windows 2012 DC

30 What is New in Security in Windows 2012
Thank you!
