1
Session: Dynamic Access Control – The NEW Black
Jesper Krogh, Lead Infrastructure Architect
2
Agenda: Dynamic Access Control – The New Black
Why Dynamic Access Control?
Dynamic Access Control – The Elements Within
Domain Requirements
Understanding Claims and Property Definitions
Resource Properties
Central Access Policies
Central Auditing
How to get started?
3
Why Dynamic Access Control?
4
Different views of data compliance
CSO/CIO department: “I need to have the right compliance controls to keep me out of jail”
Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this?”
Information Worker: “I don’t know if I am complying with my organization’s policies”
5
Dynamic Access Control
A new, fourth level of permissions
Incorporates more information about the shared information, who's reading it, and what machine they're reading it from
Builds in more troubleshooting information
Affects auditing as well
Should make Windows security able to handle compliance issues more effectively
6
High-Level Benefits
Finer grained, richer file server permissions: "only people within the Finance department can access finance files in this share, provided they're on a machine on the 12th floor"
More complex permissions, but a central way to build them and distribute them
Security that considers not only who you are, but what machine you're trying to access from
File classification to identify data that is "high importance", "private" or "regulated", either through human intervention or automatic classification
7
High-Level Benefits
Partially aimed at people trying to meet regulatory requirements
Partially aimed at large orgs with lots of non-specialized "departmental admins"
Does not require a complete move to Windows 8 and Server 2012 – but Windows 8 is required for device-based claims!
8
"And's" in Permissions
You can define "logical" statements in file permissions, for example: User department equals resource department AND User country equals resource country
Pre Windows Server 2012 the same result needed more groups, and more groups mean token bloat (btw: the default token size limit was increased to 48K in Server 2012)
9
Making IT Work
Again, it first appears as an extension to NTFS
Will work on any domain-joined machine
Requires no group policy changes
10
Dynamic Access Control – The elements within
11
Dynamic Access Control
Classification: identifies data; classifies files automatically and manually
Access control: controls access to files; provides central access policies for an organization-wide safety net
Auditing: audits access to files; provides central audit policies for compliance reporting and forensic analysis
Rights Management Services protection: applies RMS encryption; reduces information leaks
12
Dynamic Access Control
Classification: files inherit classification tags from the parent folder; file owners tag files manually; files are tagged automatically; files are tagged by applications
Access control: central access policies are based on classification; access conditions for user claims, device claims, and file tags are based on expressions; assistance is available for denial of access
Auditing: central audit policies can be applied across multiple file servers; audits for user claims, device claims, and file tags are based on expressions; audits can be staged to simulate policy changes in a real environment
Rights Management Services protection: automatic RMS protection is available for Microsoft Office documents; protection is applied in near real time when a file is tagged; RMS protection extends to files not created in Microsoft Office
13
Dynamic Access Control Building Blocks
User and Device Claims: user and computer attributes can be used in ACEs
Expression-Based ACEs: ACEs with conditions, including Boolean logic and relational operators
Classification Enhancements: file classifications can be used in authorization decisions; continuous automatic classification; automatic RMS encryption based on classification
Central Access and Audit Policies: central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance: allow users to request access; provide detailed troubleshooting info to admins
14
Scenario: Validate and Monitor
Implement controls for PCI-DSS (diagram):
IT Pro: create a baseline for PCI-DSS (import & customize); classify & apply policies; apply the baseline to all file servers
IT Pro: export baseline reports
Auditor / Compliance Manager: validate and monitor
15
Expression-based access rules
Active Directory Domain Services:
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
File server:
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy: for access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.
16
Central access policy workflow
Active Directory Domain Services: create claim definitions; create file property definitions; create central access policy
Group Policy: send central access policies to file servers
File server: apply access policy to the shared folder; identify information
User’s computer: user tries to access information
Decision (diagram labels): the claim definitions and file property definitions from Active Directory Domain Services, the user, and the audit policy on the file server feed the allow-or-deny decision
17
Demo Let’s have a look…
18
Domain Requirements
19
Domain Requirements: the normal scenarios!
The file server with the protected data must be running Windows Server 2012.
There must be at least one Windows Server 2012 Domain Controller.
Windows 8 is required if you want to use attributes of the computer object to define the protection.
Note that you do not have to raise the Forest or Domain Functional Level to Server 2012, so you can still use Server 2008 Domain Controllers.
20
Domain Requirements
User domain must not contain any 2003 DCs (or earlier servers)
File server domain must not contain any 2003 DCs (or earlier servers)
In cross-forest scenarios, root domains must have 2012 controllers
Enable KDC support for claims, compound authentication, and Kerberos armoring
Enable claims, compound authentication for Dynamic Access Control and Kerberos armoring
Does not require Windows 8 clients – but they are required for device-based claims
21
Incrementally add capabilities
Current infrastructure
Windows Server 2012 file servers: access and audit policies based on security groups and file tagging
Windows Server 2012 DCs: centrally defined access and audit policies; user claims can be used by access and audit policies
Windows 8 clients: add device claims to access and audit policies; better access-denied experience
22
Demo Prepare Domain for Claims
23
Understanding Claims & Property Definitions
24
Identify and classify information
Trigger: create or modify a file
Classification sources: location; in-box content classifier; manual; third-party classification plug-in; contextual; application
Steps: determine classification, then save classification
25
Resource claims build on users and groups
Example token for redmond\jsmith (SID):
Groups: MktgFTE (SID); RemoteAccess (SID); High-PII (SID)
Claims: “Department” (Dept_, String) = “Mktg”; “Country” (Country_, String) = “US”
Claims are derived from property values and issued as part of the token received at logon
Consumed during authorization events
Viewed using “whoami /claims” from the command line
26
User and Device Claims
Pre-2012: security principals only
Restricted to making policy decisions based on the user’s group memberships
Shadow groups are often created to reflect existing attributes as groups
Groups have rules around who can be members of which types of groups
No way to transform groups across AD trust boundaries
No way to control access based on characteristics of the user’s device
Windows Server 2012: security principals, user claims, device claims
Selected AD user/computer attributes are included in the security token
Claims can be used directly in file server permissions
Claims are consistently issued to all users in a forest
Claims can be transformed across trust boundaries
Enables newer types of policies that weren’t possible before, for example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
27
Demo Create Claim Types
28
Demo (End) Create Claim Types

# Claim type sourced from the computer object's operatingSystem attribute, with suggested values.
# The -SuggestedValues parameter name is reconstructed: the transcript kept only its argument list.
New-ADClaimType -Description:"Operating-System" -DisplayName:"operatingSystem" `
    -IsSingleValued:$true -PassThru:$true -Server:"DC2.Krogh-test.dk" `
    -SourceAttribute:"CN=Operating-System,CN=Schema,CN=Configuration,DC=Krogh-test,DC=dk" `
    -SuggestedValues:@(
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Windows 8.1 Enterprise", "Windows 8.1 Enterprise", "Windows 8.1 Enterprise")),
        (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Windows 8.0 Enterprise", "Windows 8.0 Enterprise", ""))
    )

# Claim type sourced from the computer object's dNSHostName attribute.
New-ADClaimType -Description:"DNS-Host-Name" -DisplayName:"dNSHostName" `
    -IsSingleValued:$true -PassThru:$true -Server:"DC2.Krogh-test.dk" `
    -SourceAttribute:"CN=DNS-Host-Name,CN=Schema,CN=Configuration,DC=Krogh-test,DC=dk"
29
Central access policy workflow
30
Resource Properties
31
Data classification – identifying data
Classify data based on location inheritance
Classify data automatically
Data Classification Toolkit: classify your documents using resource properties stored in Active Directory; automatically classify documents based on document content
32
Baseline Classification Properties
Area | Property | Values
Information Privacy | Personally Identifiable Information | High; Moderate; Low; Public; Not PII
Information Privacy | Protected Health Information | High; Moderate; Low
Information Security | Confidentiality / Required Clearance | Restricted; Internal Use; Public
Legal | Compliancy | SOX; PCI; HIPAA/HITECH; NIST SP ; NIST SP ; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act
Legal | Discoverability | Privileged; Hold
Legal | Immutable | Yes/No
Legal | Intellectual Property | Copyright; Trade Secret; Parent Application Document; Patent Supporting Document
Records Management | Retention | Long-term; Mid-term; Short-term; Indefinite
Records Management | Retention Start Date | <Date Value>
Organizational | Impact |
Organizational | Department | Engineering; Legal; Human Resources …
Organizational | Project | <Project>
Organizational | Personal Use |
33
Demo Create Resource Properties
34
Demo (End) Create Resource Properties

# Enable the two pre-defined resource properties. The transcript showed en-dashes before
# Enabled and Identity; PowerShell only accepts plain hyphens for parameter names.
Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=krogh-test,DC=dk"
Set-ADResourceProperty -Enabled:$true -Identity:"CN=Confidentiality_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=krogh-test,DC=dk"

# Add both properties to the resource property list that the file servers download.
Add-ADResourcePropertyListMember "Krogh-Test Resource Properties" -Members Impact_MS
Add-ADResourcePropertyListMember "Krogh-Test Resource Properties" -Members Confidentiality_MS
35
Central access policy workflow
36
Central Access Policies
37
How Access Check Works
Share security descriptor: share permissions
File/folder security descriptor: permissions plus a central access policy reference
Active Directory (cached in the local registry): cached central access policy definition, which points to the cached central access rules
Access control decision:
1. Access check – share permissions, if applicable
2. Access check – file permissions
3. Access check – every matching central access rule in the central access policy
38
Central Access Rules
Classifications on the file being accessed: Department = Engineering; Sensitivity = High
Rights per permission type, for the columns Engineering FTE | Engineering Vendor | Sales FTE:
Share (Everyone:Full): Full | Full | Full
Central Access Rule 1, Engineering Docs, target Dept=Engineering (Engineering:Modify, Everyone:Read): Modify | Modify | Read
Rule 2, Sensitive Data, target Sensitivity=High (FTE:Modify): Modify | None | Modify
Rule 3, Sales Docs, target Dept=Sales (Sales:Modify): rule ignored – not processed
NTFS (Vendors:Read): Modify | Read | Modify
Effective rights: Modify | None | Read
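The access-check order on the two slides above (share permissions, then NTFS permissions, then every central access rule whose target matches the file's classification, with the most restrictive result winning) as an added model in Python; this is illustration code, not part of the presentation. The scenario values are the slide's table; FTE is expressed as a constructed EmployeeType user claim to show a claim inside an ACE, and the NTFS FTE:Modify entry is an assumption noted in the code.

```python
from dataclasses import dataclass, field

# Permission levels from the slide's effective-rights table, least to most.
LEVELS = ["None", "Read", "Modify", "Full"]

@dataclass
class Principal:
    name: str
    groups: set
    claims: dict = field(default_factory=dict)  # user claims carried in the token

@dataclass
class CentralAccessRule:
    name: str
    resource_condition: object  # callable tested against the file's classification tags
    aces: list                  # allow entries as (matcher, right) pairs

# ACE matchers: test group membership or a user claim value from the token.
def member_of(group):
    return lambda p: group in p.groups

def has_claim(name, value):
    return lambda p: p.claims.get(name) == value

everyone = lambda p: True  # matches any principal

def granted(principal, aces):
    """Highest right any matching allow ACE grants, or "None" if nothing matches."""
    rights = [right for matches, right in aces if matches(principal)]
    return max(rights, key=LEVELS.index) if rights else "None"

def access_check(principal, tags, share_aces, ntfs_aces, policy):
    """Share permissions, then NTFS permissions, then every central access rule
    whose resource condition matches the file's tags (non-matching rules are
    skipped). The effective right is the most restrictive of all checks."""
    checks = [granted(principal, share_aces), granted(principal, ntfs_aces)]
    for rule in policy:
        if rule.resource_condition(tags):
            checks.append(granted(principal, rule.aces))
    return min(checks, key=LEVELS.index)

# Constructed scenario mirroring the slide's table. FTE is modelled as an
# EmployeeType user claim instead of a group to show a claim inside an ACE.
FILE_TAGS = {"Department": "Engineering", "Sensitivity": "High"}
SHARE = [(everyone, "Full")]
# The slide lists only Vendors:Read for NTFS; the FTE:Modify entry is assumed
# here so the NTFS row reproduces the table's Modify / Read / Modify values.
NTFS = [(has_claim("EmployeeType", "FTE"), "Modify"), (member_of("Vendors"), "Read")]
POLICY = [
    CentralAccessRule("Engineering Docs", lambda t: t.get("Department") == "Engineering",
                      [(member_of("Engineering"), "Modify"), (everyone, "Read")]),
    CentralAccessRule("Sensitive Data", lambda t: t.get("Sensitivity") == "High",
                      [(has_claim("EmployeeType", "FTE"), "Modify")]),
    CentralAccessRule("Sales Docs", lambda t: t.get("Department") == "Sales",
                      [(member_of("Sales"), "Modify")]),  # ignored for this file
]
PRINCIPALS = [
    Principal("Engineering FTE", {"Engineering"}, {"EmployeeType": "FTE"}),
    Principal("Engineering Vendor", {"Engineering", "Vendors"}, {"EmployeeType": "Vendor"}),
    Principal("Sales FTE", {"Sales"}, {"EmployeeType": "FTE"}),
]

def effective_rights():
    """Effective right of each principal on the Engineering / High file."""
    return {p.name: access_check(p, FILE_TAGS, SHARE, NTFS, POLICY) for p in PRINCIPALS}
```

Running `effective_rights()` reproduces the slide's bottom row: Modify, None and Read.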
39
Before Dynamic Access Control: Share permissions -> NTFS permissions -> Access control decision -> File access
40
With Dynamic Access Control: Share permissions -> NTFS permissions -> Central access policy -> Access control decision -> File access
41
Demo Create Central Access Rules
42
Central access policies
Characteristics: composed of central access rules; applied to file servers through Group Policy objects; supplement (i.e. do not replace) the native file and folder access control lists of NTFS (New Technology File System)
Defined in Active Directory Domain Services:
Organizational policies: High business impact; Personally identifiable information
Finance department policies: High business impact; Personally identifiable information; Finance
Applied on corporate file servers: the high business impact policy and the personally identifiable information policy to user folders; the Finance policy to Finance folders
43
Demo Add Central Access Rule to Central Access Policy
44
Central access policy workflow
45
Demo Apply Central Access Policies across File servers by using GPOs
46
Central access policy workflow
47
Demo Send central access policies to file servers & Apply access policy to the shared folder
48
Central access policy workflow
49
Central Auditing
50
Audit policy examples
Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business:
Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
Audit all vendors when they try to access documents related to projects that they are not working on:
Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
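The two audit rules above, evaluated against constructed access events in Python as an added example (not code from the presentation); the user claim and resource property values and the file paths are made up, and missing claims are treated as empty sets, which is this model's simplification.

```python
def _values(v):
    """Normalise a claim or resource property that may be single- or multi-valued to a set."""
    if v is None:
        return set()          # model simplification: a missing claim is an empty set
    return set(v) if isinstance(v, (list, tuple, set)) else {v}

def hbi_without_high_clearance(user, resource):
    """Audit | Everyone | All-Access |
    Resource.BusinessImpact=HBI AND User.SecurityClearance!=High"""
    return resource.get("BusinessImpact") == "HBI" and user.get("SecurityClearance") != "High"

def vendor_outside_own_projects(user, resource):
    """Audit | Everyone | All-Access |
    User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project"""
    return (user.get("EmploymentStatus") == "Vendor"
            and not (_values(user.get("Project")) & _values(resource.get("Project"))))

AUDIT_RULES = {
    "HBI access without high clearance": hbi_without_high_clearance,
    "Vendor outside own projects": vendor_outside_own_projects,
}

def matching_audit_rules(user, resource):
    """Names of the central audit rules whose condition holds for this access."""
    return [name for name, cond in AUDIT_RULES.items() if cond(user, resource)]

# Constructed access events: (user name, user claims, file path, resource properties).
EVENTS = [
    ("alice", {"SecurityClearance": "High", "EmploymentStatus": "FTE"},
     r"\\fs1\finance\q3-forecast.xlsx", {"BusinessImpact": "HBI"}),
    ("bob", {"SecurityClearance": "Medium", "EmploymentStatus": "FTE"},
     r"\\fs1\finance\q3-forecast.xlsx", {"BusinessImpact": "HBI"}),
    ("carol", {"EmploymentStatus": "Vendor", "Project": "Cosmos"},
     r"\\fs2\projects\cosmos\design.docx", {"BusinessImpact": "LBI", "Project": ["Cosmos"]}),
    ("dave", {"EmploymentStatus": "Vendor", "Project": "Apollo", "SecurityClearance": "Low"},
     r"\\fs2\projects\cosmos\budget.xlsx", {"BusinessImpact": "HBI", "Project": ["Cosmos"]}),
]

def audit_log(events):
    """One (user, file, rule) entry per audit rule that fires for an access event."""
    return [(who, path, rule) for who, claims, path, props in events
            for rule in matching_audit_rules(claims, props)]
```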
51
Demo Configure Auditing
52
Summary
53
Dynamic Access Control
54
Central access policy workflow
55
Comparison: 2 claims vs. 15 locations with 10 departments per location
Old style groups: 150 Location_Department groups + 10 All_Department groups + 15 All_Location groups = 175 groups, plus a script for maintenance
Dynamic Access Control: 2 claims (Location, Department)
56
Using Security Groups to Handle Confidential Data
1. Tag the data by marking the folders that contain confidential data
2. Configure a central access rule that specifies that only specific security groups can access data that is tagged in a specific way
3. Apply a central access policy to the appropriate Windows Server 2012 file servers in your organization
57
Reduce number of security groups
A large number of users, departments and security groups, and thus a large number of access control lists (ACLs)
Complicated if a person moves department / location
Dynamic Access Control can help reduce the workload of IT admins for managing security groups. The steps required for this are:
1. Tag all the folders with the appropriate values, for example department, country and sensitivity.
2. Decide on the combinations of expressions to be used in the Windows ACL. For example, you would use MemberOf(Spain_Security_Group) AND MemberOf(Finance_Security_Group) AND MemberOf(Sensitive_Security_Group) to limit access to the Spanish finance department’s sensitive information.
3. Create specific central access rules with these expressions that target certain security groups and specific folders on the file servers.
58
User groups or Claims
Rule of thumb: you should use user claims (vs. security groups) when:
You want to be able to use conditions such as User.Project = File.Project in your policy, so that you can compress thousands of conditions into a simple expression (avoiding conditions such as File.Project=Cosmos AND User.MemberOf(Cosmos_security_group)).
The user attribute in Active Directory that you are sourcing the user claim from has the appropriate security setting on who or what can set that attribute.
The attribute value in Active Directory has high integrity, and the system that sets this value has operational procedures that take into consideration the use of that value for authorization decisions.
There are no foreseeable changes to the values in the attribute. For example, if the attribute is a department name and these often change due to re-organization, then it is not fit to be used as a user claim.
59
How to proceed?
1. Understand and translate business intent. Example: Archived finance documents should only be read by members of the Finance department. Members of the Finance department should only be able to access documents in their own country. Only Finance Administrators should have write access. An exception will be allowed for members of the FinanceException group; this group will have read access.
2. Express the access policy in Windows Server 2012 constructs:
Applicability: a condition that defines which data the policy applies to (example: Resource.BusinessImpact=High)
Access conditions: a list of one or more access control entries (ACEs) that define who can access the data (example: Allow | Full Control | User.EmployeeType=FTE)
Exception: an additional list of one or more ACEs that define an exception to the policy (example: MemberOf(HBIExceptionGroup))
3. Determine the user groups, resource properties and claim types. In this step, the expressions that were created for the policies are broken down and analyzed to figure out what resource properties, security groups and potential user claims need to be created to deploy the specific policies.
4. Determine the servers where this policy should be applied. Decide which file servers you want to deploy the access policies you have decided on to. For example, you can have a finance access policy that you want to roll out only to the finance file servers.
60
Evaluation
Evaluation scale: 1 = Very bad; 2 = Bad; 3 = Relevant; 4 = Good; 5 = Very Good!
Questions: Speaker performance; Relevance according to your work; Match of technical level according to published level; Comments
Create a text message on your phone and send it to 1919 with the content: session code, performance (1 to 5), relevance (1 to 5), match of technical level (1 to 5), comments (optional). Example: “DA319 5 5 5 I liked it a lot”
61
Thank you © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.