1
Dynamic Access Control
Lukáš Radil
2
This session
Tech Ready 15, 11/8/2018
Agenda:
- Intro to Dynamic Access Control
- Data Classification Toolkit for Windows Server and 2012 R2
- Customer and Microsoft IT solution examples
Objectives:
- Understand Dynamic Access Control capabilities built into Windows Server
- Understand how to leverage Dynamic Access Control for compliance and DLP
- Learn about the technologies in action
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
3
Data management landscape
Chairwoman of the ÚOOÚ, JUDr. Ivana Janů
Figure labels:
- Growth of users and data
- Budget constraints
- Distributed computing
- Business compliance
4
Different views of data management
- CSO/CIO department: “I need to have the right controls to keep my job”
- Infrastructure Support: “I don’t know what data is in my repositories and how to control it”
- Content Owner: “Is my important data appropriately protected and compliant with regulations?”
- Information Worker: “I don’t know if I am complying with my organization’s policies”
5
Concepts
- Data Classification: Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
- Expression based access conditions: Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
- Expression based auditing: Targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
- Encryption: Automatic RMS encryption based on document classification.
6
Data classification – identifying data
- Classify data based on location inheritance
- Classify data automatically
- Data Classification Toolkit
Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
7
Demo: Data classification
8
Automatic Rights Management encryption
- Automatically protect your sensitive information
- Adhere to compliance regulations that require data encryption
- Integrated with Windows Server 2012 R2 Work Folders
- Use RMS on-prem or RMS online
Automatic RMS encryption based on document classification.
9
Demo: Automatic RMS protection
10
Baseline Classification Properties
Area                  | Property                            | Values
Information Privacy   | Personally Identifiable Information | High; Moderate; Low; Public; Not PII
Information Privacy   | Protected Health Information        | High; Moderate; Low
Information Security  | Confidentiality; Required Clearance | Restricted; Internal Use; Public
Legal                 | Compliancy                          | SOX; PCI; HIPAA/HITECH; NIST SP ; NIST SP ; U.S.-EU Safe Harbor Framework; GLBA; ITAR; PIPEDA; EU Data Protection Directive; Japanese Personal Information Privacy Act
Legal                 | Discoverability                     | Privileged; Hold
Legal                 | Immutable                           | Yes/No
Legal                 | Intellectual Property               | Copyright; Trade Secret; Patent Application Document; Patent Supporting Document
Records Management    | Retention                           | Long-term; Mid-term; Short-term; Indefinite
Records Management    | Retention Start Date                | <Date Value>
Organizational Impact | Department                          | Engineering; Legal; Human Resources; …
Organizational Impact | Project                             | <Project>
Organizational Impact | Personal Use                        |
11
Multi server deployment using the Data Classification Toolkit
Diagram: Data Classification Toolkit workflow in a hybrid environment. Components: OOB knowledge, domain controller (Active Directory), staging file server, production file servers (Windows 2008 R2, Windows 2012, Windows 2012 R2), management client, DCT database; scale is measured in number of file servers. Steps: 1. Import, 2. Export, 3. Deploy, 4. Report (collect).
12
Expression based access control
Expression based access conditions
- Manage fewer security groups by using conditional expressions
- Use resource classification and user and device claims in access conditions
Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
13
Expression based access control
Expression based access conditions
- Manage fewer security groups by using conditional expressions
Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
Group explosion example: 50 country groups, × 20 branches = 1,000 groups, × 100 customers = 100,000 groups! With conditional expressions the same access needs only 170 groups (50 + 20 + 100), combined in a condition such as:
MemberOf(US) AND MemberOf(Seattle_Branch) AND MemberOf(Contoso_Customer)
14
Central access policies
Diagram: AD DS issues the claims; the file server evaluates them together with the resource properties.
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy: Applies = High; Allow | Read, Write | if … AND … == True
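An added example, not code from the presentation or from Microsoft: a small Python model of the access check on this slide, which also covers the group-explosion comparison from slide 13. Claim and property names follow the slides; the evaluator itself is an assumption that mirrors the documented DAC semantics: a central access rule targets resources by property, its condition is AND-ed over user and device claims, a missing claim fails closed, and the policy result is intersected with the NTFS permissions, so a CAP can only narrow access.

```python
# Added example, not Microsoft's code: model of a Central Access Policy check.
from dataclasses import dataclass, field

READ, WRITE = "Read", "Write"

@dataclass
class Claims:
    """AD DS claims of a user or device, or the properties of a resource."""
    values: dict = field(default_factory=dict)

    def get(self, name):
        return self.values.get(name)  # None when the claim/property is absent

@dataclass
class CentralAccessRule:
    name: str
    applies_to: object  # resource -> bool, the rule's targeting condition
    grant: dict         # permission -> condition(user, device, resource)

def cap_allows(rules, user, device, resource, perm):
    """CAP result for one permission: union of the applicable rules' grants.
    If no rule targets the resource the CAP imposes no restriction."""
    applicable = [r for r in rules if r.applies_to(resource)]
    if not applicable:
        return True
    return any(r.grant.get(perm, lambda u, d, s: False)(user, device, resource)
               for r in applicable)

def effective_access(ntfs_perms, rules, user, device, resource, perm):
    """Effective access = NTFS ACL AND CAP: a policy can only narrow access."""
    return perm in ntfs_perms and cap_allows(rules, user, device, resource, perm)

def department_match_on_managed_device(user, device, resource):
    """Slide 14: User.Department == Resource.Department AND Device.Managed == True.
    A user without a Department claim fails closed (None never matches)."""
    dept = user.get("Department")
    return (dept is not None and dept == resource.get("Department")
            and device.get("Managed") is True)

# The slide's rule: targets resources with Impact = High and grants Read and
# Write only while the condition above holds.
HIGH_IMPACT_RULE = CentralAccessRule(
    name="High impact data",
    applies_to=lambda res: res.get("Impact") == "High",
    grant={READ: department_match_on_managed_device,
           WRITE: department_match_on_managed_device},
)

def groups_needed(countries=50, branches=20, customers=100):
    """Slide 13: one static group per combination vs one group per attribute."""
    return countries * branches * customers, countries + branches + customers
```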
15
FAQ for expression based policies
- Which client devices are supported?
- Do I need to upgrade all my DCs to Server 2012+?
- User claims vs. groups – when to use what?
- What are the requirements to use device claims?
- Do I need to worry about Kerberos token size?
- Do I need to worry about performance?
- What’s the ADFS story?
16
Demo: Central access policies
17
Customer Solution Example
Department of Defense
18
Customer Active Directory Environment
Diagram: two Active Directory forests, a user accounts forest and a resources forest, each with a domain controller (Active Directory), linked by Active Directory trusts with selective authentication. Clients in the user forest access user data shares (COI1, COI2, COI3) hosted on a Windows 2012 file server with Access Based Enumeration.
19
Customer DAC Scenario – Current (AD Groups)
- 1 Central Access Policy (CAP): “Community of Interest Shares”
- 2 file rules: all files with COI classification; all files with no classification
- 1 resource property definition: “COI”
Diagram: Central Access Policy “Community of Interest Shares” containing Files Rule 1, Files Rule 2 and Files Rule 3, backed by the resource property definition “COI”.
Customer defined access policy: for access to COI information, a user must be a member of the COI for which the data is classified. If data is not classified, only the Owner, Administrators, and SYSTEM have Full Control.
20
File Classification Infrastructure
21
FCI Deployment overview
Large file server infrastructure
- Over 540 terabytes of data stored across 86 file servers
- Expected growth of 15% over FY15 to 620 TB
Challenges
- No automated data file classification existed (manual only)
- High Business Impact (HBI) data and Personally Identifiable Information (PII) was at risk
MSIT requirements
- Classify all files suspected of containing HBI or PII, setting the “Impact_MS” file property to “high”
- Encrypt files classified as High impact with the Rights Management template “Microsoft – All”
- Notify users of HBI content found and advise on corporate policies
Deployment scope
- Windows 2012 production file servers used for the DataBox program, which provides File History and IntelliMirror services to store and sync employee working documents and settings
© 2014 Microsoft Corporation. All rights reserved.
22
Approach & planning
Develop baseline configuration
- Configured primary file server manually to establish baseline configuration
- Conducted extensive testing of classification rules and FCI configuration settings
- Exported final configuration to production file servers using the Data Classification Toolkit (DCT)
Deployment testing
- Deployed “baseline” FCI configuration to 23 production file servers built with Server 2012 & 2012 R2
- Analyzed results from daily scans, evaluating rule accuracy & effectiveness
- Refined rules and FCI configuration based on scanning results over a 15 week period
- Analyzed FCI audit logs and FSRM Storage Reports by File Property
Deployment results analysis
- Built an automated Excel pivot combining results from all servers’ FCI .csv audit log files
- Conducted user “litmus” testing based on HBI detection results
- Pivot reports used to validate appropriate policy adherence for the “top 10” users
23
Deployment results achieved
Final scope at conclusion
- Deployed to 23 file servers with >85 terabytes of employee documents
- Scanned >80M files across 26K users on a weekly basis
Detection rate statistics
- HBI: rates ranged from 0.24% to …%, average 1.03% for 702,373 detections
- PII: rates ranged from 0.002% to 2.91%, average 0.32% for 220,373 detections
FCI scanning performance
- Scanned, classified and encrypted 26 to 45 MB/sec, average of 36 MB/sec
- Scanned, classified and encrypted 1440 to 2470 files/min, average of >2000 files/min
Results comparison to competing solution
- Competing solution scans and encrypts ~54 files/min, 40x slower than FCI, and has no file classification capability
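An added example, not code from the presentation or from Microsoft's File Classification Infrastructure: a Python model of the MSIT pipeline described on slides 21 to 23 (classify files suspected of holding HBI or PII, set Impact_MS to high, queue those files for RMS protection with the named template, notify their owners, and compute the detection rate the results slide reports). The content patterns, the sample files and the aggregation rule (an ordered-list property keeps the highest value and a later scan never lowers it) are assumptions.

```python
# Added example, not Microsoft's FCI code: models the MSIT pipeline on these
# slides. Patterns, sample files and the "highest value wins" rule are assumed.
import re

IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}   # ordered-list property
RMS_TEMPLATE = "Microsoft - All"                        # template named on the slide

# Constructed content rules: (name, pattern, Impact_MS value the rule sets)
RULES = [
    ("PII-SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    ("HBI-marker", re.compile(r"\bHBI\b|\bConfidential\b", re.I), "high"),
    ("Internal", re.compile(r"\bInternal Use Only\b", re.I), "moderate"),
]

def classify(content, existing=None):
    """Run every rule; an ordered-list property keeps the highest value, and a
    value already on the file is never lowered by a later scan."""
    values = [v for _, rx, v in RULES if rx.search(content)]
    if existing:
        values.append(existing)
    return max(values, key=IMPACT_ORDER.get) if values else None

def scan(files):
    """files: {path: (owner, content)} -> (properties per file, RMS protect
    queue, owners to notify), mirroring the three MSIT requirements."""
    props, protect, notify = {}, [], set()
    for path, (owner, content) in files.items():
        impact = classify(content)
        if impact:
            props[path] = {"Impact_MS": impact}
        if impact == "high":
            protect.append((path, RMS_TEMPLATE))
            notify.add(owner)
    return props, protect, sorted(notify)

def detection_rate(props, total_files):
    """Percentage of scanned files classified Impact_MS = high (the HBI rate)."""
    hits = sum(1 for p in props.values() if p["Impact_MS"] == "high")
    return round(100.0 * hits / total_files, 2) if total_files else 0.0

# Constructed sample share (not real data).
SAMPLE_FILES = {
    r"\\srv01\users\alice\notes.txt": ("alice", "Lunch plans for Friday"),
    r"\\srv01\users\bob\hr.docx": ("bob", "Employee SSN 123-45-6789 on file"),
    r"\\srv02\users\carol\plan.docx": ("carol", "Internal Use Only - roadmap"),
    r"\\srv02\users\dave\deal.xlsx": ("dave", "HBI: acquisition terms, Internal Use Only"),
}
def report(files=SAMPLE_FILES):
    props, protect, notify = scan(files)
    return props, protect, notify, detection_rate(props, len(files))
```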
24
Related Resources
- You can install the Data Classification Toolkit from: us/download/details.aspx?id= (use run as Admin). An update to the DCT to support Server 2012 R2 will be released very soon.
- The Microsoft Office 2010 iFilters Pack is available from us/download/details.aspx?id=17062
- iFilters are available for most formats from 3rd party companies. For more information on iFilters, visit [URL missing]
- Learn about RMS Online at [URL missing]
- Address known Server 2012 FCI issues by installing KB : Windows8-RT-KB x64.msu from the MS Download Center: [URL missing]
- […] me if you have questions!!!