
1 11/22/2018 2:11 PM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Using Dynamic Access Control for Compliance and Data Leakage Prevention
Matthias Wollnik, Program Manager, File Server, Microsoft Corporation
AI-B303

3 Topics
Quick introduction of Dynamic Access Control
Understand how things work behind the scenes
See how this work ties in with cutting-edge work in the industry
Agenda: Data Compliance Challenges; Windows Platform Investments; Windows File Server Solution; Putting it Together

4 Dynamic Access Control: In a nutshell
Data Classification: Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
Expression-based auditing: Targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
Expression-based access conditions: Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
Encryption: Automatic RMS encryption based on document classification.

5 Expression-based access rules
Diagram actors: Active Directory Domain Services, File server
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy: For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department.

6 Dynamic Access Control Building Blocks
User and Device Claims: User and computer attributes can be used in ACEs
Expression-Based ACEs: ACEs with conditions, including Boolean logic and relational operators
Classification Enhancements: File classifications can be used in authorization decisions; continuous automatic classification; automatic RMS encryption based on classification
Central Access and Audit Policies: Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance: Allow users to request access; provide detailed troubleshooting info to admins

7 User and Device Claims
Pre-2012: Security Principals Only
Restricted to making policy decisions based on the user's group memberships
Shadow groups are often created to reflect existing attributes as groups
Groups have rules around who can be members of which types of groups
No way to transform groups across AD trust boundaries
No way to control access based on characteristics of the user's device
Windows Server 2012: Security Principals, User Claims, Device Claims
Selected AD user/computer attributes are included in the security token
Claims can be used directly in file server permissions
Claims are consistently issued to all users in a forest
Claims can be transformed across trust boundaries
Enables newer types of policies that weren't possible before. Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

8 Expression-Based ACEs
Pre-2012: 'OR' of groups only
Led to group bloat. Consider 500 projects, 100 countries, 10 divisions: 500,000 total groups to represent every combination (ProjectZ UK Engineering Users, ProjectZ Canada Engineering Users, etc.)
Windows Server 2012: 'AND' in expressions
ACE conditions allow multiple groups with Boolean logic. Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering). 610 groups instead of 500,000
Windows Server 2012 with Central Access Policies: 3 user claims

9 File Classification Infrastructure: What's New (diagram built up over slides 9-14)
A modified or created file is seen by FCI. The in-box content classifier or a 3rd-party classification plugin classifies it against the Resource Property Definitions, and the classification is saved. The saved classification is used for security: a File Management Task matches the file to policy and applies the policy, including RMS encryption.

15 Classification demo (Matthias Wollnik)

16 File Access: the Access Control Decision is based on Share Permissions and NTFS Permissions
17 File Access: the Access Control Decision is based on Share Permissions, NTFS Permissions and the Central Access Policy

18 How Access Check Works
Share security descriptor: Share Permissions
File/Folder security descriptor: NTFS Permissions, plus a Central Access Policy Reference
Active Directory (cached in the local Registry): Cached Central Access Policy Definition, which contains the Cached Central Access Rules
Access Control Decision:
Access Check – Share permissions, if applicable
Access Check – File permissions
Access Check – Every matching Central Access Rule in the Central Access Policy

19 Central Access Policies
Central Access Policies: Demo

20 Central Access Rules
Classifications on the file being accessed: Department = Engineering; Sensitivity = High

Permission Type          | Target Files     | Permissions                       | Engineering FTE | Engineering Vendor | Sales FTE
Share                    |                  | Everyone:Full                     | Full            | Full               | Full
Rule 1: Engineering Docs | Dept=Engineering | Engineering:Modify, Everyone:Read | Modify          | Modify             | Read
Rule 2: Sensitive Data   | Sensitivity=High | FTE:Modify                        | Modify          | None               | Modify
Rule 3: Sales Docs       | Dept=Sales       | Sales:Modify                      | [rule ignored – not processed]
NTFS                     |                  | Vendors:Read                      | Modify          | Read               | Modify
Effective Rights         |                  |                                   | Modify          | None               | Read

21 What will happen when I deploy?
Changing Central Access Policies may have wide impact. Replicating a production environment for test purposes is difficult and expensive. The answer: Staging Policies.

22 Staging policy (diagram actors: Active Directory Domain Services, File server)
User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low
Current Central Access Policy for high-impact data: Applies to Impact = High; Allow | Full Control | if (Company == Contoso)
Staging policy: Applies to Impact = High; Allow | Full Control | if (Company == Contoso) AND (Clearance == High)

23 Central Access Policies with Staging Policies
Central Access Policies with Staging Policies: Demo

24 Sample staging event (4818)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
    Security ID:      CONTOSODOM\alice
    Account Name:     alice
    Account Domain:   CONTOSODOM
Object:
    Object Server:    Security
    Object Type:      File
    Object Name:      C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    Granted by Ownership
        ReadAttributes:  Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:    NOT Granted by CAR “HBI Rule”
        ReadAttributes:  NOT Granted by CAR “HBI Rule”
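The following Python is an added illustration, not code from the deck or from Microsoft. It models the access check of slide 18 (share permissions, then NTFS permissions, then every Central Access Rule whose target condition matches the file, with non-matching rules skipped), reproduces the effective-rights row of the slide 20 table, and then evaluates a current and a proposed policy side by side the way a staging policy (slide 22) and event 4818 do. Rights are simplified to an ordered scale (None, Read, Modify, Full) and deny ACEs are not modelled; the NTFS ACL for the slide 20 table is an assumed one chosen to reproduce its Modify/Read/Modify row, and the principal "alice" with Clearance = Med in the staging scenario is constructed.

```python
"""Simulated Dynamic Access Control access check and staging-policy diff.
Added illustration, not Microsoft's code. Rights form an ordered scale
(None < Read < Modify < Full); deny ACEs are not modelled."""
from dataclasses import dataclass, field

RIGHTS = ["None", "Read", "Modify", "Full"]   # each level includes the earlier ones


def meet(a, b):
    """More restrictive of two rights: the intersection the access check computes."""
    return RIGHTS[min(RIGHTS.index(a), RIGHTS.index(b))]


def join(a, b):
    """More generous of two rights: how allow entries within one ACL accumulate."""
    return RIGHTS[max(RIGHTS.index(a), RIGHTS.index(b))]


@dataclass
class Principal:
    name: str
    groups: set
    claims: dict = field(default_factory=dict)   # user claims, e.g. {"Clearance": "High"}


def acl_grant(acl, who):
    """ACL modelled as {group: right}; entries for the principal's groups accumulate."""
    right = "None"
    for group, granted in acl.items():
        if group == "Everyone" or group in who.groups:
            right = join(right, granted)
    return right


@dataclass
class CentralAccessRule:
    name: str
    applies_to: dict      # resource-property condition, e.g. {"Department": "Engineering"}
    permissions: dict     # {group: right}
    user_condition: dict = field(default_factory=dict)   # claim condition on the allow entry

    def matches(self, resource_props):
        """Does this rule target the file at all? If not, the access check skips it."""
        return all(resource_props.get(k) == v for k, v in self.applies_to.items())

    def grant(self, who):
        # The rule targets the file, but its claim condition fails for this user: grants nothing.
        if any(who.claims.get(k) != v for k, v in self.user_condition.items()):
            return "None"
        return acl_grant(self.permissions, who)


def effective_access(who, resource_props, share_acl, ntfs_acl, policy):
    """Share ACL, then NTFS ACL, then every matching Central Access Rule in the policy."""
    right = meet(acl_grant(share_acl, who), acl_grant(ntfs_acl, who))
    for rule in policy:
        if rule.matches(resource_props):
            right = meet(right, rule.grant(who))
    return right


def staging_diff(who, resource_props, share_acl, ntfs_acl, current, proposed):
    """What event 4818 reports: the proposed policy's result where it differs from the current one."""
    cur = effective_access(who, resource_props, share_acl, ntfs_acl, current)
    new = effective_access(who, resource_props, share_acl, ntfs_acl, proposed)
    return None if cur == new else {"current": cur, "proposed": new}


# Constructed sample data reproducing the slide 20 table.
ENG_FILE = {"Department": "Engineering", "Sensitivity": "High"}
SHARE = {"Everyone": "Full"}
NTFS = {"FTE": "Modify", "Vendors": "Read"}   # assumed ACL yielding the slide's Modify/Read/Modify row
POLICY = [
    CentralAccessRule("Engineering Docs", {"Department": "Engineering"},
                      {"Engineering": "Modify", "Everyone": "Read"}),
    CentralAccessRule("Sensitive Data", {"Sensitivity": "High"}, {"FTE": "Modify"}),
    CentralAccessRule("Sales Docs", {"Department": "Sales"}, {"Sales": "Modify"}),
]
PRINCIPALS = [
    Principal("Engineering FTE", {"Engineering", "FTE"}),
    Principal("Engineering Vendor", {"Engineering", "Vendors"}),
    Principal("Sales FTE", {"Sales", "FTE"}),
]

# Constructed staging scenario in the shape of slide 22 (claims Company and Clearance).
HBI_FILE = {"Impact": "High"}
CURRENT_HBI = [CentralAccessRule("HBI Rule", {"Impact": "High"}, {"Everyone": "Full"},
                                 {"Company": "Contoso"})]
PROPOSED_HBI = [CentralAccessRule("HBI Rule", {"Impact": "High"}, {"Everyone": "Full"},
                                  {"Company": "Contoso", "Clearance": "High"})]
ALICE = Principal("alice", {"Finance"}, {"Company": "Contoso", "Clearance": "Med"})


def run_demo():
    """Effective rights for the slide 20 principals, and alice's staging difference."""
    table = {p.name: effective_access(p, ENG_FILE, SHARE, NTFS, POLICY) for p in PRINCIPALS}
    diff = staging_diff(ALICE, HBI_FILE, {"Everyone": "Full"}, {"Everyone": "Full"},
                        CURRENT_HBI, PROPOSED_HBI)
    return table, diff


if __name__ == "__main__":
    table, diff = run_demo()
    for name, right in table.items():
        print(f"{name:20s} -> {right}")
    print("staging difference for alice:", diff)
```

Running it prints Modify / None / Read for the three principals, matching the slide's Effective Rights row, and reports that the proposed HBI rule would take alice from Full to None: exactly the kind of gap a staging policy surfaces as event 4818 before the policy is enforced.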

25 Kerberos and The New Token
Dynamic Access Control leverages Kerberos
Windows 8 Kerberos extensions: Compound ID – binds a user to the device so they are authorized as one principal
Domain Controller issues groups and claims: the DC enumerates user claims; claims are delivered in the Kerberos PAC
The NT token has sections: user and device data; claims and groups
Pre-2012 token: User Account, User Groups, [other stuff]
2012 token: User Account, User Groups, Claims, Device, [other stuff]

26 Enabling a domain to issue claims (diagram actors: AD Admin, User, Contoso DC, File Server)
The AD admin enables the domain to issue claims and defines claim types (claim type, display name, source, suggested values, value type)
The user attempts to log in and receives a Kerberos ticket: Contoso\Alice, User Groups: …, Claims: Title=SDE
The user attempts to access a resource; the file server builds an NT access token: Contoso\Alice, User Groups: …, Claims: Title=SDE

27 Kerberos flow in Pre-Windows 2012 (diagram built up over slides 27-30)
Actors: User, Contoso DC, Pre-Windows 2012 File Server. The DC issues the machine TGT (M-TGT) and the user TGT (U-TGT); the user obtains a TGS for the file server with no claims; the file server makes its access decision (shown as ? in the diagram) from that claim-less ticket.
31 Kerberos flow with User Claims (slides 31-32)
Same actors with a Windows Server 2012 file server: after the M-TGT and U-TGT, the DC issues a TGS with user claims, which the file server uses for its access decision (?).
33 Kerberos flow with Pre-Windows 8 Clients (slides 33-36)
Policy is set to enable claims. The pre-Windows 8 client obtains the M-TGT, the U-TGT and a TGS with no claims; the file server then obtains from the Contoso DC a TGS with user claims before making its access decision (?).
37 Kerberos flow with Compound Identity (slides 37-38)
After the M-TGT and U-TGT, the DC issues a TGS with user and device groups/claims, which the file server uses for its access decision (?).
39 Across Forest boundaries (slides 39-42)
Actors: User, Contoso DC, Other Forest DC, File Server. A cross-forest transformation policy is published; the user obtains the M-TGT and U-TGT from the Contoso DC, a referral TGT for the other forest, and from the Other Forest DC a TGS with claims, which the file server uses for its access decision (?).
43 To the Cloud! (slides 43-46)
Actors: User, Contoso DC, ADFS, Cloud App. The user obtains the M-TGT and U-TGT and a TGS for ADFS; ADFS issues a SAML token to the cloud app, which makes its access decision (?).

47 Token/Ticket Bloat: Understanding the problem
Token Bloat: the amount of authorization data in the NT token. How does it manifest? Too many SIDs in the token (upper bound of 1024).
Ticket Bloat: the amount of authorization data sent over the wire. How does it manifest? Authorization data is sent over the network; over time, old group memberships linger and the authorization data adds up. You might see failures in one type of application, which usually indicates the limits for that wire transport have been reached.

48 Impact of Claims: Ticket Bloat and Windows 8 improvements
Claims are authorization data carried over the wire, so initially some increase in ticket sizes is expected.
Windows 8 improvements:
The DC compresses claims before sending them over the wire
The DC compresses certain types of SIDs that weren't compressed before (resource domain SIDs)
MaxTokenSize default increased to 48k
New audit events – the DC starts logging events when ticket sizes exceed a specified value

49 Impact of Claims – Real Numbers
First Claim: 1 Boolean claim adds 242 bytes
User Claims Set: 5 claims (1 Boolean; 1 Integer; 2 String – single valued, avg len/value 12 chars; 1 String – multi valued, avg #values: values) adds 970 bytes
Compound-ID Claims Sets: User – 5 claims (as above); Device – 2 claims: 1 String – single valued, avg len/value 12 chars. Adds 1374 bytes of claims data + the computer group's AuthZ data
Bytes before compression: 120 user overhead; 120 device overhead; 114 per int/bool claim; 8 per int/bool value; 138 per string claim; 2 per string character
Worst-case analysis (assumes no compression) gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
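The following Python is an added illustration, not Microsoft's sizing tool: it turns the slide's per-item byte costs into a worst-case (uncompressed) estimator for the claims data a ticket carries, and checks the estimate against the MaxTokenSize default of 48k mentioned on the previous slide. The claim sets are constructed to reproduce the slide's 242, 970 and 1374-byte figures; two details the slide leaves out are assumed and marked in the code: the multi-valued string claim is given 6 values (the count that yields 970 bytes), and the device set's second claim is taken to be an integer/boolean claim (which yields 1374 bytes).

```python
"""Worst-case (no compression) size of the claims authorization data in a
Kerberos ticket, using the per-item byte costs quoted on the slide.
Added illustration, not Microsoft's sizing tool."""

USER_OVERHEAD = 120      # bytes per user claims section
DEVICE_OVERHEAD = 120    # bytes per device claims section
INTBOOL_CLAIM = 114      # bytes per integer or boolean claim
INTBOOL_VALUE = 8        # bytes per integer or boolean value
STRING_CLAIM = 138       # bytes per string claim
STRING_CHAR = 2          # bytes per character of a string value


def claim_bytes(kind, values):
    """Uncompressed bytes for one claim carrying the given list of values."""
    if kind in ("int", "bool"):
        return INTBOOL_CLAIM + INTBOOL_VALUE * len(values)
    if kind == "string":
        return STRING_CLAIM + STRING_CHAR * sum(len(v) for v in values)
    raise ValueError(f"unknown claim kind {kind!r}")


def section_bytes(claims, overhead):
    """A claims section costs its fixed overhead plus its claims; an absent section costs nothing."""
    if not claims:
        return 0
    return overhead + sum(claim_bytes(kind, values) for kind, values in claims)


def ticket_claims_bytes(user_claims, device_claims=()):
    """Total claims data added to the ticket; compound ID adds a device section."""
    return section_bytes(user_claims, USER_OVERHEAD) + section_bytes(device_claims, DEVICE_OVERHEAD)


def exceeds_budget(existing_authz_bytes, claims_bytes, max_token_size=48 * 1024):
    """True when the existing authorization data plus the added claims pass MaxTokenSize."""
    return existing_authz_bytes + claims_bytes > max_token_size


# Constructed claim sets matching the slide's three scenarios.
S12 = "x" * 12   # a 12-character string value
FIRST_CLAIM = [("bool", [True])]
USER_SET = [
    ("bool", [True]), ("int", [1]),
    ("string", [S12]), ("string", [S12]),
    ("string", [S12] * 6),   # multi-valued; 6 values is assumed (slide omits the count) and gives 970
]
DEVICE_SET = [("bool", [True]), ("string", [S12])]   # second device claim assumed int/bool; gives 1374


def slide_figures():
    """The three totals the slide quotes, recomputed from the per-item costs."""
    return {
        "first_claim": ticket_claims_bytes(FIRST_CLAIM),
        "user_set": ticket_claims_bytes(USER_SET),
        "compound_id": ticket_claims_bytes(USER_SET, DEVICE_SET),
    }


if __name__ == "__main__":
    for name, size in slide_figures().items():
        print(f"{name:12s} {size:5d} bytes")
    compound = ticket_claims_bytes(USER_SET, DEVICE_SET)
    print("over 48k with 47,000 bytes of existing authz data:", exceeds_budget(47_000, compound))
```

Because every figure is an upper bound (the DC compresses claims on the wire), an estimate that stays under budget here will also stay under it in practice; the useful check is the opposite direction, where an account that already carries a large group list sits close to MaxTokenSize before any claims are added.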

50 Incrementally add capabilities
Current infrastructure
Windows Server 2012 File Servers: Access and Audit Policies based on security groups and file tagging
Windows Server 2012 DCs: Centrally defined access and audit policies; user claims can be used by access and audit policies
Windows 8 clients: Add device claims to access and audit policies; better access denied experience
Partner solutions and line of business applications

51 In Summary…..

52 Reduce group complexity

53 Enable Information Governance on File Servers

54 Implement effective access control

55 We want to hear from you! Evaluation
Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

56 Resources
Access MMS Online to view session recordings after the event.

57 © 2013 Microsoft Corporation. All rights reserved.

