Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Access Control Deep Dive Siddharth Bhai Program Manager, Active Directory Microsoft Corporation Matthias Wollnik Program Manager, File Server Microsoft.

Published byIndia Monty Modified over 9 years ago

Similar presentations

Presentation on theme: "Dynamic Access Control Deep Dive Siddharth Bhai Program Manager, Active Directory Microsoft Corporation Matthias Wollnik Program Manager, File Server Microsoft."— Presentation transcript:

1 Dynamic Access Control Deep Dive Siddharth Bhai Program Manager, Active Directory Microsoft Corporation Matthias Wollnik Program Manager, File Server Microsoft Corporation

2

3

4 User claims User.Department = Finance User.Clearance = High ACCESS POLICY Applies to: @File.Impact = High Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True) Device claims Device.Department = Finance Device.Managed = True Resource properties Resource.Department = Finance Resource.Impact = High AD DS 4 Expression-based access policy File Server

5 User and computer attributes can be used in ACEs User and Device Claims ACEs with conditions, including Boolean logic and relative operators Expression-Based ACEs File classifications can be used in authorization decisions Continuous automatic classification Automatic RMS encryption based on classification Classification Enhancements Central authorization/audit rules defined in AD and applied across multiple file servers Central Access and Audit Policies Allow users to request access Provide detailed troubleshooting info to admins Access Denied Assistance

6 Restricted to making policy decisions based on the user’s group memberships Shadow groups are often created to reflect existing attributes as groups Groups have rules around who can be members of which types of groups No way to transform groups across AD trust boundaries No way to control access based on characteristics of user’s device Pre-2012: Security Principals Only Selected AD user/computer attributes are included in the security token Claims can be used directly in file server permissions Claims are consistently issued to all users in a forest Claims can be transformed across trust boundaries Enables newer types of policies that weren’t possible before: Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True Windows Server 2012: Security Principals, User Claims, Device Claims

7 Led to group bloat Consider 500 projects, 100 countries, 10 divisions 500,000 total groups to represent every combination: ProjectZ UK Engineering Users ProjectZ Canada Engineering Users [etc…] Pre-2012: ’OR’ of groups only ACE conditions allow multiple groups with Boolean logic Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering) 610 groups instead of 500,000 Windows Server 2012: ‘AND’ in expressions 3 User Claims Windows Server 2012: with Central Access Policies

8

9 Resource Property Definitions

10 FCI In-box content classifier 3 rd party classification plugin See modified / created file Save classification

11 Resource Property Definitions FCI In-box content classifier 3 rd party classification plugin See modified / created file Save classification For Security

12 Resource Property Definitions FCI In-box content classifier 3 rd party classification plugin File Management Task See modified / created file Match file to policy Save classification For Security

13 Resource Property Definitions FCI In-box content classifier 3 rd party classification plugin File Management Task See modified / created file Save classification For Security Match file to policy

14 Classification demo

15 CA Technologies Content-Aware Identity & Access Management Control identity, control access and control information CA DataMinder discovers, classifies and controls information Controls Collaboration & File Sharing Environments SharePoint 2010 – March 2012 Windows Server 2012 Dynamic Access Control – July 2012 Delivers precise & fine-grained access control Copyright © 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.

16 Partner video Strong Classification - with CA Dataminder

17 Supercharge DAC with automated file classification Enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification Deeply integrated with Windows Server 2012. dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at www.dynamic-access-control.com A leader in automatic file classification

18 Partner video Strong Classification - with Dataglobal

19 Share PermissionsNTFS Permissions Access Control Decision File Access

20 Share PermissionsNTFS PermissionsCentral Access Policy Access Control Decision File Access

21 File/Folder Security Descriptor Central Access Policy Reference NTFS Permissions Active Directory (cached in local Registry) Cached Central Access Policy Definition Access Control Decision: 1)Access Check – Share permissions if applicable 2)Access Check – File permissions 3)Access Check – Every matching Central Access Rule in Central Access Policy Share Security Descriptor Share Permissions Cached Central Access Rule

22 Demo Central Access Policies

23 Permission TypeTarget FilesPermissionsEngineering FTE Engineering Vendor Sales FTE ShareEveryone:Full Central Access Rule 1: Engineering Docs Dept=EngineeringEngineering:Modify Everyone: Read Rule 2: Sensitive DataSensitivity=HighFTE:Modify Rule 3: Sales DocsDept=SalesSales:Modify NTFSFTE:Modify Vendors:Read Effective Rights: Classifications on File Being Accessed DepartmentEngineering SensitivityHigh Read Full Modify Read Modify None Modify NoneRead [rule ignored – not processed]

24 Rule 4 Rule 1 Rule 3 Rule 2 File Server Policy A Rule 1 Link Rule 2 Link Rule 3 Link Policy B Rule 1 Link Rule 3 Link Policy C Rule 2 Link Rule 4 Link Group Policy Object File Server

25

26 Partner video Who has access to what? - easier with DAC & Jiji Technologies

27 Staging Policies

28 User claims Clearance = High | Med | Low Company = Contoso | Fabrikam User claims Clearance = High | Med | Low Company = Contoso | Fabrikam Resource properties Department = Finance | HR | Engg Impact = High | Med | Low Resource properties Department = Finance | HR | Engg Impact = High | Med | Low Current Central Access policy for high impact data Applies to: @File.Impact = High Allow | Full Control | if @User.Company == Contoso Current Central Access policy for high impact data Applies to: @File.Impact = High Allow | Full Control | if @User.Company == Contoso Staging policy Applies to: @File.Impact = High Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High) Staging policy Applies to: @File.Impact = High Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)

29 Demo Central Access Policies with Staging Policies

30 Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy Subject: Security ID: CONTOSODOM\alice Account Name: alice Account Domain: CONTOSODOM Object: Object Server: Security Object Type: File Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls Current Central Access Policy results: Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;ID;FA;;;BA) Proposed Central Access Policy results that differ from the current Central Access Policy results: Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule” ReadAttributes: NOT Granted by CAR “HBI Rule”

31 Enterprise-wide visibility into server and application health

32

33

34

35 Pre-2012 Token User Account User Groups [other stuff] 2012 Token User Account UserGroups Claims DeviceGroups Claims [other stuff]

36 NT Access Token Contoso\Alice User Groups:…. Claims: Title=SDE Kerberos Ticket Contoso\Alice User Groups:…. Claims: Title=SDE File Server UserContoso DC Ad Admin Enable Domain to issue claims Defines claim types Claim type Display Name Source Suggested values Value type User attempts to login Receives a Kerberos ticket Attempt to access resource

37 User M-TGT Pre-Windows 2012 File Server Contoso DC Pre-Windows 2012

38 User M-TGT U-TGT Pre-Windows 2012 File Server Contoso DC Pre-Windows 2012

39 User M-TGT TGS (no claims) U-TGT Pre-Windows 2012 File Server Contoso DC Pre-Windows 2012

40 User M-TGT TGS (no claims) U-TGT Pre-Windows 2012 File Server Contoso DC Pre-Windows 2012 ?

41 File Server UserContoso DC M-TGT TGS (with User Claims) U-TGT

42 File Server UserContoso DC M-TGT TGS (with User Claims) U-TGT ?

43 File Server Pre-Windows 8 User Contoso DC Set Policy to enable claims

44 File Server Contoso DC M-TGT TGS (no claims) U-TGT Pre-Windows 8 User

45 File Server Contoso DC M-TGT TGS (no claims) U-TGT Pre-Windows 8 User

46 File Server Contoso DC M-TGTU-TGT TGS (with User Claims) TGS (no claims) Pre-Windows 8 User ?

47 File Server UserContoso DC M-TGT TGS (User and Device Groups/Claims) U-TGT

48 File Server UserContoso DC M-TGT TGS (User and Device Groups/Claims) U-TGT ?

49 File Server UserContoso DC Other Forest DC Publish Cross- Forest transformation Policy

50 File Server UserContoso DC M-TGT Referral TGT U-TGT Other Forest DC

51 File Server UserContoso DC M-TGT TGS (with claims) U-TGT Referral TGT Other Forest DC

52 File Server UserContoso DC M-TGT TGS (with claims) U-TGT Other Forest DC ?

53 UserContoso DC M-TGT TGS U-TGT ADFS Cloud App

54 UserContoso DC M-TGTU-TGT ADFS Cloud App

55 UserContoso DC M-TGTU-TGT ADFS Cloud App SAML TGS

56 UserContoso DC M-TGT SAML U-TGT ADFS Cloud App ?

57

58

59 First Claim 1 Boolean Claim Adds 242 Bytes User Claims Set 5 Claims: 1 Boolean 1 Integer 2 String – Single Valued Avg Len/value: 12 chars 1 String – Multi Valued Avg Len/value: 12 chars Avg #Values: 6 values Adds 970 Bytes Compound-ID Claims Sets User - 5 Claims: 1 Boolean 1 Integer 2 String – Single Valued Avg Len/value: 12 chars 1 String – Multi Valued Avg Len/value: 12 chars Avg #Values: 6 values Device - 2 Claims: 1 Boolean 1 String – Single Valued Avg Len/value: 12 chars Adds 1374 Bytes of Claims Data + Computer Group’s AuthZ Data Worst-Case Analysis (assumes no compression): Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments. Bytes Before Compression 120user overhead 120device overhead 114per int/bool claim 8per int/bool value 138 per string claim 2 per string character

60 Windows Server 2012 Active Directory Windows Server 2012 File Server End User Microsoft SharePoint 2010 Access Policy ? ?

61 Partner video Using Central Access Policies beyond File Server: Sharepoint

62 Policy AuthorFile Server Active Directory User 1. Author policy & export to AD 2. Convert XACML to SDDL & import 3. Push out imported rules based on group policy 4. Access files 5. Check access based on rules previously defined in APS Axiomatics Policy Server (APS)

63 Partner video Using Central Access Policies beyond Windows: XACML

64 Current infrastructure Windows Server 2012 File Servers Access and Audit Policies based on security groups and file tagging Windows Server 2012 DCs Centrally defined access and audit policies User claims can be used by access and audit policies Windows 8 clients Add device claims to access and audit policies Better access denied experience Partner solutions and line of business applications

65 In Summary…..

66 Reduce group complexity

67 Enable Information Governance on File Servers

68 Implement effective access control

69

70 QnA Email: Siddharth Bhai [sbhai@microsoft.com] Matthias Wollnik[mwollnik@microsoft.com] Ask away!

71 SIA 207 – Windows Server 2012 Dynamic Access Control Overview SIA 341 – Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies SIA 316 – Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT WSV334 – Windows Server 2012 File and Storage Services Management SIA21-HOL – Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012 SIA02-TLC – Windows Server 2012 Active Directory and Dynamic Access Control Find Me Later At…

72 Talk to our Experts at the TLC #TE(sessioncode) DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver Hands-On Labs DOWNLOAD Windows Azure Windowsazure.com/ teched

73 Connect. Share. Discuss. http://northamerica.msteched.com Learning Microsoft Certification & Training Resources www.microsoft.com/learning TechNet Resources for IT Professionals http://microsoft.com/technet Resources for Developers http://microsoft.com/msdn

74 Required Slide Complete an evaluation on CommNet and enter to win!

75 Scan the Tag to evaluate this session now on myTechEd Mobile

76

77

Download ppt "Dynamic Access Control Deep Dive Siddharth Bhai Program Manager, Active Directory Microsoft Corporation Matthias Wollnik Program Manager, File Server Microsoft."

Similar presentations

Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012 Manu Pushpendran Program Manager Microsoft Corporation.

Active Directory Virtualization Safeguards and Domain Controller Cloning with Windows Server 2012 Manu Pushpendran Program Manager Microsoft Corporation.
Windows Server 2012 + Advanced Storage Solutions = Datacenter Elevation Alex Jauch Architect NetApp John Parker Technical Marketing Manager NetApp.

Windows Server Advanced Storage Solutions = Datacenter Elevation Alex Jauch Architect NetApp John Parker Technical Marketing Manager NetApp.
Kevin Donovan Program Manager, Office BI Microsoft Corporation

Kevin Donovan Program Manager, Office BI Microsoft Corporation
? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;

? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.
What’s New in Active Directory in Windows Server 2012 Dean Wells Active Directory Product Group Microsoft SIA312.

What’s New in Active Directory in Windows Server 2012 Dean Wells Active Directory Product Group Microsoft SIA312.
Agenda Customer pain points and how data classification can help Ecosystem Windows Server 2008 R2 for file Classification Infrastructure Demos Customer.

Agenda Customer pain points and how data classification can help Ecosystem Windows Server 2008 R2 for file Classification Infrastructure Demos Customer.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
What's New in Microsoft Deployment Toolkit 2012 Michael Niehaus Senior Program Manager Microsoft Corporation.

What's New in Microsoft Deployment Toolkit 2012 Michael Niehaus Senior Program Manager Microsoft Corporation.
Cloudy Weather: How Secure Is the Cloud? David Aiken Windows Azure Microsoft Corporation.

Cloudy Weather: How Secure Is the Cloud? David Aiken Windows Azure Microsoft Corporation.
Making Entitlements in AD Understandable to the Business Rob de Jong Program Manager Microsoft Corporation SIA314.

Making Entitlements in AD Understandable to the Business Rob de Jong Program Manager Microsoft Corporation SIA314.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Best Practices for Designing and Consolidating Group Policy for Performance and Security Darren Mar-Elia Group Policy MVP, CTO & Founder SDM Software,

Best Practices for Designing and Consolidating Group Policy for Performance and Security Darren Mar-Elia Group Policy MVP, CTO & Founder SDM Software,
What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk.

What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk.
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.
Deep Dive on Active Directory PowerShell Mudassir Ali Software Development Engineer Microsoft Corporation SIA404.

Deep Dive on Active Directory PowerShell Mudassir Ali Software Development Engineer Microsoft Corporation SIA404.
Understanding Active Directory

Understanding Active Directory
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Similar presentations

Ads by Google