Active Directory and Dynamic Access Control Pete Calvert

Presentation on theme: "Active Directory and Dynamic Access Control Pete Calvert"— Presentation transcript:

1 Active Directory and Dynamic Access Control Pete Calvert (@erucsbo)


5 Virtualization That Just Works
   - All Active Directory features work equally well in physical, virtual or mixed environments
  Simplified Deployment of Active Directory
   - Complete integration of environment preparation, role installation and DC promotion into a single UI
   - DCs can be deployed rapidly to ease disaster recovery and workload balancing
   - DCs can be deployed remotely on multiple machines from a single Windows 8 machine
   - Consistent command-line experience through Windows PowerShell enables automation of deployment tasks
  Simplified Management of Active Directory
   - GUI that simplifies complex tasks such as recovering a deleted object or managing password policies
   - Active Directory Windows PowerShell viewer shows the commands for actions performed in the GUI
   - Active Directory Windows PowerShell support for managing replication and topology data
   - Simplified delegation and management of service accounts

6 Agenda: Miscellaneous (Active Directory Platform Changes); Management (Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts)

7 Miscellaneous: Active Directory Platform Changes

8 Dcpromo RIP: the Wizard provides an XML file and a PowerShell command to automate adding the role, and it can be run remotely

9 Create an IFM (Install From Media) seed with NTDSUTIL; IFM seed generation no longer requires an offline defrag (the defrag is still on by default)

10 Adprep can still be run manually if required. Checks are performed at each stage of the Wizard, and any issues are highlighted before the final validation.


14 Miscellaneous: Active Directory Platform Changes

15 Any problems?

16 USN rollback scenario (two DCs, state over time)
  Start: DC1 has DSA-GUID = A, InvocationID = E, highestCommittedUSN = 1000; DC2 has DSA-GUID = B, InvocationID = M, highestCommittedUSN = 3000. DC1's HW vector for DC2 is (M, 3000); DC2's HW vector for DC1 is (E, 1000). A snapshot of DC2 is taken here.
  Later: DC1 (A, E) reaches highestCommittedUSN = 4567; DC2 (B, M) reaches highestCommittedUSN = 5679. DC1's HW vector is (M, 5679); DC2's HW vector is (E, 4567).
  Restore snapshot: DC2 goes back to InvocationID = M, highestCommittedUSN = 3000, HW vector (E, 1000), while DC1 still has highestCommittedUSN = 4567 and HW vector (M, 5679). USN rollback…

17 After the restore: DC1 (A, E, highestCommittedUSN = 4567, HW vector M,5679); DC2 (B, M, highestCommittedUSN = 3000, HW vector E,1000)
  DC2 to DC1: "Send me your changes from 1000." DC1 checks the UTD vectors from DC2 and sends the changes. Replication OK.
  Users are added on DC2; its highestCommittedUSN reaches 3050.
  DC1 to DC2: "Send me your changes from 5679." DC2: "There aren't any!" (3050 is below 5679, so the new users are never sent.) It gets worse! What happens next?

18 DC1 (A, E, highestCommittedUSN = 4567, HW vector M,5679); DC2 (B, M, highestCommittedUSN = 3050, HW vector E,1000)
  DC1 to DC2: "Send me your changes from 5679." DC2: "There aren't any! DC1 appears more up to date than me, that's not right!"
  DC2 then: disables inbound and outbound replication; stops the Netlogon service; writes event log messages (replication log).
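The sequence on slides 16-18, replayed as an added Python model (it is not the presenter's code and not Microsoft's replication code). Each DC keeps only the three pieces of state the slides use: its InvocationID, its highestCommittedUSN, and a high-watermark vector recording the last USN received per partner InvocationID. The check that quarantines the restored DC is the one slide 18 describes: a partner claims to already hold a USN for my current InvocationID that is beyond what I have committed. The DC names, change counts and the quarantine actions are constructed from the slides; the comparison is keyed on the InvocationID because a supported restore assigns the DC a new one, so only an unsupported rollback produces this mismatch.

```python
"""Model of the USN rollback scenario on slides 16-18 (added illustration)."""
import copy
from dataclasses import dataclass, field


@dataclass
class DomainController:
    name: str
    dsa_guid: str
    invocation_id: str
    highest_committed_usn: int
    hw_vector: dict = field(default_factory=dict)   # partner InvocationID -> last USN received
    changes: list = field(default_factory=list)     # constructed local change log: (usn, label)
    replication_enabled: bool = True
    netlogon_running: bool = True
    event_log: list = field(default_factory=list)

    def add_objects(self, count, label):
        """Originating writes; each one consumes a USN."""
        for i in range(count):
            self.highest_committed_usn += 1
            self.changes.append((self.highest_committed_usn, f"{label}-{i}"))

    def quarantine(self, reason):
        """Slide 18: isolate the DC and record what happened."""
        self.replication_enabled = False
        self.netlogon_running = False
        self.event_log.append(reason)


def serve_replication_request(source, requester):
    """`requester` asks `source`: "send me your changes from <HW USN>".
    Returns the changes sent. If the requester already holds a USN beyond the
    source's highestCommittedUSN for the source's current InvocationID, the
    source has been rolled back: it quarantines itself and sends nothing."""
    if not source.replication_enabled or not requester.replication_enabled:
        return []
    from_usn = requester.hw_vector.get(source.invocation_id, 0)
    if from_usn > source.highest_committed_usn:
        source.quarantine(f"USN rollback: {requester.name} holds USN {from_usn} for "
                          f"InvocationID {source.invocation_id}, but highestCommittedUSN "
                          f"is {source.highest_committed_usn}")
        return []
    sent = [c for c in source.changes if c[0] > from_usn]
    requester.hw_vector[source.invocation_id] = source.highest_committed_usn
    return sent


def run_scenario():
    """Replays slides 16-18; returns (dc1, dc2, changes DC2 received, changes DC1 received)."""
    dc1 = DomainController("DC1", "A", "E", 1000, {"M": 3000})
    dc2 = DomainController("DC2", "B", "M", 3000, {"E": 1000})
    snapshot = copy.deepcopy(dc2)                 # VM snapshot of DC2 at USN 3000
    dc1.add_objects(4567 - 1000, "dc1")           # DC1 reaches USN 4567
    dc2.add_objects(5679 - 3000, "dc2")           # DC2 reaches USN 5679
    serve_replication_request(dc1, dc2)           # DC2 now records E,4567
    serve_replication_request(dc2, dc1)           # DC1 now records M,5679
    dc2 = snapshot                                # restore: DC2 back to USN 3000, HW vector E,1000
    first = serve_replication_request(dc1, dc2)   # "send me your changes from 1000": replication OK
    dc2.add_objects(50, "user")                   # new users on DC2: USN 3001-3050
    second = serve_replication_request(dc2, dc1)  # "from 5679": DC2 detects the rollback
    return dc1, dc2, first, second


if __name__ == "__main__":
    dc1, dc2, first, second = run_scenario()
    print(len(first), "changes replicated to DC2 after the restore")
    print(len(second), "changes sent to DC1;", dc2.event_log)
```

The first request succeeds because the restored DC2 asks from a USN below DC1's watermark; the second is the one that exposes the rollback, since DC1's vector for InvocationID M is already past DC2's committed USN, and in the model DC2 isolates itself exactly as the slide lists.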


20 Watch this space

21 Miscellaneous: Active Directory Platform Changes


23 DC cloning flow
   - Prerequisites: PDCE on Windows Server 2012; the source DC is a member of the Cloneable Domain Controllers group
   - Check for incompatible components with Get-ADDCCloningExcludedApplicationList; remove incompatible components or declare them as safe
   - Generate DCCloneConfig.XML on the source DC; deploy the XML to the source DC or to a mounted vhd/vhdx copy (can be on removable media)
   - Create the new VM from the copy; if the ID has changed and the XML exists, cloning starts and produces the cloned DC


28 Miscellaneous: Active Directory Platform Changes


32 SID structure: S-1-5-21-1539329446-2123584859-1544097757-5023. The domain subauthority is S-1-5-21-1539329446-2123584859-1544097757; the trailing 5023 is the RID.
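A small SID parser, added here as an illustration (it is not from the deck), that splits the SID on the slide into revision, identifier authority, subauthorities, and for a domain account the domain SID and RID. The well-known RID table is a short subset of the standard Windows values and the 1000 boundary is the standard start of pool-allocated RIDs; neither comes from the slide.

```python
"""Parse a Windows SID string into its parts (slide 32). Added example."""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUBAUTHORITY = 2 ** 32 - 1   # each subauthority is a 32-bit value
NT_AUTHORITY = 5                 # identifier authority of every S-1-5-... SID
# Well-known relative identifiers inside a domain (a subset of the standard values).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(sid):
    """Return a dict describing the SID; raise ValueError on malformed input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or any(s > MAX_SUBAUTHORITY for s in subs):
        raise ValueError(f"invalid SID: {sid!r}")
    info = {"revision": revision, "identifier_authority": authority, "subauthorities": subs}
    # A domain SID is S-1-5-21-<a>-<b>-<c>; an account SID in that domain appends one RID.
    if authority == NT_AUTHORITY and subs[:1] == [21] and len(subs) == 5:
        info["domain_sid"] = f"S-{revision}-{authority}-" + "-".join(map(str, subs[:4]))
        info["rid"] = subs[4]
        info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
        # RIDs below 1000 are reserved for built-in accounts; DCs allocate from 1000 upwards.
        info["from_rid_pool"] = subs[4] >= 1000
    return info


def same_domain(sid_a, sid_b):
    """True when two account SIDs share the same domain subauthority."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return "domain_sid" in a and a["domain_sid"] == b.get("domain_sid")


if __name__ == "__main__":
    print(parse_sid("S-1-5-21-1539329446-2123584859-1544097757-5023"))
```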


47 Agenda: Miscellaneous (Active Directory Platform Changes); Management (Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts)

48 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


52 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


55 Share Permissions + NTFS Permissions -> Access Control Decision -> File Access

56 Share Permissions + NTFS Permissions + Central Access Policy -> Access Control Decision -> File Access


58 Expression-Based ACEs
   - User and computer attributes can be used in ACEs (user and device claims)
   - ACEs with conditions, including Boolean logic and relational operators
  Classification Enhancements
   - File classifications can be used in authorization decisions
   - Continuous automatic classification
   - Automatic RMS encryption based on classification
  Central Access and Audit Policies
   - Central authorization/audit rules defined in AD and applied across multiple file servers
  Access Denied Assistance
   - Allow users to request access
   - Provide detailed troubleshooting info to admins

59 Pre-2012: Security Principals Only
   - Restricted to making policy decisions based on the user's group memberships
   - Shadow groups are often created to reflect existing attributes as groups
   - Groups have rules around who can be members of which types of groups
   - No way to transform groups across AD trust boundaries
   - No way to control access based on characteristics of the user's device
  Windows Server 2012: Security Principals, User Claims, Device Claims
   - Selected AD user/computer attributes are included in the security token
   - Claims can be used directly in file server permissions
   - Claims are consistently issued to all users in a forest
   - Claims can be transformed across trust boundaries
   - Enables newer types of policies that weren't possible before. Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

60 Pre-2012: 'OR' of groups only
   - Led to group bloat. Consider 500 projects, 100 countries, 10 divisions: 500,000 total groups to represent every combination (ProjectZ UK Engineering Users, ProjectZ Canada Engineering Users, etc.)
  Windows Server 2012: 'AND' in expressions
   - ACE conditions allow multiple groups with Boolean logic. Example: Allow Modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
   - 610 groups instead of 500,000
  Windows Server 2012: with Central Access Policies
   - 3 user claims

61 Expression-based access policy
  AD DS: user claims (User.Department = Finance; User.Clearance = High); device claims (Device.Department = Finance; Device.Managed = True); resource properties (Resource.Department = Finance; Resource.Impact = High)
  File Server: ACCESS POLICY - Applies to: @File.Impact = High; Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)


63-67 Classification pipeline (built up across slides 63-67)
   - Resource Property Definitions
   - FCI: the in-box content classifier or a 3rd-party classification plugin sees a modified/created file and saves the classification
   - File Management Task: matches the file to a policy
   - The saved classification is then used for security

68 Inputs to the access control decision
   - File/Folder Security Descriptor: NTFS Permissions + Central Access Policy Reference
   - Share Security Descriptor: Share Permissions
   - Cached Central Access Policy Definition and Cached Central Access Rules (from Active Directory, cached in the local Registry)
  Access Control Decision:
   1) Access Check - Share permissions, if applicable
   2) Access Check - File permissions
   3) Access Check - Every matching Central Access Rule in the Central Access Policy

69 Effective rights example. Classifications on the file being accessed: Department = Engineering, Sensitivity = High

  Permission Type                          | Target Files      | Permissions                         | Engineering FTE | Engineering Vendor | Sales FTE
  Share                                    |                   | Everyone: Full                      | Full            | Full               | Full
  Central Access Rule 1: Engineering Docs  | Dept=Engineering  | Engineering: Modify; Everyone: Read | Modify          | Modify             | Read
  Rule 2: Sensitive Data                   | Sensitivity=High  | FTE: Modify                         | Modify          | None               | Modify
  Rule 3: Sales Docs                       | Dept=Sales        | Sales: Modify                       | [rule ignored - not processed]
  NTFS                                     |                   | FTE: Modify; Vendors: Read          | Modify          | Read               | Modify
  Effective Rights                         |                   |                                     | Modify          | None               | Read

70 Staging Policies

71 User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
  Resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low
  Current Central Access Policy for high impact data - Applies to: @File.Impact = High; Allow | Full Control | if @User.Company == Contoso
  Staging policy - Applies to: @File.Impact = High; Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
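Slides 68-69 give the decision order and the effective-rights table, and slide 71 the staging comparison; here is one added Python model covering both (it is not Windows' AccessCheck and not the presenter's code). Rights are reduced to four generic bits, ACEs and central access rules are plain tuples carrying predicate functions, and the slide-69 share/NTFS ACLs, rules, principals and file classifications as well as the slide-71 claim-based rules are constructed from the slides. effective_rights_table() reproduces the slide's Effective Rights row; staging_changes() reports who would gain or lose rights if the staging policy replaced the current one, which is what the staging audit events are there to reveal before the policy is switched.

```python
"""Model of the file-server access-control decision with Central Access Policies
(slides 56, 59-61, 68-69 and 71). Added example: a simplified model of the
decision order the slides describe, not Windows' AccessCheck code. Rights are
reduced to four generic bits; Windows uses a full access mask."""
from dataclasses import dataclass, field

READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
FULL = READ | WRITE | DELETE | CHANGE_PERMS
MODIFY = READ | WRITE | DELETE
NONE = 0

@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)
    user_claims: dict = field(default_factory=dict)  # e.g. Company, Clearance (device claims would sit beside them)

# An ACE is (mask, condition) with condition(principal, file) -> bool; a central
# access rule is (name, applies_to, aces) with applies_to(file) -> bool.
def everyone(p, f):
    return True

def member_of(group):
    return lambda p, f: group in p.groups

def level_name(mask):
    """Collapse a mask to the permission levels used on slide 69."""
    if mask == FULL:
        return "Full"
    if mask & MODIFY == MODIFY:
        return "Modify"
    return "Read" if mask & READ else "None"

def acl_grants(aces, principal, file):
    """Rights from one ACL: the union of the allow ACEs whose condition holds."""
    mask = NONE
    for ace_mask, condition in aces:
        if condition(principal, file):
            mask |= ace_mask
    return mask

def access_check(principal, file, share_acl, ntfs_acl, policy):
    """Slide 68 order: share permissions, then file permissions, then every
    matching central access rule. Each stage can only take rights away, so the
    effective mask is the AND of all stages."""
    effective = acl_grants(share_acl, principal, file) & acl_grants(ntfs_acl, principal, file)
    for _name, applies_to, aces in policy:
        if applies_to(file):  # otherwise the rule is ignored (not processed)
            effective &= acl_grants(aces, principal, file)
    return effective

# Constructed scenario from slide 69: group-based rules and the effective-rights row.
SHARE_ACL = [(FULL, everyone)]
NTFS_ACL = [(MODIFY, member_of("FTE")), (READ, member_of("Vendors"))]
POLICY_69 = [
    ("Rule 1: Engineering Docs", lambda f: f.get("Department") == "Engineering",
     [(MODIFY, member_of("Engineering")), (READ, everyone)]),
    ("Rule 2: Sensitive Data", lambda f: f.get("Sensitivity") == "High",
     [(MODIFY, member_of("FTE"))]),
    ("Rule 3: Sales Docs", lambda f: f.get("Department") == "Sales",
     [(MODIFY, member_of("Sales"))]),
]
FILE_69 = {"Department": "Engineering", "Sensitivity": "High"}
PRINCIPALS_69 = {
    "Engineering FTE": Principal("eng-fte", {"Engineering", "FTE"}),
    "Engineering Vendor": Principal("eng-vendor", {"Engineering", "Vendors"}),
    "Sales FTE": Principal("sales-fte", {"Sales", "FTE"}),
}

def effective_rights_table():
    """Reproduces the Effective Rights row of slide 69."""
    return {label: level_name(access_check(p, FILE_69, SHARE_ACL, NTFS_ACL, POLICY_69))
            for label, p in PRINCIPALS_69.items()}

# Constructed scenario from slide 71: a claim-based rule tightened in staging.
def contoso(p, f):
    return p.user_claims.get("Company") == "Contoso"

def contoso_cleared(p, f):
    return contoso(p, f) and p.user_claims.get("Clearance") == "High"

CURRENT_71 = [("High impact data", lambda f: f.get("Impact") == "High", [(FULL, contoso)])]
STAGING_71 = [("High impact data", lambda f: f.get("Impact") == "High", [(FULL, contoso_cleared)])]
PRINCIPALS_71 = {
    "Contoso/High": Principal("u1", user_claims={"Company": "Contoso", "Clearance": "High"}),
    "Contoso/Med": Principal("u2", user_claims={"Company": "Contoso", "Clearance": "Med"}),
    "Fabrikam/High": Principal("u3", user_claims={"Company": "Fabrikam", "Clearance": "High"}),
}

def staging_changes(file=None):
    """Who would gain or lose rights if the staging policy replaced the current one.
    Share and NTFS grant Full here so that only the policy decides."""
    file = file or {"Impact": "High"}
    open_acl = [(FULL, everyone)]
    report = {}
    for label, p in PRINCIPALS_71.items():
        before = access_check(p, file, open_acl, open_acl, CURRENT_71)
        after = access_check(p, file, open_acl, open_acl, STAGING_71)
        if before != after:
            report[label] = (level_name(before), level_name(after))
    return report
```

The AND across stages is the whole point of slide 69: the Engineering vendor gets Modify from the share and from Rule 1, yet ends with nothing because Rule 2 grants vendors no rights on high-sensitivity data, and Sales FTE is cut down to Read by Rule 1's Everyone: Read entry.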

72 Enhance (not replace) your current environment: incrementally add capabilities to your existing security settings
   - Deploy Windows Server 2012 File Servers: Central Access and Audit Policies based on security groups and file tagging; automatic Rights Management Services (RMS) encryption
   - Deploy Windows Server 2012 Domain Controllers: add User Claims in Central Access and Audit Policies
   - Deploy Windows 8 Clients: add Device Claims in Central Access and Audit Policies; improved Access Denied Assistance


74 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


78 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


82 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


86 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


88 Protect backend services by setting the service account parameter PrincipalsAllowedToDelegateToAccount. Block cross-forest delegation by setting the netdom trust option /EnableTGTDelegation to "no".

89 User's Kerberos Token (PAC)
  Pre-Windows 8 & Server 2012: the user's group memberships are added to the PAC; authorization is based on group membership
  Windows 8 & Server 2012 (Compound ID): the PAC contains the user's groups and claims + the device's groups and claims; authorization can be based on group membership, user claims and device claims


93 Ticket growth from claims: worst-case analysis (assumes no compression)
  Bytes before compression: 120 user overhead; 120 device overhead; 114 per int/bool claim; 8 per int/bool value; 138 per string claim; 2 per string character
  First claim: 1 Boolean claim adds 242 bytes
  User claims set, 5 claims (1 Boolean; 1 integer; 2 single-valued strings, avg len/value 12 chars; 1 multi-valued string, avg len/value 12 chars, avg 6 values): adds 970 bytes
  Compound-ID claims sets: user, the same 5 claims; device, 2 claims (1 Boolean; 1 single-valued string, avg len/value 12 chars): adds 1374 bytes of claims data + the computer group's AuthZ data
  Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
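The slide's estimate, reproduced as added Python (not the presenter's code). It takes the per-item byte costs from the table above and the three claim sets the slide describes, and returns the 242, 970 and 1374 byte totals, so the arithmetic behind the "no huge spikes" conclusion can be checked or re-run for a different claim set.

```python
"""Worst-case, pre-compression size of the claims data added to a Kerberos
ticket (PAC) by user claims and compound-ID, as on slide 93. Added example;
the byte costs and claim sets are the ones the slide lists."""
from dataclasses import dataclass

# Per-item costs from slide 93 (bytes, before compression).
USER_OVERHEAD = 120     # fixed cost once the user carries any claims
DEVICE_OVERHEAD = 120   # fixed cost once the device carries any claims
INT_BOOL_CLAIM = 114    # per integer or Boolean claim
INT_BOOL_VALUE = 8      # per integer or Boolean value
STRING_CLAIM = 138      # per string claim
STRING_CHAR = 2         # per character of each string value


@dataclass
class Claim:
    kind: str           # "bool", "int" or "string"
    values: int = 1     # number of values; multi-valued claims carry several
    avg_len: int = 0    # average characters per value (strings only)

    def size(self):
        if self.kind in ("bool", "int"):
            return INT_BOOL_CLAIM + INT_BOOL_VALUE * self.values
        if self.kind == "string":
            return STRING_CLAIM + STRING_CHAR * self.avg_len * self.values
        raise ValueError(f"unknown claim kind {self.kind!r}")


def claims_bytes(claims, overhead):
    """Bytes added by one claim set; an empty set adds nothing, not even the overhead."""
    if not claims:
        return 0
    return overhead + sum(c.size() for c in claims)


def ticket_claims_bytes(user_claims=(), device_claims=()):
    """Total claims data: the user set plus, under compound-ID, the device set.
    The computer's own group authorization data is not counted here."""
    return (claims_bytes(user_claims, USER_OVERHEAD)
            + claims_bytes(device_claims, DEVICE_OVERHEAD))


# The three cases the slide works through (constructed from its description).
FIRST_CLAIM = [Claim("bool")]
USER_SET = [Claim("bool"), Claim("int"),
            Claim("string", avg_len=12), Claim("string", avg_len=12),
            Claim("string", values=6, avg_len=12)]
DEVICE_SET = [Claim("bool"), Claim("string", avg_len=12)]


def slide_93_figures():
    """Returns the three totals the slide quotes."""
    return {"first_claim": ticket_claims_bytes(FIRST_CLAIM),
            "user_claims": ticket_claims_bytes(USER_SET),
            "compound_id": ticket_claims_bytes(USER_SET, DEVICE_SET)}


if __name__ == "__main__":
    print(slide_93_figures())
```

These are upper bounds: a PAC that outgrows the client's token buffer breaks authentication, which is why the default MaxTokenSize was raised in Windows 8 and Server 2012 (to 48000 bytes, from 12000), and a quick run of this model with your own claim set tells you how far from that limit the claims alone take you.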

94 Management: Active Directory Replication & Topology Cmdlets; Group Managed Service Accounts


98 Management: Active Directory Replication & Topology Cmdlets


102 In Summary…

103 Leverage new technologies

104 Extend Identity governance reach

105 Implement effective access control


107 http://msdn.microsoft.com/en-au/
    http://www.microsoftvirtualacademy.com/
    http://channel9.msdn.com/Events/TechEd/Australia/2013
    http://technet.microsoft.com/en-au/
