Presentation is loading. Please wait.

Presentation is loading. Please wait.

What is new in security in Windows 2012 or Dynamic Access Control Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security.

Published byGeorgiana Palmer Modified over 9 years ago

Similar presentations

Presentation on theme: "What is new in security in Windows 2012 or Dynamic Access Control Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security."— Presentation transcript:

1 What is new in security in Windows 2012 or Dynamic Access Control Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7 ondrej@sevecek.com | www.sevecek.com |

2 Revolution? Evolution

3 Access Control Lists (ACEs) –and NTFS File Server Resource Manager (FSRM) –and simple file classification Active Directory (AD) integrated classification –and NTFS rules with term conditions Automatic file classification with FSRM Kerberos Claims –and user attributes Kerberos CompoundId –and computer attributes Central AD defined NTFS access rules –and their enforcement with FSRM

4 Evolution FeatureServerClientSchema 2012 / DFL / FFL And logic ACLWindows 2012-- FSRM automatic classification Windows 2012 FSRM -- AD integrated classification terms Windows 2012 FSRM -schema 2012 FFL 2003 AD integrated NTFS access rules Windows 2012 FSRM -schema 2012 FFL 2003 User claimsWindows 2012-one Windows 2012 DC Computer claimsWindows 2012Windows 8 Windows 2012 local Windows 2012 DC

5 Claims, Terms, Classifications, Metadata They are just the same thing

6 Access Control Lists What is New in Security in Windows 2012

7 Until Windows 2012 Sorted in order –DENY is not always stronger Has OR logic –shadow groups –combined "AND" groups

8 Group Limits Access Token –1024 SIDs Kerberos ticket –12 kB by default –global group = 8 B –domain local group / foreign universal groups = 40 B 260 max

9 Disk Classic flow of access control NTFS Permissions Access this Computer from Network Authentication Folder Quotas Volume Quotas Windows Firewall TCP 445 Kerberos NTLM Path Owner Allow Logon Locally Authentication Kerberos NTLM Access Token UAC Restricted Access Token Sharing Permissions Allowed to Authenticate?

10 New in Windows 2012 AND logic possible Extendable with claims –FSRM file claims –user claims –device (computer) claims Requires domain membership –Windows 8, Windows 2012

11 Disk New flow of access control NTFS Permissions Access this Computer from Network Authentication Folder Quotas Volume Quotas Windows Firewall TCP 445 Kerberos NTLM Path Owner Allow Logon Locally Authentication Kerberos NTLM Access Token UAC Restricted Access Token Sharing Permissions Allowed to Authenticate? Condition ACEs

12 File Classification What is New in Security in Windows 2012

13 File Server Resource Manager (FSRM) Manual File Classification Automatic File Classification –file name wildcard –folder path –words and/or regular expressions –PowerShell code Locally vs. AD defined terms Adds file metadata –alternative NTFS streams

14 File claims and ACL File claims can be used in the new ACE conditions –only AD based file terms

15 AD defined file claims Requires Windows 2012 schema extension Requires Windows 2003 forest functional level –do not require any Windows 2012 DC –some editor like ADSI Edit or Windows 2012 ADAC Must be uploaded to FSRM servers manually

16 Kerberos Claims What is New in Security in Windows 2012

17 Kerberos ticket until Windows 2012 KDC User identity –login –SID Additional SIDs –groups –SID history

18 Good old Kerberos Client XP DC 2003 Server TGT

19 Good old Kerberos Client XP DC 2003 Server TGT TGS SIDs

20 What is new in Kerberos tickets with Windows 2012 KDC User identity –login –SID Additional SIDs –groups –SID history User claims –AD attributes in Kerberos TGT tickets

21 Requirements At least single Windows 2012 DC (KDC) Tickets are extendable If client does not understand the extension, it simple ignores its contents If server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)

22 Good old Kerberos supports claims as well Client XP DC 2003 Server 2012 TGT TGS DC 2012 Claims SIDs

23 Brand new Kerberos with Windows 2012 KDC Client XP DC 2012 Server 2012 TGTUser Claims

24 Brand new Kerberos with Windows 2012 KDC Client XP DC 2012 Server 2012 TGT TGS SIDs User Claims SIDs User Claims

25 What is new in Kerberos with DFL 2012 User identity –login –SID Additional SIDs –groups –SID history User claims –AD attributes in Kerberos TGT tickets Device claims –AD attributes of computers –Compound ID in Kerberos TGT tickets

26 Kerberos Compound ID with device claims Client 8 DC 2012 Server 2012 TGT Request TGTUser Claims Computer TGT Device Claims

27 Brand new Kerberos with Windows 2012 KDC Client 8 DC 2012 Server 2012 TGT TGS SIDs User Claims Device Claims User Claims Device Claims

28 Requirements At least local Windows 2012 DC (KDC) –better to have 2012 DFL for consistent behavior Clients Windows 8 or Windows 2012 –must ask for TGTs with Compound ID extension Server cannot just obtain device claims because it does not know from what device the user came

29 Central Access Rules What is New in Security in Windows 2012

30 Requirements Windows 2012 schema extension Windows 2003 forest functional level –do not require any Windows 2012 DC –some editor like ADSI Edit or Windows 2012 ADAC Uploaded to FS by using Group Policy

31 Take away What is New in Security in Windows 2012

32 Evolution FeatureServerClientSchema 2012 / DFL / FFL And logic ACLWindows 2012-- FSRM automatic classification Windows 2012 FSRM -- AD integrated classification terms Windows 2012 FSRM -schema 2012 FFL 2003 AD integrated NTFS access rules Windows 2012 FSRM -schema 2012 FFL 2003 User claimsWindows 2012-one Windows 2012 DC Computer claimsWindows 2012Windows 8 Windows 2012 local Windows 2012 DC

33 Thank you! What is New in Security in Windows 2012

Download ppt "What is new in security in Windows 2012 or Dynamic Access Control Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security."

Similar presentations

AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC.

AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Introduction to Active Directory

Introduction to Active Directory
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 

Chapter 5 Managing a Server. Overview  Server management  Examine networking models  Learn how users are authenticated  Manage users and groups 
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Group Accounts; Securing Resources with Permissions

Group Accounts; Securing Resources with Permissions
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Understanding Active Directory

Understanding Active Directory
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW Create and manage file system shares and work with.
Overview of Active Directory Domain Services Lesson 1.

Overview of Active Directory Domain Services Lesson 1.

Similar presentations

Ads by Google