Expression-based access policy
(diagram: AD DS issues the user and device claims; the file server evaluates them against the resource properties of the file being accessed)
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relational operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device
Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before, for example:
  Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Pre-2012: 'OR' of groups only
• Led to group bloat
• Consider 500 projects, 100 countries, 10 divisions
• 500,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc.]
Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow Modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups (500 + 100 + 10) instead of 500,000
Windows Server 2012: with Central Access Policies
• 3 user claims (one per dimension) instead of 610 groups
(diagram: File Classification Infrastructure) Resource Property Definitions are published to the file server. FCI, using the in-box content classifier or a 3rd-party classification plugin, sees each created or modified file and saves its classification. The saved classifications are consumed for security (match file to policy) and by File Management Tasks.
CA DataMinder integrates with Windows Server 2012
CA Technologies Content-Aware Identity & Access Management: control identity, control access and control information. CA DataMinder discovers, classifies and controls information.
Controls collaboration & file-sharing environments: SharePoint 2010 (March 2012); Windows Server 2012 Dynamic Access Control (July 2012)
Delivers precise & fine-grained access control
Supercharge DAC with automated file classification
For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at www.dynamic-access-control.com
A leader in automatic file classification: enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification; deeply integrated with Windows Server 2012.
dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions
Access control decision
Pre-2012: Share Permissions → NTFS Permissions → Access Control Decision
Windows Server 2012: Share Permissions → NTFS Permissions → Central Access Policy → Access Control Decision
(diagram) The share security descriptor holds the share permissions. The file/folder security descriptor holds the NTFS permissions and a Central Access Policy reference. The Central Access Policy definition and its Central Access Rules are defined in Active Directory and cached in the file server's local registry.
Access check (every stage must grant the requested access; the effective right is the most restrictive of the three):
1) Access check – share permissions, if applicable
2) Access check – file (NTFS) permissions
3) Access check – every matching Central Access Rule in the Central Access Policy
Effective rights example. Classifications on the file being accessed: Department=Engineering, Sensitivity=High

Permission type                         | Target files     | Permissions
Share                                   | -                | Everyone: Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify
Central Access Rule 2: Sensitive Data   | Sensitivity=High | Everyone: Read; FTE: Modify
Central Access Rule 3: Sales Docs       | Dept=Sales       | Sales: Modify
NTFS                                    | -                | FTE: Modify; Vendors: Read

Effective rights   | Share | Rule 1 | Rule 2 | Rule 3                         | NTFS   | Effective
Engineering FTE    | Full  | Modify | Modify | [rule ignored – not processed] | Modify | Modify
Engineering Vendor | Full  | Modify | Read   | [rule ignored – not processed] | Read   | Read
Sales FTE          | Full  | None   | Modify | [rule ignored – not processed] | Modify | None
Central Access Policy staging
User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low
Current Central Access Policy for high-impact data
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company == Contoso
Staging (proposed) policy
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
Staging audit event: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
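The three-stage access check from the effective-rights table and the staging comparison from the audit event, modelled in Python. This is an added example, not Microsoft code or output: rights are ordered None < Read < Modify < Full, each stage grants the highest matching allow ACE, and the effective right is the minimum across the share ACL, the NTFS ACL and every Central Access Rule whose resource condition matches the file (a non-matching rule is skipped, as the slide's "rule ignored – not processed"). Deny ACEs are not modelled. The group names and the ACLs reproduce the slide's table; the path \\fs01\eng\spec.docx and the share/NTFS ACLs used for the staging case are constructed for the example.

```python
"""Model of the Windows Server 2012 DAC access check: share permissions, NTFS
permissions, then every matching Central Access Rule; the effective right is the
most restrictive result. Added example, not Microsoft code; names are made up."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# Access levels, ordered so that min() across stages yields the effective right.
NONE, READ, MODIFY, FULL = 0, 1, 2, 3
LEVEL_NAME = {NONE: "None", READ: "Read", MODIFY: "Modify", FULL: "Full"}


@dataclass
class Principal:
    name: str
    groups: FrozenSet[str]
    claims: Dict[str, object]                          # user claims from the token
    device_claims: Dict[str, object] = field(default_factory=dict)


@dataclass
class Resource:
    path: str
    props: Dict[str, str]                              # resource properties (classification)


@dataclass
class Ace:
    """Allow ACE: grants `level` when `cond` holds (group test or claim expression)."""
    level: int
    cond: Callable[[Principal, Resource], bool]


def member_of(group: str):
    return lambda p, r: group in p.groups


def everyone():
    return lambda p, r: True


def evaluate_acl(acl: List[Ace], p: Principal, r: Resource) -> int:
    """Highest level granted by any matching allow ACE (deny ACEs not modelled)."""
    return max((ace.level for ace in acl if ace.cond(p, r)), default=NONE)


@dataclass
class CentralAccessRule:
    name: str
    applies_to: Callable[[Resource], bool]             # the rule's resource condition
    acl: List[Ace]                                     # current permissions
    proposed_acl: Optional[List[Ace]] = None           # staged permissions, if any


def access_check(p, r, share_acl, ntfs_acl, cap, use_proposed=False) -> int:
    """1) share, 2) NTFS, 3) every matching CAR. A rule whose resource condition
    does not match the file is skipped ("rule ignored - not processed")."""
    level = min(evaluate_acl(share_acl, p, r), evaluate_acl(ntfs_acl, p, r))
    for rule in cap:
        if not rule.applies_to(r):
            continue
        acl = rule.proposed_acl if use_proposed and rule.proposed_acl is not None else rule.acl
        level = min(level, evaluate_acl(acl, p, r))
    return level


def staging_diff(p, r, share_acl, ntfs_acl, cap):
    """Staging audit: (current, proposed) level names if they differ, else None."""
    cur = access_check(p, r, share_acl, ntfs_acl, cap)
    prop = access_check(p, r, share_acl, ntfs_acl, cap, use_proposed=True)
    return None if cur == prop else (LEVEL_NAME[cur], LEVEL_NAME[prop])


# --- Scenario 1: the effective-rights table (constructed to match the slide) ---
SHARE = [Ace(FULL, everyone())]
NTFS = [Ace(MODIFY, member_of("FTE")), Ace(READ, member_of("Vendors"))]
CAP = [
    CentralAccessRule("Engineering Docs", lambda r: r.props.get("Department") == "Engineering",
                      [Ace(MODIFY, member_of("Engineering"))]),
    CentralAccessRule("Sensitive Data", lambda r: r.props.get("Sensitivity") == "High",
                      [Ace(READ, everyone()), Ace(MODIFY, member_of("FTE"))]),
    CentralAccessRule("Sales Docs", lambda r: r.props.get("Department") == "Sales",
                      [Ace(MODIFY, member_of("Sales"))]),
]
ENG_DOC = Resource(r"\\fs01\eng\spec.docx",  # hypothetical path
                   {"Department": "Engineering", "Sensitivity": "High"})


def effective(groups) -> str:
    p = Principal("user", frozenset(groups), {})
    return LEVEL_NAME[access_check(p, ENG_DOC, SHARE, NTFS, CAP)]


# --- Scenario 2: staging the "HBI Rule" from the slide's audit event ---
HBI_RULE = CentralAccessRule(
    "HBI Rule", lambda r: r.props.get("Impact") == "High",
    acl=[Ace(FULL, lambda p, r: p.claims.get("Company") == "Contoso")],
    proposed_acl=[Ace(FULL, lambda p, r: p.claims.get("Company") == "Contoso"
                                         and p.claims.get("Clearance") == "High")])
REPORT = Resource(r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls", {"Impact": "High"})


def staging_result(company: str, clearance: str):
    # Share/NTFS grant Full to everyone here so only the CAR decides (assumption).
    alice = Principal("alice", frozenset(), {"Company": company, "Clearance": clearance})
    return staging_diff(alice, REPORT, SHARE, [Ace(FULL, everyone())], [HBI_RULE])


if __name__ == "__main__":
    for groups in (["Engineering", "FTE"], ["Engineering", "Vendors"], ["Sales", "FTE"]):
        print(groups, "->", effective(groups))
    print("staging, Clearance=Med:", staging_result("Contoso", "Med"))
```

Running `staging_result` with different Clearance values shows why the audit event fires for alice: the current rule grants Full Control on Company alone, the proposed rule also requires Clearance == High, so the two results differ and the proposed policy can be corrected before it is enforced. A device-claim condition such as the slide's `@Device.Managed == True` is expressed the same way, as an `Ace` whose `cond` reads `p.device_claims`.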
Enterprise-wide visibility into server and application health
(diagram) Pre-2012 token: User Account, User Groups, [other stuff]
Windows Server 2012 token: User Account, User Groups, User Claims, Device Groups, Device Claims, [other stuff]
User NT Access Token
  Contoso\Alice
  Groups: ....
  Claims: Title=SDE
User Kerberos Ticket
  Contoso\Alice
  Groups: ....
  Claims: Title=SDE
(screenshot) Claim type definition fields: Display Name, Source (AD attribute), Suggested values, Value type
Bytes before compression
  User claims-set overhead: 120
  Device claims-set overhead: 120
  Per int/bool claim: 114
  Per int/bool value: 8
  Per string claim: 138
  Per string character: 2
First claim: 1 Boolean claim adds 242 bytes (120 + 114 + 8)

User claims set – 5 claims:
  1 Boolean
  1 Integer
  2 String, single-valued, avg 12 chars/value
  1 String, multi-valued, avg 12 chars/value, avg 6 values
  Adds 970 bytes

Compound-ID claims sets:
  User – the 5 claims above
  Device – 2 claims: 1 Boolean; 1 String, single-valued, avg 12 chars/value
  Adds 1374 bytes of claims data + the computer groups' AuthZ data

Worst-case analysis (assumes no compression) gives confidence that claims and compound ID should not result in large spikes in ticket sizes in most environments.
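The per-item byte costs above, turned into a small sizing calculator so the estimate can be repeated for a real claims set. This is an added example, not Microsoft code: the constants are the slide's figures, the Claim record and the way multi-valued strings are costed (string-claim overhead once, 2 bytes per character per value) are assumptions that reproduce the slide's 242, 970 and 1374 byte totals.

```python
"""Worst-case (uncompressed) size of the claims data carried in a Kerberos ticket
or access token, using the per-item byte costs from the slide above. Added
example for sizing, not Microsoft code; the Claim layout below is an assumption."""
from dataclasses import dataclass
from typing import List, Optional

USER_SET_OVERHEAD = 120     # bytes, once per user claims set
DEVICE_SET_OVERHEAD = 120   # bytes, once per device claims set (compound ID only)
INT_BOOL_CLAIM = 114        # per integer or Boolean claim
INT_BOOL_VALUE = 8          # per integer or Boolean value
STRING_CLAIM = 138          # per string claim
STRING_CHAR = 2             # per character of every string value


@dataclass
class Claim:
    kind: str                 # "bool", "int" or "string"
    values: int = 1           # multi-valued claims carry several values
    chars_per_value: int = 0  # average string length; unused for bool/int


def claim_bytes(c: Claim) -> int:
    if c.kind in ("bool", "int"):
        return INT_BOOL_CLAIM + INT_BOOL_VALUE * c.values
    if c.kind == "string":
        return STRING_CLAIM + STRING_CHAR * c.chars_per_value * c.values
    raise ValueError(f"unknown claim kind {c.kind!r}")


def claims_set_bytes(claims: List[Claim], set_overhead: int) -> int:
    return set_overhead + sum(claim_bytes(c) for c in claims)


def token_claims_bytes(user: List[Claim], device: Optional[List[Claim]] = None) -> int:
    """Total claims data added to a ticket; the device set is present only with compound ID."""
    total = claims_set_bytes(user, USER_SET_OVERHEAD)
    if device is not None:
        total += claims_set_bytes(device, DEVICE_SET_OVERHEAD)
    return total


# The slide's example claims sets (constructed to match its numbers).
SLIDE_USER = [Claim("bool"), Claim("int"),
              Claim("string", chars_per_value=12), Claim("string", chars_per_value=12),
              Claim("string", values=6, chars_per_value=12)]
SLIDE_DEVICE = [Claim("bool"), Claim("string", chars_per_value=12)]

if __name__ == "__main__":
    print("1 Boolean claim:", token_claims_bytes([Claim("bool")]), "bytes")       # 242
    print("user claims set:", token_claims_bytes(SLIDE_USER), "bytes")            # 970
    print("compound ID:", token_claims_bytes(SLIDE_USER, SLIDE_DEVICE), "bytes")  # 1374
```

The computer groups' authorization data that compound ID also adds is not included, as the slide gives no figure for it; add it separately when checking a ticket against the configured maximum token size.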
(diagram: third-party policy authoring) Access Policy tool → Windows Server 2012 Active Directory → Windows Server 2012 File Server / Microsoft SharePoint 2010 → End User
1. Author policy & export to AD
2. Convert XACML to SDDL & import
3. Push out imported rules based on Group Policy
4. End user accesses files
5. Check access based on rules previously defined in APS
Current infrastructure
Windows Server 2012 File Servers
• Access and audit policies based on security groups and file tagging
Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
Windows 8 clients
• Add device claims to access and audit policies
• Better access-denied experience
Hands-On Labs
DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
DOWNLOAD Windows Azure: windowsazure.com/teched
http://northamerica.msteched.com
www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn