Expression-based access policy

File Server / AD DS

User claims:
  User.Department = Finance
  User.Clearance = High
Device claims:
  Device.Department = Finance
  Device.Managed = True
Resource properties:
  Resource.Department = Finance
  Resource.Impact = High

ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relational operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user’s group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of user’s device
Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren’t possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Pre-2012: ’OR’ of groups only
• Led to group bloat
• Consider 500 projects, 100 countries, 10 divisions
• 500,000 total groups to represent every combination:
• ProjectZ UK Engineering Users
• ProjectZ Canada Engineering Users [etc…]
Windows Server 2012: ‘AND’ in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups instead of 500,000
Windows Server 2012: with Central Access Policies
• 3 User Claims
[Classification pipeline diagram: Resource Property Definitions → 3rd party classification plugin / In-box content classifier → FCI (see modified/created file → save classification → match file to policy) → File Management Task; classification used "For Security"]
[Access control decision diagram]
Share: Security Descriptor → Share Permissions
File/Folder: Security Descriptor → NTFS Permissions, Central Access Policy Reference
Active Directory (cached in local Registry): Cached Central Access Policy Definition → Cached Central Access Rules
Classifications on File Being Accessed

Access Control Decision:
1) Access Check – Share permissions if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in Central Access Policy
Effective rights example (target files: Department = Engineering, Sensitivity = High)

Permission Type                                                      | Engineering FTE | Engineering Vendor | Sales FTE
Share Permissions: Everyone:Full                                     | Full            | Full               | Full
Central Access Rule 1: Engineering Docs (Dept=Engineering)           |                 |                    |
  Engineering:Modify, Everyone:Read                                  | Modify          | Modify             | Read
Rule 2: Sensitive Data (Sensitivity=High) FTE:Modify                 | Modify          | None               | Modify
Rule 3: Sales Docs (Dept=Sales) Sales:Modify                         | [rule ignored – not processed]
NTFS: FTE:Modify, Vendors:Read                                       | Modify          | Read               | Modify
Effective Rights                                                     | Modify          | None               | Read
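The three-stage decision above (share, then NTFS, then every matching Central Access Rule, with the lowest result winning) as an added simulation that is not part of the deck. It models permissions as ordered levels rather than Windows access masks, and the group, rule and file data are constructed to mirror the table.

```python
# Added example (not from the deck): a simplified model of the Windows
# Server 2012 file access decision. Share permissions, NTFS permissions and
# every Central Access Rule whose "applies to" condition matches the file's
# classification each yield an access level; the effective level is the lowest.
LEVELS = ["None", "Read", "Modify", "Full"]   # ordered from least to most access

def applies(rule, resource_props):
    """A rule applies when every property in its target condition matches."""
    return all(resource_props.get(k) == v for k, v in rule["applies_to"].items())

def level_from_aces(aces, principal):
    """Highest level granted by the ACEs whose group matches the principal."""
    best = "None"
    for group, level in aces:
        if group == "Everyone" or group in principal["groups"]:
            if LEVELS.index(level) > LEVELS.index(best):
                best = level
    return best

def access_check(principal, resource_props, share, ntfs, policy):
    """Share check, then file (NTFS) check, then each matching central rule."""
    stages = [level_from_aces(share, principal), level_from_aces(ntfs, principal)]
    for rule in policy:
        if applies(rule, resource_props):          # non-matching rules are skipped
            stages.append(level_from_aces(rule["aces"], principal))
    return min(stages, key=LEVELS.index)

# Constructed data mirroring the deck's effective-rights example.
SHARE = [("Everyone", "Full")]
NTFS = [("FTE", "Modify"), ("Vendors", "Read")]
POLICY = [
    {"name": "Engineering Docs", "applies_to": {"Department": "Engineering"},
     "aces": [("Engineering", "Modify"), ("Everyone", "Read")]},
    {"name": "Sensitive Data", "applies_to": {"Sensitivity": "High"},
     "aces": [("FTE", "Modify")]},
    {"name": "Sales Docs", "applies_to": {"Department": "Sales"},
     "aces": [("Sales", "Modify")]},
]
FILE_PROPS = {"Department": "Engineering", "Sensitivity": "High"}
USERS = {
    "Engineering FTE": {"groups": {"Engineering", "FTE"}},
    "Engineering Vendor": {"groups": {"Engineering", "Vendors"}},
    "Sales FTE": {"groups": {"Sales", "FTE"}},
}

def effective_rights():
    return {name: access_check(p, FILE_PROPS, SHARE, NTFS, POLICY)
            for name, p in USERS.items()}
```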
User claims
Clearance = High | Med | Low
Company = Contoso | Fabrikam
Resource properties
Department = Finance | HR | Engg
Impact = High | Med | Low
Current Central Access policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso
Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID:    CONTOSODOM\alice
  Account Name:   alice
  Account Domain: CONTOSODOM
Object:
  Object Server:  Security
  Object Type:    File
  Object Name:    C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR “HBI Rule”
    ReadAttributes: NOT Granted by CAR “HBI Rule”
Pre-2012 Token: User Account, User Groups, [other stuff]
2012 Token: User Account, User (Groups, Claims), Device (Groups, Claims), [other stuff]
NT Access Token: User Contoso\Alice; Groups: …; Claims: Title=SDE
Kerberos Ticket: Contoso\Alice; User Groups: …; Claims: Title=SDE
Claim type definition: Display Name, Source, Suggested values, Value type
Worst-Case Analysis (assumes no compression):

Bytes Before Compression:
  120  user overhead
  120  device overhead
  114  per int/bool claim
    8  per int/bool value
  138  per string claim
    2  per string character

First Claim: 1 Boolean Claim
  Adds 242 Bytes

User Claims Set: User – 5 Claims:
  • 1 Boolean
  • 1 Integer
  • 2 String – Single Valued (Avg Len/value: 12 chars)
  • 1 String – Multi Valued (Avg Len/value: 12 chars; Avg #Values: 6 values)
  Adds 970 Bytes

Compound-ID Claims Sets: User – 5 Claims (as above) plus Device – 2 Claims:
  • 1 Boolean
  • 1 String – Single Valued (Avg Len/value: 12 chars)
  Adds 1374 Bytes of Claims Data + Computer Group’s AuthZ Data

Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
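The worst-case size model above, as an added calculator that is not part of the deck: it assumes the listed per-claim and per-value costs add linearly on top of the fixed user/device overhead (the reading that reproduces the deck's 242, 970 and 1374-byte totals), and the claim sets are constructed to match the deck's assumptions.

```python
# Added example (not from the deck): worst-case claims-size model built from
# the per-item byte costs the deck lists (no compression). Assumption: costs
# are additive (set overhead + per-claim cost + per-value cost).
COST = {
    "user_overhead": 120, "device_overhead": 120,
    "scalar_claim": 114, "scalar_value": 8,     # per int/bool claim and value
    "string_claim": 138, "string_char": 2,      # per string claim and character
}

def claim_bytes(kind, values):
    """Bytes for one claim: a per-claim cost plus a per-value cost."""
    if kind in ("bool", "int"):
        return COST["scalar_claim"] + COST["scalar_value"] * len(values)
    if kind == "string":
        return COST["string_claim"] + sum(COST["string_char"] * len(v) for v in values)
    raise ValueError(f"unknown claim type {kind!r}")

def claims_set_bytes(overhead_key, claims):
    """Bytes for a whole claims set: fixed overhead plus each claim."""
    return COST[overhead_key] + sum(claim_bytes(k, vs) for k, vs in claims)

# Constructed claim sets matching the deck's assumptions: 12-char string
# values and 6 values in the multi-valued string claim.
S12 = "x" * 12
USER_CLAIMS = [("bool", [True]), ("int", [1]),
               ("string", [S12]), ("string", [S12]),
               ("string", [S12] * 6)]
DEVICE_CLAIMS = [("bool", [True]), ("string", [S12])]

def first_claim_bytes():
    """A single Boolean user claim (deck: 242 bytes)."""
    return claims_set_bytes("user_overhead", [("bool", [True])])

def user_set_bytes():
    """The five-claim user claims set (deck: 970 bytes)."""
    return claims_set_bytes("user_overhead", USER_CLAIMS)

def compound_id_bytes():
    """User set plus device set, claims data only (deck: 1374 bytes)."""
    return user_set_bytes() + claims_set_bytes("device_overhead", DEVICE_CLAIMS)
```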
Rollout: Current infrastructure → Windows Server 2012 File Servers → Windows Server 2012 DCs → Windows 8 clients

Windows Server 2012 File Servers
• Access and Audit Policies based on security groups and file tagging
Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
http://europe.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
http://europe.msteched.com/sessions