Windows Server 2012: What can I do with Dynamic Access?

Post on 16-Apr-2017



Seminar: What can I do with Dynamic Access in Windows Server 2012

Windows Server 2012 introduces Dynamic Access. Dynamic Access is a set of features that keep users and their data available and protected in line with company rules. Existing techniques such as IRM and Kerberos have been simplified and extended. With File Classification you can also make sure that sensitive files which accidentally end up on public shares are protected, thanks to "tags" that link them, for example, to your Legal department. Dynamic Access thereby gives you more control over who has access, and to which data. If you want the best security while still offering your users "the new way of working" or "bring your own device", this technology is for you!

Microsoft Windows Server 2012

Windows Server 2012: Dynamic Access
Marco Sap
Computrain | Twice | Broekhuis

This presentation shows how Windows Server 2012 supports the modern, flexible working style by means of Dynamic Access.

Agenda
• Windows Server 2012
• Trends and Challenges
• Dynamic Access
• Get Started: Advice and Action!

Windows Server 2012: The Cloud OS
Modern platform for the world's apps, spanning Identity, Virtualization, Data, Development and Management:
• Transforms the datacenter
• Enables modern apps
• Unlocks insights on any data
• Empowers people-centric IT

One platform for all segments (diagram): First Server and Small Business run Windows Server for virtualization; Mid-market adds System Center for automated virtualization and management; Enterprise and Private Cloud run Windows Server and System Center for automated virtualization and management.

Windows Server
• Enables small businesses around the world
• Powers many of the world's largest datacenters
• Delivers value to organizations of all sizes

Trends (diagram): IT constraints, budget reductions, multiple devices, explosive data growth. The chart splits IT effort into run 66%, grow 20% and transform 14%.

Companies are under pressure to do more with less

Challenges (diagram): allow customers and partners; role- and device-driven privileges; availability; enabling devices.

Companies must facilitate productivity without impacting security

Security Challenges (diagram): report and audit; centralize and standardize; protect; rapid response.

Companies need an integrated security strategy


Identity is Essential for Cloud Computing (diagram): identity sits between users and devices, infrastructure, and apps and services, and spans traditional IT, private cloud, public cloud and hybrid cloud.

Dynamic Access

Let’s talk concepts….

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Dynamic Access Control Building Blocks
• User and Device Claims: user and computer attributes can be used in ACEs
• Expression-Based ACEs: ACEs with conditions, including Boolean logic and relational operators
• Classification Enhancements: file classifications can be used in authorization decisions; continuous automatic classification; automatic RMS encryption based on classification
• Central Access and Audit Policies: central authorization/audit rules defined in AD and applied across multiple file servers
• Access Denied Assistance: allow users to request access; provide detailed troubleshooting info to admins

Example (diagram): claims and resource property definitions come from AD DS; the Central Access Policy is evaluated on the File Server.

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

Access policy
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

1 Data Classification

Data classification – identifying data
• Manual classification
• Classify data based on location inheritance
• Classify data automatically

Data Classification

Classify your documents using resource properties stored in Active Directory.

Automatically classify documents based on document content.

File Classification Infrastructure (diagram): resource property definitions feed FCI, which runs the in-box content classifier or a 3rd-party classification plugin. FCI sees a modified or created file, saves the classification, and that classification is then used for security.

Demo: Data Classification

1 Data Classification
2 Central Access Policy

Expression based access control
• Manage fewer security groups by using conditional expressions
• Central Access Policy
• Compound Identity

Flexible access control lists based on document classification and multiple identities.
Centralized access control lists using Central Access Policies.
Expression based access conditions

How Access Check Works (diagram)
• Share security descriptor: share permissions.
• File/folder security descriptor: NTFS permissions plus a Central Access Policy reference.
• Active Directory (cached in the local registry): the cached Central Access Policy definition and its cached Central Access Rules.

Access Control Decision:
1) Access check – share permissions, if applicable
2) Access check – file permissions
3) Access check – every matching Central Access Rule in the Central Access Policy

Now: share permissions + NTFS permissions -> access control decision -> file access.
With Windows Server 2012: share permissions + NTFS permissions + Central Access Policy -> access control decision -> file access.

Central Access Rules (worked example; the file being accessed is classified Department = Engineering, Sensitivity = High)

Permission type           Target files        Permissions                          Engineering  Engineering  Sales
                                                                                   Full-Time    Part-Time    Full-Time
Share                                         Everyone: Full                       Full         Full         Full
Rule 1: Engineering Docs  Dept=Engineering    Engineering: Modify, Everyone: Read  Modify       Modify       Read
Rule 2: Sensitive Data    Sensitivity=High    FT: Modify                           Modify       None         Modify
Rule 3: Sales Docs        Dept=Sales          Sales: Modify                        [rule ignored – not processed]
NTFS                                          FT: Modify, Part-Time: Read          Modify       Read         Modify
Effective rights                                                                   Modify       None         Read
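The access check order and the table above, as an added example in PowerShell (not the presenter's code). It is a toy model: access levels are an ordered scale, the effective right is the lowest level granted by the share ACL, the NTFS ACL and every Central Access Rule whose target matches the file's classification, and a rule whose target does not match is skipped rather than treated as a deny. The principals, ACLs and classification are the table's values, constructed here as sample input.

```powershell
# Added example, not from the slides: toy model of the Windows Server 2012
# access check order (share -> NTFS -> matching Central Access Rules).
$Levels = @{ None = 0; Read = 1; Modify = 2; Full = 3 }

function Get-GrantedLevel {
    param([hashtable]$Acl, [string[]]$Principals)
    # Highest level any of the caller's principals is granted by this ACL.
    $best = 'None'
    foreach ($p in $Principals) {
        if ($Acl.ContainsKey($p) -and $Levels[$Acl[$p]] -gt $Levels[$best]) {
            $best = $Acl[$p]
        }
    }
    return $best
}

function Get-EffectiveAccess {
    param(
        [string[]]$Principals,       # groups carried in the caller's token
        [hashtable]$Share,           # share ACL: principal -> level
        [hashtable]$Ntfs,            # NTFS ACL: principal -> level
        [object[]]$Rules,            # Central Access Rules: Name, Target, Acl
        [hashtable]$Classification   # resource properties set on the file
    )
    $effective = 'Full'
    # 1) share permissions, 2) file permissions: each can only narrow access
    foreach ($acl in @($Share, $Ntfs)) {
        $lvl = Get-GrantedLevel -Acl $acl -Principals $Principals
        if ($Levels[$lvl] -lt $Levels[$effective]) { $effective = $lvl }
    }
    # 3) every Central Access Rule whose target condition matches the file
    foreach ($rule in $Rules) {
        $applies = $true
        foreach ($k in $rule.Target.Keys) {
            if ($Classification[$k] -ne $rule.Target[$k]) { $applies = $false }
        }
        if (-not $applies) { continue }   # rule ignored, not processed
        $lvl = Get-GrantedLevel -Acl $rule.Acl -Principals $Principals
        if ($Levels[$lvl] -lt $Levels[$effective]) { $effective = $lvl }
    }
    return $effective
}

# Sample input constructed from the table above.
$share = @{ Everyone = 'Full' }
$ntfs  = @{ 'Full-Time' = 'Modify'; 'Part-Time' = 'Read' }
$rules = @(
    @{ Name = 'Rule 1: Engineering Docs'; Target = @{ Department = 'Engineering' }
       Acl = @{ Engineering = 'Modify'; Everyone = 'Read' } }
    @{ Name = 'Rule 2: Sensitive Data';   Target = @{ Sensitivity = 'High' }
       Acl = @{ 'Full-Time' = 'Modify' } }
    @{ Name = 'Rule 3: Sales Docs';       Target = @{ Department = 'Sales' }
       Acl = @{ Sales = 'Modify' } }
)
$file  = @{ Department = 'Engineering'; Sensitivity = 'High' }
$users = [ordered]@{
    'Engineering Full-Time' = @('Everyone', 'Engineering', 'Full-Time')
    'Engineering Part-Time' = @('Everyone', 'Engineering', 'Part-Time')
    'Sales Full-Time'       = @('Everyone', 'Sales', 'Full-Time')
}
foreach ($name in $users.Keys) {
    $access = Get-EffectiveAccess -Principals $users[$name] -Share $share -Ntfs $ntfs `
                                  -Rules $rules -Classification $file
    '{0,-22} {1}' -f $name, $access
}
```

Compare the three lines it prints with the Effective rights row of the table. The point to notice is that Rule 3 never enters the evaluation for this file, and that Rule 2 removes the part-time engineer's access even though the NTFS ACL would have granted Read: a Central Access Policy can only take access away, never add it.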

Kerberos and The New Token
• Dynamic Access Control leverages Kerberos
• Windows 8 Kerberos extensions: Compound ID binds a user to the device so that they are authorized as one principal
• The Domain Controller issues groups and claims: the DC enumerates the user's claims, and the claims are delivered in the Kerberos PAC
• The NT token has sections for user and device data: claims and groups!

Pre-2012 token: User Account | User Groups | [other stuff]
2012 token: User Account | User Groups | User Claims | Device Groups | Device Claims | [other stuff]

Overview (diagram)
• AD Admin on the Contoso DC: enables the domain to issue claims and defines claim types (claim type, display name, source, suggested values, value type).
• User attempts to log in and receives a Kerberos ticket: Contoso\Alice, User, Groups: ..., Claims: Title=SDE.
• User attempts to access a resource on the File Server; the NT access token built there carries the same content: Contoso\Alice, User, Groups: ..., Claims: Title=SDE.
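Enabling the domain to issue claims and compound identity, as an added PowerShell example (not the presenter's code). It assumes the default domain GPO names, a file server named FS01 in contoso.com, and that the two Group Policy settings named in the comments write the registry values shown; the Set-ADComputer switch and the whoami/klist checks are standard Windows tools.

```powershell
# Added example, not from the slides: turn on the Windows Server 2012
# Kerberos extensions (claims, compound identity) and verify the result.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Domain controllers: "KDC support for claims, compound authentication and
#    Kerberos armoring" = Enabled, option "Supported" (level 1). Without it the
#    DC keeps building the pre-2012 token: groups only, no claims in the PAC.
#    (Registry location assumed to be what the policy template writes.)
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1

# 2. Windows 8 / Server 2012 members: "Kerberos client support for claims,
#    compound authentication and Kerberos armoring" = Enabled. Pre-Windows 8
#    clients ignore this and keep receiving tickets without claims, which is
#    why the file server has to fetch claims itself for those users.
$krbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name 'Default Domain Policy' -Key $krbKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# 3. Compound identity is requested per service: flag the file server's
#    computer account so the KDC adds device groups and device claims to
#    service tickets issued for it (the M-TGT + U-TGT flow in the diagrams).
Set-ADComputer -Identity 'FS01' -CompoundIdentitySupported $true

# 4. Verify from a Windows 8 client after a fresh logon: whoami /claims lists
#    the claims in the current token; klist shows the ticket for the share.
whoami /claims
klist purge
klist get cifs/FS01.contoso.com
```

If whoami /claims prints nothing, check in this order: the claim type is enabled in AD, the user's source attribute is populated, the KDC policy has reached every domain controller, and the client has been logged off and on again so that a new TGT with claims is issued.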

Kerberos Pre-Windows 2012 (diagram): the user obtains a machine TGT (M-TGT) and a user TGT (U-TGT) from the pre-Windows 2012 Contoso DC; the TGS for the pre-Windows 2012 File Server carries no claims, so the file server has nothing to evaluate beyond groups.

Kerberos with Claims (diagram): with M-TGT and U-TGT from the Contoso DC, the user receives a TGS with user claims and presents it to the File Server, which evaluates them.

Kerberos with Pre-Windows 8 Clients (diagram): a pre-Windows 8 user still receives a TGS without claims; the File Server itself then requests a TGS with the user's claims from the Contoso DC before making its decision.

Kerberos with Compound Identity (diagram): using both the M-TGT and the U-TGT, the Contoso DC issues a TGS that carries user and device groups/claims, and the user presents it to the File Server.

Across Forest boundaries (diagram): the other forest's DC publishes a cross-forest transformation policy; the user obtains M-TGT and U-TGT from the Contoso DC, a referral TGT for the other forest, and finally a TGS with claims for the File Server.

To the Cloud! (diagram): with M-TGT and U-TGT from the Contoso DC, the user obtains a TGS for ADFS, and ADFS issues a SAML token to the Cloud App.

Central Access Policy
In Active Directory (Windows Server 2012 Active Directory):
• Create resource property definitions
• Configure central policies
• Configure claims
On the File Server (Windows Server 2012 File Server):
• Classify information
• Assign the central policy
At runtime:
• The end user's access is evaluated against the access policy, using the resource property definitions and the claims
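The three stages above, scripted as an added PowerShell example (not the presenter's code). It assumes a contoso.com domain with the RSAT ActiveDirectory module on the admin host, the FSRM role on the file server, the department attribute populated on user and computer objects, an AD group named Managed Devices standing in for the slides' Device.Managed claim, and data under D:\Finance. The claim ID ad://ext/Department, the rule and policy names, and the Set-ADResourceProperty -SharesValuesWith call are this example's own choices; AD gives resource properties an ID ending in _MS, which is the name the conditional ACE refers to.

```powershell
# Added example, not from the slides: Central Access Policy end to end.
Import-Module ActiveDirectory

# --- Active Directory: configure claims ---------------------------------------
# One claim type, sourced from the "department" attribute of both users and
# computers, so User.Department and Device.Department exist in the token.
$fin = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', '')
$eng = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Engineering', 'Engineering', '')
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department' -AppliesToClasses 'user', 'computer' `
    -SuggestedValues $fin, $eng

# --- Active Directory: resource property definitions -------------------------
# Department and Impact ship as built-in, disabled resource properties.
Get-ADResourceProperty -Filter 'DisplayName -eq "Department" -or DisplayName -eq "Impact"' |
    Set-ADResourceProperty -Enabled $true
# Let Resource.Department use the claim type's value list (parameter assumed).
Set-ADResourceProperty -Identity 'Department' -SharesValuesWith 'Department'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department', 'Impact'

# --- Active Directory: central access rule and policy ------------------------
$managed = (Get-ADGroup -Identity 'Managed Devices').SID.Value
# Conditional ACE: Read+Write (0x12019f = FILE_GENERIC_READ | FILE_GENERIC_WRITE)
# for Authenticated Users when the user's Department claim equals the file's
# Department tag AND the device is a member of the Managed Devices group.
$cond = "(@USER.ad://ext/Department == @RESOURCE.Department_MS) && (Device_Member_of {SID($managed)})"
$acl  = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x12019f;;;AU;($cond))"

# "Applies to: Impact = High" is the rule's resource condition; the ACL is
# its permissions part.
New-ADCentralAccessRule -Name 'Department match on managed device' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl $acl
New-ADCentralAccessPolicy -Name 'High Impact Data'
Add-ADCentralAccessPolicyMember -Identity 'High Impact Data' `
    -Members 'Department match on managed device'

# --- File server (run there, FSRM installed): classify information -----------
Update-FsrmClassificationPropertyDefinition    # pull Department_MS / Impact_MS from AD
New-FsrmClassificationRule -Name 'Finance: Department' -Namespace 'D:\Finance' `
    -Property 'Department_MS' -PropertyValue 'Finance' -ClassificationMechanism 'Folder Classifier'
New-FsrmClassificationRule -Name 'Finance: Impact' -Namespace 'D:\Finance' `
    -Property 'Impact_MS' -PropertyValue 'High' -ClassificationMechanism 'Folder Classifier'
Start-FsrmClassification

# --- File server: assign the central policy ----------------------------------
# The policy reaches file servers through Group Policy (Computer Configuration
# > Windows Settings > Security Settings > File System > Central Access Policy);
# after gpupdate it can be selected on the folder's Central Policy tab.
gpupdate /force

# Runtime check: confirm what the file server will evaluate.
Get-ADCentralAccessRule -Identity 'Department match on managed device' |
    Format-List Name, ResourceCondition, CurrentAcl
```

Before switching a rule on in production, stage it instead: pass the new ACL as -ProposedAcl on New-ADCentralAccessRule (or Set-ADCentralAccessRule) while the old one stays in -CurrentAcl, and the file server logs every access whose outcome would differ under the proposed ACL (event 4818 in the Security log) without changing the actual decision. That is the "policy staging audit" named later in the deck.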

Demo: Central Access Policy

In Summary

Dynamic Access Control
• Reduce group complexity
• Enable information governance on file servers
• Implement effective access control

Classify data
• Manual tagging by content owners
• Automatic classification (tagging)
• Application-based tagging

Control access
• Manage identity data
• Central access policies targeted based on file tags
• Expression-based access conditions with support for user claims, device claims, and file tags
• Access denied remediation

Audit access
• Central audit policies that can be applied across multiple file servers
• Expression-based auditing conditions with support for user claims, device claims, and file tags
• Policy staging audits to simulate policy changes in a real environment

Protect data
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents based on file tags
• Near real-time protection soon after the file is tagged
• Extensibility for non-Office RMS protectors
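The "Protect data" items, as an added PowerShell example (not the presenter's code): an FSRM file management job that applies an RMS template to every file FCI has tagged Impact_MS = High. It assumes the FSRM role and the AD RMS client on the file server, an RMS template named Contoso Confidential published by the RMS cluster, and data under D:\Finance.

```powershell
# Added example, not from the slides: automatic RMS protection driven by tags.
Import-Module FileServerResourceManager

# Condition: the file carries the Impact_MS resource property with value High.
$condition = New-FsrmFmjCondition -Property 'Impact_MS' -Condition Equal -Value 'High'

# Action: apply the RMS template; the in-box protector handles Office formats,
# other formats need a third-party RMS protector (as the slide notes).
$action = New-FsrmFmjAction -Type Rms -RmsTemplate 'Contoso Confidential'

# -Continuous makes the job react shortly after a file is tagged instead of
# waiting for a scheduled run: the "near real-time protection" item above.
New-FsrmFileManagementJob -Name 'Protect high-impact files' -Namespace 'D:\Finance' `
    -Condition $condition -Action $action -Continuous

# Run it once now to protect files that were tagged before the job existed.
Start-FsrmFileManagementJob -Name 'Protect high-impact files'
```

The protection follows the tag, not the location: once a file is classified Impact = High it is RMS-protected even if a user later copies it to a share with a wide-open ACL, which is the "sensitive files on public shares" case from the seminar abstract.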
