Windows Server 2012
Dynamic Access Control

David Tesar
Technical Evangelist, Microsoft
http://about.me/davidtesar

Level: 300
Session objectives

• Understand the new Dynamic Access Control (DAC) capabilities built into Windows Server 2012
• Learn how to leverage DAC for data compliance and leakage prevention
Data management landscape

[Diagram: growth of users and data; distributed computing; regulatory and business compliance; budget constraints]
Dynamic Access Control Building Blocks

Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators

User and Device Claims
• User and computer attributes can be used in ACEs

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Expression-Based ACEs

Pre-2012: 'OR' of groups only
• Consider 100 countries * 10 divisions * 5 projects
• 5,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc…]

Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
  • Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• ~60 groups instead of 5,000

Windows Server 2012: with Central Access Policies & Classification
• 3 user claims
Conditional Expression Operators

Logical
– AND
– OR
– NOT
– Exists (resource properties)
– See MS-DTYP for processing rules
Expression-based access policy

User claims (issued by AD DS):         User.Department = Finance     User.Clearance = High
Device claims (issued by AD DS):       Device.Department = Finance   Device.Managed = True
Resource properties (on file server):  Resource.Department = Finance Resource.Impact = High

ACCESS POLICY
Applies to: Resource.Impact = High
Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)
User and Device Claims

Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device

Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Claim type

[Diagram: a claim type defined in AD DS has a Display Name, Source, Suggested values and Value type. The claim is issued in the Kerberos ticket and carried into the NT access token:
  Contoso\Alice – User – Groups: … – Claims: Title=SDE]
Let’s review
Data classification – identifying data
• Classify data based on location inheritance
• Classify data automatically
• Data Classification Toolkit
Business Needs → Storage Results

Business needs can start simple, but adding policies can fragment the storage infrastructure. Complexity increases the chances of ineffective policies and prevents insight into business data.

Example business needs:
• Need per-project share
• Ensure that business-secret files do not leak out
• Retain contract data for 10 years

Lack of insight into your data means that you cannot manage your costs and risks
Manage Data Based On Business Value

Classify data → Apply policy according to classification
How can you classify information?

Location based
• Based on the folder the file is created in
• Driven by the "business owner" who sets up the folder

Manual
• Specified by the information worker
• Templates of documents can be used for default settings
• Data entry applications that mark files created by users

Automatic classification
• Automatic classification based on content and other characteristics
• Great solution for classifying large amounts of existing information

Application
• Line of business applications that store information on file servers
• Data management applications
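The two mechanisms that need no human in the loop, location inheritance and content-based automatic classification, are easy to misjudge when they interact: a folder default should survive a content scan, and a scan should be able to raise a file's classification above that default. The following small classifier is an added example for this page, not code from the deck or from the Windows File Classification Infrastructure; the share and folder names, file bodies and match patterns are all constructed. It applies every ancestor folder's rule (nearest folder last) and then layers content rules on top.

```python
"""Location-inheritance plus content-based classification, simulating the
"Location based" and "Automatic classification" mechanisms described above.
Added example; folder names, file contents and patterns are constructed."""
import re
from typing import Dict

# Location rules: a folder and the resource properties every file beneath it
# inherits. Ancestors are applied before descendants so a deeper folder wins
# on conflicts. (Constructed share and folder names.)
LOCATION_RULES: Dict[str, Dict[str, str]] = {
    r"\\fs01\finance": {"Department": "Finance"},
    r"\\fs01\finance\contracts": {"Retention": "10 years"},
    r"\\fs01\eng": {"Department": "Engineering"},
}

# Content rules: property and value set when the pattern matches the file body.
CONTENT_RULES = [
    ("PII", "High", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),            # SSN-shaped token
    ("Sensitivity", "High", re.compile(r"\bCONFIDENTIAL\b", re.I)),   # marker word
]

def _norm(path: str) -> str:
    """Windows paths compare case-insensitively; drop a trailing separator."""
    return path.rstrip("\\").lower()

def location_properties(path: str) -> Dict[str, str]:
    """Properties inherited from every ancestor folder that has a rule."""
    props: Dict[str, str] = {}
    target = _norm(path)
    for folder in sorted(LOCATION_RULES, key=len):      # ancestors are always shorter
        if target.startswith(_norm(folder) + "\\"):
            props.update(LOCATION_RULES[folder])
    return props

def content_properties(content: str) -> Dict[str, str]:
    """Properties set by scanning the file body against CONTENT_RULES."""
    return {name: value for name, value, pattern in CONTENT_RULES if pattern.search(content)}

def classify(path: str, content: str) -> Dict[str, str]:
    """Content rules run after location rules: a scan can raise a file above its
    folder default but never removes the default."""
    props = location_properties(path)
    props.update(content_properties(content))
    return props

# Constructed sample files: path -> body.
SAMPLE_FILES = {
    r"\\fs01\finance\contracts\acme.docx": "Master agreement. CONFIDENTIAL. Term: 5 years.",
    r"\\fs01\finance\payroll\march.csv": "alice,123-45-6789,5200\nbob,987-65-4321,4800\n",
    r"\\fs01\eng\readme.txt": "Build instructions for the release branch.",
}

def classify_all(files: Dict[str, str] = SAMPLE_FILES) -> Dict[str, Dict[str, str]]:
    return {path: classify(path, body) for path, body in files.items()}

if __name__ == "__main__":
    for path, props in classify_all().items():
        print(path, props)
```

Running it classifies the contract as Finance / 10-year retention / Sensitivity High, the payroll export as Finance / PII High, and the engineering readme as Engineering only; a file outside every ruled folder gets no properties at all, which is the case a real deployment must notice rather than silently treat as unclassified.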
Summary – Classify and Apply policy

Area                                        | Windows Server 2008 R2 | Windows Server 2012 / Windows 8
Property definition                         | Local                  | Global to the forest (including default recommended definitions)
Who can classify files                      | Administrator only     | Administrators, business owners and users
Manual classification                       | No UI                  | Classification UI added in Explorer
What can be classified                      | Files                  | Folders and files
When classification and file management tasks are done | Schedule    | Schedule and continuous
In-box classification mechanisms            | Content, location      | Content (improved), location, PowerShell
In-box file management tasks                | Expiration, custom     | Expiration, custom, RMS
What happens when data leaves the file server?

Automatic Rights Management encryption
• Automatically protect your sensitive information
• Adhere to compliance regulations that require data encryption

How do I deploy Expression-based Access Control across my servers?
Central Access Policy

1. Define Central Access Rules (CARs) in Active Directory

   High Impact Data rule
   Applies To: Resource.Impact == High
   Access conditions: User.Clearance = High AND Device.IsManaged = True

   Personal Information rule
   Applies To: Resource.PII == True
   Access conditions: Allow MemberOf(PIIAdministrators, Owner)

   "Information wall" rule
   Applies To: Exists Resource.Department
   Access conditions: User.Department any_of Resource.Department

2. Define Central Access Policies (CAPs) in Active Directory

   Standard organization policy: High Impact rule, Personal Information rule
   Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule

3. Apply CAPs on file servers

   Corporate file servers: user folders, Finance folders
File Access without Central Access Policy

Share Permissions + NTFS Permissions → Access Control Decision

File Access with Central Access Policy

Share Permissions + NTFS Permissions + Central Access Policy → Access Control Decision
How Access Check Works

Share security descriptor: Share Permissions
File/Folder security descriptor: Central Access Policy Reference, NTFS Permissions
Active Directory (cached in local Registry): Cached Central Access Policy Definition → Cached Central Access Rules

Access Control Decision:
1) Access Check – Share permissions if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in Central Access Policy
Example: Effective Access

Classifications on file being accessed: Department = Engineering; Sensitivity = High

Permission Type                         | Target Files     | Permissions                         | Engineering FTE | Engineering Vendor | Sales FTE
Share                                   |                  | Everyone: Full                      | Full            | Full               | Full
Central Access Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify          | Modify             | Read
Rule 2: Sensitive Data                  | Sensitivity=High | FTE: Modify                         | Modify          | None               | Modify
Rule 3: Sales Docs                      | Dept=Sales       | Sales: Modify                       | [rule ignored – not processed]
NTFS                                    |                  | FTE: Modify; Vendors: Read          | Modify          | Read               | Modify
Effective Rights                        |                  |                                     | Modify          | None               | Read
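The table above is the whole DAC decision model in one place: share, then NTFS, then every Central Access Rule whose resource condition matches the file, with the effective right being the lowest any stage grants and non-matching rules skipped entirely. The following simulation is an added example for this page, not Windows code or anything from the deck: it models allow ACEs only (no deny ACEs, no fine-grained rights masks), and rule conditions are Python callables standing in for the SDDL conditional-ACE grammar. `slide_example` reproduces the table with constructed principals, and `claims_example` applies the claims policy from the earlier "Expression-based access policy" slide (Read,Write represented as Modify) to show how a device claim alone can turn an allow into a deny.

```python
"""Three-stage Dynamic Access Control check: share, NTFS, then every matching
Central Access Rule; effective right = lowest of all stages. Added example,
allow-only model; users, groups, claims, paths and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

RIGHTS = {"None": 0, "Read": 1, "Modify": 2, "Full": 3}   # ordered so min() = intersection

def level_name(level: int) -> str:
    return next(name for name, value in RIGHTS.items() if value == level)

@dataclass
class Token:
    """What the access token carries: groups plus user and device claims."""
    user: str
    groups: Set[str]
    claims: Dict[str, object] = field(default_factory=dict)   # User.<name>
    device: Dict[str, object] = field(default_factory=dict)   # Device.<name>

@dataclass
class Resource:
    path: str
    properties: Dict[str, object]                              # Resource.<name>

Condition = Callable[[Token, Resource], bool]

@dataclass
class ConditionalAce:
    right: str            # key of RIGHTS
    condition: Condition  # the ACE only counts when this holds

@dataclass
class CentralAccessRule:
    name: str
    applies_to: Callable[[Resource], bool]   # resource condition
    aces: List[ConditionalAce]

# Condition builders mirroring the operators used on the slides.
def everyone() -> Condition:
    return lambda t, r: True

def member_of(group: str) -> Condition:
    return lambda t, r: group in t.groups

def user_matches_resource(prop: str) -> Condition:
    """User.<prop> == Resource.<prop>; false when the user claim is absent."""
    return lambda t, r: prop in t.claims and t.claims[prop] == r.properties.get(prop)

def device_claim(name: str, value: object) -> Condition:
    return lambda t, r: t.device.get(name) == value

def both(a: Condition, b: Condition) -> Condition:   # AND
    return lambda t, r: a(t, r) and b(t, r)

def max_granted(aces: List[ConditionalAce], token: Token, resource: Resource) -> int:
    """Highest right among ACEs whose condition holds; 0 (None) if none do."""
    return max((RIGHTS[a.right] for a in aces if a.condition(token, resource)), default=0)

def effective_access(token: Token, resource: Resource, share: List[ConditionalAce],
                     ntfs: List[ConditionalAce], cap: List[CentralAccessRule]) -> str:
    """1) share, 2) NTFS, 3) every matching CAR; a CAR whose resource
    condition fails is skipped, exactly like 'Sales Docs' in the table."""
    level = max_granted(share, token, resource)
    level = min(level, max_granted(ntfs, token, resource))
    for rule in cap:
        if rule.applies_to(resource):
            level = min(level, max_granted(rule.aces, token, resource))
    return level_name(level)

def slide_example() -> Dict[str, str]:
    """The 'Example: Effective Access' table with constructed principals."""
    share = [ConditionalAce("Full", everyone())]
    ntfs = [ConditionalAce("Modify", member_of("FTE")), ConditionalAce("Read", member_of("Vendors"))]
    cap = [
        CentralAccessRule("Engineering Docs", lambda r: r.properties.get("Department") == "Engineering",
                          [ConditionalAce("Modify", member_of("Engineering")), ConditionalAce("Read", everyone())]),
        CentralAccessRule("Sensitive Data", lambda r: r.properties.get("Sensitivity") == "High",
                          [ConditionalAce("Modify", member_of("FTE"))]),
        CentralAccessRule("Sales Docs", lambda r: r.properties.get("Department") == "Sales",
                          [ConditionalAce("Modify", member_of("Sales"))]),
    ]
    doc = Resource(r"\\fs01\eng\design.docx", {"Department": "Engineering", "Sensitivity": "High"})
    principals = {
        "Engineering FTE": Token("eng_fte", {"Engineering", "FTE"}),
        "Engineering Vendor": Token("eng_vendor", {"Engineering", "Vendors"}),
        "Sales FTE": Token("sales_fte", {"Sales", "FTE"}),
    }
    return {name: effective_access(tok, doc, share, ntfs, cap) for name, tok in principals.items()}

def claims_example() -> Tuple[str, str]:
    """Applies to Resource.Impact = High; allow if User.Department =
    Resource.Department AND Device.Managed = True. Returns (managed, unmanaged)."""
    high_impact = CentralAccessRule(
        "High Impact Data", lambda r: r.properties.get("Impact") == "High",
        [ConditionalAce("Modify", both(user_matches_resource("Department"), device_claim("Managed", True)))])
    share = [ConditionalAce("Full", everyone())]
    ntfs = [ConditionalAce("Modify", member_of("Finance"))]
    stmt = Resource(r"\\fs01\finance\q1.xlsx", {"Department": "Finance", "Impact": "High"})
    managed = Token("alice", {"Finance"}, {"Department": "Finance"}, {"Managed": True})
    unmanaged = Token("alice", {"Finance"}, {"Department": "Finance"}, {"Managed": False})
    return (effective_access(managed, stmt, share, ntfs, [high_impact]),
            effective_access(unmanaged, stmt, share, ntfs, [high_impact]))
```

Calling `slide_example()` returns Modify / None / Read for the three principals, matching the table; `claims_example()` returns Modify on the managed device and None on the unmanaged one even though share and NTFS permissions are identical, which is the point of layering a CAP on top of the existing ACLs rather than replacing them.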
How does this help me if I have to do an audit?

The audit challenge
• Compliance and forensic analysis
• Difficult to control audit volume
• Inadequate support for managing audit policies centrally
• Difficult to sift through audit noise to get to relevant data

Expression-based auditing
• Limit auditing to data that meets specific classification criteria
• Limit auditing by action and by identity
• Add contextual information into the audit events
Audit event with contextual information

An attempt was made to access an object.

Subject:
    Security ID:         CONTOSODOM\alice
    Account Name:        alice
    Account Domain:      CONTOSODOM
    Logon ID:            0x3e7

Object:
    Object Server:       Security
    Object Type:         File
    Object Name:         C:\Finance Document Share\FinancialStatements\March\EmployeeStmt.xls
    Handle ID:           0x8e4
    Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
Incrementally add capabilities

Current infrastructure →

Windows Server 2012 file servers
• Access and audit policies based on security groups and file tagging
• Classify information & apply RMS policies

Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
• Additional classification options

Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
• Additional classification options
In summary

Related Content and Resources
http://channel9.msdn.com/Events/TechEd
http://edge.technet.com

Windows server 2012 dynamic access control tech mentor
