SIA316 Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
Brian Puhl, Technology Architect, Microsoft Corporation
Session Objectives and Takeaways
• Understand how the new Dynamic Access Control capabilities built into Windows 8 integrate with enterprise security
• Recognize key benefits and limitations of Dynamic Access Control through scenario-based examples
• Use Dynamic Access Control to address key challenges in managing data across the organization
• Integrate Dynamic Access Control with your existing Identity Management systems
Information management challenges
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud …
• MSIT: 1500 file servers with 110 different groups managing them
• Very hard to consistently manage the information
Storage growth
• 45%: file-based storage CAGR
• MSIT cost: $1.60 per GB/month for managed servers
• >70% of stored data is stale
• Cloud cost would be ~25 cents per GB/month
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA …)
• International and local regulations
• More oversight and tighter enforcement
• $15M: settlement for an investment bank with the SEC over records retention
Data leakage
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005
• $90 to $305 per record (Forrester: "Calculating the Cost of a Security Breach")
Information governance policies: what is this really about?
• Apply appropriate access policies
• Audit access to information
• Encrypt information
• Apply appropriate retention to information
Why should you care?
• Compliance and leakage prevention are high priority for our customers
• Showcase Microsoft innovation and differentiation
• Microsoft consulting opportunity
Expression-based access policy
• User claims (from AD DS): User.Department = Finance; User.Clearance = High
• Device claims (from AD DS): Device.Department = Finance; Device.Managed = True
• Resource properties (on the file server): Resource.Department = Finance; Resource.Impact = High
Access policy: for access to finance information that has high business impact, a user must be a finance department employee with a high security clearance, and be using a managed device registered with the finance department.
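The slide above states the policy in words; the following is an added example (not code from the Microsoft IT deployment) that models how a central access rule combines user claims, device claims and resource properties into an access decision. The claim names, values and policy wording come from the slide; the Clause and AccessRule types, the evaluate() function, the decision names and the sample principals and shares are constructed assumptions. Absent claims fail closed, and the names of the failing clauses are returned so they can feed an Access Denied Remediation message.

```python
"""Expression-based access policy evaluation, modelled on the slide.

Added example, not code from the Microsoft IT deployment. Claim names and
the policy wording come from the slide; the types, evaluate() and the
sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Claims = Dict[str, Any]                                   # e.g. {"Department": "Finance"}
ClauseTest = Callable[[Claims, Claims, Claims], bool]     # (user, device, resource) -> bool


@dataclass(frozen=True)
class Clause:
    name: str          # human-readable text, surfaced when the clause fails
    test: ClauseTest


@dataclass(frozen=True)
class AccessRule:
    name: str
    targets: Callable[[Claims], bool]   # which resources the rule applies to
    clauses: Tuple[Clause, ...]         # every clause must hold for access


# The policy from the slide, expressed as a targeted rule with four clauses.
FINANCE_HBI = AccessRule(
    name="Finance HBI",
    targets=lambda r: r.get("Department") == "Finance" and r.get("Impact") == "High",
    clauses=(
        Clause("user is a finance department employee",
               lambda u, d, r: u.get("Department") == "Finance"),
        Clause("user has a high security clearance",
               lambda u, d, r: u.get("Clearance") == "High"),
        Clause("device is managed",
               lambda u, d, r: d.get("Managed") is True),
        Clause("device is registered with the finance department",
               lambda u, d, r: d.get("Department") == "Finance"),
    ),
)


def evaluate(user: Claims, device: Claims, resource: Claims,
             rules: Tuple[AccessRule, ...] = (FINANCE_HBI,)) -> Tuple[str, List[str]]:
    """Return (decision, failed_clauses).

    ALLOW           every rule targeting the resource is fully satisfied
    DENY            at least one clause of an applicable rule fails
    NOT_APPLICABLE  no rule targets the resource; only the existing ACL decides

    A claim missing from the token (an unpopulated AD attribute, for example)
    never satisfies a clause, so missing data fails closed. The failed clause
    names are what an Access Denied Remediation message would show the user.
    """
    failed: List[str] = []
    applicable = False
    for rule in rules:
        if not rule.targets(resource):
            continue
        applicable = True
        for clause in rule.clauses:
            if not clause.test(user, device, resource):
                failed.append(f"{rule.name}: {clause.name}")
    if not applicable:
        return "NOT_APPLICABLE", []
    return ("DENY" if failed else "ALLOW"), failed


# Constructed sample inputs (not real MSIT data).
FINANCE_HBI_SHARE = {"Department": "Finance", "Impact": "High"}
FINANCE_LBI_SHARE = {"Department": "Finance", "Impact": "Low"}
ALICE = {"Department": "Finance", "Clearance": "High"}
BOB = {"Department": "Finance"}                 # Clearance attribute never populated
MANAGED_FINANCE_PC = {"Department": "Finance", "Managed": True}
UNMANAGED_PC = {"Managed": False}               # no Department claim either


def demo() -> Dict[str, Tuple[str, List[str]]]:
    return {
        "alice_managed": evaluate(ALICE, MANAGED_FINANCE_PC, FINANCE_HBI_SHARE),
        "alice_unmanaged": evaluate(ALICE, UNMANAGED_PC, FINANCE_HBI_SHARE),
        "bob_managed": evaluate(BOB, MANAGED_FINANCE_PC, FINANCE_HBI_SHARE),
        "alice_lbi_unmanaged": evaluate(ALICE, UNMANAGED_PC, FINANCE_LBI_SHARE),
    }


if __name__ == "__main__":
    for case, (decision, why) in demo().items():
        print(f"{case:22} {decision:15} {'; '.join(why)}")
```

Running the block shows the four outcomes: the managed finance user is allowed, the same user from an unmanaged device is denied with both device clauses named, the user whose Clearance attribute was never populated is denied on that clause alone, and the low-impact share is not covered by the rule at all, which is the case where the existing ACL decides on its own.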
Microsoft IT Identity Environment (architecture diagram; recoverable figures only)
• Corporate environment: 186K users, 450K machines, 7 forests, 17 domains, 300k+ servers, 1700+ applications
• Identity infrastructure: ADFS v2, ILM 2007 / FIM 2010 data synchronization (Directory Sync Tool, MSO MA), RMS services, certificate servers, self-service tooling (autogroup, ramweb, etc.)
• B2B/B2C extranet: front/back perimeter network, 10,000 user accounts, 500+ business partners, 700+ applications and SharePoint sites
• Microsoft Online Services and consumer services (Windows Azure, ExO, SPO, OSub, OCO, Live, Zune, Spaces, Org-ID, FOPE) reached through directory synchronization and federation
• Other labels in the diagram: MSIT Production, Eng. Dogfood, Corp, NTDev, PHX.GBL, Partners, Extranet, Feedstore, Windeploy, WinSE, WGIA, MSLPA, SAP, Exchange, Acct. Mgmt., Resource Forest, CorpNet, Online
Principles for the Deployment
• "Just another way to secure data"
• Limit the amount of custom administration required to support
• "Not trying to restrict who can use a policy, just like we don't restrict who uses a security group"
  • Means we do not get the back-link to the servers where policies are applied to know where they could be used
  • What are the change control implications of doing it this way?
  • If you change the HBI policy, you could end up breaking stuff everywhere
Applying our Principles
• How do we think about GPO deployment?
  • IAM and InfoSec own policies linked at the root of the domain and to general-use OUs
  • Anyone can request an OU for their servers, and a delegated GPO
• Applying this to Dynamic Access Control?
  • Identify generic policies and link them at the root of the domain
  • Similar to publishing RMS templates: relevant and generic
MSIT Dogfood Deployment Program
• 4 core scenarios with strong engagement from each of the business owners
  • Legal/Corporate Affairs: rich data classification and retention using FCI
  • Next Generation File Management: implement a Safe Harbor solution for services/support data
  • Global Payroll: manage access to archived financial data
  • \\Products: restrict the ability to download/install MS products
New Request Process (flow diagram; lanes: Customer, Customer Ready, Central IT, Joint Customer/IT)
• Customer request
• Create security group for target servers
• File share created with representative data set for scenarios (classifications)
• Vetted by DAC IT team
• Implement resource properties, claims, CARs, CAP
• Customer requirements: central or local? Audit required?
• Configure central audit policy (if audit required)
• Configure Access Denied Remediation
• Apply policy to share and test
What Makes a Good Claim?
• Must be an attribute in AD (not SQL, not LDS … just AD)
• Well managed
  • Creating a security dependency on attributes that never had one
  • Available (populated) attributes vs. business need
  • Populated from managed source(s)
  • Can an end user go in and change the value of an attribute at will?
  • Does the business process that owns the attribute understand the new dependency being taken on the data?
What Makes a Good Claim?
• Let's just make every AD attribute a claim!
  • Claims bloat == token bloat
• What is the process for requesting a new claim?
• General principles for AD data management apply
  • Is it globally relevant?
  • Do values change frequently?
  • If the data is in AD, does that make it a good claim?
Creating a New Claim Type
• AD Administrative Center: New Claim Type (screenshot walkthrough)
Access Denied Remediation
• Local settings on the file server
  • Configurable per share
  • Configurable message per folder
• Remediation options
  • Provide a message to the users
  • Enable users to send email
MSIT ADR Approach
• Leverage our existing access management service
• Use HTML tags to link the ADR message to the business process responsible for access control
Exception management
"Identity management is exception management"
• The idea: exception GUIDs
  • Extend the schema to add a dac-exceptions attribute to users
  • Self-service registration portal: FS/data owners register to get a GUID to tag files
  • New claim type enables mapping of a user to the resource: User.exception = Resource.exception
Exception Management
• Generalizing:
  • Self-service management tool
  • Data on the user account to tag files with
  • Multi-valued, linked attributes …
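The exception-GUID scheme on the two slides above, as an added example (not the Microsoft IT portal or schema extension): an owner registers a resource and receives a GUID, tags files with it as a resource property, and users who need an exception get the same GUID in a multi-valued dac-exceptions attribute so the condition User.exception = Resource.exception can be evaluated. The ExceptionRegistry class, its method names, the in-memory dictionaries and the sample share and user names are constructed assumptions; the attribute name and the user-to-resource mapping are from the deck.

```python
"""Exception GUIDs for DAC exception management, as sketched in the deck.

Added example, not the Microsoft IT tooling. The dac-exceptions attribute
name and the User.exception = Resource.exception mapping come from the
slides; everything else here is a constructed assumption.
"""
import uuid
from typing import Dict, Set


class ExceptionRegistry:
    def __init__(self) -> None:
        self._owners: Dict[str, str] = {}                 # exception GUID -> owning share
        self._user_exceptions: Dict[str, Set[str]] = {}   # user -> values of dac-exceptions
        self._file_tags: Dict[str, str] = {}              # file path -> Resource.exception

    def register_resource(self, share: str) -> str:
        """Self-service step 1: an FS/data owner obtains a GUID for a share."""
        guid = str(uuid.uuid4())
        self._owners[guid] = share
        return guid

    def tag_file(self, path: str, guid: str) -> None:
        """Step 2: classify a file with the exception GUID (Resource.exception)."""
        if guid not in self._owners:
            raise KeyError(f"unregistered exception GUID {guid}")
        self._file_tags[path] = guid

    def grant(self, user: str, guid: str) -> None:
        """Step 3: add the GUID to the user's multi-valued dac-exceptions attribute."""
        if guid not in self._owners:
            raise KeyError(f"unregistered exception GUID {guid}")
        self._user_exceptions.setdefault(user, set()).add(guid)

    def revoke(self, user: str, guid: str) -> None:
        """Remove one value; the user keeps any other exceptions they hold."""
        self._user_exceptions.get(user, set()).discard(guid)

    def exception_applies(self, user: str, path: str) -> bool:
        """User.exception = Resource.exception with any-of semantics, because the
        user side is multi-valued. An untagged file or a user without the
        attribute never matches, so the check fails closed."""
        tag = self._file_tags.get(path)
        return tag is not None and tag in self._user_exceptions.get(user, set())

    def claim_value_count(self, user: str) -> int:
        """Number of values the user would carry in the exception claim; worth
        tracking because every value adds to token size."""
        return len(self._user_exceptions.get(user, set()))


def demo() -> Dict[str, bool]:
    # Constructed sample data, not real MSIT shares or users.
    reg = ExceptionRegistry()
    payroll = reg.register_resource(r"\\payroll\archive")
    legal = reg.register_resource(r"\\legal\hold")
    reg.tag_file(r"\\payroll\archive\2011.xlsx", payroll)
    reg.tag_file(r"\\legal\hold\case42.pdf", legal)
    reg.grant("contractor1", payroll)     # exception for the payroll archive only
    results = {
        "payroll_file_with_exception":
            reg.exception_applies("contractor1", r"\\payroll\archive\2011.xlsx"),
        "legal_file_without_exception":
            reg.exception_applies("contractor1", r"\\legal\hold\case42.pdf"),
        "untagged_file":
            reg.exception_applies("contractor1", r"\\payroll\archive\notes.txt"),
        "user_with_no_attribute":
            reg.exception_applies("nobody", r"\\payroll\archive\2011.xlsx"),
    }
    reg.revoke("contractor1", payroll)
    results["after_revoke"] = reg.exception_applies("contractor1", r"\\payroll\archive\2011.xlsx")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30} {outcome}")
```

The point the example makes is that a GUID registered for one share grants nothing on files tagged with another share's GUID, and that the exception disappears as soon as the value is removed from the user's attribute; claim_value_count() is there because each value a user accumulates is one more entry in the token, which is the bloat concern raised earlier in the deck.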
Exception Management (diagram): FIM-managed security groups
Auditing
• Still determining our approach to auditing
  • Collection and analysis of events
  • What is required for security/forensics vs. support/operations
  • Cross-team process for troubleshooting access problems
• How do we manage the volume of access events?
  • Currently using Audit Collection Service on targeted machines
  • Using policy staging to determine resultant impact (WhatIf)
Deployment Approach: how to deliver a consistent user and security experience in a complex environment
• Multi-forest environment
• Users and resources spread over a variety of client and AD operating systems
• Token size: concern about carrying claims in every token (different from ADFS)
• Sequencing of deployment across clients, servers, AD
  • When to enable the default domain controller policy to begin issuing claims (msDS-SupportedEncryptionTypes on the krbtgt account)
  • RODCs and their hub servers, PDC, etc.
  • Network and DCLocator impact of deploying in a regional domain
• Cross-forest claims transformations
Domain Mode Not Required*
* You MAY want to wait until you have all of your DCs upgraded
You SHOULD ensure that you have Windows Server 2012 DCs in all sites which:
• Have clients which use claims
• Have resources which use claims
You CAN turn off the GPO and turn claims off
• Remember claims are in the TGT: with the default 10-hour TGT lifetime, recovery can take up to 10 hours
S-1-5-21-0-0-0
• Cross-forest claims assurance/filtering
• Sentinel SID included in token when trusting forest DC supports claims
• Downlevel DC SID filtering code will strip the Sentinel SID, indicating claims transformation rules have not been applied
Diagram (three builds of one flow): Forest 1 Windows 2012 DC → Forest 2 Windows 2008 R2 DC → Forest 2 Windows 2012 file server
• TGT (Forest 1): Claims, Groups, Sentinel SID
• TGS (domain 2): Claims, Groups, Sentinel SID
• TGS (file server): Claims, Groups (Sentinel SID no longer present)
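The token flow in the diagram above, as an added simulation (not Microsoft code and not a description of the Kerberos implementation): a claims-aware DC in the user's forest adds the sentinel SID to the TGT alongside the claims, a downlevel DC in the resource forest strips it through SID filtering, and the Windows Server 2012 file server checks for the sentinel SID before trusting cross-forest claims. The Token type, the function names, the transformation policy modelled as an allow-list of claim types, and the file server's reaction of discarding unassured claims are constructed assumptions; the SID value and the stripping behaviour of downlevel DCs come from the deck.

```python
"""Sentinel SID S-1-5-21-0-0-0 as an assurance that cross-forest claims were
handled by claims-aware DCs. Added simulation, not Microsoft code.

The SID value and the fact that downlevel SID filtering strips it are from
the deck; the token model, the allow-list transformation and the file
server's fail-closed reaction are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Tuple

SENTINEL_SID = "S-1-5-21-0-0-0"


@dataclass(frozen=True)
class Token:
    principal: str
    groups: Tuple[str, ...]
    claims: Dict[str, str]
    extra_sids: Tuple[str, ...] = ()    # SIDs carried alongside the group SIDs


def issue_tgt(principal: str, groups: Iterable[str], claims: Dict[str, str],
              dc_supports_claims: bool) -> Token:
    """Forest 1 DC. A claims-aware DC puts the claims in the TGT together with
    the sentinel SID; a downlevel DC issues neither (assumption)."""
    if not dc_supports_claims:
        return Token(principal, tuple(groups), {}, ())
    return Token(principal, tuple(groups), dict(claims), (SENTINEL_SID,))


def cross_forest_tgs(tgt: Token, resource_dc_supports_claims: bool,
                     transform_allow: Tuple[str, ...]) -> Token:
    """Forest 2 DC issues the referral TGS.

    A Windows Server 2012 DC applies the claims transformation policy
    (modelled here as an allow-list of claim types) and keeps the sentinel SID.
    A downlevel DC knows nothing about claims: its SID filtering drops the
    sentinel SID and the claims pass through untransformed.
    """
    if resource_dc_supports_claims:
        kept = {k: v for k, v in tgt.claims.items() if k in transform_allow}
        return replace(tgt, claims=kept)
    filtered = tuple(s for s in tgt.extra_sids if s != SENTINEL_SID)
    return replace(tgt, extra_sids=filtered)


def file_server_claims(tgs: Token) -> Dict[str, str]:
    """Windows Server 2012 file server: use cross-forest claims only when the
    sentinel SID survived the trust path; otherwise evaluate policy with no
    claims, so a claims-based rule denies rather than trusting untransformed
    data (the fail-closed choice is an assumption of this example)."""
    if SENTINEL_SID in tgs.extra_sids:
        return tgs.claims
    return {}


def demo() -> Dict[str, object]:
    # Constructed sample principal and claims, not real MSIT data.
    tgt = issue_tgt("forest1\\alice", ["forest1\\finance"],
                    {"Department": "Finance", "Clearance": "High"}, True)
    via_2012_dc = cross_forest_tgs(tgt, True, ("Department",))
    via_2008r2_dc = cross_forest_tgs(tgt, False, ("Department",))
    return {
        "tgt_has_sentinel": SENTINEL_SID in tgt.extra_sids,
        "claims_via_2012_dc": file_server_claims(via_2012_dc),
        "claims_via_2008r2_dc": file_server_claims(via_2008r2_dc),
        "sentinel_stripped_by_2008r2": SENTINEL_SID not in via_2008r2_dc.extra_sids,
        "untransformed_claims_still_in_token": via_2008r2_dc.claims,
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:38} {value}")
```

The last entry in demo() is the detail worth noticing: the downlevel path does not remove the claims themselves, it removes only the sentinel SID, so a file server that ignored the sentinel would be acting on claims that no transformation policy ever filtered. That is why the file server in this model keys its trust decision on the SID rather than on the presence of claims.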
Things to Consider
Deployment approach
• What are the considerations for enabling Dynamic Access Control in large, complex environments?
• At what point do we stop supporting legacy access and require Dynamic Access Control to access a given resource?
Identity data governance
• When/how do we get away from SGs as claims and use actual claims as claims? Is this even a goal?
• When do we consider updating the schema to add a new claim type to get it in the token?
• What are the policies for enabling a new claim type?
Related Content
• SIA 207 – Windows Server 2012 Dynamic Access Control Overview
• SIA 341 – Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
• SIA 316 – Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
• SIA21-HOL – Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
• SIA02-TLC – Windows Server 2012 Active Directory and Dynamic Access Control
Find me later at the Windows Server 2012 Active Directory booth!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.