Dynamic Access Control: Deep Dive & Extensibility
Dave McPherson, Sr. Program Manager
3-052

Session objectives
• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes:
  • Classification
  • Central access policies
  • Staging
  • Authentication and authorization flows
  • Token bloat
  • Extensibility
Dynamic Access Control: In a nutshell
• Encryption: Automatic RMS encryption based on document classification.
• Expression-based access conditions: Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies.
• Expression-based auditing: Targeted access auditing based on document classification and user identity. Centralized deployment of audit policies using Global Audit Policies.
• Data Classification: Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
Dynamic Access Control Building Blocks
• User and Device Claims
  • User and computer attributes can be used in ACEs
• Expression-Based ACEs
  • ACEs with conditions, including logical and relational operators
• Classification Enhancements
  • File classifications can be used in authorization decisions
  • Continuous automatic classification
  • Automatic RMS encryption based on classification
• Central Access and Audit Policies
  • Central authorization/audit rules defined in AD and applied across multiple file servers
• Access Denied Assistance
  • Allow users to self-remedy or request access
  • Provide detailed troubleshooting info to admins
Expression-based access policy (AD DS and File Server)
• User claims: User.Department = Finance; User.Clearance = High
• Device claims: Device.Department = Finance; Device.Managed = True
• Resource properties: Resource.Department = Finance; Resource.Impact = High
• Conditional Access Policy
  • Applies to: Resource.Impact = High
  • Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)
Conditional Expression Operators
• Logical: AND, OR, NOT, Exists (resource properties). See MS-DTYP for processing rules.
• Relational: =, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, and the Not_* negated forms of these set and membership operators
Conditional Expressions in Windows
• Extension of the CALLBACK_ACE_TYPE
  • Allows custom ACE behavior
  • Previously only available through AuthzAPI
• The expression goes into the ApplicationData section (prefixed with 4 'xtra' signature bytes)
• SDDL
  • A normal ACE: (A;CIOI;GA;;;AU)
  • A conditional ACE (six standard fields, then the condition in parentheses): (XA;CIOI;GA;;;AU;((@User.smartcard == 1 || @Device.managed == 1) && (@Resource.dept Any_of {"Sales","HR"})))
Access Control Policy Extensibility
• Security Descriptor Definition Language (SDDL)
  • CBAC ACEs managed as SDDL strings
  • Added / removed from SDDL strings via standard string manipulation functions
  • AddConditionalAce
  • AddResourceAttributeAce
• Managing Claims in AD: PowerShell / LDAP
• Managing Central Access Policies: PowerShell / LDAP
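The conditional ACE from the SDDL slide, split into its fields and evaluated against claim sets, as an added example (not the deck's or Microsoft's code). It implements only the operator subset the slides use (==, !=, Any_of, &&, ||, ! and parentheses) and treats an absent claim as not satisfying the ACE, a simplification of the MS-DTYP "unknown" result.

```python
import re

# Token subset of the MS-DTYP conditional grammar used on the slide: @Source.attr claim
# attributes (User, Device, Resource), string/integer literals, {..} sets and the operators.
TOKEN = re.compile(r'\s*(@\w+\.\w+|"[^"]*"|\d+|Any_of|==|!=|&&|\|\||[!(){},])')

def tokenize(expr):
    if TOKEN.sub('', expr).split():                   # anything left over is outside the grammar subset
        raise ValueError("unsupported token in: " + expr)
    return TOKEN.findall(expr)

class Evaluator:                                      # recursive descent over the token list
    def __init__(self, tokens, claims): self.t, self.i, self.claims = tokens, 0, claims
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def take(self): self.i += 1; return self.t[self.i - 1]
    def value(self):                                  # attribute, literal or set
        tok = self.take()
        if tok.startswith('@'):                       # @User.smartcard -> claims['User']['smartcard']
            source, attr = tok[1:].split('.')
            return self.claims.get(source, {}).get(attr)   # None when the claim is absent
        if tok == '{':
            items = set()
            while self.peek() != '}':
                items.add(self.value())
                if self.peek() == ',': self.take()
            self.take(); return items
        return tok[1:-1] if tok.startswith('"') else int(tok)
    def primary(self):
        if self.peek() == '!': self.take(); return not self.primary()
        if self.peek() == '(': self.take(); v = self.expr(); assert self.take() == ')'; return v
        lhs, op, rhs = self.value(), self.take(), self.value()
        if lhs is None: return False                  # simplification: an absent claim never satisfies an allow ACE
        if op == 'Any_of':                            # true when any LHS value is in the RHS set
            return bool((lhs if isinstance(lhs, set) else {lhs}) & rhs)
        return lhs == rhs if op == '==' else lhs != rhs
    def and_(self):
        v = self.primary()
        while self.peek() == '&&': self.take(); rhs = self.primary(); v = v and rhs
        return v
    def expr(self):                                   # '||' binds looser than '&&'
        v = self.and_()
        while self.peek() == '||': self.take(); rhs = self.and_(); v = v or rhs
        return v

def condition_holds(ace, claims):
    """Split (XA;flags;rights;object;inherit;sid;(cond)) and evaluate cond against the claims."""
    fields = ace.strip()[1:-1].split(';', 6)
    if len(fields) != 7 or fields[0] not in ('XA', 'XD', 'XU'):
        raise ValueError("not a conditional ACE: " + ace)
    return Evaluator(tokenize(fields[6]), claims).expr()
```

With the slide's ACE and claims {'User': {'smartcard': 0}, 'Device': {'managed': 1}, 'Resource': {'dept': {'Sales'}}}, condition_holds returns True; with Resource.dept set to 'Finance' it returns False regardless of the user and device claims.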
Dynamic Access Control: File Classification Infrastructure
File Classification Infrastructure
• FCI released in WS08R2
• Classified based on rules run at specified schedules
  • Not continuous
  • Not for access control
  • No UI for manual classification
File Classification Infrastructure (diagram, built up over several slides)
• Resource Property Definitions feed FCI
• Classifiers: the in-box content classifier and 3rd-party classification plugins (the extensibility point)
• Flow: see a modified / created file, classify it, save the classification (used for security decisions)
• File Management Task: match the file to a policy and apply the policy, e.g. RMS Encrypt
Dynamic Access Control: Central Access Policies
Central Access Policy (defined in Active Directory)
1. Define Central Access Rules (CARs)
  • High Impact Data rule. Applies To: Resource.Impact == High. Access conditions: User.Clearance = High AND Device.IsManaged = True
  • Personal Information rule. Applies To: Resource.PII == True. Access conditions: Allow MemberOf(PIIAdministrators, Owner)
  • "Information wall" rule. Applies To: Exists Resource.Department. Access conditions: User.Department any_of Resource.Department
2. Define Central Access Policies (CAPs)
  • Standard organization policy: High Impact rule, Personal Information rule
  • Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule
3. Apply CAPs on File Servers
  • Corporate file servers: User folders, Finance folders
File Access without Central Access Policy: File Access, Share Permissions, NTFS Permissions, Access Control Decision
File Access with Central Access Policy: File Access, Share Permissions, NTFS Permissions, Central Access Policy, Access Control Decision
How Access Check Works
• Share Security Descriptor: Share Permissions
• File/Folder Security Descriptor: NTFS Permissions, plus a Central Access Policy Reference
• Active Directory (cached in local Registry): cached Central Access Policy Definition and its cached Central Access Rules
• Access Control Decision:
  • Access Check – Share permissions if applicable
  • Access Check – File permissions
  • Access Check – Every matching Central Access Rule in the Central Access Policy
Dynamic Access Control: Staging Policies
What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating a production environment for test purposes is difficult and expensive
Answer: Staging Policies
Staging policy
• User claims (Active Directory): Clearance = High | Med | Low; Company = Contoso | Fabrikam
• Resource properties (File server): Department = Finance | HR | Engg; Impact = High | Med | Low
• Current Central Access policy for high impact data
  • Applies to: @File.Impact = High
  • Allow | Full Control | if @User.Company == Contoso
• Staging policy
  • Applies to: @File.Impact = High
  • Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
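An added model (not Microsoft's implementation) of the access-check order from "How Access Check Works" and of staging, using the three Central Access Rules and two policies from the Central Access Policy slide and the current/proposed rule pair from the staging slide; the user, device and resource claim values are constructed for illustration.

```python
# Rules and policies as named on the Central Access Policy slide. Each rule is a pair of
# predicates over (user, device, resource) claim dictionaries: 'Applies To' and 'Access conditions'.
RULES = {
    'High Impact Data': (lambda u, d, r: r.get('Impact') == 'High',
                         lambda u, d, r: u.get('Clearance') == 'High' and d.get('IsManaged') is True),
    'Personal Information': (lambda u, d, r: r.get('PII') is True,
                             lambda u, d, r: 'PIIAdministrators' in u['groups'] or u['name'] == r.get('Owner')),
    'Information wall': (lambda u, d, r: 'Department' in r,                      # Exists Resource.Department
                         lambda u, d, r: u.get('Department') in r['Department']),  # User.Department any_of Resource.Department
}
POLICIES = {
    'Standard organization policy': ['High Impact Data', 'Personal Information'],
    'Finance department policy': ['High Impact Data', 'Personal Information', 'Information wall'],
}

def evaluate_cap(policy, user, device, resource):
    """A CAP grants access only if every rule whose 'Applies To' matches also allows; returns the first blocking rule."""
    for name in POLICIES[policy]:
        applies, allows = RULES[name]
        if applies(user, device, resource) and not allows(user, device, resource):
            return False, name
    return True, None

def access_check(share_ok, ntfs_ok, policy, user, device, resource):
    """Order from the 'How Access Check Works' slide: share permissions, NTFS permissions, then the CAP."""
    if not share_ok:
        return False, 'share permissions'
    if not ntfs_ok:
        return False, 'NTFS permissions'
    return evaluate_cap(policy, user, device, resource)

def staging_delta(users, device, resource, current, staged):
    """Staging: evaluate the proposed rule beside the current one and list who would change outcome."""
    return [(u['name'], current(u, device, resource), staged(u, device, resource))
            for u in users if current(u, device, resource) != staged(u, device, resource)]

# The staging slide's pair of rules for high-impact data (current vs. proposed).
def current_rule(u, d, r): return u['Company'] == 'Contoso'
def staged_rule(u, d, r): return u['Company'] == 'Contoso' and u['Clearance'] == 'High'

# Constructed sample claims mirroring the values used on the slides.
FINANCE_FOLDER = {'Impact': 'High', 'PII': True, 'Department': {'Finance'}, 'Owner': 'alice'}
MANAGED_PC = {'IsManaged': True}
ALICE = {'name': 'alice', 'Clearance': 'High', 'Department': 'Finance', 'Company': 'Contoso', 'groups': set()}
BOB = {'name': 'bob', 'Clearance': 'Med', 'Department': 'Finance', 'Company': 'Contoso', 'groups': {'PIIAdministrators'}}
CAROL = {'name': 'carol', 'Clearance': 'High', 'Department': 'HR', 'Company': 'Fabrikam', 'groups': {'PIIAdministrators'}}

if __name__ == '__main__':
    for who in (ALICE, BOB, CAROL):
        print(who['name'], access_check(True, True, 'Finance department policy', who, MANAGED_PC, FINANCE_FOLDER))
    print('staging would change:', staging_delta([ALICE, BOB, CAROL], MANAGED_PC, FINANCE_FOLDER, current_rule, staged_rule))
```

Carol passes the Standard organization policy but is stopped by the Information wall rule under the Finance department policy, which is exactly the effect of adding a rule to a CAP; the staging delta shows that only Bob (Clearance = Med) would lose access if the proposed rule replaced the current one.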
Dynamic Access Control: Behind the Scenes
Kerberos and The New Token
• Dynamic Access Control leverages Kerberos
• Windows 8 Kerberos extensions
  • Compound ID – binds a user to the device so they are authorized as one principal
• Domain Controller issues groups and claims
  • DC enumerates user claims
  • Claims delivered in the Kerberos PAC
• NT Token has sections
  • User & Device data
  • Claims and Groups!
Claims setup flow (AD Admin, Contoso DC, User, File Server)
1. AD Admin: enable the domain to issue claims; define claim types on the Contoso DC
2. User attempts to log in and receives a Kerberos ticket
3. User attempts to access a resource on the File Server
Kerberos flow in pre-Windows 2012 (pre-Windows 2012 Contoso DC and File Server)
1. Machine TGT (M-TGT) obtained from the Contoso DC
2. User TGT (U-TGT) obtained
3. TGS for the File Server (no claims)
4. File Server access check, with no claims available
Kerberos flow with User Claims
1. M-TGT and U-TGT obtained from the Contoso DC
2. TGS for the File Server (with User Claims)
3. File Server access check using the User Claims
Kerberos flow with pre-Windows 8 clients
1. Set policy to enable claims
2. Pre-Windows 8 client obtains M-TGT and U-TGT from the Contoso DC
3. TGS for the File Server (no claims)
4. File Server calls S4UToSelf() against the Contoso DC and obtains a TGS with User Claims
5. File Server access check using the User Claims
Kerberos flow with Compound Identity
1. Client obtains M-TGT and U-TGT from the Contoso DC
2. TGS request presents both M-TGT and U-TGT; the DC returns a TGS with User and Device Groups/Claims
3. File Server access check using the User and Device Groups/Claims
Across Forest boundaries
1. Publish the Cross-Forest transformation Policy
2. Client obtains M-TGT and U-TGT from the Contoso DC
3. Referral TGT from the Contoso DC to the Other Forest DC
4. TGS for the File Server (with claims) from the Other Forest DC
5. File Server access check using the claims
To the Cloud!
1. Client obtains M-TGT and U-TGT from the Contoso DC
2. TGS for ADFS
3. ADFS issues a SAML token to the user
4. Cloud App makes its access decision on the SAML token