1 / 58

Dynamic Access Control Deep D ive & Extensibility

Dynamic Access Control Deep D ive & Extensibility. Dave McPherson Sr. Program Manager 3-052. Session objectives. Dynamic Access Control. Quick introduction of Dynamic Access Control Understand how things work behind the scenes. Classification Central access policies Staging

starbuck
Download Presentation

Dynamic Access Control Deep D ive & Extensibility

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dynamic Access ControlDeep Dive & Extensibility Dave McPherson Sr. Program Manager 3-052

  2. Session objectives DynamicAccessControl • Quick introduction of Dynamic Access Control • Understand how things work behind the scenes Classification Central access policies Staging Authentication and authorization flows Token bloat Extensibility

  3. Dynamic Access Control: In a nutshell Encryption Expression-based access conditions Expression-based auditing Data Classification Automatic RMS encryption based on document classification. Flexible access control lists based on document classification and multiple identities (security groups). Centralized access control lists using Central Access Policies. Targeted access auditing based on document classification and user identity. Centralized deployment of audit polices using Global Audit Policies. Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.

  4. Dynamic Access Control Building Blocks • Expression-Based ACEs • User and computer attributes can be used in ACEs • User and Device Claims • ACEs with conditions, including logical and relational operators • File classifications can be used in authorization decisions • Continuous automatic classification • Automatic RMS encryption based on classification • Classification Enhancements • Central Access and Audit Policies • Central authorization/audit rules defined in AD and applied across multiple file servers • Access Denied Assistance • Allow users to self remedy or request access • Provide detailed troubleshooting info to admins

  5. Expression-based access policy File Server AD DS User claims User.Department = Finance User.Clearance = High Device claims Device.Department = Finance Device.Managed = True Resource properties Resource.Department = Finance Resource.Impact = High Conditional Access Policy Applies to: Resource.Impact = High Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True) 5

  6. User and Device Claims

  7. Expression-Based ACEs

  8. Conditional Expression Operators Logical • AND • OR • NOT • Exists (resource properties) • See MS-DTYP for processing rules Relational • =, != , <, >, <=, >=, • Member_of • Device_Member_of • Member_of_Any • Device_Member_of_Any • Any_of • Contains • NOT*

  9. Conditional Expressions in Windows • Extension of the CALLBACK_ACE_TYPE • Allows custom ACE behavior • Previously only available through AuthzAPI • Expression goes into the ApplicationData section • (prefix 4 ‘xtra’ bytes) • SDDL • A normal ACE: (A;CIOI;GA;;;AU) • A conditional ACE: • (XA;CIOI;GA;;;AU(@User.smartcard == 1 || @Device.managed == 1) && @Resource.deptAny_of {"Sales","HR"}))

  10. Access Control Policy Extensibility • Security Descriptor Definition Language (SDDL) • CBAC ACEs managed as SDDL strings • Added / removed from SDDL strings via standard string manipulation functions • AddConditionalAce • AddResourceAttributeAce • Managing Claims in AD • Powershell/ LDAP • Managing Central Access Policies • PowerShell / LDAP

  11. DynamicAccessControl • File Classification Infrastructure

  12. File Classification Infrastructure • FCI Released in WS08R2 • Classified based on rules run at specified schedules • Not continuous • Not for access control • No UI for manual classification

  13. File Classification Infrastructure

  14. File Classification Infrastructure Resource Property Definitions

  15. File Classification Infrastructure 3rd party classification plugin In-box content classifier FCI Resource Property Definitions See modified / created file Save classification

  16. File Classification Infrastructure 3rd party classification plugin In-box content classifier FCI Resource Property Definitions See modified / created file Save classification For Security

  17. File Classification Infrastructure 3rd party classification plugin In-box content classifier FCI Resource Property Definitions See modified / created file Save classification For Security Apply Policy Match file to policy File Management Task

  18. File Classification Infrastructure 3rd party classification Extensibility In-box content classifier FCI Resource Property Definitions See modified / created file Save classification For Security RMS Encrypt Match file to policy File Management Task

  19. DynamicAccessControl • Central Access Policies

  20. Central Access Policy Active Directory 3 2 1 DefineCentral Access Rules (CARs) Apply CAPs on File Servers Define Central Access Policies (CAPs) High Impact Data rule Applies To: Resource.Impact == High Access conditions: User.Clearance = High AND Device.IsManaged = True Corporate file servers Standard organization policy High Impact rule Personal Information rule Personal Information rule Applies To: Resource.PII == True Access conditions: Allow MemberOf( PIIAdministrators , Owner) Finance department policy High Impact Data rule Personal Information rule Information wall rule User folders Financefolders “Information wall” rule Applies To: Exists Resource.Department Access conditions: User.Departmentany_ofResource.Department

  21. File Access without Central Access Policy File Access Share Permissions Access Control Decision NTFS Permissions

  22. File Access with Central Access Policy File Access Share Permissions Access Control Decision NTFS Permissions Central Access Policy

  23. How Access Check Works ShareSecurity Descriptor Share Permissions Active Directory (cached in local Registry) Cached Central Access Policy Definition File/FolderSecurity Descriptor Cached Central Access Rule Central Access Policy Reference Cached Central Access Rule NTFS Permissions Cached Central Access Rule • Access Control Decision: • Access Check – Share permissions if applicable • Access Check – File permissions • Access Check – Every matching Central Access Rule in Central Access Policy

  24. DynamicAccessControl • Staging Policies

  25. What will happen when I deploy? • Changing Central Access Policies may have wide impact • Replicating production environment for test purposes is difficult and expensive Staging Policies

  26. Staging policy Active Directory File server User claims Clearance = High | Med | Low Company = Contoso | Fabrikam Resource properties Department = Finance | HR | Engg Impact = High | Med | Low Current Central Access policy for high impact data Applies to: @File.Impact = High Allow | Full Control | if @User.Company ==Contoso Staging policy Applies to: @File.Impact = High Allow | Full Control | if (@User.Company ==Contoso) AND (@User.Clearance ==High)

  27. Sample staging event (4818)

  28. DynamicAccessControl • Behind the Scenes

  29. Kerberos and The New Token • Dynamic Access Control leverages Kerberos • Windows 8 Kerberos extensions • Compound ID – binds a user to the device to be authorized as one principal • Domain Controller issues groups and claims • DC enumerates user claims • Claims delivered in Kerberos PAC • NT Token has sections • User & Device data • Claims and Groups!

  30. Ad Admin Enable Domain to issue claims Contoso DC Defines claim types User attempts to login Receives a Kerberos ticket File Server User Attempt to access resource

  31. Kerberos flow in Pre-Windows 2012 Contoso DC Pre-Windows 2012 M-TGT Pre-Windows 2012 File Server User

  32. Kerberos flow in Pre-Windows 2012 Contoso DC Pre-Windows 2012 U-TGT Pre-Windows 2012 File Server User M-TGT

  33. Kerberos flow in Pre-Windows 2012 Contoso DC Pre-Windows 2012 TGS (no claims) Pre-Windows 2012 File Server User M-TGT U-TGT

  34. Kerberos flow in Pre-Windows 2012 Contoso DC Pre-Windows 2012 ? Pre-Windows 2012 File Server User TGS (no claims) M-TGT U-TGT

  35. Kerberos flow with User Claims File Server TGS (with User Claims) User Contoso DC M-TGT U-TGT

  36. Kerberos flow with User Claims File Server ? User Contoso DC TGS (with User Claims) M-TGT U-TGT

  37. Kerberos flow with Pre-Windows 8 Clients File Server Set Policy to enable claims Pre-Windows 8 User Contoso DC

  38. Kerberos flow with Pre-Windows 8 Clients File Server TGS (no claims) Pre-Windows 8 User Contoso DC M-TGT U-TGT

  39. Kerberos flow with Pre-Windows 8 Clients File Server TGS (no claims) Pre-Windows 8 User Contoso DC M-TGT U-TGT

  40. Kerberos flow with Pre-Windows 8 Clients File Server ? S4UToSelf() TGS (with User Claims) TGS (no claims) Pre-Windows 8 User Contoso DC M-TGT U-TGT

  41. Kerberos flow with Compound Identity File Server TGS (User and Device Groups/Claims) User Contoso DC M-TGT U-TGT M-TGT U-TGT

  42. Kerberos flow with Compound Identity File Server ? TGS (User and Device Groups/Claims) User Contoso DC M-TGT U-TGT

  43. Across Forest boundaries File Server Other Forest DC Publish Cross-Forest transformation Policy User Contoso DC M-TGT U-TGT

  44. Across Forest boundaries File Server Other Forest DC Referral TGT User Contoso DC M-TGT U-TGT

  45. Across Forest boundaries File Server Other Forest DC Referral TGT TGS (with claims) User Contoso DC M-TGT U-TGT

  46. Across Forest boundaries File Server Other Forest DC ? TGS (with claims) User Contoso DC M-TGT U-TGT

  47. To the Cloud! Cloud App ADFS TGS User Contoso DC M-TGT U-TGT

  48. To the Cloud! Cloud App ADFS User Contoso DC M-TGT U-TGT

  49. To the Cloud! Cloud App ADFS TGS SAML User Contoso DC M-TGT U-TGT

  50. To the Cloud! Cloud App ADFS ? SAML User Contoso DC M-TGT U-TGT

More Related