What is new in security in Windows 2012, or Dynamic Access Control
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7
[email protected] | www.sevecek.com
Dec 31, 2015
Revolution? Evolution.

Evolution
• Access Control Lists (ACEs)
  – and NTFS
• File Server Resource Manager (FSRM)
  – and simple file classification
• Active Directory (AD) integrated classification
  – and NTFS rules with term conditions
• Automatic file classification with FSRM
• Kerberos Claims
  – and user attributes
• Kerberos Compound ID
  – and computer attributes
• Central AD defined NTFS access rules
  – and their enforcement with FSRM
Evolution

Feature                            | Server            | Client                   | Schema 2012 / DFL / FFL
And logic ACL                      | Windows 2012      | -                        | -
FSRM automatic classification      | Windows 2012 FSRM | -                        | -
AD integrated classification terms | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
AD integrated NTFS access rules    | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
User claims                        | Windows 2012      | -                        | one Windows 2012 DC
Computer claims                    | Windows 2012      | Windows 8 / Windows 2012 | local Windows 2012 DC
Claims, Terms, Classifications, Metadata
• They are just the same thing
Access Control Lists
Until Windows 2012
• Sorted in order
  – DENY is not always stronger
• Has OR logic
  – shadow groups
  – combined "AND" groups
Group Limits
• Access Token
  – 1024 SIDs
• Kerberos ticket
  – 12 kB by default
  – global group = 8 B
  – domain local group / foreign universal groups = 40 B
• 260 max
Classic flow of access control (diagram)
Elements in the diagram: Windows Firewall (TCP 445), Authentication (Kerberos / NTLM), Allowed to Authenticate?, Access this Computer from Network, Allow Logon Locally, Access Token / UAC Restricted Access Token, Sharing Permissions, Path, Owner, NTFS Permissions, Folder Quotas, Volume Quotas, Disk.
New in Windows 2012
• AND logic possible
• Extendable with claims
  – FSRM file claims
  – user claims
  – device (computer) claims
• Requires domain membership
  – Windows 8, Windows 2012
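An added example (not from the slides) of the AND logic described above: a single conditional ACE that grants Modify only when a group membership, a user claim and a device claim all hold, applied with Set-Acl. The folder path, the group SID and the two claim type IDs (ad://ext/Department, ad://ext/Managed) are placeholders; the claims must already be issued by a Windows 2012 KDC for the condition to evaluate true.

```powershell
# Added example, not from the slides: one conditional ACE combining a group
# membership, a user claim and a device claim with AND logic.
# Placeholders: folder path, group SID, claim type IDs.
$folder   = 'D:\Projects\Finance'
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Conditional ACE in SDDL: type XA (callback allow), inherit to files and
# subfolders (OICI), rights 0x1301bf (Modify), trustee Authenticated Users (AU),
# followed by the condition. Every clause must hold (&&), which classic
# group-only ACEs could not express without shadow "AND" groups.
$condition = '(Member_of {SID(' + $groupSid + ')}) && ' +
             '(@USER.ad://ext/Department == "Finance") && ' +
             '(@DEVICE.ad://ext/Managed == "Yes")'
$dacl = 'D:(A;OICI;FA;;;BA)(XA;OICI;0x1301bf;;;AU;' + $condition + ')'

# Replace only the DACL section of the folder's security descriptor.
$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($dacl, 'Access')
Set-Acl -Path $folder -AclObject $acl

# Read back in SDDL form: the .Access view of Get-Acl does not show the
# condition, the SDDL string does.
(Get-Acl -Path $folder).Sddl
```

A user who is in the group but logs on from a device without the Managed claim gets no access from this ACE, which is the device-claim case the slides list.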
New flow of access control (diagram)
Elements in the diagram: Windows Firewall (TCP 445), Authentication (Kerberos / NTLM), Allowed to Authenticate?, Access this Computer from Network, Allow Logon Locally, Access Token / UAC Restricted Access Token, Sharing Permissions, Path, Owner, NTFS Permissions with Condition ACEs, Folder Quotas, Volume Quotas, Disk.
File Classification
File Server Resource Manager (FSRM)
• Manual File Classification
• Automatic File Classification
  – file name wildcard
  – folder path
  – words and/or regular expressions
  – PowerShell code
• Locally vs. AD defined terms
• Adds file metadata
  – alternate NTFS data streams
File claims and ACL
• File claims can be used in the new ACE conditions
  – only AD based file terms
AD defined file claims
• Requires Windows 2012 schema extension
• Requires Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – some editor like ADSI Edit or Windows 2012 ADAC
• Must be uploaded to FSRM servers manually
Kerberos Claims
Kerberos ticket until Windows 2012 KDC
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
Good old Kerberos (diagram)
Participants: Client XP, DC 2003, Server. The client obtains a TGT from the DC and then a TGS ticket for the server; both tickets carry only SIDs.
What is new in Kerberos tickets with Windows 2012 KDC
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets
Requirements
• At least single Windows 2012 DC (KDC)• Tickets are extendable• If client does not understand the extension, it simple
ignores its contents• If server requires user claims and they are not
present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)
Good old Kerberos supports claims as well (diagram)
Participants: Client XP, DC 2003, Server 2012, DC 2012. The client obtains its TGT and TGS ticket (SIDs only) from DC 2003; Server 2012 then asks DC 2012 directly for the user's claims.
Brand new Kerberos with Windows 2012 KDC (diagram)
Participants: Client XP, DC 2012, Server 2012. DC 2012 issues the TGT with SIDs and user claims; the TGS ticket carries the SIDs and user claims on to the server.
What is new in Kerberos with DFL 2012
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets
• Device claims
  – AD attributes of computers
  – Compound ID in Kerberos TGT tickets
Kerberos Compound ID with device claims (diagram)
Participants: Client 8, DC 2012, Server 2012. The client's TGT request includes the computer's TGT; DC 2012 issues the user TGT with both user claims and device claims.

Brand new Kerberos with Windows 2012 KDC (diagram)
Participants: Client 8, DC 2012, Server 2012. The TGT and the TGS ticket carry SIDs, user claims and device claims on to the server.
Requirements
• At least a local Windows 2012 DC (KDC)
  – better to have 2012 DFL for consistent behavior
• Clients Windows 8 or Windows 2012
  – must ask for TGTs with the Compound ID extension
• The server cannot just obtain device claims on its own because it does not know from what device the user came
Central Access Rules
Requirements
• Windows 2012 schema extension
• Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – some editor like ADSI Edit or Windows 2012 ADAC
• Uploaded to file servers by using Group Policy
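An added example (not from the slides) tying the Kerberos user claims section and the central access rules section together: it defines the user claim type, the secured resource property used as the file term, a central access rule with AND logic, and the central access policy that Group Policy later pushes to file servers, then checks on a client that the claim actually arrived in the token. All names, the claim ID and the values are placeholders; it assumes the ActiveDirectory module, a Windows 2012 schema, Domain Admin rights, and KDC/client claim support already enabled by Group Policy.

```powershell
# Added example, not from the slides. Placeholders: all display names,
# IDs and values. Requires the ActiveDirectory module and a 2012 schema.
Import-Module ActiveDirectory

# 1. User claim sourced from the AD 'department' attribute; a Windows 2012
#    KDC puts it into the TGT. A fixed -ID keeps the condition below readable
#    (without -ID the ID gets a random suffix).
New-ADClaimType -DisplayName 'Department' -ID 'ad://ext/Department' `
    -SourceAttribute 'department' -Enabled $true

# 2. Secured resource property: the AD defined file term that FSRM writes
#    into the file's metadata and that the rule compares against.
New-ADResourceProperty -DisplayName 'Department' -ID 'Department' `
    -IsSecured $true -ResourcePropertyValueType 'MS-DS-Text'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department'

# 3. Central access rule: scoped to files classified Department == Finance,
#    granting Modify (0x1301bf) only when the user's Department claim matches.
$currentAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)' +
              '(XA;;0x1301bf;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name 'Finance documents' `
    -ResourceCondition '(@RESOURCE.Department == "Finance")' `
    -CurrentAcl $currentAcl

# 4. Central access policy that bundles the rule. Publishing it to file
#    servers is done through Group Policy, and it is then selected on the
#    folder's Central Policy tab (not scripted here).
New-ADCentralAccessPolicy -Name 'Finance CAP'
Add-ADCentralAccessPolicyMember -Identity 'Finance CAP' -Members 'Finance documents'

# 5. Check on a Windows 8 / 2012 client after a fresh logon: the token must
#    list the Department claim, otherwise the rule cannot match.
whoami /claims
```

If whoami /claims shows no claims, the client obtained its TGT from a pre-2012 KDC or claim support is not enabled, which is the "server asks a Windows 2012 DC directly" fallback case from the Kerberos section.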
Take away

Feature                            | Server            | Client                   | Schema 2012 / DFL / FFL
And logic ACL                      | Windows 2012      | -                        | -
FSRM automatic classification      | Windows 2012 FSRM | -                        | -
AD integrated classification terms | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
AD integrated NTFS access rules    | Windows 2012 FSRM | -                        | schema 2012, FFL 2003
User claims                        | Windows 2012      | -                        | one Windows 2012 DC
Computer claims                    | Windows 2012      | Windows 8 / Windows 2012 | local Windows 2012 DC
Thank you!