Windows 8 Dynamic Access Control
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
Dec 21, 2014
February 2012
What you are about to learn is based on a pre-released product and may not accurately reflect the functionality of the RTM version.
With Windows 8 you can:
• Create simpler authorization models for file based resources
• Stop creating 1000s of groups to control access
• Classify files
• Control access to files based on AD attributes (claims)
• Deploy the access model
Defining the requirements
• Sales Consultants from the regional sales departments must have read/write access to their region’s sales documents
• They are not allowed to access sales documents for other regions
• Sales Managers must have access to sales documents in all regions
• Sales documents with high business impact must only be viewable by Sales Managers
• The access model must be applied across multiple file servers in the Active Directory forest
A nice to have
• High impact documents should only be accessible from client machines that are managed by the Corp Sales department
How many different designs can you come up with?
[Diagram: a Sales folder tree with UK, US, HI UK and HI US subfolders, permissioned through the resource groups Sales UK RW, Sales US RW, Sales HI UK RW and Sales HI US RW, alongside the role groups UK Sales, US Sales and Sales Managers]
How do we guarantee HI documents are placed in the correct folders?
Today’s Challenges (challenge → what it leads to)
• No way to tag files and apply authorization and auditing based on file type → creation of complex folder structures
• No way to create ACLs based on expressions → requires complex group structures → token bloat
• ACLs defined using groups → token bloat
• Device state not supported in authorization decisions → no simple solution (server isolation using IPsec?)
Windows 8 to the rescue… (challenge → resolution)
• No way to tag files and apply authorization and auditing based on file type → files can be classified (tagged) and policies applied based on the file’s classification
• No way to create ACLs based on expressions; requires complex group structures → expression based access control and auditing
• ACLs defined using groups → expressions can contain groups, users, and user and device claims
• Device state not supported in authorization decisions → access based on compound ID: user and device claims
And there’s more
• Policies can be created centrally and deployed across multiple servers
• Auditing supports policy staging: the proposed changes can be reviewed before applying them
• Automatic RMS protection of documents through classification (tagging)
• File retention policies
• Access deny remediation
Resource Classification
Step 1: Define resource properties
Step 2: Add properties to property list
Step 3: Deploy to file servers (Windows 8 Server, file server role)
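The three steps above, as an added PowerShell example that is not part of the original deck. It creates the Country and Impact resource properties that the later rules refer to, adds them to the Global Resource Property List and refreshes them on a file server. The property names, suggested values and the server name FS01 are assumptions chosen to fit the scenario.

```powershell
# Added example, not from the original slides. Run where the ActiveDirectory module
# is available (a Windows 8 Server domain controller or a workstation with RSAT).
Import-Module ActiveDirectory

# Step 1: define resource properties. Suggested values constrain what a classifier
# or a user can stamp on a file, so a typo such as "UKK" cannot create a region that
# no rule covers. Constructor arguments are (value, display name, description);
# the values are assumptions.
$uk = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('UK', 'UK', 'United Kingdom')
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
New-ADResourceProperty -DisplayName 'Country' -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $uk, $us

$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('High', 'High', 'High business impact')
$mod  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Moderate', 'Moderate', 'Moderate business impact')
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Low', 'Low', 'Low business impact')
New-ADResourceProperty -DisplayName 'Impact' -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $high, $mod, $low

# Step 2: add both properties to the list that file servers download.
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Country', 'Impact'

# Step 3: on each file server (File Server Resource Manager role service installed),
# pull the updated list from Active Directory so the properties appear on the
# Classification tab and can be used in FSRM rules. FS01 is a placeholder name.
Invoke-Command -ComputerName 'FS01' -ScriptBlock {
    Update-FsrmClassificationPropertyDefinition
}

# Check: the two properties are now known to the file server.
Invoke-Command -ComputerName 'FS01' -ScriptBlock {
    Get-FsrmClassificationPropertyDefinition | Select-Object Name, DisplayName
}
```

The check at the end matters because a rule that references a property the file server has not yet downloaded evaluates against nothing and denies access; confirming the property list before deploying the policy avoids that failure mode.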
Central Access Rules
Allow access if:
User Group Member of Value UK Sales
AND Resource Country Any of Value UK
AND Resource Impact Any of Value Mod/low
Applying access rules
Step 1: Define Central Access Rules
Step 2: Add rules to a Central Access Policy
Step 3: Deploy to file servers using group policy (Windows 8 Server, file server role)
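The rule from the Central Access Rules slide and the three steps above, as an added PowerShell example that is not from the original deck. It assumes the groups UK Sales and Sales Managers exist, that the Country and Impact resource properties have already been created, and uses the rule and policy names as placeholders.

```powershell
# Added example, not from the original slides. Assumes the 'UK Sales' and
# 'Sales Managers' groups and the Country/Impact resource properties exist.
Import-Module ActiveDirectory

$ukSalesSid  = (Get-ADGroup -Identity 'UK Sales').SID.Value
$salesMgrSid = (Get-ADGroup -Identity 'Sales Managers').SID.Value

# Resource properties get a generated internal Name. Read it back instead of
# hard-coding it: the SDDL expression must use exactly that name.
$country = Get-ADResourceProperty -Identity 'Country'
$impact  = Get-ADResourceProperty -Identity 'Impact'

# Target resources: the rule only applies to files and folders classified Country = UK.
$resourceCondition = "(@RESOURCE.$($country.Name) Any_of {`"UK`"})"

# Permissions in SDDL. XA = conditional allow ACE, 0x1301bf = Modify.
# The trustee is Authenticated Users (S-1-5-11); the condition does the filtering.
# ACE 1: administrators keep full control.
# ACE 2: UK Sales members get read/write, but only on Moderate/Low impact documents.
# ACE 3: Sales Managers get read/write regardless of impact.
$adminAce   = '(A;;FA;;;BA)'
$ukSalesAce = "(XA;;0x1301bf;;;S-1-5-11;((Member_of {SID($ukSalesSid)}) && " +
              "(@RESOURCE.$($impact.Name) Any_of {`"Moderate`",`"Low`"})))"
$managerAce = "(XA;;0x1301bf;;;S-1-5-11;(Member_of {SID($salesMgrSid)}))"
$currentAcl = 'O:SYG:SYD:AR' + $adminAce + $ukSalesAce + $managerAce

# Step 1: the rule. A file with no Impact classification matches neither Moderate nor
# Low, so UK Sales members are denied until it is classified; that is the intended
# fail-closed behaviour for unclassified documents.
New-ADCentralAccessRule -Name 'UK Sales Documents' `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# Step 2: the policy that carries the rules (a US rule would be added the same way).
New-ADCentralAccessPolicy -Name 'Sales Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Sales Documents Policy' -Members 'UK Sales Documents'

# Step 3 is done in Group Policy: Computer Configuration > Policies > Windows Settings >
# Security Settings > File System > Central Access Policy, after which the policy is
# selected on the Sales folder's Security tab on each file server.

# Check that the rule stored the expression as intended before it is deployed.
Get-ADCentralAccessRule -Identity 'UK Sales Documents' |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Because the central access policy is evaluated in addition to the folder's own NTFS ACL, the effective permission is the intersection of the two; the NTFS ACL on the share can therefore be kept simple (for example Authenticated Users: Modify) while the rule above carries the region and impact logic.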
It just got simpler!
[Diagram: a Sales folder with UK and US subfolders, and the groups UK Sales, US Sales and Sales Managers. Access is based on the Central Access Policy and on file and folder classification]
Classification Options (Windows 8 Server, file server role)
• Manual
• File Classification Infrastructure
  – In-built classifier
  – 3rd party classifier plug-in
• Application
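The in-built classifier option, as an added PowerShell example that is not from the original deck. It answers the earlier question of how high impact documents are guaranteed to be protected: instead of relying on the author saving into the right folder, an FSRM content classification rule stamps Impact = High on any document under the share containing a marker text, and the central access rule reads that classification. The share path, rule name and marker text are assumptions, and the example assumes the Impact resource property has already been published to the file server.

```powershell
# Added example, not from the original slides. Runs on the Windows 8 Server file
# server with the File Server Resource Manager role service installed.
Import-Module FileServerResourceManager

# Resource properties published from AD carry a generated Name; FSRM rules need
# that Name, so look it up by display name rather than hard-coding it.
$impactProp = Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.DisplayName -eq 'Impact' }

# In-built content classifier: any document under the Sales share whose content
# contains the (assumed) marker "HIGH BUSINESS IMPACT" is stamped Impact = High,
# whichever subfolder it was saved in. Overwrite means a later edit that adds the
# marker raises the classification; it is never lowered automatically.
New-FsrmClassificationRule -Name 'Tag high impact sales documents' `
    -Property $impactProp.Name -PropertyValue 'High' `
    -Namespace @('D:\Shares\Sales') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('HIGH BUSINESS IMPACT') `
    -ReevaluateProperty Overwrite

# Run the classification now rather than waiting for the scheduled run.
Start-FsrmClassification -Confirm:$false

# Check: the rule exists and points at the intended property and namespace.
Get-FsrmClassificationRule -Name 'Tag high impact sales documents' |
    Select-Object Name, Property, PropertyValue, Namespace
```

A document classified High by this rule is excluded by the Moderate/Low condition in the sales consultants' access rule as soon as the classification is written, regardless of the folder it sits in, which is the guarantee the folder-based design could not give.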
Adding Claims to the Kerberos Token
Pre-Windows 8:
• The user’s Kerberos token carries a PAC
• The user’s group memberships are added to the PAC
• Authorization is based on group membership
Windows 8 (Compound ID):
• The PAC contains the user’s groups and claims, plus device information: the device’s groups and claims
• Authorization is based on group membership, user claims and device claims
Enabling CBAC
Step 1: Define user and device attributes to be presented as claims (claim types)
Step 2: Enable KDC support for CBAC via group policy
Step 3: Update Central Access Policy to include claims
Step 4: Deploy CAP to file servers using group policy (Windows 8 Server, file server role)
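Steps 1 and 3 above, as an added PowerShell example that is not from the original deck. It defines user and device claim types, replaces the group-based rule with one built from claims, and uses the proposed-ACL staging feature to trial the "nice to have" device restriction before enforcing it. Step 2 is a Group Policy setting on the domain controllers and is not scripted. Assumptions: the Country and Impact resource properties and the Sales Documents Policy already exist, managers are identified by a Title claim sourced from the title attribute, and the AppliesToClasses parameter is used to make the Department claim apply to computer objects as well as users.

```powershell
# Added example, not from the original slides.
Import-Module ActiveDirectory

# Step 1: surface AD attributes as claims. Once an attribute drives authorization,
# whoever can write it (HR feeds, helpdesk delegation) effectively grants access, so
# keep the value set constrained with suggested values.
$sales     = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Sales', 'Sales', 'Regional sales')
$corpSales = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Corp Sales', 'Corp Sales', 'Corporate sales')

# Assumption: -AppliesToClasses makes the same Department claim available for users
# (@USER) and for devices (@DEVICE), read from the computer object's department attribute.
New-ADClaimType -DisplayName 'Department' -SourceAttribute department `
    -AppliesToClasses 'user', 'computer' -SuggestedValues $sales, $corpSales
New-ADClaimType -DisplayName 'Country' -SourceAttribute c
New-ADClaimType -DisplayName 'Title'   -SourceAttribute title   # assumption: identifies managers

# Claim types and resource properties have generated names; read them back for the SDDL.
$dept    = Get-ADClaimType -Identity 'Department'
$ctry    = Get-ADClaimType -Identity 'Country'
$title   = Get-ADClaimType -Identity 'Title'
$country = Get-ADResourceProperty -Identity 'Country'
$impact  = Get-ADResourceProperty -Identity 'Impact'

# Step 3: a rule with no groups. A missing claim (user with no department) makes the
# expression evaluate to unknown, which is treated as not satisfied: access is denied.
$consultant = "((@USER.$($dept.Name) == `"Sales`") && " +
              "(@RESOURCE.$($country.Name) Any_of @USER.$($ctry.Name)) && " +
              "(@RESOURCE.$($impact.Name) Any_of {`"Moderate`",`"Low`"}))"
$manager    = "(@USER.$($title.Name) == `"Sales Manager`")"
$managedDev = "(@DEVICE.$($dept.Name) == `"Corp Sales`")"
$modLow     = "(@RESOURCE.$($impact.Name) Any_of {`"Moderate`",`"Low`"})"
$highOnly   = "(@RESOURCE.$($impact.Name) Any_of {`"High`"})"

# Current ACL: what the requirements demand today.
$currentAcl  = 'O:SYG:SYD:AR(A;;FA;;;BA)' +
               "(XA;;0x1301bf;;;S-1-5-11;$consultant)" +
               "(XA;;0x1301bf;;;S-1-5-11;$manager)"

# Proposed ACL: the "nice to have". Managers still get Moderate/Low from anywhere, but
# High impact documents additionally require a Corp Sales managed device.
$proposedAcl = 'O:SYG:SYD:AR(A;;FA;;;BA)' +
               "(XA;;0x1301bf;;;S-1-5-11;$consultant)" +
               "(XA;;0x1301bf;;;S-1-5-11;($manager && $modLow))" +
               "(XA;;0x1301bf;;;S-1-5-11;($manager && $highOnly && $managedDev))"

# One rule now covers every region, because the user's Country claim is matched
# against the file's Country classification instead of one rule per region.
New-ADCentralAccessRule -Name 'Sales Documents (claims)' `
    -ResourceCondition "(@RESOURCE.$($country.Name) Any_of {`"UK`",`"US`"})" `
    -CurrentAcl $currentAcl -ProposedAcl $proposedAcl

# Swap the claims rule into the existing policy in place of the group-based rule.
Add-ADCentralAccessPolicyMember    -Identity 'Sales Documents Policy' -Members 'Sales Documents (claims)'
Remove-ADCentralAccessPolicyMember -Identity 'Sales Documents Policy' -Members 'UK Sales Documents' -Confirm:$false
```

With the file servers' advanced audit policy set to audit Central Access Policy Staging, every access where the proposed ACL would have decided differently from the current one is logged (event 4818 on the file server), so the device restriction can be reviewed against real traffic, and the proposed expression promoted to the current ACL only once the managed-device population is known to be complete.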
And Simpler!
• No groups
• We even solved the “nice to have”: high impact documents should only be accessible from client machines that are managed by the Corp Sales department
[Diagram: a Sales folder with UK and US subfolders. Access is based on the Central Access Policy, file and folder classification, and CBAC]
Summary
• Think about your current management model for user and device attributes: CBAC will map attributes to claims, making them security sensitive
• Classification allows you to target policies for authorization, encryption and retention
• Access Rules allow you to create rich authorization and auditing policies
• Access Rules allow you to simplify folder and group structures
• CBAC allows you to base authorization and auditing on user and device claims
TechEd 2012
• I will be speaking at TechEd 2012
• Precon: Building Federated External Access for Microsoft SharePoint 2010
• Other breakouts
Consulting Services on Request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
John Craddock, Infrastructure and Security Architect, XTSeminars Ltd
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.