Post on 04-Jan-2016


Dynamic Access Control: Deep Dive & Extensibility

Dave McPherson, Sr. Program Manager (Session 3-052)

Session objectives

• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes:
  • Classification
  • Central access policies
  • Staging
  • Authentication and authorization flows
  • Token bloat
• Extensibility

Dynamic Access Control: In a nutshell

Data classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Dynamic Access Control Building Blocks

User and Device Claims / Expression-Based ACEs
• User and computer attributes can be used in ACEs
• ACEs with conditions, including logical and relational operators

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to self-remedy or request access
• Provide detailed troubleshooting info to admins

Expression-based access policy (diagram: AD DS issues the user and device claims; the file server holds the resource properties and evaluates the policy)

User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High

Conditional access policy:
  Applies to: Resource.Impact = High
  Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)

User and Device Claims

Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device

Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

Expression-Based ACEs

Pre-2012: 'OR' of groups only
• Led to group bloat
• Consider an org with 500 projects, 100 countries, 10 divisions
• 500,000 total groups to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc.]

Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups (500 + 100 + 10) instead of 500,000

Windows Server 2012: with Central Access Policies & Classification
• 3 user claims + 3 resource properties

Conditional Expression Operators

Logical: AND, OR, NOT, Exists (on resource properties). See MS-DTYP for the processing rules.
Relational: =, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, and their Not_* negations (e.g. Not_Member_of).

Conditional Expressions in Windows
• An extension of the CALLBACK_ACE_TYPE, which allows custom ACE behavior and was previously only available through the Authz API
• The expression goes into the ApplicationData section of the ACE, prefixed by a 4-byte signature

SDDL
A normal ACE:      (A;CIOI;GA;;;AU)
A conditional ACE: (XA;CIOI;GA;;;AU;((@User.smartcard == 1 || @Device.managed == 1) && @Resource.dept Any_of {"Sales","HR"}))
(XA is the conditional allow ACE type; the condition follows the trustee after a sixth semicolon and is wrapped in its own parentheses.)
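The operator set and the conditional ACE above, modeled in Python as an added example (this is not code from the session, from Windows or from MS-DTYP): a small recursive-descent evaluator for the textual condition of a conditional ACE. It follows the MS-DTYP processing rules that matter for access decisions: a comparison against a claim or resource property that is absent from the token or file evaluates to UNKNOWN rather than FALSE, UNKNOWN propagates through AND/OR/NOT unless a FALSE (for AND) or TRUE (for OR) decides the result, and only a TRUE condition lets the ACE's grant apply. The sample contexts, the "Legal" department value and the SID(...) tokens are constructed; treating a type mismatch as UNKNOWN is this model's choice, not something the slide states.

```python
"""Model of how a conditional ACE's expression is evaluated (MS-DTYP rules). Added
example for this page, not code from the session, Windows or MS-DTYP. Results are
three-valued: an absent claim or property yields UNKNOWN, and only TRUE applies the ACE."""
import operator
import re

TRUE, FALSE, UNKNOWN = True, False, None  # FALSE dominates AND, TRUE dominates OR, else UNKNOWN
TOKEN_RE = re.compile(r'\s*(?:(&&|\|\||==|!=|<=|>=|[<>!(){},]|"[^"]*"|SID\([^)]*\)'
                      r'|@\w+\.\w+|[A-Za-z_]\w*|\d+)|(\S))')
MEMBER_OPS = {p + s for p in ("", "Not_") for s in
              ("Member_of", "Member_of_Any", "Device_Member_of", "Device_Member_of_Any")}
SCALAR_OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
              ">": operator.gt, "<=": operator.le, ">=": operator.ge}
and3 = lambda a, b: FALSE if FALSE in (a, b) else (UNKNOWN if UNKNOWN in (a, b) else TRUE)
or3 = lambda a, b: TRUE if TRUE in (a, b) else (UNKNOWN if UNKNOWN in (a, b) else FALSE)
not3 = lambda a: UNKNOWN if a is UNKNOWN else not a
literal = lambda t: t[1:-1] if t.startswith('"') else (int(t) if t.isdigit() else t)  # SID(..) stays text
as_set = lambda v: frozenset(v) if isinstance(v, (list, tuple, set, frozenset)) else frozenset([v])


def tokenize(text):
    matches = list(TOKEN_RE.finditer(text))
    if any(m.group(2) for m in matches):
        raise ValueError("unexpected character in condition")
    return [m.group(1) for m in matches]


def lookup(ctx, ref):  # @User.x / @Device.x / @Resource.x; claim names are case-insensitive
    section, name = ref[1:].split(".", 1)
    return next((v for k, v in ctx.get(section, {}).items() if k.lower() == name.lower()), None)


def evaluate(text, ctx):
    """Recursive-descent evaluation of a condition; returns TRUE, FALSE or UNKNOWN."""
    toks, pos = tokenize(text) + [None], [0]          # None marks the end of input
    def take(expected=None):
        tok = toks[pos[0]]
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos[0] += 1
        return tok
    def operand():                                    # literal, {set}, or another attribute
        tok = take()
        if tok != "{":
            return lookup(ctx, tok) if tok.startswith("@") else literal(tok)
        values = []
        while (tok := take()) != "}":
            if tok != ",":
                values.append(literal(tok))
        return frozenset(values)
    def unary():
        tok = toks[pos[0]]
        if tok == "!":
            take()
            return not3(unary())
        if tok == "(":
            take()
            result = binary("||")
            take(")")
            return result
        if tok == "Exists":                           # existence tests are never UNKNOWN
            take()
            return lookup(ctx, take()) is not None
        if tok in MEMBER_OPS:                         # group SIDs come from the user/device token
            take()
            held = ctx.get("DeviceGroups" if "Device_" in tok else "UserGroups", set())
            hit = (any if tok.endswith("_Any") else all)(s in held for s in operand())
            return not hit if tok.startswith("Not_") else hit
        ref, op = take(), take()                      # relational: @Section.name OP operand
        lhs, rhs = lookup(ctx, ref), operand()
        if lhs is None or rhs is None:
            return UNKNOWN                            # absent claim or property: UNKNOWN, not FALSE
        if op.endswith("Any_of"):                     # any LHS value is in the RHS set
            hit = bool(as_set(lhs) & as_set(rhs))
        elif op.endswith("Contains"):                 # every RHS value is present in LHS
            hit = as_set(rhs) <= as_set(lhs)
        else:
            try:
                return SCALAR_OPS[op](lhs, rhs)
            except TypeError:                         # this model treats a type mismatch as UNKNOWN
                return UNKNOWN
        return not hit if op.startswith("Not_") else hit
    def binary(op):                                   # '||' binds looser than '&&'
        inner = (lambda: binary("&&")) if op == "||" else unary
        result = inner()
        while toks[pos[0]] == op:
            take()
            result = (or3 if op == "||" else and3)(result, inner())
        return result
    result = binary("||")
    if toks[pos[0]] is not None:
        raise ValueError(f"trailing tokens {toks[pos[0]:-1]}")
    return result


# Constructed sample contexts (not from the session); the condition is the slide's.
SLIDE_CONDITION = '(@User.smartcard == 1 || @Device.managed == 1) && @Resource.dept Any_of {"Sales","HR"}'
MANAGED_DEVICE = {"User": {"smartcard": 0}, "Device": {"managed": 1}, "Resource": {"dept": ["HR", "Legal"]}}
NO_DEVICE_CLAIMS = {"User": {"smartcard": 0}, "Device": {}, "Resource": {"dept": ["HR"]}}
```

`evaluate(SLIDE_CONDITION, MANAGED_DEVICE)` is TRUE, so the ACE applies; `evaluate(SLIDE_CONDITION, NO_DEVICE_CLAIMS)` is UNKNOWN because the `@Device.managed` claim is absent (as it is for a client that does not send device claims), and an UNKNOWN condition means the ACE is skipped, not that it denies. The practical point is that a policy written as "allow if Device.managed == 1" fails closed for clients without device claims, while one written as "allow if !(Device.managed == 0)" does too, because NOT UNKNOWN is still UNKNOWN.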

Access Control Policy Extensibility
• Security Descriptor Definition Language (SDDL): CBAC ACEs are managed as SDDL strings and are added to / removed from SDDL strings via standard string manipulation
• Authz API functions: AddConditionalAce, AddResourceAttributeAce
• Managing claims in AD: PowerShell / LDAP
• Managing Central Access Policies: PowerShell / LDAP

File Classification Infrastructure (Dynamic Access Control)

• FCI was released in Windows Server 2008 R2
• Files were classified based on rules run at specified schedules
• Not continuous
• Not for access control
• No UI for manual classification

File Classification Infrastructure flow (diagram): resource property definitions come from Active Directory; FCI sees a modified or created file; the in-box content classifier or a 3rd-party classification plugin (the extensibility point) classifies it; the classification is saved on the file, for security, so it can be used in access decisions; a File Management Task then matches the file to policy and applies the policy, e.g. RMS encryption.

Central Access Policies (Dynamic Access Control)

1. Define Central Access Rules (CARs) in Active Directory
2. Define Central Access Policies (CAPs) from those rules
3. Apply CAPs on file servers

Example rules:
High Impact Data rule
  Applies To: Resource.Impact == High
  Access conditions: User.Clearance = High AND Device.IsManaged = True
Personal Information rule
  Applies To: Resource.PII == True
  Access conditions: Allow MemberOf(PIIAdministrators, Owner)
"Information wall" rule
  Applies To: Exists Resource.Department
  Access conditions: User.Department any_of Resource.Department

Example policies:
Standard organization policy: High Impact rule, Personal Information rule
Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule
(Diagram: the policies are applied to the Finance folders and User folders on the corporate file servers.)

File access without a Central Access Policy: Share Permissions → NTFS Permissions → Access Control Decision

File access with a Central Access Policy: Share Permissions → NTFS Permissions → Central Access Policy → Access Control Decision

How Access Check Works
• The file/folder security descriptor carries the NTFS permissions and a Central Access Policy reference
• The share security descriptor carries the share permissions
• The Central Access Policy definition and its Central Access Rules come from Active Directory and are cached in the local registry

Access Control Decision:
1) Access check against share permissions, if applicable
2) Access check against file permissions
3) Access check against every matching Central Access Rule in the Central Access Policy

Staging Policies (Dynamic Access Control)

What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating a production environment for test purposes is difficult and expensive

Staging policy example
User claims (Active Directory): Clearance = High | Med | Low; Company = Contoso | Fabrikam
Resource properties (file server): Department = Finance | HR | Engg; Impact = High | Med | Low

Current Central Access Policy for high impact data:
  Applies to: @File.Impact = High
  Allow | Full Control | if @User.Company == Contoso
Staging policy:
  Applies to: @File.Impact = High
  Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)

Sample staging event (4818): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
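The access-check order described under "How Access Check Works" (share permissions, then NTFS permissions, then every matching Central Access Rule) and the staging comparison behind event 4818, modeled in Python as one added example that is not code from the session or from Windows. Conditions are plain predicates rather than SDDL, the DACL walk uses MAXIMUM_ALLOWED semantics (a right denied by an earlier ACE cannot be granted by a later one), and a CAP with no matching rule does not restrict access. The SIDs, the share and NTFS DACLs and the rule name "HBI Rule" are constructed; only the shape of the current and staged rule (Company == Contoso, then additionally Clearance == High) comes from the slide.

```python
"""Model of the Windows Server 2012 file access check with a Central Access
Policy (CAP) and of the staging check behind event 4818. Added example for this
page, not code from the session or from Windows. Rights are bit flags, ACEs are
(kind, trustee_sid, mask, condition) tuples, and conditions are plain Python
predicates over (user, device, resource); a predicate that is not satisfied (for
instance because a claim is absent) simply leaves the ACE out, as an UNKNOWN
condition would in Windows."""

READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE
RIGHT_NAMES = {READ: "Read", WRITE: "Write", DELETE: "Delete"}


def max_allowed(aces, user, device, resource):
    """MAXIMUM_ALLOWED walk of a DACL in order: a right denied by an earlier ACE
    cannot be granted by a later one, and a right granted earlier is not taken
    back by a later deny."""
    granted = denied = 0
    for kind, trustee, mask, condition in aces:
        if trustee not in user["sids"]:
            continue
        if condition is not None and not condition(user, device, resource):
            continue                       # conditional ACE not TRUE: skipped
        if kind == "deny":
            denied |= mask & ~granted
        else:
            granted |= mask & ~denied
    return granted


def cap_allowed(cap, user, device, resource, proposed=False):
    """Every CAR whose 'applies to' matches the resource must grant a right;
    a CAP with no matching rule does not restrict access."""
    rights = FULL_CONTROL
    for rule in cap:
        if not rule["applies_to"](resource):
            continue
        aces = rule["proposed"] if proposed and "proposed" in rule else rule["current"]
        rights &= max_allowed(aces, user, device, resource)
    return rights


def access_check(share_dacl, ntfs_dacl, cap, user, device, resource, proposed=False):
    """Order from the session: share permissions (if the access came through a
    share), then NTFS permissions, then every matching CAR. Each stage can only
    remove rights, so the result is the intersection."""
    rights = FULL_CONTROL
    if share_dacl is not None:
        rights &= max_allowed(share_dacl, user, device, resource)
    rights &= max_allowed(ntfs_dacl, user, device, resource)
    if cap is not None:
        rights &= cap_allowed(cap, user, device, resource, proposed)
    return rights


def staging_report(share_dacl, ntfs_dacl, cap, user, device, resource):
    """Model of the staging check: evaluate the proposed CAP beside the current
    one and report each right on which they disagree. Returns None when the
    proposed policy gives the same result (no event would be logged)."""
    current = access_check(share_dacl, ntfs_dacl, cap, user, device, resource)
    staged = access_check(share_dacl, ntfs_dacl, cap, user, device, resource, proposed=True)
    if current == staged:
        return None

    def label(rights, bit):
        return "Granted" if rights & bit else "NOT Granted"

    return {"subject": user["name"], "object": resource["path"],
            "differences": {name: (label(current, bit), label(staged, bit))
                            for bit, name in RIGHT_NAMES.items()
                            if (current ^ staged) & bit}}


# ---- constructed sample, modeled on the session's staging slide ----
EVERYONE, BUILTIN_ADMINS = "S-1-1-0", "S-1-5-32-544"        # well-known SIDs
ALICE = {"name": "CONTOSODOM\\alice",
         "sids": {"S-1-5-21-1-2-3-1001", EVERYONE},          # constructed user SID
         "claims": {"Company": "Contoso", "Clearance": "Med"}}
ALICE_PC = {"claims": {"Managed": True}}
REPORT = {"path": "C:\\FileShare\\Finance\\FinanceReports\\FinanceReport.xls",
          "properties": {"Impact": "High", "Department": "Finance"}}

SHARE_DACL = [("allow", EVERYONE, FULL_CONTROL, None)]
NTFS_DACL = [("allow", EVERYONE, READ | WRITE, None),
             ("allow", BUILTIN_ADMINS, FULL_CONTROL, None)]
HBI_RULE = {
    "name": "HBI Rule",
    "applies_to": lambda r: r["properties"].get("Impact") == "High",
    # current CAR: Allow | Full Control | if @User.Company == Contoso
    "current": [("allow", EVERYONE, FULL_CONTROL,
                 lambda u, d, r: u["claims"].get("Company") == "Contoso")],
    # staged CAR: ... AND @User.Clearance == High
    "proposed": [("allow", EVERYONE, FULL_CONTROL,
                  lambda u, d, r: u["claims"].get("Company") == "Contoso"
                  and u["claims"].get("Clearance") == "High")],
}
FINANCE_CAP = [HBI_RULE]
```

With this data `access_check(SHARE_DACL, NTFS_DACL, FINANCE_CAP, ALICE, ALICE_PC, REPORT)` returns Read and Write (the CAP grants Full Control but NTFS only grants Read|Write, and the result is the intersection), while the same call with `proposed=True` returns nothing because Alice's clearance is Med; `staging_report` therefore reports Read and Write as Granted under the current policy and NOT Granted under the proposed one, which is the shape of the 4818 event above.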

Behind the Scenes (Dynamic Access Control)

Kerberos and The New Token
• Dynamic Access Control leverages Kerberos, with the Windows 8 Kerberos extensions
• Compound ID binds a user to the device so that they are authorized as one principal
• The Domain Controller issues groups and claims: the DC enumerates the user's claims and delivers them in the Kerberos PAC
• The NT token has sections for user and device data: claims and groups!

Pre-2012 token: User Account, User Groups, [other stuff]

2012 token: User Account, User Groups, User Claims, Device Groups, Device Claims, [other stuff]

Claims flow (diagram): the AD admin enables the domain to issue claims and defines claim types (claim type, display name, source, suggested values, value type). The user attempts to log in and receives a Kerberos ticket from the Contoso DC carrying Contoso\Alice, her groups and her claims (e.g. Claims: Title=SDE). When she attempts to access a resource, the same user, groups and claims end up in the NT access token built on the file server.

Kerberos flow in pre-Windows 2012 (diagram): the machine obtains its TGT (M-TGT) and the user obtains a TGT (U-TGT) from the pre-Windows 2012 Contoso DC; the TGS ticket for the pre-Windows 2012 file server carries groups but no claims.

Kerberos flow with user claims (diagram): with a Windows Server 2012 Contoso DC, the TGS ticket the user presents to the file server carries the user's claims.

Kerberos flow with pre-Windows 8 clients (diagram): policy is set on the DC to enable claims. The pre-Windows 8 client still presents a TGS ticket without claims to the file server; the Windows Server 2012 file server then calls S4UToSelf() against the Contoso DC to obtain a TGS ticket with the user's claims.

Kerberos flow with compound identity (diagram): using the M-TGT and U-TGT, the Contoso DC issues a TGS ticket for the file server that carries both user and device groups/claims.

Across forest boundaries (diagram): the DC in the other forest publishes a cross-forest claims transformation policy. The user's Contoso DC issues a referral TGT for the other forest, and the other forest's DC then issues the TGS ticket with claims (transformed according to that policy) for the file server.

To the Cloud! (diagram): the user obtains a TGS ticket for ADFS from the Contoso DC; ADFS issues a SAML token carrying the claims, which the user presents to the cloud app.

Token/Ticket Bloat

Understanding the problem
• Token bloat: the amount of authorization data in the NT token
• Ticket bloat: the amount of authorization data sent over the wire

Token bloat: how does it manifest? Too many SIDs in the token (upper bound of 1024).

Ticket bloat: how does it manifest? Authorization data is sent over the network; over time, old group memberships linger and the authorization data adds up. You might see failures in one type of application, which usually indicates the limits for that wire transport have been reached.

Impact of claims
• Ticket bloat: claims are authorization data carried over the wire, so initially some increase in ticket sizes is expected.
• Windows 8 improvements:
  • The DC compresses claims before sending them over the wire
  • The DC compresses certain types of SIDs that weren't compressed before (resource domain SIDs)
  • MaxTokenSize default increased to 48k
  • New audit events: the DC starts logging events when ticket sizes exceed a specified value

Impact of Claims – Real Numbers

First claim: 1 Boolean claim adds 242 bytes.

User claims set: 5 claims (1 Boolean; 1 integer; 2 single-valued strings, avg. 12 chars/value; 1 multi-valued string, avg. 12 chars/value and avg. 6 values) add 970 bytes.

Compound-ID claims sets: the same 5 user claims plus 2 device claims (1 Boolean; 1 single-valued string, avg. 12 chars/value) add 1374 bytes of claims data, plus the computer groups' authorization data.

Worst-case analysis (assumes no compression): gives us confidence that claims and compound ID should not result in huge spikes in ticket sizes in most environments.

Bytes before compression:
  120 user overhead
  120 device overhead
  114 per int/bool claim
  8 per int/bool value
  138 per string claim
  2 per string character
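The per-item byte costs above, carried through as an added example (not code from the session) so the three slide figures can be reproduced for a claim set of your own. The constants are the slide's; the claim sets are the slide's three scenarios; the `headroom` helper, its default of 48,000 bytes for MaxTokenSize and the reading of "2 per string character" as UTF-16 are this example's assumptions.

```python
"""Worst-case (uncompressed) estimate of the claims data a DC adds to a Kerberos
ticket, using the per-item byte costs from the session. Added example, not code
from the session; the constants are the slide's figures (2 bytes per string
character is consistent with UTF-16, an interpretation rather than the slide's
words) and the three claim sets are the slide's scenarios."""

USER_OVERHEAD = 120       # once per user claims set
DEVICE_OVERHEAD = 120     # once per device claims set (compound identity only)
INT_OR_BOOL_CLAIM = 114   # per integer or boolean claim
INT_OR_BOOL_VALUE = 8     # per value of an integer or boolean claim
STRING_CLAIM = 138        # per string claim
STRING_CHAR = 2           # per character of each string value


def claim_bytes(kind, values=1, avg_len=0):
    """Uncompressed bytes for one claim of `kind` ("bool", "int" or "string")
    with `values` values; avg_len is the average string length in characters."""
    if kind in ("bool", "int"):
        return INT_OR_BOOL_CLAIM + INT_OR_BOOL_VALUE * values
    if kind == "string":
        return STRING_CLAIM + STRING_CHAR * avg_len * values
    raise ValueError(f"unknown claim kind {kind!r}")


def claims_set_bytes(claims, overhead):
    """One claims set: its fixed overhead plus every claim in it."""
    return overhead + sum(claim_bytes(*claim) for claim in claims)


def ticket_claims_bytes(user_claims, device_claims=None):
    """Bytes added to the TGS ticket before compression. Device claims are only
    carried with compound identity (Windows 8 client, Windows Server 2012 DC)."""
    total = claims_set_bytes(user_claims, USER_OVERHEAD)
    if device_claims is not None:
        total += claims_set_bytes(device_claims, DEVICE_OVERHEAD)
    return total


def headroom(current_ticket_bytes, user_claims, device_claims=None, max_token_size=48000):
    """Rough planning figure: bytes left under MaxTokenSize (default 48k since
    Windows 8) once the claims are added; negative means the worst case exceeds it.
    The assumption that MaxTokenSize bounds ticket plus claims is this example's."""
    return max_token_size - current_ticket_bytes - ticket_claims_bytes(user_claims, device_claims)


# The session's three scenarios as (kind, values, avg_len) tuples.
FIRST_CLAIM = [("bool",)]                                  # 242 bytes
USER_SET = [("bool",), ("int",), ("string", 1, 12),        # 970 bytes
            ("string", 1, 12), ("string", 6, 12)]
DEVICE_SET = [("bool",), ("string", 1, 12)]                # with USER_SET: 1374 bytes
```

Because the figures are pre-compression, the estimate is an upper bound: the Windows 8 DC compresses claims on the wire, so real tickets grow by less than `ticket_claims_bytes` reports.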

Incrementally add capabilities

Current infrastructure:
• Windows Server 2012 file servers: access and audit policies based on security groups and file tagging
• Windows Server 2012 DCs: centrally defined access and audit policies; user claims can be used by access and audit policies
• Windows 8 clients: add device claims to access and audit policies; better access denied experience
• Partner solutions and line-of-business applications build on all of the above. Many partner solutions!

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

In Review: Session Objectives And Takeaways
• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes: file classification, Central Access Policies & staging, authentication & authorization flows, token bloat
• Extensibility

Resources
• Dynamic Access Control Dev Extensibility: http://msdn.microsoft.com/en-us/library/windows/desktop/Hh802756(v=vs.85).aspx
• Follow us on Twitter @WindowsAzure
• Get started: www.windowsazure.com/build

Please submit session evals on the Build Windows 8 App or at http://aka.ms/BuildSessions

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
