Dynamic Access Control Overview
Matthias Wollnik, Program Manager, File Server, Microsoft Corporation
Demo: Data Classification
Location based classification
Automatic content based classification
Slide 8
Country x 50: 50 groups
Department x 20: 1000 groups
Sensitive: 2000 groups!
Slide 9
Demo: Expression based ACL (country based central access rule)
Slide 10
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Diagram: AD DS, File Server
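The rule on this slide combines user claims, device claims and resource properties into one access decision. The following is an added model of that evaluation, not code from the presentation or from Windows; the claim names and values are taken from the slide, while the function names and the handling of a missing claim are this example's own assumptions.

```python
# Added example: a small model of how the central access rule on the slide is
# evaluated. Claim/property names and values mirror the slide; the evaluation
# logic and function names are this example's own construction.
from typing import Dict, Optional, Set

Claims = Dict[str, object]

# Constructed inputs mirroring the slide
USER: Claims = {"Department": "Finance", "Clearance": "High"}
DEVICE: Claims = {"Department": "Finance", "Managed": True}
RESOURCE: Claims = {"Department": "Finance", "Impact": "High"}


def rule_applies(resource: Claims) -> bool:
    """Targeting clause of the rule: 'Applies to: @File.Impact = High'."""
    return resource.get("Impact") == "High"


def condition(user: Claims, device: Claims, resource: Claims) -> bool:
    """'if (@User.Department == @File.Department) AND (@Device.Managed == True)'.
    A missing claim or property evaluates to False (unknown never matches)."""
    same_dept = ("Department" in user and "Department" in resource
                 and user["Department"] == resource["Department"])
    managed = device.get("Managed") is True
    return same_dept and managed


def check_access(user: Claims, device: Claims, resource: Claims,
                 requested: Set[str]) -> Optional[bool]:
    """Verdict of the central access rule for the requested permissions.

    Returns None when the rule does not target this resource (only the
    share/NTFS DACL then decides), False when the condition fails or a
    permission outside Read/Write is requested, and True otherwise. In
    Windows the DACL must additionally grant the access for it to succeed.
    """
    if not rule_applies(resource):
        return None
    if not condition(user, device, resource):
        return False
    return requested <= {"Read", "Write"}
```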
Slide 11
Demo: Central Access Policy with user claims (country based central access rule)
Slide 12
Diagram: Windows Server 2012 Active Directory, Windows Server 2012 File Server, End User; Access Policy ?, Resource Property Definitions, User Claims
Slide 13
No conditional expressions
Using groups with conditional expressions
Using user claims
Slide 17
Demo: Automatic Rights Management Protection
Slide 19
DCT workflow: 1. Import; 2. Export; 3. Deploy; 4. Report
Components: DCT Database, OOB Knowledge, Management Client, Domain Controller (Active Directory), Staging File Server, Production File Servers (Windows 2008 R2, Windows 2012), Collect
Scale (#File Servers), Hybrid Environment
Slide 23
An attempt was made to access an object.
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
  Logon ID: 0x3e7
Object:
  Object Server: Security
  Object Type: File
  Handle ID: 0x8e4
  Resource Attributes: S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))
  Object Name: C:\Finance Document Share\FinancialStatements\MarchEmployeeStmt.xls
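The Resource Attributes field in this event records, in SDDL resource-attribute ACE syntax, the classification properties the file carried when access was attempted. The following is an added parser for that field, not code from the presentation; the regular expression and the assumption that each ACE carries a single string-typed (TS) value list are this example's own.

```python
# Added example: parse the "Resource Attributes" field of the audit event above
# into {attribute name: [values]}. Each entry is an SDDL resource-attribute ACE
# of the form (RA;flags;;;;sid;("Name",Type,attr_flags,"Value"[,"Value"...])),
# where TS marks a string-typed attribute. Regex and helpers are this example's own.
import re
from typing import Dict, List

# Constructed from the slide's event text
RESOURCE_ATTRIBUTES = (
    'S:AI(RA;;;;;WD;("Personally Identifiable Information",TS,0x0,"High"))'
    '(RA;;;;;WD;("Department_23AFE",TS,0x0,"Finance"))'
)

RA_ACE = re.compile(
    r'\(RA;[^;]*;[^;]*;[^;]*;[^;]*;(?P<sid>[^;]+);'
    r'\("(?P<name>[^"]+)",(?P<type>[A-Z]{2}),(?P<flags>0x[0-9a-fA-F]+),'
    r'(?P<values>[^)]*)\)\)'
)


def parse_values(raw: str) -> List[str]:
    """Split the comma-separated value list, stripping quotes from string values."""
    return [v.strip().strip('"') for v in raw.split(",") if v.strip()]


def parse_resource_attributes(sacl: str) -> Dict[str, List[str]]:
    """Return every RA ACE in the SACL string as {name: [values]}.

    Unparseable or non-RA entries are skipped rather than raising, so the
    function is safe to run over arbitrary event text during log review.
    """
    out: Dict[str, List[str]] = {}
    for m in RA_ACE.finditer(sacl):
        out[m.group("name")] = parse_values(m.group("values"))
    return out
```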
Slide 24
Demo: Expression Based Auditing
Slide 25
Event collected to central repository for analysis and reporting
Diagram: Windows Server 2012 Active Directory, Windows Server 2012 File Server, End User; Access Policy ?, Resource Property Definitions, User Claims
Slide 27
DAC Partners
Slide 29
Department x 50, Country x 20, Sensitive
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
StealthAUDIT for Windows Server 2012 Dynamic Access Control
http://www.stealthbits.com/
Slide 30
Discover your environment: Identify where groups are being used and who owns them; Impact Analysis & Group Reduction
Design new security model: Conditional Permissions; Central Access Policies & Claims
Implement: Clean Up, Consolidate & Secure; Apply, Lock Down & Maintain
Data Loss Prevention
CA DataMinder: http://www.ca.com/us/data-security-solutions.aspx
dg classification: http://www.dynamicaccesscontrol.com
Websense: http://www.websense.com/content/data-security-overview.aspx
Slide 34
Data Loss Prevention, Dynamic Access Control, Dynamic Content Classification and Control
1: Create; 2: Analyze; 3: Classify; 4: Tag; 5: Enforce
Slide 35
CA Technologies Content-Aware Identity & Access Management
Control identity, control access and control information
CA DataMinder discovers, classifies and controls information
Controls Collaboration & File Sharing Environments: SharePoint 2010 (March 2012), Windows Server 2012 Dynamic Access Control (July 2012)
Delivers precise & fine-grained access control
Copyright 2012 CA. All rights reserved. No unauthorized copying or distribution permitted.
Slide 36
Supercharge DAC with automated file classification
Enables accurate automated file classification enterprise-wide with both attribute-based and content-based classification
Deeply integrated with Windows Server 2012
dg classification can also be used to fuel powerful Governance, Compliance and Archiving solutions
For more information visit us at Booth 230 (Orlando) / PP17 (Amsterdam) or at www.dynamic-access-control.com
A leader in automatic file classification
Slide 37
GigaTrust Dynamic Policy Enforcer: http://www.gigatrust.com
Slide 38
Diagram: FCI (Classify, Protect); Dynamic Policy Protector (Windows 8 Server); Dynamic Policy Module (Desktop); AD Admin Center (Access Policies, Claims, Properties); Dynamic Access Control; Use License; AD RMS (Windows 8 Server)
Legend: User Claims, Resource Properties, Access Policy, GigaTrust Product Component
GigaTrust Contact: [email protected]
Slide 39
NextLabs Control Center for Windows Server 2012 Dynamic Access Control: http://www.nextlabs.com/html/?q=microsoft_solutions
Titus Metadata Security for SharePoint: http://www.titus.com/
Axiomatics Policy Server: http://www.axiomatics.com/dynamic-access-sddl-xacml-windows-server-2012
Slide 41
Diagram: Windows Server 2012 Active Directory, Windows Server 2012 File Server, End User, Microsoft SharePoint 2010; Access Policy ? ?
Slide 42
Actors: Policy Author, File Server, Active Directory, User
1. Author policy & export to AD
2. Convert XACML to SDDL & import
3. Push out imported rules based on group policy
4. Access files
5. Check access based on rules previously defined in APS
Axiomatics Policy Server (APS)
Enterprise-wide visibility into server and application health
Slide 49
In Summary...
Slide 50
Reduce group complexity
Slide 51
Simplify access control
Slide 52
Implement effective access control
Slide 53
SIA 207: Windows Server 2012 Dynamic Access Control Overview
SIA 341: Windows Server 2012 Dynamic Access Control Deep Dive for Active Directory and Central Authorization Policies
SIA 316: Windows Server 2012 Dynamic Access Control Best Practices and Case Study Deployments in Microsoft IT
SIA21-HOL: Using Dynamic Access Control to Automatically and Centrally Secure Data in Windows Server 2012
SIA02-TLC: Windows Server 2012 Active Directory and Dynamic Access Control
Find Me Later: At the Windows Server booth
Slide 54
Connect. Share. Discuss. http://europe.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Slide 55
Evaluations: http://europe.msteched.com/sessions
Submit your evals online