Dynamic Access ControlDeep Dive & Extensibility
Dave McPhersonSr. Program Manager3-052
Quick introduction of Dynamic Access Control
Understand how things work behind the scenesDynamic
AccessControl
Session objectives
• Classification
• Central access policies
• Staging
• Authentication and authorization flows
• Token bloat
Extensibility
Dynamic Access Control: In a nutshell
Data Classification
Flexible access control lists based on document classification and multiple identities (security groups).
Centralized access control lists using Central Access Policies.
Targeted access auditing based on document classification and user identity.
Centralized deployment of audit polices using Global Audit Policies.
Automatic RMS encryption based on document classification.
Expression-based auditing
Expression-based access conditions
Encryption
Classify your documents using resource properties stored in Active Directory.
Automatically classify documents based on document content.
Dynamic Access Control Building Blocks
• User and computer attributes can be used in ACEs
• ACEs with conditions, including logical and relational operatorsUser and Device Claims
Expression-Based ACEs
• File classifications can be used in authorization decisions• Continuous automatic classification• Automatic RMS encryption based on classification
Classification Enhancements
• Central authorization/audit rules defined in AD and applied across multiple file servers
Central Access and Audit Policies
• Allow users to self remedy or request access• Provide detailed troubleshooting info to adminsAccess Denied Assistance
User claimsUser.Department = Finance
User.Clearance = High
Conditional Access Policy
Applies to: Resource.Impact = HighAllow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed
= True)
Device claimsDevice.Department = Finance
Device.Managed = True
Resource propertiesResource.Department =
FinanceResource.Impact = High
AD DS
5
Expression-based access policy
File Server
User and Device Claims
• Restricted to making policy decisions based on the user’s group memberships• Shadow groups are often created to reflect existing attributes as groups• Groups have rules around who can be members of which types of groups• No way to transform groups across AD trust boundaries• No way to control access based on characteristics of user’s device
Pre-2012: Security Principals Only
• Selected AD user/computer attributes are included in the security token• Claims can be used directly in file server permissions• Claims are consistently issued to all users in a forest• Claims can be transformed across trust boundaries• Enables newer types of policies that weren’t possible before:
• Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
Windows Server 2012: Security Principals, User Claims, Device Claims
Expression-Based ACEs
• Led to group bloat• Consider an org with 500 projects, 100 countries, 10 divisions• 500,000 total groups to represent every combination:
• ProjectZ UK Engineering Users• ProjectZ Canada Engineering Users [etc…]
Pre-2012: ’OR’ of groups only
• ACE conditions allow multiple groups with Boolean logic• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND
MemberOf(Engineering)• 610 groups instead of 500,000
Windows Server 2012: ‘AND’ in expressions
• 3 User Claims + 3 Resource properties
Windows Server 2012: with Central Access Policies & Classification
Conditional Expression Operators
Logical AND OR NOT Exists (resource
properties)
See MS-DTYP for processing rules
Relational =, != , <, >, <=, >=, Member_of Device_Member_of Member_of_Any Device_Member_of_Any Any_of Contains NOT*
Conditional Expressions in Windows
Extension of the CALLBACK_ACE_TYPE Allows custom ACE behavior Previously only available through AuthzAPI Expression goes into the ApplicationData section
(prefix 4 ‘xtra’ bytes)
SDDL A normal ACE: (A;CIOI;GA;;;AU) A conditional ACE: (XA;CIOI;GA;;;AU(@User.smartcard == 1 ||
@Device.managed == 1) && @Resource.dept Any_of {"Sales","HR"}))
Access Control Policy Extensibility
• Security Descriptor Definition Language (SDDL) CBAC ACEs managed as SDDL strings Added / removed from SDDL strings via standard string manipulation
functions AddConditionalAce AddResourceAttributeAce
• Managing Claims in AD Powershell / LDAP
• Managing Central Access Policies PowerShell / LDAP
File Classification Infrastructure
DynamicAccessControl
File Classification Infrastructure• FCI Released in WS08R2• Classified based on rules run
at specified schedules• Not continuous• Not for access control• No UI for manual classification
File Classification Infrastructure
File Classification Infrastructure
Resource Property Definitions
File Classification Infrastructure
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
See modified / created file
Save classification
File Classification Infrastructure
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
See modified / created file
Save classification
For Security
File Classification Infrastructure
Resource Property Definitions
FCI
In-box content classifier
3rd party classification plugin
File Managemen
t Task
See modified / created file
Match file to policy
Apply Policy
Save classification
For Security
File Classification Infrastructure
Resource Property Definitions
FCI
In-box content classifier
3rd party classificati
on Extensibilit
y
File Managemen
t Task
See modified / created file
RMS Encrypt
Save classification
For Security
Match file to policy
Central Access Policies
DynamicAccessControl
Active Directory
Central Access Policy
Finance folders
User folders
Standard organization policyHigh Impact rulePersonal Information ruleFinance department policyHigh Impact Data rulePersonal Information ruleInformation wall rule
Corporate file serversHigh Impact Data rule
Applies To: Resource.Impact == HighAccess conditions: User.Clearance = High AND Device.IsManaged = True
Personal Information ruleApplies To: Resource.PII == TrueAccess conditions: Allow MemberOf( PIIAdministrators , Owner)
“Information wall” ruleApplies To: Exists Resource.DepartmentAccess conditions: User.Department any_of Resource.Department
2
Define Central Access Policies (CAPs)Define Central Access Rules (CARs)1
Apply CAPs on File Servers
3
File AccessShare Permissions
File Access without Central Access Policy
Access Control
DecisionNTFS Permissions
File Access
File Access with Central Access Policy
Access Control
Decision
Share Permissions
NTFS Permissions
Central Access Policy
How Access Check Works
File/FolderSecurity Descriptor
Central Access Policy Reference
NTFS Permissions
Active Directory (cached in local Registry)
Cached Central Access Policy Definition
Access Control Decision:1)Access Check – Share permissions if
applicable2)Access Check – File permissions3)Access Check – Every matching Central
Access Rule in Central Access Policy
ShareSecurity Descriptor
Share Permissions
Cached Central Access RuleCached Central Access RuleCached Central Access Rule
Staging PoliciesDynamicAccessControl
What will happen when I deploy?
Changing Central Access Policies may have wide impact
Replicating production environment for test purposes is difficult and expensive
Staging Policies
Staging policy
User claimsClearance = High | Med | LowCompany = Contoso | Fabrikam
Active Directory File serverResource properties
Department = Finance | HR | EnggImpact = High | Med | Low
Current Central Access policy for high impact dataApplies to: @File.Impact = High
Allow | Full Control | if @User.Company == ContosoStaging policy
Applies to: @File.Impact = HighAllow | Full Control | if (@User.Company == Contoso) AND
(@User.Clearance == High)
Sample staging event (4818)Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject: Security ID: CONTOSODOM\alice Account Name: alice Account Domain: CONTOSODOMObject: Object Server: Security Object Type: File Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls Current Central Access Policy results: Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;ID;FA;;;BA) Proposed Central Access Policy results that differ from the current Central Access Policy results: Access Reasons: READ_CONTROL: NOT Granted by CAR “HBI Rule” ReadAttributes: NOT Granted by CAR “HBI Rule”
Behind the ScenesDynamicAccessControl
Kerberos and The New Token
Dynamic Access Control leverages Kerberos Windows 8 Kerberos extensions Compound ID – binds a user to the device to be authorized as one
principal
Domain Controller issues groups and claims DC enumerates user claims Claims delivered in Kerberos PAC
NT Token has sections User & Device data Claims and Groups!
Pre-2012 Token
User Account
User Groups
[other stuff]
2012 Token
User Account
User Groups
Claims
Device Groups
Claims
[other stuff]
NT Access Token
Contoso\Alice
User
Groups:….
Claims: Title=SDE
Kerberos Ticket
Contoso\Alice
User
Groups:….
Claims: Title=SDE
File ServerUser
Contoso DC
Ad Admin Enable Domain to issue claims
Defines claim types
Claim type
Display Name
Source
Suggested values
Value type
User attempts to login
Receives a Kerberos ticket
Attempt to access resource
Kerberos flow in Pre-Windows 2012
M-TGT
Contoso DCPre-Windows
2012
Pre-Windows 2012 File ServerUser
Kerberos flow in Pre-Windows 2012
U-TGT
Contoso DCPre-Windows
2012
Pre-Windows 2012 File ServerUser
M-TGT
Kerberos flow in Pre-Windows 2012
TGS (no claims)
Contoso DCPre-Windows
2012
Pre-Windows 2012 File ServerUser
M-TGT
U-TGT
Kerberos flow in Pre-Windows 2012
User
M-TGT
U-TGTTGS (no claims)
?
Contoso DCPre-Windows
2012
Pre-Windows 2012 File Server
Kerberos flow with User Claims
File Server
TGS (with User Claims)
Contoso DC
User
M-TGT
U-TGT
Kerberos flow with User Claims
TGS (with User Claims)
?File Server
Contoso DC
User
M-TGT
U-TGT
Kerberos flow with Pre-Windows 8 Clients
Set Policy to enable claims
Contoso DC
File Server
Pre-Windows 8 User
Kerberos flow with Pre-Windows 8 Clients
TGS
(no
clai
ms)
File Server
Contoso DC
Pre-Windows 8 User
M-TGT
U-TGT
Kerberos flow with Pre-Windows 8 Clients
TGS (no claims)
Contoso DC
File Server
Pre-Windows 8 User
M-TGT
U-TGT
File Server
Kerberos flow with Pre-Windows 8 Clients
Pre-Windows 8 User
M-TGT
U-TGT
TGS (no claims)
TGS (with User
Claims)
?
Contoso DC
S4UToSelf(
)
Kerberos flow with Compound Identity
TGS
(Use
r and
Dev
ice
Group
s/Cl
aim
s)
M-
TGT
U-TGT
Contoso DC
File Server
User
M-TGT
U-TGT
File Server
Kerberos flow with Compound Identity
TGS (User and Device Groups/Claims)
?
Contoso DC
User
M-TGT
U-TGT
Across Forest boundaries
Other Forest DC
Publish Cross-Forest transformation Policy
Contoso DC
File Server
User
M-TGT
U-TGT
Across Forest boundaries
Referral TGT
Other Forest DC
File Server
Contoso DC
User
M-TGT
U-TGT
Across Forest boundaries
TGS (with claims)
Referral TGT
Other Forest DCContoso
DC
File Server
User
M-TGT
U-TGT
Across Forest boundaries
Other Forest DC
TGS (with claims)
?
File Server
Contoso DC
User
M-TGT
U-TGT
To the Cloud!
TGS
ADFS
Cloud App
Contoso DC
User
M-TGT
U-TGT
To the Cloud! Cloud App
Contoso DCADFS
User
M-TGT
U-TGT
To the Cloud!
SAMLTGS
ADFSContoso
DC
Cloud App
User
M-TGT
U-TGT
To the Cloud!
SAML
?Contoso DC
Cloud App
ADFS
User
M-TGT
U-TGT
Token/Ticket Bloat
Understanding the problem Token Bloat: Amount of authorization data in the NT Token Ticket Bloat: Amount of authorization data sent over the wire
Token Bloat: How does it manifest? Too many SIDs in the token (Upper bound of 1024)
Ticket Bloat: How does it manifest? Authorization data is sent over the network.
Over time, old group memberships linger and authorization data adds up. Might see failures in one type of application
Usually indicates the limits for that wire transport have been reached.
Impact of Claims
Ticket Bloat Claims is authorization data carried over the wire. Initially, some
increase in ticket sizes expected.
Windows 8 improvements DC compresses claims before sending them over the wire DC compresses certain types of SIDs that weren’t compressed before
(Resource Domain SIDs) MaxTokenSize default increased to 48k New audit events – DC starts logging events when ticket sizes exceed
specified value
Impact of Claims – Real Numbers
First Claim
1 Boolean Claim
Adds 242 Bytes
User Claims Set
5 Claims:• 1 Boolean• 1 Integer• 2 String – Single Valued
• Avg Len/value: 12 chars• 1 String – Multi Valued
• Avg Len/value: 12 chars• Avg #Values: 6 values
Adds 970 Bytes
Compound-ID Claims Sets
User - 5 Claims:• 1 Boolean• 1 Integer• 2 String – Single Valued
• Avg Len/value: 12 chars• 1 String – Multi Valued
• Avg Len/value: 12 chars• Avg #Values: 6 values
Device - 2 Claims:• 1 Boolean• 1 String – Single Valued
• Avg Len/value: 12 chars
Adds 1374 Bytes of Claims Data + Computer Group’s AuthZ Data
Worst-Case Analysis (assumes no compression):Gives us confidence that claims and compound-ID should not result in huge spikes of ticket sizes in most environments.
Bytes Before Compression120 user overhead120 device overhead114 per int/bool claim8 per int/bool value138 per string claim2 per string character
Incrementally add capabilities
Current infrastructure
Windows Server 2012 File Servers• Access and Audit
Policies based on security groups and file tagging
Windows Server 2012 DCs• Centrally defined
access and audit policies
• User claims can be used by access and audit policies
Windows 8 clients• Add device
claims to access and audit policies
• Better access denied experience
Part
ner
solu
tion
s an
d lin
e o
f b
usi
ness
ap
plic
ati
on
s
Many partner solutions!
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Quick introduction of Dynamic Access Control
Understand how things work behind the scenesFile ClassificationCentral Access Policies & StagingAuthentication & Authorization flowsToken bloat
Extensibility
In Review: Session Objectives And Takeaways
• Dynamic Access Control Dev Extensibility http://msdn.microsoft.com/en-us/library/windows/desktop/Hh802756(v=vs.85).aspx
• Follow us on Twitter @WindowsAzure
• Get Started: www.windowsazure.com/build
Resources
Please submit session evals on the Build Windows 8 App or at http://aka.ms/BuildSessions
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.