Windows Server 2012 DYNAMIC ACCESS CONTROL

CTE Solutions- Dynamic Access Control Webinar


DESCRIPTION

Slides from the live webinar on October 18th, 2012. Throughout the years, IT administrators have sought many ways to protect file server data. As organizations mature, so do their security policies, data governance, and data leakage prevention capabilities. Technology has played a key role in the simple goal of preventing unauthorized access to corporate data. However, preventing unauthorized access is only part of the equation; granting authorized access while minimizing the effort of doing so is the tricky part. Microsoft's Dynamic Access Control capability, built into Windows Server 2012, helps with compliance and data governance and ties into data leakage prevention. Administrators gain greater control over file server data by taking advantage of Active Directory claims, expression-based (conditional) access control entries that extend standard ACLs, centralized authorization and auditing policy stored in Active Directory, and data classification. This webinar provides a quick peek at Dynamic Access Control and how it can greatly reduce the micromanagement of Active Directory groups and Access Control Lists. If you would like to view the full presentation, please visit: https://skydrive.live.com/redir?resid=B5F6C9912573B947!374&authkey=!AE8C9JEOEJv9VmQ


Page 1: CTE Solutions- Dynamic Access Control Webinar

Windows Server 2012 DYNAMIC ACCESS CONTROL

Page 2

YOUR PRESENTER

Gérald F. Tessier

Senior Trainer at CTE Solutions, Inc. Training for 18 years; working in IT since '89.

MCSA: Windows Server 2008, MCSE: Security, MCITP: Server Administrator on Windows Server 2008 and Enterprise Messaging Administrator on Exchange 2007, MCTS, MCSE 2003/2000/NT, MCSA, MCP+I, MCT, ITIL V3 Foundations, ITIL RCV, ITIL OSA, CompTIA CTT+, Security+, Network+, A+, EIEIO+

Page 3

WHAT PROBLEM IS DAC TRYING TO SOLVE?

Page 4

ACCESS CONTROL, AS WE KNOW IT

Page 5

TRADITIONAL APPROACH

AGLP: Accounts → Global groups → Local groups → Permissions

AGDLP: Accounts → Global groups → Domain Local groups → Permissions

Page 6

DIRECTORY SERVICE ADMINS

HRrocks

G-Sales, G-Marketing

G-Engineering

Page 7

RESOURCE ADMINS

Global groups: G-Marketing, G-Engineering, G-SalesManagers

Local groups: L-MarketingPrinterUsers, L-SalesDocAuthors, L-EngineeringDBEditors

Permissions: Print; Read, Write, Create; Read, Write

Page 8

UPDATE GLOBAL GROUPS

G-BloodServicesTechnicians

Page 9

DILIGENCE, PERSEVERANCE, ADHERENCE

• Special Assignments
• Changing Business
• Legal Requirements
• Resource Evolution

Page 10

DECENTRALIZED & DELEGATED?

G-CanadaEngineeringUsers

ProjectX

L-ProjectXAdmins

Page 11

DECENTRALIZED & DELEGATED?

G-CanadaEngineeringUsers

ProjectX

L-ProjectXAdmins

G-CanadaProjectXEngineeringUsers
G-CanadaProjectXFinanceUsers
G-CanadaProjectXSalesUsers

• 500 Projects
• 100 Countries
• 10 Divisions

500 × 100 × 10 = 500 000 groups, one per project/country/division combination

Page 12

PROCESS INTEGRATION, ANYONE?

IT ↔ HR

Page 13

HOW MANY GROUPS DO YOU HAVE?

1000?

10000?

100000?

Page 14

DYNAMIC ACCESS CONTROL

CAP

File Classifications

Claims

Remediation

Page 15

IN A NUTSHELL

Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.

Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.

Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.

Encryption
• Automatic RMS encryption based on document classification.

Page 16

UNDERSTANDING EXPRESSIONS

ALLOW MODIFY IF MEMBEROF(PROJECTX) AND MEMBEROF(CANADA) AND MEMBEROF(ENGINEERING)

• 500 Projects
• 100 Countries
• 10 Divisions

500 + 100 + 10 = 610 groups: one group per attribute value, combined in the access expression instead of one group per combination

Page 17

PART 1: FILE CLASSIFICATION INFRASTRUCTURE

Page 18

AUTOMATED CLASSIFICATION

Resource Property Definitions (Active Directory)

FCI (File Classification Infrastructure): in-box content classifier, 3rd-party classification plugin

File Management Task

Flow: see modified / created file → match file to policy → save classification → RMS encrypt

Page 19

MANUAL CLASSIFICATION

Page 20

PART 2: CENTRAL ACCESS POLICIES

CAP

Page 21

EXPRESSION-BASED ACCESS POLICY

User claims: User.Department = Finance; User.Clearance = High

Device claims: Device.Department = Finance; Device.Managed = True

Resource properties: Resource.Department = Finance; Resource.Impact = High

ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

Page 22

CAP SELECTION

Page 23

CAP RULES

Page 24

CENTRAL ACCESS RULES

Permission Type                          | Target Files     | Permissions                         | Engineering FTE | Engineering Vendor | Sales FTE
Share                                    |                  | Everyone: Full                      | Full            | Full               | Full
Central Access Rule 1: Engineering Docs  | Dept=Engineering | Engineering: Modify, Everyone: Read | Modify          | Modify             | Read
Rule 2: Sensitive Data                   | Sensitivity=High | FTE: Modify                         | Modify          | None               | Modify
Rule 3: Sales Docs                       | Dept=Sales       | Sales: Modify                       | [rule ignored – not processed]
NTFS                                     |                  | FTE: Modify, Vendors: Read          | Modify          | Read               | Modify
Effective Rights                         |                  |                                     | Modify          | None               | Read

Classifications on file being accessed: Department = Engineering, Sensitivity = High

Effective rights are the intersection of the share permissions, the NTFS permissions and every central access rule whose target matches the file's classification. Rule 3 is not processed because the file is not classified Dept=Sales; the vendor ends up with no access because Rule 2 grants nothing to non-FTE users, even though the share, Rule 1 and NTFS all allow at least Read.

Page 25

STAGING POLICY

User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam

Resource properties: Department = Finance | HR | Eng; Impact = High | Med | Low

Current Central Access Policy for high impact data
Applies to: @File.Impact = High
Allow | Full Control | if @User.Company == Contoso

Staging policy
Applies to: @File.Impact = High
Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)

Page 26

SAMPLE STAGING EVENT (4818)

Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy

Subject:
    Security ID:        CONTOSODOM\alice
    Account Name:       alice
    Account Domain:     CONTOSODOM
Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:   Granted by Ownership
        ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
    Access Reasons:
        READ_CONTROL:   NOT Granted by CAR "HBI Rule"
        ReadAttributes: NOT Granted by CAR "HBI Rule"
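The evaluation rules behind slides 21, 24 and 25/26, as an added example in Python (not code from the webinar or from Microsoft): a toy model of how a Central Access Policy combines with share and NTFS permissions into effective rights, how a claim-based rule compares user, device and resource attributes, and how staging compares a proposed policy against the current one. Rights are simplified to Read < Modify < Full, only allow ACEs are modelled (no deny ACEs, no inheritance, no ownership shortcut), and the file path \\fs1\Eng\design.docx, the principals eng_fte, eng_vendor and sales_fte, and alice's Clearance of Med are made-up inputs; the FinanceReport.xls path, the user alice and the "HBI Rule" name come from the deck.

```python
# Toy model of Dynamic Access Control evaluation (added example, not from the webinar). Rights are
# simplified to Read < Modify < Full and only allow ACEs are modelled; the principals, design.docx
# and alice's clearance are made-up inputs.
from dataclasses import dataclass, field
from typing import Callable

NONE, READ, WRITE, OWNER_BITS = 0, 0b001, 0b010, 0b100
MODIFY = READ | WRITE
FULL = MODIFY | OWNER_BITS   # Full = Modify plus change-permissions / take-ownership
RIGHT_NAMES = {FULL: "Full", MODIFY: "Modify", READ: "Read", NONE: "None"}

@dataclass
class Principal:
    name: str
    groups: frozenset          # traditional security-group membership
    claims: dict               # user claims from AD, e.g. {"Department": "Finance"}
    device: dict = field(default_factory=dict)   # device claims, e.g. {"Managed": True}

@dataclass
class Resource:
    path: str
    props: dict                # classification (resource properties), e.g. {"Impact": "High"}

@dataclass
class Ace:
    rights: int
    cond: Callable[[Principal, Resource], bool]   # "Allow <rights> if <expression>"

@dataclass
class CentralAccessRule:
    name: str
    target: Callable[[Resource], bool]   # "Applies to": which classified files the rule governs
    aces: list

def member_of(group):
    return lambda u, r: group in u.groups

def dacl_grant(aces, user, res):
    """Union of the rights of every allow ACE whose condition holds for this user and file."""
    granted = NONE
    for ace in aces:
        if ace.cond(user, res):
            granted |= ace.rights
    return granted

def cap_grant(rules, user, res):
    """A CAP grants only what every applicable rule grants; rules whose target does not match are skipped."""
    granted, applied = FULL, []
    for rule in rules:
        if rule.target(res):
            applied.append(rule.name)
            granted &= dacl_grant(rule.aces, user, res)
    return granted, applied

def effective_rights(share, ntfs, cap, user, res):
    """Share, NTFS and the CAP are three independent gates: effective access is their intersection."""
    mask = dacl_grant(share, user, res) & dacl_grant(ntfs, user, res) & cap_grant(cap, user, res)[0]
    return RIGHT_NAMES.get(mask, hex(mask))

def stage_policy(current, proposed, user, res):
    """Staging: what the user would lose under the proposed CAP (the difference event 4818 reports)."""
    cur, _ = cap_grant(current, user, res)
    new, _ = cap_grant(proposed, user, res)
    return {"current": RIGHT_NAMES.get(cur, hex(cur)), "proposed": RIGHT_NAMES.get(new, hex(new)),
            "lost": RIGHT_NAMES.get(cur & ~new, hex(cur & ~new))}

# Slide 24 reconstructed: share + NTFS + three central access rules, one file, three users.
SHARE = [Ace(FULL, lambda u, r: True)]
NTFS = [Ace(MODIFY, member_of("FTE")), Ace(READ, member_of("Vendors"))]
CAP = [
    CentralAccessRule("Engineering Docs", lambda r: r.props.get("Department") == "Engineering",
                      [Ace(MODIFY, member_of("Engineering")), Ace(READ, lambda u, r: True)]),
    CentralAccessRule("Sensitive Data", lambda r: r.props.get("Sensitivity") == "High",
                      [Ace(MODIFY, member_of("FTE"))]),
    CentralAccessRule("Sales Docs", lambda r: r.props.get("Department") == "Sales",
                      [Ace(MODIFY, member_of("Sales"))]),
]
ENG_DOC = Resource(r"\\fs1\Eng\design.docx", {"Department": "Engineering", "Sensitivity": "High"})
ENG_FTE = Principal("eng_fte", frozenset({"Engineering", "FTE"}), {})
ENG_VENDOR = Principal("eng_vendor", frozenset({"Engineering", "Vendors"}), {})
SALES_FTE = Principal("sales_fte", frozenset({"Sales", "FTE"}), {})

# Slides 21 and 25: claim-based rules on high-impact data, and a staged tightening of the HBI Rule.
HIGH_IMPACT = lambda r: r.props.get("Impact") == "High"
DEPT_MATCH_RULE = CentralAccessRule("Department match on managed device", HIGH_IMPACT, [Ace(MODIFY,
    lambda u, r: u.claims.get("Department") == r.props.get("Department") and u.device.get("Managed") is True)])
CURRENT_CAP = [CentralAccessRule("HBI Rule", HIGH_IMPACT, [Ace(FULL, lambda u, r: u.claims.get("Company") == "Contoso")])]
STAGED_CAP = [CentralAccessRule("HBI Rule", HIGH_IMPACT, [Ace(FULL, lambda u, r:
    u.claims.get("Company") == "Contoso" and u.claims.get("Clearance") == "High")])]
FINANCE_DOC = Resource(r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls", {"Department": "Finance", "Impact": "High"})
ALICE = Principal("alice", frozenset(), {"Company": "Contoso", "Clearance": "Med", "Department": "Finance"}, {"Managed": True})

if __name__ == "__main__":
    for u in (ENG_FTE, ENG_VENDOR, SALES_FTE):          # Modify / None / Read, as on slide 24
        print(u.name, effective_rights(SHARE, NTFS, CAP, u, ENG_DOC))
    print(cap_grant([DEPT_MATCH_RULE], ALICE, FINANCE_DOC))          # (3, [...]), i.e. Modify
    print(stage_policy(CURRENT_CAP, STAGED_CAP, ALICE, FINANCE_DOC)) # alice would lose Full
```

Two things the model makes explicit: a central access rule can only narrow what the share and NTFS permissions already allow, never widen it, and a rule whose target condition does not match the file's classification plays no part in the decision. Staging the tightened HBI Rule against the current one is how you find the users who would lose access, such as alice above, before anyone is actually denied.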

Page 27

Presentation has been recorded and will be made available on skydrive

Official Microsoft Courses Available: 20410 - Installing and Configuring Windows Server 2012; 20411 - Administering Windows Server 2012; 20412 - Configuring Advanced Windows Server 2012 Services

Contact Gerry – [email protected]

Connect with CTE on Twitter - @CTESolutions

THANK YOU FOR YOUR PARTICIPATION!