Windows Server 2012: What can I do with Dynamic Access
Seminar: What can I do with Dynamic Access in Windows Server 2012
Windows Server 2012 introduces Dynamic Access. Dynamic Access is a set of features that ensure users and their data are available and protected in line with company policy. Existing techniques such as IRM and Kerberos have been simplified and extended. With File Classifications you can also ensure that sensitive files that accidentally end up on public shares are protected, thanks to "tags" that, for example, link them to your Legal department. Dynamic Access thus gives you more control over who has access, and to which data. If you want the best security while still offering your users 'the new way of working' or 'bring your own device', this technology is for you!
Microsoft Windows Server 2012
Windows Server 2012: Dynamic Access
Marco Sap, Computrain | Twice | Broekhuis
This presentation shows how Windows Server 2012 supports the modern, flexible way of working with the help of Dynamic Access.
Agenda
• Windows Server 2012
• Trends and Challenges
• Dynamic Access
• Get Started: Advice and Action!
Windows Server 2012
Identity
Virtualization
Data
Development Management
The Cloud OS: a modern platform for the world's apps
• Transforms the datacenter
• Enables modern apps
• Unlocks insights on any data
• Empowers people-centric IT
One platform for all segments (diagram: Small Business with First Server, Mid-market with Virtualization, Enterprise with Automated Virtualization & Management and Private Cloud; Windows Server and System Center for virtualization management)
Windows Server
• Enables small businesses around the world
• Powers many of the world's largest datacenters
• Delivers value to organizations of all sizes
Trends (slide: IT constraints, budget reductions, multiple devices, explosive data growth; IT budget split: run 66%, grow 20%, transform 14%)
Companies are under pressure to do more with less
Challenges (slide: allow customers & partners, role- and device-driven privileges, availability, enabling devices)
Companies must facilitate productivity without impacting security
Security Challenges (slide: report & audit, centralize & standardize, protect, rapid response)
Companies need an integrated security strategy
Identity is Essential for Cloud Computing (diagram: identity spans users & devices, infrastructure, and apps & services, across traditional IT and public/private hybrid cloud)
Dynamic Access
Let's talk concepts...
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
Dynamic Access Control Building Blocks
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Example (diagram: claims and the Central Access Policy are issued by AD DS and enforced on the file server)
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
1. Data Classification
Data classification: identifying data
• Manual classification
• Classify data based on location inheritance
• Classify data automatically
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
File Classification Infrastructure (diagram: resource property definitions feed FCI; the in-box content classifier or a 3rd-party classification plugin sees a modified/created file and saves the classification for security)
Demo: Data Classification
1. Data Classification
2. Central Access Policy
Expression-based access control
• Manage fewer security groups by using conditional expressions
• Central Access Policy
• Compound Identity
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities.
• Centralized access control lists using Central Access Policies.
How Access Check Works
File/folder security descriptor: NTFS permissions plus a Central Access Policy reference
Share security descriptor: share permissions
Active Directory (cached in the local Registry): cached Central Access Policy definition with its cached Central Access Rules
Access control decision:
1) Access check: share permissions, if applicable
2) Access check: file permissions
3) Access check: every matching Central Access Rule in the Central Access Policy
File access now: share permissions and NTFS permissions feed the access control decision.
File access with Windows Server 2012: share permissions, NTFS permissions and the Central Access Policy feed the access control decision.
Central Access Rules
Classifications on the file being accessed: Department = Engineering, Sensitivity = High

Permission type | Target files | Permissions | Engineering Full-Time | Engineering Part-Time | Sales Full-Time
Share | | Everyone: Full | Full | Full | Full
Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify, Everyone: Read | Modify | Modify | Read
Rule 2: Sensitive Data | Sensitivity=High | FT: Modify | Modify | None | Modify
Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed]
NTFS | | FT: Modify, Part-Time: Read | Modify | Read | Modify
Effective rights | | | Modify | None | Read
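The access check described above (share permissions, then NTFS permissions, then every Central Access Rule whose resource condition matches the file's tags, with the most restrictive result winning) together with the claim-based rule from the earlier policy example, as an added illustration written for this page rather than Microsoft code; the rule, group and tag names reproduce the deck's table, and the `Impact`/`Managed` claim names are taken from the policy example.

```python
"""Model of the deck's access check: share permissions, then NTFS permissions,
then every Central Access Rule whose resource condition matches the file's
classification; the effective right is the intersection of all three.
Added illustration for this page, not Microsoft code; names are assumed."""

READ = frozenset({"read"})
MODIFY = frozenset({"read", "write", "delete"})
FULL = MODIFY | {"change_permissions"}


def dept_matches_and_managed(ctx):
    """Expression-based ACE: (@User.Department == @File.Department) AND (@Device.Managed == True)."""
    return (ctx["user"].get("Department") == ctx["resource"].get("Department")
            and ctx["device"].get("Managed") is True)


# A rule is (name, resource condition, ACEs); an ACE is (who, rights), where
# "who" is a group name, "Everyone", or a predicate over the access context.
CENTRAL_ACCESS_RULES = [
    ("Engineering Docs", {"Department": "Engineering"},
     [("Engineering", MODIFY), ("Everyone", READ)]),
    ("Sensitive Data", {"Sensitivity": "High"}, [("FT", MODIFY)]),
    ("Sales Docs", {"Department": "Sales"}, [("Sales", MODIFY)]),
    ("High Impact", {"Impact": "High"}, [(dept_matches_and_managed, MODIFY)]),
]
SHARE_ACL = [("Everyone", FULL)]
NTFS_ACL = [("FT", MODIFY), ("Part-Time", READ)]


def grants(acl, ctx):
    """Union of the rights of every ACE whose group or condition matches the caller."""
    rights = set()
    for who, r in acl:
        if who == "Everyone" or who in ctx["groups"] or (callable(who) and who(ctx)):
            rights |= r
    return frozenset(rights)


def effective_rights(groups, resource, user_claims=None, device_claims=None):
    """Share AND NTFS AND every matching Central Access Rule: most restrictive wins."""
    ctx = {"groups": set(groups), "resource": resource,
           "user": user_claims or {}, "device": device_claims or {}}
    allowed = grants(SHARE_ACL, ctx) & grants(NTFS_ACL, ctx)
    for _name, condition, acl in CENTRAL_ACCESS_RULES:
        # A rule whose condition does not match the file's tags is ignored
        # (not processed); each matching rule can only restrict further.
        if all(resource.get(k) == v for k, v in condition.items()):
            allowed &= grants(acl, ctx)
    return allowed


def level(rights):
    """Map a rights set back onto the deck's Full / Modify / Read / None labels."""
    for label, r in (("Full", FULL), ("Modify", MODIFY), ("Read", READ)):
        if rights >= r:
            return label
    return "None"
```

Running `level(effective_rights(...))` for the three groups in the table against a file tagged Department = Engineering, Sensitivity = High reproduces the deck's effective-rights row (Modify, None, Read).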
Kerberos and the New Token
Dynamic Access Control leverages Kerberos.
Windows 8 Kerberos extensions: Compound ID binds a user to the device so that they are authorized as one principal.
The Domain Controller issues groups and claims: the DC enumerates user claims, and the claims are delivered in the Kerberos PAC.
The NT token has sections for user and device data: claims and groups!
Pre-2012 token: user account, user groups, [other stuff]
2012 token: user account, user groups and claims, device groups and claims, [other stuff]
Overview (diagram: user, Contoso DC, file server, AD admin)
AD admin: enables the domain to issue claims and defines claim types (claim type, display name, source, suggested values, value type).
User: attempts to log in, receives a Kerberos ticket (Contoso\Alice; user; groups: ...; claims: Title=SDE), then attempts to access a resource.
File server: builds an NT access token (Contoso\Alice; user; groups: ...; claims: Title=SDE) from the ticket.
Kerberos pre-Windows 2012 (diagram): the user and machine obtain U-TGT and M-TGT from the pre-Windows 2012 Contoso DC; the TGS presented to the pre-Windows 2012 file server carries no claims.
Kerberos with claims (diagram): U-TGT and M-TGT from the Contoso DC; the TGS for the file server carries user claims.
Kerberos with pre-Windows 8 clients (diagram): the pre-Windows 8 user's TGS carries no claims; the file server obtains a TGS with user claims from the Contoso DC.
Kerberos with compound identity (diagram): U-TGT and M-TGT from the Contoso DC; the TGS for the file server carries user and device groups/claims.
Across forest boundaries (diagram): the other forest's DC publishes a cross-forest transformation policy; the user obtains a referral TGT and then a TGS with claims for the file server.
To the cloud! (diagram): the user obtains a TGS from the Contoso DC for ADFS, which issues a SAML token for the cloud app.
Central Access Policy
In Active Directory (Windows Server 2012 Active Directory):
• Create resource property definitions
• Configure central policies
• Configure claims
On the file server (Windows Server 2012 file server):
• Classify information
• Assign a central policy
At runtime:
• End user access is evaluated against the access policy, resource property definitions and claims
Demo: Central Access Policy
In Summary...
01 Dynamic Access Control
• Reduce group complexity
• Enable information governance on file servers
• Implement effective access control
Manage identity data
• Manual tagging by content owners
• Automatic classification (tagging)
• Application-based tagging
Control access
• Central access policies targeted based on file tags
• Expression-based access conditions with support for user claims, device claims, and file tags
• Access denied remediation
Audit access
• Central audit policies that can be applied across multiple file servers
• Expression-based auditing conditions with support for user claims, device claims, and file tags
• Policy staging audits to simulate policy changes in a real environment
Protect data
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents based on file tags
• Near real-time protection soon after the file is tagged
• Extensibility for non-Office RMS protectors
Get started
• Download Windows Server 2012
• Learn
• Act
Windows Server 2012: Dynamic Access
Marco Sap, Computrain | Twice | Broekhuis