Introducing Dynamic Access Control

Dynamic Access Control is a set of feature enhancements introduced with Windows Server 2012 that work together to improve authorization management for Windows Server 2012 file servers:

  • Kerberos support for user claims and device authorization information
  • Support for conditional expressions in permission and audit entries
  • File classification and central access policies, which together provide an end-to-end authorization management solution
  • Conditional expression support in Global Object Access Auditing
  • Automatic Rights Management Services (RMS) encryption for sensitive Office documents (not covered in this document)
  • Access denied assistance to ease the burden of troubleshooting share access problems (not covered in this document)

What Is Dynamic Access Control?

In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information.  Dynamic Access Control provides:

  • Identify data – Automatic and manual classification of files can be applied to tag data on file servers across the organization.
  • Control access to files – Central access policies enable organizations to apply safety net policies.  For example, you could define who can access health information within the organization.
  • Audit access to files – Central audit policies for compliance reporting and forensic analysis.  For example, you could identify who accessed highly sensitive information.
  • Apply RMS protection – Automatic Rights Management Services (RMS) encryption for sensitive Office documents.  For example, you could configure RMS to encrypt all documents containing HIPAA information.

This feature set is based on infrastructure investments that partners and line-of-business applications can further leverage, and that provide great value for organizations that use Active Directory.  This infrastructure includes:

  • A new Windows authorization and audit engine that can process conditional expressions and central policies.
  • Kerberos authentication support for user claims and device claims.
  • Improvements to the File Classification Infrastructure.
  • RMS extensibility support so that partners can provide solutions that encrypt non-Office files.

Conditional Expressions for Permission Entries

Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing the conditional access permission entry.  Windows Server 2012 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties into conditional expressions.  Windows Server 2012 security evaluates these expressions and allows or denies access based on the results of the evaluation.  Securing access to resources through claims is known as claims-based access control.  Claims-based access control works alongside traditional access control to provide an additional layer of authorization that is flexible enough to meet the varying needs of the enterprise environment.

File Classification Infrastructure

Windows Server 2008 R2 introduced the File Classification Infrastructure (FCI).  FCI provides:

  • The ability to define classification properties
  • Automatic classification of files based on location and content
  • File management tasks, such as file expiration and custom commands, applied based on classification
  • Reports that show the distribution of a classification property on the file server

With Windows Server 2012, the File Classification Infrastructure is claims aware.  This enhancement allows FCI to present resource properties as classification properties.  Administrators can apply classifications manually using Windows Explorer.  Alternatively, they can use File Server Resource Manager (FSRM) to perform continuous classification.  Resource properties allow claims-based access control to evaluate how claims about the user relate to claims about the resource.  Windows performs this evaluation through conditional access control entries, which form an additional layer on top of traditional authorization.  FCI in Windows Server 2012 also supports:

  • Security properties, so that they can be used for authorization decisions in the new authorization expressions
  • Continuous classification, which classifies files a few seconds after they are created or modified on the server
  • Manual classification, which allows information owners and users to classify files using Windows Explorer
  • Folder-based inherited classification, which allows information owners to tag a folder so that all the files in that folder, as well as newly created files in that folder, carry the tag

Central Access Policies

Central Access Policy is a new feature of Windows Server 2012.  Central Access Policies allow administrators to create access policies that apply to Windows Server 2012 file servers through Group Policy.  Each Central Access Policy object can contain one or more Central Access Rules.  Administrators configure the applicability and the permissions within each Central Access Rule.  Windows stores Central Access Policies and Rules centrally in Active Directory, which provides a centralized approach to managing authorization on Windows Server 2012 file servers.

Purpose/Benefits

Dynamic Access Control focuses on four main end-to-end scenarios:

  • Central access policy for access to files – enables organizations to set safety net policies that reflect business and regulatory compliance requirements.
  • Auditing for compliance and analysis – enables targeted auditing across file servers for compliance reporting and forensic analysis.
  • Protecting sensitive information – identifies and protects sensitive information both within a Windows Server 2012 environment and when it leaves that environment.
  • Access denied assistance – improves the access denied experience to reduce the helpdesk load and the time needed to troubleshoot access denied incidents.

Technical Overview

Dynamic Access Control is not a single feature, but rather a file server solution built on Windows Server 2012 infrastructure to provide a versatile and flexible end-to-end authorization scenario.  The Windows Server 2012 enhancements that make up Dynamic Access Control include:

  • Direct claims support in Kerberos
  • Support in Active Directory to store user and device claims and resource properties
  • Support in Active Directory for storing Central Access Policy objects
  • Support for deploying Central Access Policy objects using Group Policy
  • Support for claims-based file authorization and auditing for the file system using Group Policy and Global Object Access Auditing
  • New Advanced Security Settings user interface that includes a conditional expression editor and improved Effective Access functionality that is used for modeling and troubleshooting access control
  • Claim Transformation Policy objects to transform claims traversing Active Directory forest trusts

 

Prerequisites

Claims-based authorization and auditing requires:

  • Windows Server 2012
  • At least one Windows Server 2012 domain controller accessible by the Windows client in the user's domain
  • At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust
  • Windows 8 client (required when using device claims)

Foundation Technologies

Dynamic Access Control relies on many technologies.  Dynamic Access Control combines many different Windows Server 2012 technologies to provide a robust, flexible, and granular authorization and auditing experience.  Some of the fundamental technologies used by Dynamic Access Control include:

  • Network protocols (includes TCP/IP, RPC, SMB, LDAP)
  • Name resolution (DNS)
  • Active Directory and its dependent technologies
  • Microsoft's Kerberos v5 implementation, including Kerberos armoring (FAST) and compound authentication
  • Windows Security (LSA, Netlogon)

Functional Description

Dynamic Access Control provides a flexible way to apply and manage access and auditing on domain-based file servers.  Dynamic Access Control achieves this flexibility by leveraging claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries.  With this combination of features, you can grant access to files and folders based on Active Directory attributes.  For example, the user Alice is granted access to the file server share because the department attribute on her user object in Active Directory contains the value Accounting.

Ease of management is accomplished by creating Central Access Policy objects.  Each Central Access Policy object includes one or more linked Central Access Rule objects.  Each Central Access Rule object contains one or more permission entries.  Central Access Policy objects allow you to define access for files and folders once, and then deploy that access to multiple shares on multiple file servers through Group Policy.

Basic Deployment of most Dynamic Access Control scenarios

One feature of Dynamic Access Control is the use of claims-based access control for authorization and auditing.  Take a pragmatic approach when deploying claims-based access control to file servers.  The following overview gives the order in which you deploy claims-based authorization and auditing; it also serves as the order in which you troubleshoot claims-based access control.

  1. Deploy Windows Server 2012 and, optionally, Windows 8 clients if you need to use device claims.
  2. Enable Windows 8 Kerberos clients and Windows Server 2012 domain controllers to support claims.
  3. Create and enable user and device claim types, use existing security groups, or use a combination of both.
  4. Populate the user and computer attributes used to source claim types.  Provide the object identifier (OID) of the issuance policy used to source a certificate-based claim type.
  5. Create and enable Resource Property objects.
  6. Classify files and folders.
  7. Create conditional expressions directly on the resource, or deploy them through a Central Access Policy using Group Policy, or through Global Object Access Auditing.

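The Active Directory side of steps 3, 5 and 7 above, scripted with the Active Directory module cmdlets that ship with Windows Server 2012.  This is an added example and not code from the original article; the claim type ID, the rule and policy names, the department value Finance, and the choice of the predefined Department resource property (Department_MS) are assumptions made for the example.

```powershell
# Added example (not from the article): Active Directory configuration for steps 3, 5 and 7.
# Run as a Domain Admin on a Windows Server 2012 domain controller or on a machine with
# the RSAT Active Directory module. The claim type ID, rule name, policy name and the
# department value 'Finance' are assumptions chosen for this example.
Import-Module ActiveDirectory

# Step 3: an attribute-based user claim type sourced from the 'department' attribute.
# A domain controller issues no claim when the source attribute is empty, so populate
# the attribute on the user accounts first (step 4).
New-ADClaimType -DisplayName 'Department' `
                -SourceAttribute 'department' `
                -ID 'ad://ext/Department' `
                -AppliesToClasses @('user') `
                -Enabled $true

# Step 5: enable the predefined Department resource property (ID Department_MS) and
# publish it in the Global Resource Property List so that file servers download it.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
                                 -Members 'Department_MS'

# Step 7: a central access rule. ResourceCondition selects the files the rule applies
# to; the conditional (XA) ACE grants Read & Execute (0x1200a9) to Authenticated Users
# (AU) only when the user's Department claim equals the file's Department property.
# Administrators (BA) and SYSTEM (SY) keep Full Access so operators are never locked out.
$dacl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

New-ADCentralAccessRule -Name 'Department Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $dacl
# To stage the rule before enforcing it, pass the same string as -ProposedAcl instead;
# the file server then only audits where proposed and current access differ.

# Group the rule into a policy that Group Policy can deploy to file servers.
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Department Documents Rule'

# Steps not scripted here: link a GPO that lists 'Finance Policy' under Computer
# Configuration > Policies > Windows Settings > Security Settings > File System >
# Central Access Policy to the file servers' OU; on each file server run gpupdate and
# Update-FSRMClassificationPropertyDefinition; classify the share folder with
# Department = Finance (step 6); then select 'Finance Policy' on the folder's Central
# Policy tab in Advanced Security Settings.
```
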
Deploy Windows Server 2012 and Windows 8

Claims-based authorization and auditing requires:

  • A Windows Server 2012 domain controller
  • A domain-joined Windows Server 2012 file server
  • A domain-joined Windows 8 computer (only needed when using device claims)

Claims-based authorization and auditing requires Windows Server 2012 and Windows 8 for a few reasons.

Domain controller

The first requirement is a Windows Server 2012 domain controller.  This new authorization and auditing mechanism requires extensions to Active Directory.  These extensions add Windows claim types, which are where Windows stores the claim definitions for an Active Directory forest.

Another dependency upon which claims authorization relies is the Kerberos Key Distribution Center (KDC).  The Windows Server 2012 KDC contains the Kerberos enhancements required to transport claims within a Kerberos ticket and to perform compound authentication.  The Windows Server 2012 KDC also includes an enhancement to support Kerberos armoring.

Note:

Your environment only requires a Windows Server 2012 KDC when you base authorization decisions on claims that are sourced from Active Directory attributes or certificates.  Authorization decisions based on group memberships, including conditional expressions that use the memberOf operator, do not require a Windows Server 2012 KDC.

Lastly, the Security Accounts Manager (SAM) portion of the Windows Server 2012 domain controller understands claim types, where they are stored, and claims transformation.  The KDC relies on the SAM to retrieve the claim information that it places in Kerberos tickets.

Claims-based authorization and auditing does not have a forest functional level or domain functional level requirement.  You can implement and configure claims with a mixture of Windows Server 2008 and 2008 R2 domain controllers, provided the domain has an adequate number of Windows Server 2012 domain controllers to service authentication requests that include claim information.

File Server

The next requirement for claims-based authorization and auditing is a Windows Server 2012 file server.  When a user connects to a file share, the file server performs an access check on the share using the credentials of the incoming connection.  This means the file server determines access to the share.  It also means that various components on the file server must be claims aware, such as the Local Security Authority and the Kerberos application server.  The file server hosting the share must be a Windows Server 2012 file server so that it can read claims and device authorization data from a Kerberos ticket, translate the security identifiers (SIDs) and claims from the ticket into an authentication token, and compare the authorization data in the token against the conditional expressions included in the security descriptor.

Windows 8 Member Computer (required for device claims)

Windows 8 member computers are required for claims-based authorization and auditing when using device claims.  A Windows Server 2012 domain controller issues claims in Kerberos tickets when the Kerberos client requests claims in its request.  Domain-joined Windows 8 computers request claim information when they make Kerberos requests, and these computers understand how to locate a claims-aware domain controller.  Also, Kerberos client requests from Windows Server 2012 member computers include the device's (computer's) ticket-granting ticket (TGT) when the domain controller supports Dynamic Access Control.

You can use claims-based authorization with member computers running previous versions of Windows provided that the file server hosting the files is running Windows Server 2012, you configured the local security policy setting **Microsoft network server: Attempt S4U2Self to obtain claim information** to its default value or to enabled, and the file server can successfully communicate with a Windows Server 2012 domain controller.  Windows Server 2012 file servers automatically enable S4U2Self when you deploy one or more Central Access Policies to the file server.

Enable support for Dynamic Access Control

You must enable Windows 8 computers and Windows Server 2012 file servers to support claims and compound authentication. 

KDC

You enable claim support by creating a Group Policy object that includes the Group Policy setting **KDC support for claims, compound authentication and Kerberos armoring**.  You apply this Group Policy object to the Domain Controllers organizational unit (OU) to apply the setting to all domain controllers in the OU.  Windows Server 2012 domain controllers read this configuration, while other domain controllers ignore the setting.

Kerberos client

You enable claim support in the Windows 8 and Windows Server 2012 Kerberos client by creating a Group Policy object that includes the Group Policy setting **Kerberos client support for claims, compound authentication and Kerberos armoring**.  The Windows 8 and Windows Server 2012 Kerberos clients do not request claims, armor Kerberos requests, or perform compound authentication by default; you must enable it.

After you enable claim support on the KDC and the Kerberos client, reboot domain-joined Windows Server 2012 member servers and Windows 8 computers to ensure these computers use Kerberos armoring and request claims.  You should not need to reboot the domain controllers.

Create claim types

The domain controllers can now issue claims; however, you need to configure claim types before the domain controller can issue claims.  Using the Active Directory Administrative Center, you create attribute-based claim types that source their information from user and computer attributes. You can create certificate-based claim types using the Active Directory module for Windows PowerShell.  Also, you can create transformation-based claim types, which are used exclusively for the purpose of transforming claims across forest trusts.

Windows stores the claim types you create in the configuration partition of Active Directory.  All domains within that forest share the claim types, and the domain controllers of those respective domains issue claim information during user and computer authentication.

Important:

It is important that the Active Directory attributes used to source claim types contain accurate information or remain blank.  Incorrect attribute information can lead to unexpected access to information through claims-based authorization.  As a best practice, validate the accuracy of attribute information, or clear the values of attributes that you intend to use as source attributes for claim types.

Populate attributes used as claim sources

The Active Directory forest partition stores the claim types that domain controllers can issue.  You source these claim types from Active Directory attributes such as department or country.  You need to configure your computer and user accounts in Active Directory with information that is correct for the respective user or computer.  Windows Server 2012 domain controllers do not issue a claim for an attribute-based claim type when the attribute for the authenticating principal is empty.  Therefore, ensure that you configure the attributes that source claim types with correct information.

Important:

Dynamic Access Control enables you to use user and computer attribute data for authorization information.  Therefore, you need to secure these attributes as appropriate for your environment. 

Create Resource Property objects

The Windows access check needs information included on files and folders to validate claims.  You configure this information on these resources by creating Resource Property objects.  Resource Property objects define the additional properties that appear on files and folders.  Windows uses these properties for compliance and reporting as well as for authorization and auditing.  Use the Active Directory Administrative Center to create and manage global resource properties and the Resource Property Lists to which they belong.

Classify files and folders

Creating Resource Property objects lets you select the properties to include on files and folders.  Next, you must configure which resource properties you want to apply to those files and folders, and the values for those properties.  Windows evaluates the values in these properties together with the values from user and device claims when it performs file authorization and auditing.

Secure Resources using Conditional Expressions

With user and device claims and resource properties configured, you then need to protect files and folders using conditional expressions that evaluate user and device claims against values within resource properties, or against constant values.  You do this in one of two ways.  You can create conditional expressions directly in the security descriptor using the advanced security settings editor.  Alternatively, you can create Central Access Rules and link those rules to Central Access Policy objects, deploy the Central Access Policy objects to file servers using Group Policy, and configure the share to use the Central Access Policy object.  Central Access Policies are the most efficient and preferred method of securing files and folders.

You can also add conditional expressions directly in the security descriptor for auditing purposes.  Or, you can use Windows security policy to deploy claims-based auditing to files and folders using Global Object Access Auditing.
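The first of the two methods above, a conditional permission entry and a conditional audit entry written directly into a folder's security descriptor, as an added example that is not code from the original article.  It illustrates the conditional expressions described under Conditional Expressions for Permission Entries as well as the per-resource auditing mentioned here; the share path, the claim type ID ad://ext/Department and the use of the Department_MS resource property are assumptions.

```powershell
# Added example (not from the article): conditional permission and audit entries written
# directly into a folder's security descriptor, with no central access policy involved.
# Assumes a Windows Server 2012 file server where the user claim type 'ad://ext/Department'
# and the resource property Department_MS exist, and that D:\Shares\Finance is the share's
# local path (all assumptions). Run elevated: writing a SACL needs SeSecurityPrivilege.
$path = 'D:\Shares\Finance'

# DACL: Administrators (BA) and SYSTEM (SY) keep Full Access; Authenticated Users (AU)
# get Read & Execute (0x1200a9) only when their Department claim equals the folder's
# Department resource property. A user with no Department claim, or a file with no
# Department property, makes the condition unknown, and an unknown allow entry grants
# nothing. P = do not inherit parent entries, OICI = inherit to files and subfolders.
$dacl = 'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)' +
        '(XA;OICI;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

# SACL: audit successful (SA) and failed (FA) generic writes (FW) by Everyone (WD) on
# anything classified Department = Finance. This is the per-resource form of
# claims-aware auditing; Global Object Access Auditing applies the same kind of
# condition server-wide from security policy instead.
$sacl = 'S:PAI(XU;OICISAFA;FW;;;WD;(@RESOURCE.Department_MS == "Finance"))'

# -Audit makes Get-Acl read the SACL so that Set-Acl writes it back.
$acl = Get-Acl -Path $path -Audit
$acl.SetSecurityDescriptorSddlForm('O:BAG:BA' + $dacl + $sacl)
Set-Acl -Path $path -AclObject $acl

# Verify: both conditional entries (XA and XU) should appear in the re-read SDDL.
(Get-Acl -Path $path -Audit).Sddl
```

The conditional allow entry only takes effect on files that actually carry a Department value, so classify the folder (step 6 of the deployment order) before expecting department members to gain access.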