
What is new in security in Windows 2012 or Dynamic Access Control

Ing. Ondřej Ševeček | GOPAS a. s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7 | ondrej@sevecek.com | www.sevecek.com


Presentation Transcript


  1. What is new in security in Windows 2012 or Dynamic Access Control. Ing. Ondřej Ševeček | GOPAS a. s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7 | ondrej@sevecek.com | www.sevecek.com

  2. Revolution? Evolution

  3. Evolution
     • Access Control Lists (ACEs)
       • and NTFS
     • File Server Resource Manager (FSRM)
       • and simple file classification
     • Active Directory (AD) integrated classification
       • and NTFS rules with term conditions
     • Automatic file classification with FSRM
     • Kerberos Claims
       • and user attributes
     • Kerberos CompoundId
       • and computer attributes
     • Central AD defined NTFS access rules
       • and their enforcement with FSRM

  4. Evolution

  5. Claims, Terms, Classifications, Metadata
     • They are just the same thing

  6. Access Control Lists What is New in Security in Windows 2012

  7. Until Windows 2012
     • Sorted in order
     • DENY is not always stronger
     • Has OR logic
       • shadow groups
       • combined "AND" groups

  8. Group Limits
     • Access Token
       • 1024 SIDs
     • Kerberos ticket
       • 12 kB by default
       • global group = 8 B
       • domain local group / foreign universal groups = 40 B
       • 260 max

  9. Authentication [diagram: classic flow of access control. Labels: Kerberos / NTLM authentication, Allowed to Authenticate?, Allow Logon Locally, Access this Computer from Network, Windows Firewall (TCP 445), Sharing Permissions, UAC Restricted Access Token, Access Token, NTFS Permissions, Owner, Path, Folder Quotas, Volume Quotas, Disk]

  10. New in Windows 2012
     • AND logic possible
     • Extendable with claims
       • FSRM file claims
       • user claims
       • device (computer) claims
     • Requires domain membership
       • Windows 8, Windows 2012

  11. Authentication [diagram: new flow of access control. Same labels as slide 9 (Kerberos / NTLM authentication, Allowed to Authenticate?, Allow Logon Locally, Access this Computer from Network, Windows Firewall (TCP 445), Sharing Permissions, UAC Restricted Access Token, Access Token, NTFS Permissions, Owner, Path, Folder Quotas, Volume Quotas, Disk) with Condition ACEs added next to NTFS Permissions]

  12. File Classification What is New in Security in Windows 2012

  13. File Server Resource Manager (FSRM)
     • Manual File Classification
     • Automatic File Classification
       • file name wildcard
       • folder path
       • words and/or regular expressions
       • PowerShell code
     • Locally vs. AD defined terms
     • Adds file metadata
       • alternative NTFS streams

  14. File claims and ACL
     • File claims can be used in the new ACE conditions
       • only AD based file terms

  15. AD defined file claims
     • Requires Windows 2012 schema extension
     • Requires Windows 2003 forest functional level
       • does not require any Windows 2012 DC
       • some editor like ADSI Edit or Windows 2012 ADAC
     • Must be uploaded to FSRM servers manually

  16. Kerberos Claims What is New in Security in Windows 2012

  17. Kerberos ticket until Windows 2012 KDC
     • User identity
       • login
       • SID
     • Additional SIDs
       • groups
       • SID history

  18. Good old Kerberos [diagram: Client XP, Server, DC2003; the client obtains a TGT from DC2003]

  19. Good old Kerberos [diagram: Client XP presents the TGT to DC2003 and receives a TGS carrying SIDs; the TGS with SIDs is presented to the Server]

  20. What is new in Kerberos tickets with Windows 2012 KDC
     • User identity
       • login
       • SID
     • Additional SIDs
       • groups
       • SID history
     • User claims
       • AD attributes in Kerberos TGT tickets

  21. Requirements
     • At least a single Windows 2012 DC (KDC)
     • Tickets are extendable
       • If a client does not understand the extension, it simply ignores its contents
       • If a server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)

  22. Good old Kerberos supports claims as well [diagram: Client XP, Server 2012, DC 2003, DC 2012; the client obtains the TGT and a TGS with SIDs from DC 2003, and Server 2012 obtains the Claims from DC 2012]

  23. Brand new Kerberos with Windows 2012 KDC [diagram: Client XP, Server 2012, DC 2012; the TGT issued by DC 2012 carries User Claims]

  24. Brand new Kerberos with Windows 2012 KDC [diagram: Client XP presents the TGT (User Claims) to DC 2012 and receives a TGS carrying SIDs and User Claims; the TGS with SIDs and User Claims is presented to Server 2012]

  25. What is new in Kerberos with DFL 2012
     • User identity
       • login
       • SID
     • Additional SIDs
       • groups
       • SID history
     • User claims
       • AD attributes in Kerberos TGT tickets
     • Device claims
       • AD attributes of computers
       • Compound ID in Kerberos TGT tickets

  26. Kerberos Compound ID with device claims [diagram: Client 8, Server 2012, DC 2012; the TGT Request includes the Computer TGT, and the issued TGT carries User Claims and Device Claims]

  27. Brand new Kerberos with Windows 2012 KDC [diagram: Client 8 presents the TGT (User Claims, Device Claims) to DC 2012 and receives a TGS carrying SIDs, User Claims and Device Claims; the TGS with SIDs, User Claims and Device Claims is presented to Server 2012]

  28. Requirements
     • At least one local Windows 2012 DC (KDC)
       • better to have 2012 DFL for consistent behavior
     • Clients Windows 8 or Windows 2012
       • must ask for TGTs with the Compound ID extension
     • The server cannot just obtain device claims on its own, because it does not know from which device the user came
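To make the ACL logic of slides 7, 10, 14 and 28 concrete, here is an added illustration (not the deck's or Windows' own access-check code): a simplified model of classic SID-based ACEs with their OR logic and in-order evaluation, beside a conditional ACE that ANDs user and device claims and therefore fails for a client that never delivered device claims. The SIDs, claim names and values are constructed.

```python
# Added illustration of the ACL logic described in the slides; a simplified model,
# not Windows' own access-check code. SIDs, claim names and values are constructed.
from dataclasses import dataclass, field
from typing import Callable, Optional

S_FINANCE = "S-1-5-21-1-1-1-1101"      # constructed group SIDs
S_MANAGED = "S-1-5-21-1-1-1-1102"
S_CONTRACT = "S-1-5-21-1-1-1-1103"
S_AUTH_USERS = "S-1-5-11"              # well-known Authenticated Users

@dataclass
class Token:
    sids: set                                        # group SIDs (classic, OR logic)
    user_claims: dict = field(default_factory=dict)  # AD user attributes from a 2012 KDC
    device_claims: Optional[dict] = None             # None: no Compound ID (e.g. XP client)

@dataclass
class Ace:
    allow: bool
    sid: str
    condition: Optional[Callable[[dict, dict], bool]] = None  # conditional ACE (2012)

def ace_matches(ace: Ace, tok: Token) -> bool:
    if ace.sid not in tok.sids:
        return False
    if ace.condition is None:
        return True
    # A condition over claims that were never delivered cannot hold.
    return ace.condition(tok.user_claims, tok.device_claims or {})

def access_check(acl: list, tok: Token) -> bool:
    """ACEs are evaluated in stored order: the first matching ACE decides, so a
    DENY placed after a matching ALLOW never takes effect ("not always stronger")."""
    for ace in acl:
        if ace_matches(ace, tok):
            return ace.allow
    return False  # nothing matched: implicit deny

# Classic ACL: two ALLOW ACEs give OR logic; an AND of both groups needs a shadow group.
CLASSIC = [Ace(True, S_FINANCE), Ace(True, S_MANAGED)]
# DENY listed after an ALLOW: a Finance member who is also a contractor still gets in.
DENY_LATE = [Ace(True, S_FINANCE), Ace(False, S_CONTRACT)]
# Windows 2012 style: one ACE on Authenticated Users with an AND over user and device claims.
CONDITIONAL = [Ace(True, S_AUTH_USERS,
                   lambda u, d: u.get("Department") == "Finance" and d.get("Managed") is True)]

def finance_on_managed_win8() -> bool:
    tok = Token({S_AUTH_USERS, S_FINANCE}, {"Department": "Finance"}, {"Managed": True})
    return access_check(CONDITIONAL, tok)

def finance_on_xp() -> bool:
    # XP never asks for Compound ID, so the server sees no device claims (slide 28).
    tok = Token({S_AUTH_USERS, S_FINANCE}, {"Department": "Finance"}, None)
    return access_check(CONDITIONAL, tok)
```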

  29. Central Access Rules What is New in Security in Windows 2012

  30. Requirements
     • Windows 2012 schema extension
     • Windows 2003 forest functional level
       • does not require any Windows 2012 DC
       • some editor like ADSI Edit or Windows 2012 ADAC
     • Uploaded to FS by using Group Policy

  31. Take away What is New in Security in Windows 2012

  32. Evolution

  33. Thank you! What is New in Security in Windows 2012
