What is new in security in Windows 2012 or Dynamic Access Control

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEHv7
ondrej@sevecek.com | www.sevecek.com


Revolution? Evolution

Evolution
• Access Control Lists (ACEs)
  – and NTFS
• File Server Resource Manager (FSRM)
  – and simple file classification
• Active Directory (AD) integrated classification
  – and NTFS rules with term conditions
• Automatic file classification with FSRM
• Kerberos Claims
  – and user attributes
• Kerberos CompoundId
  – and computer attributes
• Central AD defined NTFS access rules
  – and their enforcement with FSRM

Evolution

  Feature                             | Server             | Client                   | Schema 2012 / DFL / FFL
  ------------------------------------+--------------------+--------------------------+--------------------------
  AND logic ACL                       | Windows 2012       | -                        | -
  FSRM automatic classification       | Windows 2012 FSRM  | -                        | -
  AD integrated classification terms  | Windows 2012 FSRM  | -                        | schema 2012, FFL 2003
  AD integrated NTFS access rules     | Windows 2012 FSRM  | -                        | schema 2012, FFL 2003
  User claims                         | Windows 2012       | -                        | one Windows 2012 DC
  Computer claims                     | Windows 2012       | Windows 8 / Windows 2012 | local Windows 2012 DC

Claims, Terms, Classifications, Metadata
• They are just the same thing


Access Control Lists

Until Windows 2012
• Sorted in order
  – DENY is not always stronger
• Has OR logic
  – shadow groups
  – combined "AND" groups

Group Limits
• Access Token
  – 1024 SIDs
• Kerberos ticket
  – 12 kB by default
  – global group = 8 B
  – domain local group / foreign universal groups = 40 B
• 260 max

Classic flow of access control
(diagram: the checks a request passes through, in order)
  Authentication (Kerberos / NTLM) – Allowed to Authenticate?
  Windows Firewall TCP 445
  Sharing Permissions
  Authentication – Access this Computer from Network / Allow Logon Locally
  Access Token – UAC Restricted Access Token
  NTFS Permissions
  Folder Quotas (Path)
  Volume Quotas (Owner)
  Disk

New in Windows 2012
• AND logic possible
• Extendable with claims
  – FSRM file claims
  – user claims
  – device (computer) claims
• Requires domain membership
  – Windows 8, Windows 2012

New flow of access control
(diagram: as the classic flow, with Condition ACEs evaluated together with NTFS Permissions)
  Authentication (Kerberos / NTLM) – Allowed to Authenticate?
  Windows Firewall TCP 445
  Sharing Permissions
  Authentication – Access this Computer from Network / Allow Logon Locally
  Access Token – UAC Restricted Access Token
  NTFS Permissions – Condition ACEs
  Folder Quotas (Path)
  Volume Quotas (Owner)
  Disk


File Classification

File Server Resource Manager (FSRM)
• Manual File Classification
• Automatic File Classification
  – file name wildcard
  – folder path
  – words and/or regular expressions
  – PowerShell code
• Locally vs. AD defined terms
• Adds file metadata
  – alternative NTFS streams

File claims and ACL
• File claims can be used in the new ACE conditions
  – only AD based file terms

AD defined file claims
• Requires Windows 2012 schema extension
• Requires Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – some editor like ADSI Edit or Windows 2012 ADAC
• Must be uploaded to FSRM servers manually


Kerberos Claims

Kerberos ticket until Windows 2012 KDC
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history

Good old Kerberos
(diagram: Client XP obtains a TGT from DC 2003)
  Client XP --TGT--> DC 2003   Server

Good old Kerberos
(diagram: Client XP presents the TGT, receives a TGS carrying the SIDs, presents it to the Server)
  Client XP --TGT--> DC 2003 --TGS (SIDs)--> Client XP --TGS (SIDs)--> Server

What is new in Kerberos tickets with Windows 2012 KDC
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets

Requirements
• At least a single Windows 2012 DC (KDC)
• Tickets are extendable
• If the client does not understand the extension, it simply ignores its contents
• If the server requires user claims and they are not present in the TGS ticket, it can just ask a Windows 2012 DC directly (secure channel)

Good old Kerberos supports claims as well
(diagram: Client XP gets TGT and TGS with SIDs from DC 2003; Server 2012 asks DC 2012 for the claims)
  Client XP --TGT--> DC 2003 --TGS (SIDs)--> Client XP --TGS (SIDs)--> Server 2012 <--Claims--> DC 2012

Brand new Kerberos with Windows 2012 KDC
(diagram: Client XP obtains a TGT carrying User Claims from DC 2012)
  Client XP --TGT (User Claims)--> DC 2012   Server 2012

Brand new Kerberos with Windows 2012 KDC
(diagram: the TGS issued by DC 2012 carries SIDs and User Claims to Server 2012)
  Client XP --TGT (User Claims)--> DC 2012 --TGS (SIDs, User Claims)--> Client XP --TGS (SIDs, User Claims)--> Server 2012

What is new in Kerberos with DFL 2012
• User identity
  – login
  – SID
• Additional SIDs
  – groups
  – SID history
• User claims
  – AD attributes in Kerberos TGT tickets
• Device claims
  – AD attributes of computers
  – Compound ID in Kerberos TGT tickets

Kerberos Compound ID with device claims
(diagram: Client 8 sends its Computer TGT with the TGT request; DC 2012 returns a TGT with User Claims and Device Claims)
  Client 8 --TGT Request + Computer TGT--> DC 2012 --TGT (User Claims, Device Claims)--> Client 8   Server 2012

Brand new Kerberos with Windows 2012 KDC
(diagram: the TGS issued by DC 2012 carries SIDs, User Claims and Device Claims to Server 2012)
  Client 8 --TGT (User Claims, Device Claims)--> DC 2012 --TGS (SIDs, User Claims, Device Claims)--> Client 8 --TGS (SIDs, User Claims, Device Claims)--> Server 2012

Requirements
• At least a local Windows 2012 DC (KDC)
  – better to have 2012 DFL for consistent behavior
• Clients Windows 8 or Windows 2012
  – must ask for TGTs with the Compound ID extension
• The server cannot just obtain device claims on its own because it does not know from what device the user came


Central Access Rules

Requirements
• Windows 2012 schema extension
• Windows 2003 forest functional level
  – does not require any Windows 2012 DC
  – some editor like ADSI Edit or Windows 2012 ADAC
• Uploaded to the file servers by using Group Policy


Take away
(the Evolution table above: feature, server, client and schema / DFL / FFL requirements)


Thank you!
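The pieces described in the Kerberos Claims and Central Access Rules sections (a claim type, an AD defined file term, a central access rule with AND logic, and a conditional ACE using user and device claims) as one added PowerShell example; it is not from the presentation, and the claim ID 'ad://ext/Department', the rule and policy names and the folder D:\Shares\Finance are assumptions made for the example.

```powershell
# Added example, not from the presentation. Needs the ActiveDirectory and
# FileServerResourceManager modules (Windows 2012 / RSAT). The claim ID
# 'ad://ext/Department' and the share 'D:\Shares\Finance' are constructed names.
Import-Module ActiveDirectory

# 1. User/device claim type sourced from the AD 'department' attribute. The ID is
#    the name a conditional ACE refers to (@USER.ad://ext/Department). Adding the
#    computer class makes it a device claim too (needs Compound ID clients).
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -AppliesToClasses @('user', 'computer') -Enabled $true

# 2. Enable the built-in 'Department' resource property (ID Department_MS); FSRM
#    classification stores it with the file (alternate data stream) as a file claim.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# 3. Central access rule = target condition + ACL with AND logic: read/execute
#    (0x1200a9) for Authenticated Users only when the user's department claim
#    equals the file's Department term. XA = conditional (callback) allow ACE.
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'
New-ADCentralAccessRule -Name 'Department files' `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance","HR"})' `
    -CurrentAcl $acl
New-ADCentralAccessPolicy -Name 'Department policy'
Add-ADCentralAccessPolicyMember -Identity 'Department policy' -Members 'Department files'

# 4. On the file server: pull the AD defined terms into FSRM (the manual upload
#    step) and confirm the Department term is now known locally.
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition | Where-Object Name -eq 'Department_MS'

# 5. The same idea as a conditional ACE written straight into a folder's DACL,
#    here requiring both the user claim and the device claim (Compound ID); a
#    Windows XP client without device claims simply fails this condition.
$folder = 'D:\Shares\Finance'
$sd = Get-Acl -Path $folder
$sd.SetSecurityDescriptorSddlForm('D:PAI(A;OICI;FA;;;BA)' +
    '(XA;OICI;0x1200a9;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
    '(@DEVICE.ad://ext/Department == "Finance")))')
Set-Acl -Path $folder -AclObject $sd

# 6. On a Windows 8 / 2012 client: show which claims the KDC put into the token.
whoami /claims
```

The central access policy still has to reach the file servers through Group Policy (Security Settings, File System, Central Access Policy) before the rule can be selected on a folder.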