![Page 1: Windows server 2012 Wat mag ik met Dynamic Access](https://reader036.vdocuments.pub/reader036/viewer/2022081521/5461bf61af79595e398b6d67/html5/thumbnails/1.jpg)
Seminar: What can I do with Dynamic Access in Windows Server 2012

Windows Server 2012 introduces Dynamic Access. Dynamic Access is a set of features that ensure users and their data are available and protected in accordance with company rules. Existing techniques such as IRM and Kerberos have been simplified and extended. With File Classifications you can also make sure that sensitive files that accidentally end up on public shares are protected, thanks to "tags" that link them, for example, to your Legal department. Dynamic Access thus gives you more control over who has access, and to which data. If you want the best security while still offering your users 'the new way of working' or 'bring your own device', this technology is for you!
Microsoft Windows Server 2012
Windows Server 2012: Dynamic Access
Marco Sap
Computrain | Twice | Broekhuis
This presentation shows how Windows Server 2012 supports the modern, flexible working style with the help of Dynamic Access.
Agenda
• Windows Server 2012
• Trends and Challenges
• Dynamic Access
• Get Started: Advice and Action!
Windows Server 2012
The Cloud OS: modern platform for the world's apps
• Transforms the datacenter
• Enables modern apps
• Unlocks insights on any data
• Empowers people-centric IT
Pillars: Identity, Virtualization, Data, Development, Management
One platform for all segments
[Diagram: segments First Server, Small Business, Mid-market and Enterprise; Windows Server provides Virtualization, Automated Virtualization & Management and Private Cloud, with System Center adding Virtualization Management]
Windows Server
• Enables small businesses around the world
• Powers many of the world's largest datacenters
• Delivers value to organizations of all sizes
Trends
• IT constraints
• Budget reductions
• Multiple devices
• Explosive data growth
[Chart: 66% run, 14% grow, 20% transform]
Companies are under pressure to do more with less
Challenges
• Allow customers & partners
• Role- & device-driven privileges
• Availability
• Enabling devices
Companies must facilitate productivity without impacting security
Security Challenges
• Report & audit
• Centralize & standardize
• Protect
• Rapid response
Companies need an integrated security strategy
Identity is Essential for Cloud Computing
[Diagram: Identity spans Users & Devices, Infrastructure and Apps & Services, across Traditional IT and the Hybrid Cloud (private and public)]
Dynamic Access
Let’s talk concepts….
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
Dynamic Access Control Building Blocks
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Central Access Policies are stored in AD DS and applied on the File Server.
ACCESS POLICY
Applies to: @File.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
1 Data Classification
Data classification: identifying data
• Manual classification
• Classify data based on location inheritance
• Classify data automatically
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
File Classification Infrastructure
[Diagram: Resource property definitions feed FCI; when FCI sees a modified or created file, it runs the in-box content classifier or a 3rd-party classification plugin and saves the classification for security use]
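The three classification routes listed above (manual tags, location inheritance, automatic content classification) and the FCI flow of seeing a changed file, classifying it and saving the classification for security can be modelled in a few lines. The Python below is an added example, not the FCI/FSRM implementation and not code from the presentation; the share paths, folder tags, content patterns, sample documents and the precedence order (manual over content over folder) are all constructed assumptions. It also plays out the scenario from the seminar abstract: a file dropped on a public share that carries a privileged-document marker ends up tagged to Legal regardless of where it sits.

```python
"""Toy model of file classification: folder inheritance, content rules and manual tags.
Added example with constructed data; precedence (manual > content > folder) is assumed."""
import re
from dataclasses import dataclass, field

# Constructed folder tags: everything below a share root inherits its Department tag.
FOLDER_TAGS = {
    r"\\fs1\finance": {"Department": "Finance"},
    r"\\fs1\engineering": {"Department": "Engineering"},
    r"\\fs1\public": {"Department": "Public"},
}

# Constructed content rules: (pattern, tag name, tag value). A match sets the tag.
CONTENT_RULES = [
    (re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE), "Sensitivity", "High"),
    (re.compile(r"\bATTORNEY[- ]CLIENT PRIVILEGED\b", re.IGNORECASE), "Department", "Legal"),
]


@dataclass
class Document:
    path: str
    content: str
    manual_tags: dict = field(default_factory=dict)   # set by the content owner


def inherited_tags(path):
    """Location inheritance: the longest folder prefix that matches the path wins."""
    lowered = path.lower()
    best = ""
    for folder in FOLDER_TAGS:
        if lowered.startswith(folder + "\\") and len(folder) > len(best):
            best = folder
    return dict(FOLDER_TAGS.get(best, {}))


def content_tags(text):
    """Automatic classification: every rule whose pattern matches sets its tag."""
    tags = {}
    for pattern, name, value in CONTENT_RULES:
        if pattern.search(text):
            tags[name] = value
    return tags


def classify(doc):
    """Combine the three routes; later updates override earlier ones (model assumption).
    The returned dict is what an access check would read as the file's resource properties."""
    tags = inherited_tags(doc.path)
    tags.update(content_tags(doc.content))
    tags.update(doc.manual_tags)
    return tags


# Constructed sample documents: an ordinary spec, a privileged draft on the public share,
# and a finance sheet that the owner tagged by hand.
SAMPLES = [
    Document(r"\\fs1\engineering\specs\widget.docx", "Widget spec v3, internal."),
    Document(r"\\fs1\public\minutes.docx",
             "ATTORNEY-CLIENT PRIVILEGED. CONFIDENTIAL draft of settlement terms."),
    Document(r"\\fs1\finance\q3.xlsx", "Q3 figures", manual_tags={"Sensitivity": "High"}),
]


def classify_all():
    """Classification result per sample path."""
    return {doc.path: classify(doc) for doc in SAMPLES}
```

Run `classify_all()` to see the public-share draft come back as Department=Legal, Sensitivity=High: the content rule overrides the Public tag inherited from its folder, which is exactly the situation in which a central access policy keyed on those tags would protect a misplaced file.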
Demo: Data Classification
1 Data Classification
2 Central Access Policy
Expression-based access control
• Manage fewer security groups by using conditional expressions
• Central Access Policy
• Compound Identity
Flexible access control lists based on document classification and multiple identities.
Centralized access control lists using Central Access Policies.
Expression-based access conditions
How Access Check Works
File/folder security descriptor: NTFS permissions plus a Central Access Policy reference
Share security descriptor: share permissions
Active Directory (cached in the local registry): the cached Central Access Policy definition with its cached Central Access Rules
Access control decision:
1) Access check: share permissions, if applicable
2) Access check: file permissions
3) Access check: every matching Central Access Rule in the Central Access Policy
File Access Now
Share Permissions + NTFS Permissions → Access Control Decision
File Access With Windows Server 2012
Share Permissions + NTFS Permissions + Central Access Policy → Access Control Decision
Central Access Rules
Classifications on the file being accessed: Department = Engineering, Sensitivity = High

| Permission type | Target files | Permissions | Engineering Full-Time | Engineering Part-Time | Sales Full-Time |
|---|---|---|---|---|---|
| Share | | Everyone: Full | Full | Full | Full |
| NTFS | | FT: Modify; Part-Time: Read | Modify | Read | Modify |
| Rule 1: Engineering Docs | Dept=Engineering | Engineering: Modify; Everyone: Read | Modify | Modify | Read |
| Rule 2: Sensitive Data | Sensitivity=High | FT: Modify | Modify | None | Modify |
| Rule 3: Sales Docs | Dept=Sales | Sales: Modify | [rule ignored – not processed] | | |
| Effective rights | | | Modify | None | Read |
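The access check described above (share permissions, then NTFS permissions, then every Central Access Rule whose target matches the file's classification) and the worked table can be reproduced in code. The Python below is an added example, not code from the presentation and not the Windows implementation: it models allow ACEs with optional conditions, intersects the three stages, recomputes the slide's effective-rights row, and then runs the Finance rule from the earlier claims example (Read/Write only when @User.Department == @File.Department AND @Device.Managed == True) for the same user on a managed and on an unmanaged device. Group names, user names and documents are constructed for the example.

```python
"""Model of the Dynamic Access Control access check: share, NTFS, then every matching
Central Access Rule, with the result being the intersection of all stages. Added example
with constructed data; not the Windows implementation."""
from dataclasses import dataclass, field

# Generic rights as sets, so that Read < Modify < Full by inclusion.
FULL = frozenset({"read", "write", "delete", "change_permissions"})
MODIFY = frozenset({"read", "write", "delete"})
READ = frozenset({"read"})
NONE = frozenset()


def rights_name(rights):
    """Map a rights set back to the slide's vocabulary; other sets are spelled out."""
    return {FULL: "Full", MODIFY: "Modify", READ: "Read", NONE: "None"}.get(
        rights, "+".join(sorted(rights)))


@dataclass
class Principal:
    name: str
    groups: frozenset                                  # security groups used as ACE trustees
    claims: dict = field(default_factory=dict)         # user claims from the Kerberos PAC
    device_claims: dict = field(default_factory=dict)  # device claims (compound identity)


@dataclass
class Resource:
    properties: dict                        # classification tags on the file


@dataclass
class Ace:
    """Allow ACE: `rights` for `trustee` ("Everyone" or a group), optionally conditional."""
    trustee: str
    rights: frozenset
    condition: object = None                # callable (principal, resource) -> bool


@dataclass
class CentralAccessRule:
    name: str
    target: object                          # callable (resource) -> bool
    aces: list


def evaluate_acl(aces, principal, resource):
    """Union of the rights of every allow ACE whose trustee and condition apply."""
    granted = set()
    for ace in aces:
        trustee_ok = ace.trustee == "Everyone" or ace.trustee in principal.groups
        if trustee_ok and (ace.condition is None or ace.condition(principal, resource)):
            granted |= ace.rights
    return frozenset(granted)


def access_check(share, ntfs, policy, principal, resource):
    """1) share permissions, 2) NTFS permissions, 3) every Central Access Rule whose
    target matches the file's classification. Each stage can only remove rights."""
    effective = evaluate_acl(share, principal, resource) & evaluate_acl(ntfs, principal, resource)
    for rule in policy:
        if not rule.target(resource):
            continue                        # rule ignored, not processed
        effective &= evaluate_acl(rule.aces, principal, resource)
    return effective


# Constructed data reproducing the slide's Central Access Rules table.
SHARE = [Ace("Everyone", FULL)]
NTFS = [Ace("FT", MODIFY), Ace("Part-Time", READ)]
POLICY = [
    CentralAccessRule("Engineering Docs", lambda r: r.properties.get("Department") == "Engineering",
                      [Ace("Engineering", MODIFY), Ace("Everyone", READ)]),
    CentralAccessRule("Sensitive Data", lambda r: r.properties.get("Sensitivity") == "High",
                      [Ace("FT", MODIFY)]),
    CentralAccessRule("Sales Docs", lambda r: r.properties.get("Department") == "Sales",
                      [Ace("Sales", MODIFY)]),
]
DOCUMENT = Resource({"Department": "Engineering", "Sensitivity": "High"})
USERS = {
    "Engineering Full-Time": Principal("eng_ft", frozenset({"Engineering", "FT"})),
    "Engineering Part-Time": Principal("eng_pt", frozenset({"Engineering", "Part-Time"})),
    "Sales Full-Time": Principal("sales_ft", frozenset({"Sales", "FT"})),
}


def effective_rights_table():
    """Effective rights per user on DOCUMENT; matches the slide's last table row."""
    return {label: rights_name(access_check(SHARE, NTFS, POLICY, user, DOCUMENT))
            for label, user in USERS.items()}


# The Finance rule from the claims slide: department must match AND the device must be managed.
HIGH_IMPACT_RULE = CentralAccessRule(
    "High impact documents", lambda r: r.properties.get("Impact") == "High",
    [Ace("Everyone", frozenset({"read", "write"}),
         lambda p, r: p.claims.get("Department") == r.properties.get("Department")
         and p.device_claims.get("Managed") is True)])


def finance_access(device_managed):
    """Same user and file; only the device claim differs (constructed example)."""
    alice = Principal("alice", frozenset({"Finance"}),
                      claims={"Department": "Finance", "Clearance": "High"},
                      device_claims={"Department": "Finance", "Managed": device_managed})
    doc = Resource({"Department": "Finance", "Impact": "High"})
    return rights_name(access_check(SHARE, [Ace("Finance", MODIFY)], [HIGH_IMPACT_RULE], alice, doc))
```

Two properties of the model are worth noting. A rule whose target condition does not match is skipped entirely rather than contributing an empty allow set, which is why the Sales rule is harmless for the Engineering document; and because every stage intersects, attaching a Central Access Policy can only narrow what the share and NTFS ACLs already grant, never widen it. `finance_access(True)` yields read+write, while `finance_access(False)` yields None even though Alice's NTFS permissions alone would allow Modify.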
Kerberos and The New Token
Dynamic Access Control leverages Kerberos
• Windows 8 Kerberos extensions: Compound ID binds a user to the device, so both are authorized as one principal
• The Domain Controller issues groups and claims: the DC enumerates user claims, and claims are delivered in the Kerberos PAC
• The NT token has sections for user and device data: claims and groups!
Pre-2012 token: User Account; User Groups; [other stuff]
2012 token: User Account; User Groups, Claims; Device Groups, Claims; [other stuff]
Overview
[Diagram: the AD Admin enables the domain to issue claims and defines claim types (claim type, display name, source, suggested values, value type) on the Contoso DC. The user attempts to log in and receives a Kerberos ticket (Contoso\Alice, User, Groups: …, Claims: Title=SDE); the user then attempts to access a resource on the File Server, where the NT access token carries the same groups and claims]
Kerberos Pre-Windows 2012
[Diagram: User, pre-Windows 2012 Contoso DC, pre-Windows 2012 File Server. The user obtains M-TGT and U-TGT from the DC and receives a TGS (no claims), which is presented to the file server for the access decision (?)]
Kerberos with Claims
[Diagram: User, Contoso DC, File Server. The user obtains M-TGT and U-TGT from the DC and receives a TGS (with User Claims), which is presented to the file server for the access decision (?)]
Kerberos with Pre-Windows 8 Clients
[Diagram: Pre-Windows 8 User, Contoso DC, File Server. The client obtains M-TGT and U-TGT and receives a TGS (no claims), which it presents to the file server; the file server in turn obtains a TGS (with User Claims) from the Contoso DC before making the access decision (?)]
Kerberos with Compound Identity
[Diagram: User, Contoso DC, File Server. The user obtains M-TGT and U-TGT and receives a TGS (User and Device Groups/Claims), which is presented to the file server for the access decision (?)]
Across Forest boundaries
[Diagram: User, Contoso DC, Other Forest DC, File Server. The user obtains M-TGT and U-TGT from the Contoso DC and is given a Referral TGT for the other forest; the Other Forest DC, which publishes a Cross-Forest transformation Policy, issues the TGS (with claims) that is presented to the file server for the access decision (?)]
To the Cloud!
[Diagram: User, Contoso DC, ADFS, Cloud App. The user obtains M-TGT and U-TGT from the Contoso DC and presents a TGS to ADFS, which issues a SAML token that the user presents to the Cloud App]
Central Access Policy
In Active Directory (Windows Server 2012 Active Directory):
• Create resource property definitions
• Configure central policies
• Configure claims
On the File Server (Windows Server 2012 File Server):
• Classify information
• Assign central policy
At Runtime:
• User access is evaluated
[Diagram: the Access Policy, Resource Property Definitions and Claims flow from Active Directory to the file server, where the End User's access (?) is evaluated]
Demo: Central Access Policy
In Summary…..
Reduce group complexity
Enable Information Governance on File Servers
Implement effective access control
Dynamic Access Control
Manage identity data
• Manual tagging by content owners
• Automatic classification (tagging)
• Application-based tagging
Control access
• Central access policies targeted based on file tags
• Expression-based access conditions with support for user claims, device claims, and file tags
• Access denied remediation
Audit access
• Central audit policies that can be applied across multiple file servers
• Expression-based auditing conditions with support for user claims, device claims, and file tags
• Policy staging audits to simulate policy changes in a real environment
Protect data
• Automatic Rights Management Services (RMS) protection for Microsoft Office documents based on file tags
• Near real-time protection soon after the file is tagged
• Extensibility for non-Office RMS protectors
Get started
• Download Windows Server 2012
• Learn
• Act