Introduction to Dynamic Access Control in Windows Server 2012: Innovations in the File Server Audit System

We continue to translate and publish materials related to Windows Server 2012 and updates to staffed Microsoft audit systems. We invite interested readers to familiarize themselves with the story of an employee of the Windows Server team about the new features of Dynamic Access Control.


Hello, my name is Nir Ben-Zvi, I work in the Windows Server team. I am pleased to present to you today a new set of functions for Dynamic Access Control (Dynamic Access Control), which is available in Windows Server 2012.

First, I will briefly talk about the planning process, then we will look at the new Central Access Policy model and describe what's new in the File Server, a solution that we have embedded in Windows Server 2012. I also have a gradual implementation that you don’t need It was to move the whole environment to Windows Server 2012 if you need to use this feature. In the end, we will consider issues related to what decisions of our partners will help expand the proposed functionality of our solutions.
Introduction
')
In modern (read: complex) IT infrastructures, data creation occurs at staggering speed in distributed systems; at the same time access to this data from multiple devices. Compliance with the requirements of standards for information security and the need to protect confidential information from leaks - one of the most important problems for business and IT. In order for these problems to be successfully solved, it is necessary to control who got access to certain information, and it is desirable that it is desirable that, when exercising such control, information on access is presented as clearly as possible.
We were aware of the problems facing the business and IT a couple of years ago when we planned what Windows Server 2012 would be like. Here are just a few frequently encountered requests from our customers:

• Centralized control of access to information, both on the basis of business requests, and in order to meet the requirements of standards
• Access to information should be audited for the purpose of analyzing and fulfilling the requirements of information security standards.
• Confidential information should be protected.
• Content owners should be responsible for their information - administrators should not do other than their work.
• A key aspect is maintaining the productivity of professionals working with information
We took a look at the individual positions in the organization and their interaction in the process of fulfilling requests from business, and regulating bodies, in order to present an adequate set of technologies and solutions.
Thus, the list of positions involved in solving the identified problems begins with the CSO / CIO, which identifies needs from a business perspective and meeting the requirements of standards. They are followed by IT administrators who manage the systems and content owners who control the actual information. As for those who work directly with information, the influence of the applied solutions on them should be minimal (ideally, it should not be at all).



To help organizations meet regulatory requirements and solve their business challenges, we ultimately focused on the following areas:
• Identification of information that must be managed to achieve its goals.
• Application of access policies to information
• Audit of access to information
• Information Encryption
These tasks have been translated into a set of Windows features that make data protection possible with Windows solutions and partner solutions.
• The ability to configure central access and audit policies in Active Directory has been added. These policies are based on conditional requirements (see below); however, the number of security groups for access control can be significantly reduced:
o Who is the user
o What device does it use
o What data is accessed
• Requests (claims) are integrated into Windows authentication (Kerberos), so that users and devices can be described not only by the security groups in which they belong, but also by requests, for example: “User from the Department of Finance”, and “Category User’s access (security clearance) is high. ”
• The File Classification Infrastructure infrastructure has been improved, allowing content owners and users to identify (tag) their data, so IT administrators can create targeted policies based on these tags. This feature works along with the ability of the file classification infrastructure to automatically classify files based on their content or other characteristics.
• Rights Management Services are integrated to automatically protect (encrypt) confidential information on servers, so even when it leaves the server, it is protected.

Central Access Policies

Central access policies can be compared to insurance that an organization applies on its servers. These policies improve (but do not replace) the local access policy (for example, discretionary ACLs) that apply to information. For example, if a local DACL file allows access to a specific user, but the Central Policy denies access to the same user, then he will not be able to access the file (and vice versa).

The initiative to introduce and strengthen central access policies springs from various causes and from various levels of organization:
• Policy related to compliance with regulations: This policy is consistent with the requirements of regulations and business and is aimed at protecting the correct (adequately established) access to information that is managed. For example, to give access to information that falls under the regulatory documents “US-EU Safe Harbor”, only to a specific group of users.
• Departmental Permissions Policy: Each department in an organization has certain data requirements that they would like to protect (strengthen). This situation is often found in organizations with an extensive organizational structure. For example, the finance department wants to limit access to financial information only to financial workers.
• Need to know policy: This policy ensures that access is allowed only to those who need to know. For example:
o Vendors should access information and edit only files that are related to the projects they are working on.
o In financial institutions, “walls” between information are important, for example, analysts should not have access to broker information, and brokers should not have access to analytical information.
Central audit policies

Central Audit Policy is a powerful tool that allows you to keep your organization safe. One of the key objectives of security auditing is to comply with the requirements of information security standards. Industry standards such as SOX, HIPPA, PCI, and others require organizations to follow a strict set of rules related to information security and data privacy (privacy). The work of auditors is to establish the presence (or absence) of such policies, thereby proving the fulfillment (or non-fulfillment) of the requirements of these standards. In addition, a security audit allows you to record anomalous behavior, identify and avoid security holes, and limit unauthorized behavior — any important user activity is recorded, and such records can be used during an investigation.

Windows Server 2012 allows administrators to develop audit policies using expressions that take into account what information users access and who these users are, so an organization can audit access to only certain information, no matter where was not. This opens the door to more targeted and at the same time easy to use audit policies. Now you can implement scenarios that until now have been difficult to implement. For example, you can easily develop audit policies that are listed below:
• Audit of all who do not have a high tolerance category and who nevertheless try to gain access to “important” information
• Audit of all vendors who are trying to access documents on projects they are not working on.

This helps regulate the scope of audit events and only limits them to more important ones, so you can track access to information on different servers without creating a huge number of records.

In addition, information tagging is recorded in audit events, so that using the event collection mechanism, contextual reports can be generated, for example: Who has accessed Important information for the last three months.
File Server Solution

Based on this infrastructure, we developed a complete solution for the Windows Server 2012 Active Directory, the Windows Server 2012 File Server and the Windows 8 client. This solution allows you to:
• Identify data using automatic and manual file classification.
• Control access to files across all servers, applying a guarantee (safety net) of central access policies. For example, you can control who gets network health information throughout your organization.
• Audit file access on file servers; use central audit policies to enforce information security standards and conduct investigations. For example, you can determine who gained access to highly confidential information over the past three months.
• Data encryption by automatically applying rights management services (RMS) encryption to confidential documents. For example, you can configure the RMS to encrypt all documents that contain information protected by HIPAA.



In order to support deployment across multiple file servers in an organization, we also provide the Data Classification Toolkit, which allows you to customize and generate reports among multiple servers.
The beta version of the Data Classification Toolkit can be downloaded here.

Concept of gradual implementation

One of the key principles of DAC development is incremental implementation. You can start using this function as soon as you have a need to solve the problems facing your company in terms of auditing file servers and accessing information.

You can use most of the Dynamic Access Control features in the Windows Server 2012 file server and the updated Active Directory domain scheme. Adding a minimum number of Windows Server 2012 domain controllers allows for the inclusion of user requests, etc. Each part of the system that you upgrade will give you more options, but to set the speed of implementation is at your discretion.

Partner Solutions

Partner solutions and a range of business applications can increase the efficiency of using Windows infrastructure investments for Dynamic Access Control, providing value to organizations using Active Directory. Here are just some examples of partner solutions that were presented at the conference last year:
• Integrating Data Leakage Prevention systems with automatic content classification
• Centralized analysis of audit data
• Authorization of Rights Management Services (Rights Management Services) using Central Access Policies
• A lot others…

via Technet