
Changes in AD in Windows Server 2012. Part 1. Dynamic Access Control

WindowsITPro has published an interesting article, Windows Server 2012 Active Directory Security Changes, devoted to the key changes in Active Directory in Windows Server 2012.
The article is large, so I decided to break it into two parts. The first part focuses on Dynamic Access Control (DAC), which represents a big step forward in the authorization model of Windows and Active Directory. The second part will look at the other security-related changes in AD in Server 2012, namely:

I want to note that the language of the article is quite complicated, so the translation may limp in places. I apologize in advance for this.

Dynamic Access Control: Claims


Dynamic Access Control is the most fundamental security change in Server 2012. It integrates a claims-based access control (CBAC) model into Windows and AD. Claims are statements about a user or a device (for example, "My account name is JanDC" or "I am in the Sales department") that are issued by a trusted source. Microsoft first introduced CBAC in Active Directory Federation Services 1.0 (ADFS v1), which shipped with Windows Server 2003 R2.

Claims have long provided a flexible mechanism for exchanging trusted identity attributes between ADFS servers. Organizations can now also use claims to protect data in files and folders stored on domain-joined machines running Windows Server 2012 or Windows 8. Server 2012 domain controllers can issue claims during user or machine authentication; the claims are carried inside the user's or machine's Kerberos ticket (in its Privilege Attribute Certificate, next to the SIDs). For more information about claims and how Microsoft uses them, see the MSDN guide "A Guide to Claims-based Identity and Access Control".

Dynamic access control builds on several new and improved data authorization features in Windows that are designed to:

From a developer's point of view, dynamic access control touches many key Windows components, services and protocols: AD, Group Policy objects, DNS, Kerberos, the Local Security Authority (LSA) and Netlogon, as well as network protocols such as Server Message Block (SMB), LDAP and remote procedure call (RPC). Microsoft introduced several changes in Server 2012 driven by the arrival of dynamic access control:

Central Access Policies

Dynamic access control can use AD to store central access policies (CAPs) so that they can be applied on domain members. The Advanced Security Settings dialog box for folders gained a Central Policy tab (shown in Figure 1), from which an administrator picks the CAP to assign to a given folder. You can now set access policy for files and folders across your domain or forest based on the values of standard and custom attributes of your AD objects (users or computers). For example, you can deny a user access to a network folder on a file server unless the Department attribute of the user object contains "Sales" or "Marketing". This authorization logic is far more flexible than what existed before, when an access decision could only be based on the user and group SIDs in the token.


Central access policies (CAPs) are created in the Dynamic Access Control (DAC) container of the updated Active Directory Administrative Center (ADAC), shown in Figure 2, or with PowerShell cmdlets. The same tools are used to enable claim types for attributes of AD objects (users and computers) and to add suggested values for those attributes. A Server 2012 domain controller adds a claim to a user's or computer's authorization token only if the attribute behind an enabled claim type actually holds a value for that object; an empty attribute produces no claim. Before a Windows Server 2012 domain controller can issue claims, the feature must be enabled; Server 2012 DCs do not issue claims for CBAC by default. To enable it, use the group policy setting Domain Controller support for Dynamic Access Control and Kerberos armoring (called KDC support for claims, compound authentication and Kerberos armoring in the released version) in Computer Configuration\Policies\Administrative Templates\System\KDC. To distribute CAPs to your file servers with group policy, use the Central Access Policy setting in Computer Configuration\Policies\Windows Settings\Security Settings\File System.
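The following PowerShell is an added example and not code from the article or from Microsoft: it builds the "Sales or Marketing" rule described above end to end on a Server 2012 domain controller, from enabling claim issuance on the KDC to a central access policy ready for assignment. The GPO name, the claim ID ad://ext/Department, the rule and policy names, the sample account jandc and the registry values behind the KDC policy are assumptions, not details from the article.

```powershell
# Added example, not part of the original article: build the "Sales or Marketing"
# rule with the ActiveDirectory and GroupPolicy modules on a Server 2012 DC.
# Assumptions (not from the article): the GPO name 'Default Domain Controllers Policy',
# the claim ID ad://ext/Department, the rule/policy names and the account jandc.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Let the KDC issue claims. The KDC policy named in the text writes these two
#    registry values (assumed from the KDC.admx template; confirm in the GPO editor).
#    CbacAndArmorLevel 1 = "Supported": claims are issued to clients that ask for them.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1

# 2. Define a user claim type backed by the 'department' attribute. The DC puts a
#    Department claim into the Kerberos PAC only for users whose attribute is set.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -AppliesToClasses @('user') -ID 'ad://ext/Department' `
    -Description 'Department of the user, issued as a Kerberos claim'

# 3. A central access rule whose ACL holds a conditional (XA) ACE: Authenticated
#    Users (AU) get Read & Execute (0x1200a9) only when their Department claim is
#    Sales or Marketing. Nobody else has an allow ACE, so everyone else is denied.
#    SYSTEM (SY) and Administrators (BA) keep full access (FA).
$ruleAcl = 'O:SYG:SYD:AR' +
           '(A;;FA;;;SY)' +
           '(A;;FA;;;BA)' +
           '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department Any_of {"Sales","Marketing"}))'
New-ADCentralAccessRule -Name 'Sales and Marketing read access' -CurrentAcl $ruleAcl `
    -Description 'Read/execute only when the Department claim is Sales or Marketing'

# 4. Wrap the rule in a central access policy that can be pushed to file servers.
New-ADCentralAccessPolicy -Name 'SharedData access policy' `
    -Description 'Assigned to the SharedData folder via the Central Policy tab'
Add-ADCentralAccessPolicyMember -Identity 'SharedData access policy' `
    -Members 'Sales and Marketing read access'

# 5. Checks worth running before trusting the policy.
Get-ADClaimType -Filter * | Select-Object DisplayName, ID, SourceAttribute, Enabled
Get-ADCentralAccessPolicy -Identity 'SharedData access policy' | Select-Object Name, Members
# A claim is issued only if the attribute is populated: an empty department means no
# claim and therefore no access, which looks like a random denial when troubleshooting.
Get-ADUser -Identity 'jandc' -Properties department | Select-Object SamAccountName, department
# On a Windows 8 / Server 2012 member, after a fresh logon (new TGT), list the claims
# that actually ended up in the token:
#   whoami /claims
```

The policy still has to reach the file servers through the Central Access Policy group policy setting under Security Settings\File System, and be selected for the folder on its Central Policy tab, as described above; the cmdlets only create the objects in AD. Users need a new Kerberos ticket before the claim shows up, so test with a fresh logon rather than an existing session.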



File and folder access auditing in Windows Server 2012

With dynamic access control, claims can be used not only to control access to files and folders but also to audit that access. For example, in Server 2012 we can configure an audit rule that records every user who was granted or denied access to folders marked with the "confidential" resource property. To define claim-based audit settings for files and folders centrally, use the Global Object Access Auditing policy, which Microsoft introduced in Windows Server 2008 R2 and has now extended for dynamic access control.

Administrators can define flexible access control and auditing settings for files and folders either in addition to, or independently of, centrally defined CAPs. The Advanced Security Settings dialog boxes in Windows 8 and Server 2012 were reworked so that conditional expressions can be used when configuring permissions and auditing of files and folders. Figure 3 shows this new interface, with a permission entry that includes a conditional expression on a folder called SharedData.
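To actually consume the audit trail described in the two paragraphs above, a practitioner needs to see which resource properties a touched file carried. The PowerShell below is an added example, not code from the article: it parses Server 2012 "An attempt was made to access an object" (4663) events and flags access to files tagged with a secured property. The property ID Confidential_MS, the share path, the account name and the sample event are constructed for the example; it also assumes the event carries the ResourceAttributes data field that Server 2012 added for classified files.

```powershell
# Added example, not from the original article: flatten 4663 file-access events and
# surface the resource properties of the file touched, so that access to folders
# tagged "confidential" can be picked out of the Security log.
# Assumptions: the events carry a Data field named ResourceAttributes (added in
# Server 2012 for classified files) and the secured property ID is Confidential_MS.

function ConvertFrom-FileAccessEvent {
    # Turn one 4663 event (as XML, e.g. from $event.ToXml()) into a flat object.
    param([Parameter(Mandatory, ValueFromPipeline)] [xml]$EventXml)
    process {
        $d = @{}
        foreach ($item in $EventXml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            User               = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object             = $d['ObjectName']
            AccessMask         = $d['AccessMask']
            ResourceAttributes = $d['ResourceAttributes']
            # The resource attribute ACE (RA) in the SACL names the property by its ID.
            Confidential       = [bool]($d['ResourceAttributes'] -match 'Confidential_MS')
        }
    }
}

# Constructed sample event (not a real log record), in the shape ToXml() returns.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jandc</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectName">D:\Shares\SharedData\budget.xlsx</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Confidential_MS",TU,0x0,1))</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-FileAccessEvent | Format-List

# Live use on the file server. The events only exist if the subcategory is on:
#   auditpol /set /subcategory:"File System" /success/enable /failure:enable
# Global Object Access Auditing applies one SACL to every file without touching
# per-folder SACLs (here: everyone, read and write, success and failure):
#   auditpol /resourceSACL /set /type:File /user:Everyone /success /failure /access:FRFW
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object { [xml]$_.ToXml() } |
    ConvertFrom-FileAccessEvent |
    Where-Object Confidential |
    Format-Table User, Object, AccessMask -AutoSize
```

Filtering on the resource property rather than on the path is the point of claim-based auditing: a confidential document stays visible in this query after it is moved or copied within the classified share, where a path-based filter would lose it.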



Data classification

Beyond auditing and access control, dynamic access control also brings new, flexible data classification mechanisms. You can now attach custom properties, called global resource properties, to a file or folder and use them in the auditing and access control dialog boxes. Again, the properties themselves are defined in ADAC or with PowerShell cmdlets. To propagate these custom properties to your domain computers, Windows 8 and Server 2012 include extensions that connect to AD over LDAP and retrieve them. This classification feature lets you classify data by the attributes you choose and apply protection accordingly.

You can classify files and folders manually using the Classification tab in the file or folder properties, as shown in Figure 4. This tab appears only on systems that have the Desktop Experience feature installed and host the File Server Resource Manager role service.



Automate the file classification process

The classification process can be automated with the File Classification Infrastructure (FCI). FCI was introduced in Server 2008 R2 and lets administrators define custom classification properties (tags), set classification rules and expiration dates, and generate classification reports. Administrators manage FCI directly from File Server Resource Manager (FSRM). FCI can be combined with the RMS Bulk Protection Tool to apply RMS protection to files automatically.
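The two classification sections above (defining a global resource property and automating its assignment with FCI) fit together in one setup, shown here as an added PowerShell example that is not code from the article: a secured Yes/No property is created in AD, synchronized into FSRM, and set by a content rule on every document containing the word "confidential", so the tag can then drive the conditional permissions and audit rules discussed earlier. The share path D:\Shares\SharedData, the property and rule names are assumptions; the property ID Confidential_MS is what AD derives from the display name.

```powershell
# Added example, not from the original article: an FCI setup that tags documents in a
# share containing the word "confidential" with a Yes/No resource property, so the tag
# can be used in conditional ACEs and audit rules. Assumptions: the share lives at
# D:\Shares\SharedData, the property does not exist yet, and FSRM can be installed.
Import-Module ActiveDirectory

# 1. In AD: a secured resource property (its ID becomes Confidential_MS), published via
#    the global list that Windows 8 / Server 2012 members download over LDAP.
New-ADResourceProperty -DisplayName 'Confidential' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-YesNo' `
    -Description 'Set by FCI when a document contains the word confidential'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Confidential'

# 2. On the file server: make sure FSRM is present, then pull the AD property
#    definitions into FSRM so classification rules can target them.
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Update-FsrmClassificationPropertyDefinition
Get-FsrmClassificationPropertyDefinition -Name 'Confidential_MS'

# 3. A content-based rule: scan files under the namespace and, when the case-insensitive
#    regex matches, set Confidential_MS to Yes. Overwrite means a file that is later
#    cleaned up loses the tag on the next run instead of keeping a stale classification.
New-FsrmClassificationRule -Name 'Tag confidential documents' `
    -Property 'Confidential_MS' -PropertyValue 'Yes' `
    -Namespace @('D:\Shares\SharedData') `
    -ClassificationMechanism 'Content Classifier' `
    -Parameters @('RegularExpression=(?i)\bconfidential\b') `
    -ReevaluateProperty Overwrite

# 4. Run classification now (normally a schedule does this) and review the rule.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassificationRule -Name 'Tag confidential documents' |
    Select-Object Name, Property, PropertyValue, Namespace
```

After the run, the Classification tab mentioned above shows Confidential = Yes on the matched files. Keep in mind that the regex only sees content FSRM can read (plain text and the Office/PDF formats it has filters for), so the rule is a labelling aid, not a guarantee that every sensitive file is tagged.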

This has been a fairly short introduction to dynamic access control. Detailed information (deployment, configuration, troubleshooting) can be found in Microsoft's white paper "Understand and Troubleshoot Dynamic Access Control in Windows Server 8 Beta".

Source: https://habr.com/ru/post/169393/