One of the big security challenges in a Windows domain environment is ensuring that files—all files, not just the ones you know about—have the correct security applied to them. According to Microsoft, despite the popularity of SharePoint, file servers remain the largest (80 percent) repository of enterprise data. Periodic audits for regulatory compliance are expensive and difficult to accomplish. Adding to this challenge is the fact that in the current Windows Server file environment, there’s a gap between the overall information security policy and the actual boots-on-the-ground implementation of these policies on file servers throughout the domain. Anyone who has had to administer a server knows there are many opportunities for exceptions to slip through in an environment where tens, hundreds, or even thousands of file servers must be individually configured to meet corporate policy.
Windows Server 8 Dynamic Access Control is a new file-system authorization mechanism that gives IT the ability to define central file-access policies at the domain level that apply to every file server in the domain. Dynamic Access Control provides a “safety net,” in addition to any existing share and NTFS permissions, which ensures that regardless of how the share and NTFS permissions might be changing on a day-to-day basis, this central overriding policy will still be enforced.
Dynamic Access Control marks the first incorporation of claims into the core Windows authorization (access control) model. A claim is an assertion about an object, issued by a trusted identity provider. Claims have existed for a while in the internet security world, where they’re at the core of federated identity technology. Claims are manipulated in this area by a security token service (STS) such as Active Directory Federation Services (AD FS), which transforms data in Kerberos tokens into claims that can be consumed by web services.
In the Windows Server 8 access control model, claims are Active Directory (AD) attributes that have been defined for use with Central Access Policies. You can set claims for both users (“User.company==FTE”) and devices (“Device.managed==true”). This is easily done in using the Active Directory Administrative Center (ADAC), where there’s a new Claim Based Access container at the same hierarchy level as the domain. This kind of claim-based access gives you a degree of granularity and flexibility not available before. In fact, the product was originally named “claim-based access control,” but was renamed to Dynamic Access Control because the new access control system has more to it than just claims.
Deploying centralized file-access policies through Dynamic Access Control is a four-part process. The first—and arguably the hardest—step is to identify and classify file server data. These classifications are set by NTFS tags and require the file server be running Windows Server 8. This tagging can be done by several methods. Data can be tagged/classified based on application; by a sophisticated automatic mechanism that can, for example, search for Social Security formats or the words “<your company> Confidential”; by folder; or it can be tagged manually by the file server content owner.
While this classification process is going on, Information Security can build Central Access Policies that will apply to the different file classifications. These policies are far more flexible and specific than anything previously available in Windows access control; you can use expression-based access conditions with support for user claims, device claims, and file tags. When the policies are applied, there’s a highly customizable Access Denied remediation mechanism that guides the user to a specific URL or generates an email message, to get the situation corrected if necessary.
Once the policies are applied, you can also define centralized audit policies that can be applied across multiple files servers as well. Similarly to the access policies, these audit policies are defined with expression-based auditing conditions with support for user claims, device claims, and file tags. And since there’s a big gap between a policy as it’s initially thought up and how it looks when it hits the real world, there’s a built-in mechanism that works like Group Policy’s Resultant Set of Policy (RSoP) to test against the target file servers in what-if simulations before the policies are ever activated.
Finally, you can choose to automatically protect certain types of Office data classification with Rights Management Service (RMS) based on file tagging. Part of Dynamic Access Control, this capability doesn’t require a separate AD RMS installation. RMS provides near real-time protection within a few seconds of when the document is tagged. Dynamic Access Control also has extensibility to protect non-Office RMS protectors.
A lot of work had to be done to various Windows components to make this high-level capability work. AD had to be updated to comprehend claims. NTFS was updated to be able to use regular expressions in file system ACLs in addition to security principals such as users and groups. This is a huge added value for administrators, because once they upgrade to Windows Server 8, they can immediately take advantage of the extra flexibility this provides—even if any centralized policies haven’t been configured. For example, using regular expressions, you can easily create the equivalent of ANDing groups together; in previous versions, you could only OR them together. For example, you can express directly that to access a certain set of files you must be a member of the Full-Time Employees group AND a member of the Finance group, without having to create all the nested groups (Finance group is nested in Full-Time Employees group is nested in Domain Users) required in our current model.
Modifications to the core authentication platform are critical to making Dynamic Access Control work. To make claims available to the new access control model without redesigning AD authentication, claims are stored in the Privilege Attribute Certificate (PAC) field inside the Kerberos ticket. This is the same place where the user’s SID and group membership SIDs are stored, so it would seem that extracting claim information would be a fairly straightforward process. The downside of this design choice is that the PAC has a limited size, and some companies are running up against token-bloat issues when a user is a member of too many groups. Of course, the additional flexibility of Dynamic Access Control will hopefully reduce the number of groups a user must be a member of.
Dynamic Access Control in Windows Server 8 is limited to the NTFS file system. Why? As it was described to me by Senior Program Manager Robert Deluca, Windows Server 8 was designed by scenario-based engineering, and the most compelling initial scenario to solve was that of centralized access control and compliance. They’re starting with this scenario, and as they gain experience with this release, it might expand to encompass other areas (such as claims-based authentication and authorization).
This new Windows Server 8 capability isn’t just a very powerful security and compliance feature. It’s also a basis for more authorization flexibility in future versions of Windows. And probably to the relief of IT pros concerned about job security, implementing it will be a good-sized project to keep them busy for quite a while.
Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
