Changes in Active Directory in Windows Server 2012. Part 1. Dynamic Access Control

Original author: Jan De Clercq
  • Translation
An interesting article, Windows Server 2012 Active Directory Security Changes, on the key changes to Active Directory in Windows Server 2012 was published on WindowsITPro. The article is long, so I decided to split it into two parts. The first part focuses on Dynamic Access Control, which is a big step forward in the authorization model of Windows and Active Directory. The second part will cover the other security-related changes in AD in Server 2012, namely:
  • New security management features in ADAC (a GUI for fine-grained password policies)
  • Group Managed Service Accounts
  • Primary computers.

I want to note that the language of the article is quite complicated, so the translation may be clumsy in places. I apologize in advance.

Dynamic Access Control: it's all about claims


Dynamic Access Control is the most fundamental security change in Server 2012. It integrates a claims-based access control (CBAC) model with the existing Windows and AD authorization models. Claims are statements about users or devices (for example, "my account name is JanDC" or "I am in the Sales department") that are issued by a trusted source. Microsoft first introduced CBAC in Active Directory Federation Services 1.0 (ADFS v1) in Windows Server 2003 R2.

Claims already provided a flexible mechanism for exchanging trusted identity attributes between ADFS servers. Organizations can now also use claims to protect files and folders stored on domain-joined Windows Server 2012 or Windows 8 machines. Server 2012 domain controllers can issue claims during user or machine authentication by including them in the user's or machine's Kerberos ticket. (For more on claims and how Microsoft uses them, see the MSDN guide A Guide to Claims-based Identity and Access Control.)

Dynamic Access Control builds on several new and improved data authorization features in Windows that let you:
  • Classify and tag data
  • Apply claims-based access control (CBAC) settings
  • Audit data access
  • Encrypt data.

From a developer's point of view, numerous changes to key Windows components, services and protocols were needed to support Dynamic Access Control. They touch AD, Group Policy Objects, DNS, Kerberos, the Local Security Authority (LSA) and Netlogon, as well as network protocols such as Server Message Block (SMB), LDAP and remote procedure call (RPC). Among the changes Microsoft made to Server 2012 for Dynamic Access Control are:
  • Extended domain controller and Kerberos Key Distribution Center (KDC) logic to issue claims in authentication tokens
  • A changed Kerberos ticket format to carry claims
  • Use of NTFS alternate data streams (ADS) to support custom properties on files and folders
  • Storage of conditional expressions in file and folder ACLs, enabling flexible access control and audit settings
  • An extended AD schema that allows centralized storage of Dynamic Access Control properties and policies.

Central Access Policies

Dynamic Access Control can store Central Access Policies (CAPs) in AD so that they can be applied to domain members. The Advanced Security Settings dialog box for folders gained a Central Policy tab (shown in Figure 1), from which administrators select the CAP they want to assign to the folder. You can now define access policies for files and folders across your domain or forest based on the values of standard and custom attributes of your AD objects (users or computers). For example, you can deny a user access to a network folder on a file server if the Department attribute of the AD user object contains neither "Sales" nor "Marketing".



Central Access Policies (CAPs) are defined in the Dynamic Access Control (DAC) container of the updated Active Directory Administrative Center (ADAC), shown in Figure 2, or with PowerShell cmdlets. With the same tools you enable claim types for AD objects (users and computers) and associate them with the attributes that supply their values. A Server 2012 domain controller adds a claim to a user's or computer's authorization token only if the object's attribute actually contains a value and is associated with an enabled claim type. Before a Windows Server 2012 domain controller can issue claims, this function must be enabled; keep in mind that Server 2012 DCs are not enabled for CBAC by default. The switch is the GPO setting KDC support for claims, compound authentication and Kerberos armoring under Computer Configuration\Policies\Administrative Templates\System\KDC. To distribute CAPs to your machines through GPOs, use the Central Access Policy option in the Computer Configuration\Policies\Windows Settings\Security Settings\File System container.
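To make the Department example concrete, here is an added PowerShell example (not from the original article) that creates the user claim type, a central access rule whose conditional expression grants access only when the Department claim is Sales or Marketing, and the CAP that carries it, then enables claim issuance on the domain controllers and claim requests on the clients through the registry values behind the corresponding GPO settings. The claim type ID, the rule, policy and GPO names, and the use of the Default Domain (Controllers) Policy are assumptions for illustration; the cmdlets are those of the ActiveDirectory and GroupPolicy modules on a Windows Server 2012 domain.

```powershell
# Added example: build the "Sales or Marketing only" rule from the text as a Central Access Policy.
# Assumptions: Windows Server 2012 forest, RSAT ActiveDirectory and GroupPolicy modules installed,
# and illustrative names (claim ID, rule, policy, GPO) that are not from the original article.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. User claim type sourced from the AD 'department' attribute. The ID (ad://ext/...) is how the
#    claim is referenced inside conditional expressions, so fix it explicitly to keep the SDDL stable.
$claimId = 'ad://ext/Department:88d1c18c1b3cc5f0'   # illustrative ID, normally auto-generated
if (-not (Get-ADClaimType -Filter "DisplayName -eq 'Department'")) {
    New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -ID $claimId -Enabled $true
}

# 2. Central Access Rule. -CurrentAcl is an SDDL DACL; the XA (callback = conditional) ACE grants
#    Read and Execute (FRFX) to Authenticated Users (AU) only when the Department claim matches.
#    A CAP is an additional gate on top of the NTFS ACL, so everyone else is effectively denied.
$condition = '(@USER.' + $claimId + ' Any_of {"Sales","Marketing"})'
$sddl = 'O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;FRFX;;;AU;' + $condition + ')'
New-ADCentralAccessRule -Name 'Sales and Marketing read access' -CurrentAcl $sddl

# 3. Bundle the rule into a policy that file servers can be pointed at.
New-ADCentralAccessPolicy -Name 'Sales Data CAP'
Add-ADCentralAccessPolicyMember -Identity 'Sales Data CAP' -Members 'Sales and Marketing read access'

# 4. Enable claims issuance on the DCs and claim requests on the clients. These are the registry
#    values written by the "KDC support for claims, compound authentication and Kerberos armoring"
#    and "Kerberos client support for claims, compound authentication and Kerberos armoring" settings.
#    1 = Supported (issue claims when a claims-aware client asks for them).
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# 5. Check what was created. The policy lists the rule; the rule shows the conditional ACE.
Get-ADCentralAccessPolicy -Identity 'Sales Data CAP' -Properties Members | Format-List Name, Members
Get-ADCentralAccessRule -Identity 'Sales and Marketing read access' | Format-List Name, CurrentAcl
```

Publishing the CAP to file servers (the Central Access Policy option under Security Settings\File System) and assigning it to a folder on the Central Policy tab are done in GPMC and Explorer as described above. After `gpupdate /force` and a fresh logon on a Windows 8 client, `whoami /claims` shows whether the domain controller actually placed the Department claim in the user's ticket; if the claim is missing there, the rule will deny regardless of the attribute value.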



Auditing file and folder access in Windows Server 2012

With the introduction of Dynamic Access Control, claims can be used not only to control access to files and folders but also to audit access to them. For example, in Server 2012 you can configure an audit rule that records every user who was granted or denied access to folders tagged as confidential (a "Confidential" resource property). To set claims-based audit settings for files and folders centrally, use the Global Object Access Auditing GPO settings, which Microsoft introduced in Windows Server 2008 R2 and which now support Dynamic Access Control conditions.

Administrators can also configure flexible access control and audit settings on individual files and folders, both in addition to and independently of centrally defined CAPs. The Advanced Security Settings dialog boxes in Windows 8 and Server 2012 were changed so that you can add conditional expressions when defining permission and audit entries for files and folders. Figure 3 shows this new interface, illustrating a permission entry on a folder called SharedData that includes a conditional expression.



Data classification

In addition to auditing and access control, Dynamic Access Control provides new, flexible data classification mechanisms. You can now reference custom properties of a file or folder, called resource properties, in the access control and audit settings dialog boxes; the properties themselves are defined centrally in ADAC or with PowerShell cmdlets. To propagate these properties to your domain computers, Windows 8 and Server 2012 include a component that connects to AD over LDAP and retrieves them. This classification feature lets you classify data by the attributes you choose and apply protection accordingly.

You can classify files and folders manually on the Classification tab of the file or folder properties, as shown in Figure 4. This tab appears only on systems that have the Desktop Experience feature installed and that host the File Server Resource Manager role service.



Automating the file classification process

The file classification process can be automated with the File Classification Infrastructure (FCI). FCI was introduced in Server 2008 R2 and lets administrators define custom classification properties (tags), set up classification rules and expiration dates, and generate classification reports. Administrators manage FCI from File Server Resource Manager (FSRM). FCI can be combined with the RMS Bulk Protection Tool to apply RMS protection to files automatically.
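As an added example (not part of the original article), the following PowerShell does from the command line what FCI does in the FSRM GUI on a Windows Server 2012 file server: it defines a Yes/No classification property named Confidential, creates a content-based rule that tags files under D:\SharedData containing the word "confidential", and runs the classification. The property name, folder path and pattern are assumptions; the cmdlets are those of the FileServerResourceManager module that ships with the FSRM role service in Server 2012.

```powershell
# Added example: automate FCI classification with the FileServerResourceManager module.
# Assumptions: Windows Server 2012 with the FSRM role service, a share rooted at D:\SharedData,
# and a locally defined Yes/No property called Confidential (all names chosen for illustration).
Import-Module FileServerResourceManager

# Resource properties defined centrally in AD (via ADAC) are pulled down into this server's
# FSRM property definitions; run this first so they can be used in rules alongside local ones.
Update-FsrmClassificationPropertyDefinition

# A local Yes/No property. Unlike an AD resource property it stays local to this file server,
# but it is enough to drive the "confidential" audit and access scenarios described above.
if (-not (Get-FsrmClassificationPropertyDefinition -Name 'Confidential' -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationPropertyDefinition -Name 'Confidential' -Type YesNo `
        -Description 'Set automatically when the content looks confidential'
}

# Content classifier rule: every file under the namespace whose text matches the regular
# expression gets Confidential = Yes. Aggregate keeps an existing Yes (Yes wins over No), so a
# manual classification on the Classification tab is not silently downgraded by the rule.
New-FsrmClassificationRule -Name 'Tag confidential documents' `
    -Property 'Confidential' -PropertyValue 'Yes' `
    -Namespace @('D:\SharedData') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('(?i)\bconfidential\b') `
    -ReevaluateProperty Aggregate

# Run the classification now rather than waiting for the scheduled run, then review the rule set.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassificationRule | Format-Table Name, Property, PropertyValue, Namespace
```

Once the Confidential tag is in place, it is the `@RESOURCE` side of the conditional expressions described above: a central access rule's resource condition or a conditional audit entry can reference the same property, so the classification rule effectively decides which files the stricter access and audit settings apply to. Review the classification report FSRM produces before pointing a deny rule at the tag, since a too-broad regular expression locks out users just as reliably as a correct one.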

This is only a short introduction to Dynamic Access Control. Detailed information (setup, configuration, troubleshooting) can be found in the Microsoft white paper "Understand and Troubleshoot Dynamic Access Control in Windows Server 8 Beta".
