Dynamic Access Control presents a major shift
Microsoft has positioned its most recent server OS, Windows Server 2012, as a fundamental building block for private cloud environments. The new server OS includes numerous changes to the Hyper-V virtual machine manager, including new security features to allow for better and more flexible network isolation between the virtual machines (VMs) of tenants that use the same Hyper-V instance. But Server 2012 also includes important changes to another crucial element of Microsoft-rooted private clouds: Active Directory (AD).
In this article, I focus on some key security changes that Microsoft bundles with Server 2012 AD. There's much to say about Dynamic Access Control, which represents a big shift in the Windows and AD authorization model. In addition, Server 2012 AD includes some smaller but no less important security-related changes.
Dynamic Access Control: All About Claims
Dynamic Access Control is probably the most fundamental security change that Microsoft incorporates in Server 2012. Dynamic Access Control integrates the claims-based access control (CBAC) model with the Windows OS and AD. Claims are statements about users or devices (e.g., "My account name is JanDC," "I am a member of the sales department") and are issued by a trusted authority. Microsoft first introduced CBAC in Active Directory Federation Services version 1 (ADFS v1), which was bundled with Windows Server 2003.
Claims can provide a flexible mechanism for exchanging trustworthy identity attributes between ADFS servers. Organizations can now use claims to protect the file and folder data stored on domain-joined Server 2012 or Windows 8 machines. Server 2012 domain controllers (DCs) can issue claim statements as part of the user and machine authentication process, by embedding the claims in the user's or machine's authentication ticket. (For more information on claims and how Microsoft leverages them, read "A Guide to Claims-based Identity and Access Control.")
Dynamic Access Control is built on several new and enhanced Windows data-authorization features for classifying and labeling data, applying CBAC settings, auditing access to data, and encrypting data. Under the hood, Dynamic Access Control relies on numerous Microsoft engineering changes to key Windows components, services, and protocols. These include AD, Group Policy Objects (GPOs), DNS, Kerberos, the Local Security Authority (LSA), and the Netlogon processes, as well as network protocols such as Server Message Block (SMB), LDAP, and remote procedure call (RPC). Microsoft has made several Dynamic Access Control–driven changes in Server 2012, including the following:
- Extending the DC and Kerberos Key Distribution Center (KDC) logic, to enable the issuing of claims in authentication tokens
- Changing the Kerberos token format, to enable the transportation of claims
- Adding alternate data streams (ADS) in NTFS, to attach custom properties to files and folders
- Enabling the storage of conditional expressions in the ACLs of files and folders, to enable more flexible access control and auditing settings
- Extending the AD schema, to allow centralized storage of Dynamic Access Control properties and policies
Dynamic Access Control can leverage AD to store central access policies (CAPs) and GPOs and to push these policies to domain members. Microsoft also added a Central Policy tab (which Figure 1 shows) in the Advanced Security Settings dialog box for folders. From this tab, administrators can choose the CAP that they want to assign to a given folder. Thanks to these changes, you can now grant access to files and folders in your domain or forest, based on the values of standard or custom attributes of your AD user and machine objects. For example, you can now refuse a user access to a file server share if the Department attribute of the AD user object doesn't contain the value "Sales" or "Marketing." This new flexible authorization logic is very different from the user- and group-SID–based logic that we've been using for years.
You can define CAPs from the Dynamic Access Control container in the revamped Active Directory Administrative Center (ADAC), which Figure 2 shows, or by using Windows PowerShell cmdlets. You can call on the same tools to enable claim support for an AD user or machine object attribute and to add values to these attributes. A Server 2012 DC will add claim statements to user and computer authentication tokens only for the user and computer object attributes that actually contain information and that are linked to an enabled claim type. Server 2012 DCs are disabled for CBAC by default, so before they can issue claims you must explicitly enable them to do so. To enable CBAC, use the Domain Controller support for Dynamic Access Control and Kerberos armoring GPO setting in the \Computer Configuration\Policies\Administrative Templates\System\KDC container. To use GPOs to push CAPs to your machines, you can use the new Central Access Policy GPO option in the \Computer Configuration\Policies\Windows Settings\Security Settings\File System container.
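The PowerShell route described above, as an added example that is not part of the original article: it turns the user's Department attribute into a claim, defines a matching resource property, and wraps a conditional ACE into a central access rule and CAP. The display names, the "Sales"/"Marketing" values and the Modify access mask are assumptions; the cmdlets are the ActiveDirectory module's, and the script assumes it runs on a Server 2012 DC where the KDC GPO setting named above is already enabled.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module on a Server 2012 DC
# and that the KDC GPO setting for Dynamic Access Control is already enabled.
Import-Module ActiveDirectory

# 1. Expose the user object's 'department' attribute as a user claim. A DC only puts this claim
#    into a ticket when the claim type is enabled AND the user's attribute actually has a value.
$claim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -Enabled $true -PassThru

# 2. Matching resource property so folders can be tagged with a department value
#    (suggested values are constructed for this example). Publishing it in the global list
#    lets file servers download it for classification.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Sales", "Sales", "Sales department"),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Marketing", "Marketing", "Marketing department")
)
$prop = New-ADResourceProperty -DisplayName "Department" -IsSecured $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $values -PassThru
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members $prop

# 3. Central access rule. The resource condition scopes the rule to folders tagged Sales or
#    Marketing; the conditional ACE (XA) grants Modify (0x1301bf) to Authenticated Users only
#    when the user's Department claim equals the folder's Department property. Both the claim
#    and the property are referenced by the IDs AD generated for them, not by display name.
$resourceCondition = '(@RESOURCE.{0} Any_of {{"Sales","Marketing"}})' -f $prop.ID
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
       "(XA;;0x1301bf;;;AU;(@USER.$($claim.ID) == @RESOURCE.$($prop.ID)))"
$rule = New-ADCentralAccessRule -Name "Department must match folder" `
    -ResourceCondition $resourceCondition -CurrentAcl $acl -PassThru

# 4. Bundle the rule into a CAP. The Central Access Policy GPO option named in the article pushes
#    it to file servers; the folder is then linked to it from the Central Policy tab (Figure 1).
New-ADCentralAccessPolicy -Name "Sales and Marketing data"
Add-ADCentralAccessPolicyMember -Identity "Sales and Marketing data" -Members $rule
```

Because the ACE compares a user claim with a resource property rather than naming SIDs, a user whose Department attribute is empty (and who therefore receives no claim) is denied by the rule without any group change.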