AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning
Jonathan Core – Domain Controller Cloning
Keith Brewer – Dynamic Access Control
2014
DMVMUG Reston, VA http://dmvmug.com
Dynamic Access Control
The access control challenge
Control who can access my data
Manage fewer security groups
Protect compliance information
Dynamic Access Control
Technical Features
Kerberos support for user claims and device authorization information
Support for conditional expressions in permission and audit entries
File classification and central access policies provide an end-to-end authorization management solution.
Include conditional expression support in Global Object Access Auditing.
Automatic Rights Management Services (RMS) encryption for sensitive Office documents (not included in this document).
Access denied remediation to ease the burden of troubleshooting share access problems (not included in this document).
Dynamic Access Control
New features included in Windows Server 2012
Scenarios
Identify data – Automatic and manual classification of files can be applied to tag data in file servers across the organization
Control access to files - Central access policies enable organizations to apply safety net policies. For example, you could define who can access health information within the organization.
Audit access to files - Central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
Apply RMS protection - Automatic Rights Management Services (RMS) encryption for sensitive Office documents. For example, you could configure RMS to encrypt all documents containing HIPAA information.
Dynamic Access Control
Benefits
Central access policy for access to files – enables organizations to set safety-net policies that reflect business and regulatory compliance requirements.
Auditing for compliance and analysis – enables targeted auditing across file servers for compliance reporting and forensic analysis.
Protecting sensitive information – identifies and protects sensitive information both inside a Windows Server 2012 environment and when it leaves that environment.
Access denied assistance – improves the access-denied experience to reduce helpdesk load and the time spent troubleshooting access-denied incidents.
Dynamic Access Control
Prerequisites
Windows Server 2012
At least one Windows Server 2012 domain controller accessible by the Windows client in the user's domain
At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust
Windows 8 client (required when using device claims)
Dynamic Access Control Building Blocks
Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators
User and Device Claims
• User and computer attributes can be used in ACEs
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins
Expression-Based Access Conditions
Department: 50 groups
Country: x 50
Restricted Access: x 20, 1000 groups
2000 groups!
2000 groups, or 71 groups with conditional expressions (MemberOf(US_SG) AND MemberOf(Finance_SG) AND MemberOf(AllowRestricted_SG)), or 3 user claims!
Selected AD user/computer attributes are included in the security token
Claims can be used directly in file server permissions
Claims are consistently issued to all users in a forest
Claims can be transformed across trust boundaries
Enables newer types of policies that weren’t possible before:
Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
User and Device Claims
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy (applies to: @Resource.Impact = High): Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
AD DS holds the central access policies, which are applied on the File Server
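An added example, not from the deck, of applying the slide's "Read, Write if the user's department matches the file's department and the device is managed" rule as a conditional ACE on an NTFS folder via SDDL. The folder path and the device-group SID are placeholders; the Department user claim and resource property are assumed to already exist in AD and to be stamped on the folder, and "managed device" is expressed here as device group membership (Device_Member_of) rather than the slide's Device.Managed claim.

```powershell
# Added example, not from the deck: apply the slide's access policy
#   Allow Read, Write if User.Department == Resource.Department AND device is managed
# as a conditional (expression-based) ACE on an NTFS folder, using SDDL.
# Assumptions (placeholders, adjust for your forest):
#   - a "Department" user claim and a "Department" resource property exist in AD
#   - $Folder already carries Resource.Department via classification
#   - managed devices are members of a device group with SID $ManagedDevicesSid
$Folder            = 'D:\Shares\Finance'
$ManagedDevicesSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID

# Conditional ACE fields: XA = ACCESS_ALLOWED_CALLBACK, OICI = inherit to
# subfolders and files, FRFW = FILE_GENERIC_READ | FILE_GENERIC_WRITE,
# AU = Authenticated Users, last field = the expression evaluated on every access check.
$Condition      = "(@User.Department == @Resource.Department) && (Device_Member_of {SID($ManagedDevicesSid)})"
$ConditionalAce = "(XA;OICI;FRFW;;;AU;$Condition)"

# Read the current DACL as SDDL, append the conditional ACE, write it back.
$Acl  = Get-Acl -Path $Folder
$Sddl = $Acl.GetSecurityDescriptorSddlForm('Access')
$Acl.SetSecurityDescriptorSddlForm($Sddl + $ConditionalAce)
Set-Acl -Path $Folder -AclObject $Acl

# Verify: the conditional ACE appears as a callback (XA) entry in the resulting DACL.
(Get-Acl -Path $Folder).GetSecurityDescriptorSddlForm('Access')
```

Because the condition references @Resource.Department, a folder without that resource property set will not satisfy the ACE, which is the "safety net" behaviour the deck describes.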
Demo: Central Access Policy
Claim Support in Windows Server 2012
Claim Information within the PAC
Previously included information
User security identifiers
Group security identifiers
Windows Server 2012
User claims
Device security identifiers
Device group security identifiers
Device claims (optional)
KDC asks DSA to retrieve claim information from Active Directory
KDC inserts claims retrieved by DSA into PAC
Claim Support in Windows Server 2012
Microsoft Confidential - For Internal Use Only
Flexible Authentication Secure Tunnel (FAST)
Known as Kerberos Armoring in Windows 8 (RFC 6113)
Benefits
Protects user pre-authentication data generated from passwords from offline dictionary attacks
Protects user Kerberos authentication from KDC error spoofing to downgrade to NTLM
Creates a tunnel between the client and the KDC during AS and TGS exchanges
Windows 8 armors the AS exchange by using the device’s TGT to protect the request
Windows 8 armors the TGS exchange by using the user’s TGT to protect the request
Claim Support in Windows Server 2012
Compound Authentication
An extension of Kerberos armoring (FAST) that allows clients to provide the device’s TGT
Compound Authentication enables a Windows 8 KDC to issue service tickets that include device authorization data
Device authorization data includes:
Device groups
Device claims
Access tokens created from issued service tickets also include device authorization data
Claim Support in Windows Server 2012
Compound Authentication - Requirements
Windows 8 Domain Controller
Support for Dynamic Access Control and Kerberos armoring
Device must support Compound Authentication (Windows 8)
Resource device must support Compound Authentication
Applications that support Compound Authentication should register their support, or you can enable the Kerberos Group Policy setting "Support compound authentication" with one of these values:
Never: the KDC will not provide compound authentication.
Automatic: once a Dynamic Access Control aware application is installed, the KDC will always provide compound authentication; after the last Dynamic Access Control aware application is removed, the KDC will no longer provide compound authentication.
Always: the KDC will always provide compound authentication.
Claim Support in Windows Server 2012
Dynamic Access Control leverages Kerberos
Windows 8 Kerberos extensions
Compound ID – binds a user to the device to be authorized as one principal
Domain Controller issues groups and claims
DC enumerates user claims
Claims delivered in Kerberos PAC
NT Token has sections
User & Device data
Claims and Groups!
Kerberos and The New Token
Pre-2012 Token: User Account, User Groups, [other stuff]
2012 Token: User Account, User Groups, User Claims, Device Groups, Device Claims, [other stuff]
Incrementally add capabilities
Current infrastructure
Windows Server 2012 File Servers
• Access and audit policies based on security groups and file tagging
• Expression-based ACEs
Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies
Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience
How Access Check Works
Share security descriptor: share permissions
File/folder security descriptor: NTFS permissions, plus a Central Access Policy reference
Active Directory (cached in the local Registry): the cached Central Access Policy definition, containing the cached Central Access Rules
Access control decision:
1) Access check – share permissions, if applicable
2) Access check – file permissions
3) Access check – every matching Central Access Rule in the Central Access Policy
Demo: Expression-Based ACL
AD Domain Controller Cloning
Before you clone
When it makes sense to use
Considerations before using
Preparation and pre-reqs
How it works
What is this VM Generation ID you speak of?
From then (prior to 2012) to now
Step by step
Before you Clone – When to use it
Primarily for rolling out a number of Virtual Domain Controllers
Initial rollout of 2012
Disaster Recovery Restore
Lab or Test environment
Increase capacity in large environments (Cloud)
Things to consider
History – Microsoft wanted to implement a safeguard for VMs
VM-Generation ID must be supported by the virtualization technology
Name of DC will be that of original appended w/ -CLNnnnn
Prep includes a few commands
STILL not recommended to restore from snapshots (Safeguard)
Before you Clone (cont’d) – Prep and Pre-Reqs
Hypervisor that supports VM-Generation ID (Server 2012)
Deployed 2012 DC in a domain containing 2012 PDCe
Add Source DC to “Cloneable Domain Controllers” group
Run PowerShell cmdlets
Get-ADDCCloningExcludedApplicationList
New-ADDCCloneConfigFile
Export then import VM
NOTE: The following server roles are not supported for cloning:
Dynamic Host Configuration Protocol (DHCP)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)
How it works – What is VM Generation ID
AD DS initially stores the VM Generation ID identifier as part of the msDS-GenerationID attribute on the domain controller’s computer object.
From then (prior to 2012): problems occur when replication is attempted and we experience USN rollback (Event ID 2095).
To now (Server 2012): when the VM is restored or rebooted, the VM Generation ID is compared to what’s in the DIT (AD database); if different, the invocationID is reset and the RID pool discarded.
How it works – Step-by-Step
(Assuming you’ve added the clone-able DC to the security group)
1. Create the configuration file
2. Shut down the source DC / VM
3. Export and import the VM
4. Power the new VM on and verify
If there is a failure, the reboot will result in DSRM
More on troubleshooting can be found HERE
Create Configuration File
1. Checks for PDCe unless offline switch used
2. Verify Source DC is member of “Cloneable Domain Controllers” group
3. Check against applications that may not support cloning
Allow List: C:\Windows\System32\DefaultDCCloneAllowList.xml
New-ADDCCloneConfigFile -IPv4Address 10.2.1.10 -IPv4DefaultGateway 10.2.1.1 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.1.1.10,10.1.1.11 -Static -SiteName CORPDR
Create Configuration File (Cont’d)
XML files used
DefaultDCCloneAllowList.xml – default list of allowed services on a DC
CustomDCCloneAllowList.xml – created if the GenerateXml switch is used with the Get-ADDCCloningExcludedApplicationList cmdlet
DCCloneConfig.xml – this is what is ultimately used on boot for cloning, and is renamed once used
Location can be one of the following: %windir%\NTDS; the location of the DIT; the root of any recoverable media
Get-ADDCCloningExcludedApplicationList
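The Step-by-Step and Create Configuration File slides as one runnable sequence, added here and not taken from the deck. The IP addresses and site name are the ones the deck shows; the DC names, export/import paths and the Hyper-V host steps are assumptions, and the second half must be run on the Hyper-V host after the source VM is off.

```powershell
# Added example, not from the deck: DC cloning preparation, export/import and
# verification. Network values and site are the deck's; names and paths are placeholders.
Import-Module ActiveDirectory

# 1) The source DC must be a member of "Cloneable Domain Controllers"
$SourceDc  = 'DC01'            # placeholder source DC
$CloneName = 'DC01-CLN0001'    # follows the deck's -CLNnnnn naming pattern
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members ($SourceDc + '$')

# 2) On the source DC: any service or application not on the allow list blocks cloning.
#    Remove it, or vet it with the vendor and add it to CustomDCCloneAllowList.xml
#    with Get-ADDCCloningExcludedApplicationList -GenerateXml.
$Excluded = Get-ADDCCloningExcludedApplicationList
if ($Excluded) {
    $Excluded | Format-Table -AutoSize
    throw 'Resolve the excluded applications listed above before cloning.'
}

# 3) Write DCCloneConfig.xml; the cmdlet checks PDCe reachability and group membership
New-ADDCCloneConfigFile -CloneComputerName $CloneName `
    -IPv4Address 10.2.1.10 -IPv4DefaultGateway 10.2.1.1 -IPv4SubnetMask 255.255.255.0 `
    -IPv4DNSResolver 10.1.1.10,10.1.1.11 -Static -SiteName CORPDR

# 4) The clone is taken from a powered-off VM, so shut the source DC down
Stop-Computer -Force

# ---- run on the Hyper-V host once the source VM is off ----
Export-VM -Name $SourceDc -Path 'E:\DCExport'                               # placeholder path
$VmConfig = Get-ChildItem 'E:\DCExport' -Recurse -Include *.xml,*.vmcx |
            Where-Object FullName -like '*Virtual Machines*' | Select-Object -First 1
$Clone = Import-VM -Path $VmConfig.FullName -Copy -GenerateNewId `
             -VirtualMachinePath 'E:\DCClone' -VhdDestinationPath 'E:\DCClone\Disks'
Rename-VM -VM $Clone -NewName $CloneName
Start-VM -VM $Clone

# 5) Verify: the clone promoted itself under the new name in the requested site and
#    carries its own msDS-GenerationId (a different value from the source DC's)
Get-ADDomainController -Identity $CloneName | Select-Object Name, Site, IPv4Address
Get-ADComputer -Identity $CloneName -Properties 'msDS-GenerationId' |
    Select-Object Name, 'msDS-GenerationId'
```

If the clone boots into DSRM instead, the deck's troubleshooting reference covers reading the cloning errors before retrying.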
Short Q & A
References
Introduction to AD DS Virtualization: http://technet.microsoft.com/en-us/library/hh831734.aspx
Detect and Recover from USN Rollback: http://support.microsoft.com/kb/875495
TechNet Blog – AskPFE: Virtual Domain Controller Cloning in Windows Server 2012: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
DC Cloning Troubleshooting: http://technet.microsoft.com/en-us/library/jj574207.aspx
Domain Controller Cloning
Speakers’ Blog: http://blogs.technet.com/b/askpfeplat/
Email: [email protected]
Need more information on DMVMUG? Visit www.dmvmug.com
Questions?