AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning

JONATHAN CORE – DOMAIN CONTROLLER CLONING
KEITH BREWER – DYNAMIC ACCESS CONTROL

2014 DMVMUG Reston, VA http://dmvmug.com

Page 2

Dynamic Access Control

Page 3

The access control challenge

Control who can access my data
Manage fewer security groups
Protect compliance information

Page 4

Dynamic Access Control

Technical Features

Kerberos support for user claims and device authorization information
Support for conditional expressions in permission and audit entries
File classification and central access policies provide an end-to-end authorization management solution.
Conditional expression support in Global Object Access Auditing.
Automatic Rights Management Services (RMS) encryption for sensitive Office documents (not included in this document).
Access denied remediation to ease the burden of troubleshooting share access problems (not included in this document).

Page 5

Dynamic Access Control

New features included in Windows Server 2012

Scenarios

Identify data – Automatic and manual classification of files can be applied to tag data in file servers across the organization.
Control access to files – Central access policies enable organizations to apply safety net policies. For example, you could define who can access health information within the organization.
Audit access to files – Central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.
Apply RMS protection – Automatic Rights Management Services (RMS) encryption for sensitive Office documents. For example, you could configure RMS to encrypt all documents containing HIPAA information.

Page 6

Dynamic Access Control

Benefits

Central access policy for access to files – Enables organizations to set safety net policies that reflect business and regulatory compliance requirements.
Auditing for compliance and analysis – Enables targeted auditing across file servers for compliance reporting and forensic analysis.
Protecting sensitive information – Identifies and protects sensitive information both inside a Windows Server 2012 environment and when it leaves the Windows Server 2012 environment.
Access denied assistance – Improves the access denied experience, reducing helpdesk load and the time needed to troubleshoot access denied incidents.

Page 7

Dynamic Access Control

Prerequisites

Windows Server 2012

At least one Windows Server 2012 domain controller accessible by the Windows client in the user's domain

At least one Windows Server 2012 domain controller in each domain when using claims across a forest trust

Windows 8 client (required when using device claims)

Page 8

Dynamic Access Control Building Blocks

Expression-Based ACEs
• ACEs with conditions, including Boolean logic and relative operators

User and Device Claims
• User and computer attributes can be used in ACEs

Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification

Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers

Access Denied Assistance
• Allow users to request access
• Provide detailed troubleshooting info to admins

Page 9

Expression-Based Access Conditions

Country (x 50): 50 groups
Department (x 20): 1000 groups
Restricted Access: 2000 groups!

2000 groups, or 71 groups with conditional expressions:
MemberOf(US_SG) AND MemberOf(Finance_SG) AND MemberOf(AllowRestricted_SG)

…or… 3 User Claims!

Page 10

User and Device Claims

Selected AD user/computer attributes are included in the security token
Claims can be used directly in file server permissions
Claims are consistently issued to all users in a forest
Claims can be transformed across trust boundaries
Enables newer types of policies that weren’t possible before:

Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True

Page 11

Central access policies

User claims
User.Department = Finance
User.Clearance = High

Device claims
Device.Department = Finance
Device.Managed = True

Resource properties
Resource.Department = Finance
Resource.Impact = High

ACCESS POLICY
Applies to: @Resource.Impact = High
Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)

(Diagram labels: AD DS, File Server)

Page 12

Demo: Central Access Policy
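The demo slide carries no script. The following PowerShell is an added example, not part of the deck and not Microsoft's documentation, that builds the slide 11 policy with the Windows Server 2012 ActiveDirectory module. Assumptions: the claim IDs ad://ext/Department and ad://ext/Managed, the computer object's info attribute as the source of the Managed claim (holding the string "True"), the built-in Department_MS and Impact_MS resource properties, the folder D:\Finance, and FSRM being installed on the file server.

```powershell
# Added example (not from the deck): recreate the slide 11 policy.
# Run steps 1-3 on a Windows Server 2012 DC, step 4 on the file server.
Import-Module ActiveDirectory

# 1. Claim types. Department is read from the 'department' attribute of users
#    and computers; the Managed device claim is sourced from the computer
#    object's 'info' attribute for this example (assumption: it holds "True").
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -AppliesToClasses 'user','computer' -Enabled $true
New-ADClaimType -DisplayName 'Managed' -SourceAttribute 'info' `
    -ID 'ad://ext/Managed' -AppliesToClasses 'computer' -Enabled $true

# 2. Resource properties the rule refers to (built-in, just enabled) and
#    published to file servers through the Global Resource Property List.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
Set-ADResourceProperty -Identity 'Impact_MS' -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' `
    -Members 'Department_MS','Impact_MS' -ErrorAction SilentlyContinue

# 3. Central access rule = resource condition + conditional ACE, then a policy
#    that carries the rule. XA = conditional allow ACE, FRFW = read + write,
#    AU = Authenticated Users; the SDDL names claims by their IDs.
$acl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;FRFW;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) && ' +
       '(@DEVICE.ad://ext/Managed == "True")))'
$rule = New-ADCentralAccessRule -Name 'Finance High Impact Rule' `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' -CurrentAcl $acl -PassThru
$policy = New-ADCentralAccessPolicy -Name 'Finance High Impact Policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# 4. On the file server, after the policy has been delivered by Group Policy
#    (Computer Configuration > Windows Settings > Security Settings > File System
#    > Central Access Policy) and gpupdate has run: classify the folder through
#    the FSRM COM object and attach the policy to it.
$fsrm = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
$fsrm.SetFileProperty('D:\Finance', 'Department_MS', 'Finance')
$fsrm.SetFileProperty('D:\Finance', 'Impact_MS', 'High')
Set-Acl -Path 'D:\Finance' -CentralAccessPolicy 'Finance High Impact Policy'
Get-Acl -Path 'D:\Finance' -AllCentralAccessPolicies | Format-List
```

The rule's resource condition decides which files the rule applies to (only those classified Impact = High); the conditional ACE decides what it grants once it applies. Because the policy is a safety net, it never grants more than the NTFS DACL already does, so the folder's regular permissions must also allow Read and Write for the policy to have any visible effect.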

Page 13

Claim Support in Windows Server 2012

Claim Information within the PAC

Previously included information:
User security identifiers
Group security identifiers

Windows Server 2012 adds:
User claims
Device security identifiers
Device group security identifiers
Device claims (optional)

KDC asks DSA to retrieve claim information from Active Directory
KDC inserts claims retrieved by DSA into PAC

Page 14

Claim Support in Windows Server 2012

Microsoft Confidential - For Internal Use Only

Flexible Authentication Secure Tunnel (FAST)

Known as Kerberos Armoring in Windows 8 (RFC 6113)

Benefits
Protects user pre-authentication data generated from passwords from offline dictionary attacks
Protects user Kerberos authentication from KDC error spoofing to downgrade to NTLM
Creates a tunnel between the client and the KDC during AS and TGS exchanges
Windows 8 armors the AS exchange by using the device’s TGT to protect the request
Windows 8 armors the TGS exchange by using the user’s TGT to protect the request

Page 15

Claim Support in Windows Server 2012


Compound Authentication

An extension of Kerberos armoring (FAST) that allows clients to provide the device’s TGT

Compound Authentication enables a Windows 8 KDC to issue service tickets that include device authorization data

Device authorization data includes:

Device groups

Device claims

Access tokens created from issued service tickets also include device authorization data

Page 16

Claim Support in Windows Server 2012


Compound Authentication - Requirements

Windows 8 Domain Controller
Support for Dynamic Access Control and Kerberos armoring
Device must support Compound Authentication (Windows 8)
Resource device must support Compound Authentication
Applications that support Compound Authentication should register their support for Compound Authentication, or
You can enable the Kerberos Group Policy setting Support compound authentication:
  Never: KDC will not provide compound authentication.
  Automatic: Once a Dynamic Access Control aware application is installed, the KDC will always provide compound authentication; after the last Dynamic Access Control aware application is removed, the KDC will not provide compound authentication.
  Always: KDC will always provide compound authentication.

Page 17

Claim Support in Windows Server 2012


Page 18

Kerberos and The New Token

Dynamic Access Control leverages Kerberos
Windows 8 Kerberos extensions
Compound ID – binds a user to the device to be authorized as one principal
Domain Controller issues groups and claims
DC enumerates user claims
Claims delivered in Kerberos PAC
NT Token has sections
User & Device data
Claims and Groups!

Pre-2012 Token:
User Account
User Groups
[other stuff]

2012 Token:
User Account
User Groups
User Claims
Device Groups
Device Claims
[other stuff]

Page 19

Incrementally add capabilities

Current infrastructure

Windows Server 2012 File Servers
• Access and Audit Policies based on security groups and file tagging
• Expression-Based ACEs

Windows Server 2012 DCs
• Centrally defined access and audit policies
• User claims can be used by access and audit policies

Windows 8 clients
• Add device claims to access and audit policies
• Better access denied experience

Page 20

How Access Check Works

File/Folder Security Descriptor: NTFS Permissions, Central Access Policy Reference
Share Security Descriptor: Share Permissions
Active Directory (cached in local Registry): Cached Central Access Policy Definition, Cached Central Access Rules (one per rule in the policy)

Access Control Decision:
1) Access Check – Share permissions if applicable
2) Access Check – File permissions
3) Access Check – Every matching Central Access Rule in Central Access Policy
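To make the three-stage decision concrete, here is an added PowerShell model, not code from the deck or from Windows, of the check described on slide 20. It shows that a central access policy can only narrow what share and NTFS permissions already grant, and that every rule whose resource condition matches must allow the request. All claims, rights and rules in it are constructed for the example.

```powershell
# Added example, not from the deck: a model of the slide 20 decision.
function Test-DacAccess {
    param(
        [hashtable]$User,        # user claims,   e.g. @{ Department = 'Finance' }
        [hashtable]$Device,      # device claims, e.g. @{ Managed = $true }
        [hashtable]$Resource,    # resource properties, e.g. @{ Impact = 'High' }
        [string[]]$Requested,    # rights being requested
        [string[]]$ShareAllows,  # rights the share ACL grants; $null = local access, no share check
        [string[]]$NtfsAllows,   # rights the NTFS ACEs grant to this user
        [array]$CentralRules     # each: @{ Name; AppliesTo = { param($r) ... }; Allows = { param($u,$d,$r) ... } }
    )
    # 1) Share permissions, only when the file is reached through a share
    if ($null -ne $ShareAllows) {
        foreach ($right in $Requested) {
            if ($ShareAllows -notcontains $right) { return "Denied by share permissions ($right)" }
        }
    }
    # 2) File (NTFS) permissions
    foreach ($right in $Requested) {
        if ($NtfsAllows -notcontains $right) { return "Denied by NTFS permissions ($right)" }
    }
    # 3) Every central access rule whose resource condition matches this file
    foreach ($rule in $CentralRules) {
        if (-not (& $rule.AppliesTo $Resource)) { continue }   # rule does not target this file
        $allowed = @(& $rule.Allows $User $Device $Resource)
        foreach ($right in $Requested) {
            if ($allowed -notcontains $right) { return "Denied by central access rule '$($rule.Name)' ($right)" }
        }
    }
    return 'Allowed'
}

# The slide 11 rule: applies to Impact = High, grants Read/Write when the user's
# department matches the file's and the device is managed.
$rules = @(
    @{
        Name      = 'Finance High Impact'
        AppliesTo = { param($r) $r.Impact -eq 'High' }
        Allows    = { param($u, $d, $r) if ($u.Department -eq $r.Department -and $d.Managed) { 'Read', 'Write' } }
    }
)
$file   = @{ Department = 'Finance'; Impact = 'High' }
$common = @{ User = @{ Department = 'Finance' }; Resource = $file; ShareAllows = 'Read', 'Write'; CentralRules = $rules }

# Managed device: share, NTFS and the matching rule all allow
Test-DacAccess @common -Device @{ Managed = $true }  -NtfsAllows 'Read', 'Write' -Requested 'Read', 'Write'
# Unmanaged device: share and NTFS allow, the matching rule does not
Test-DacAccess @common -Device @{ Managed = $false } -NtfsAllows 'Read', 'Write' -Requested 'Read'
# NTFS grants Read only: the rule cannot add Write back
Test-DacAccess @common -Device @{ Managed = $true }  -NtfsAllows 'Read'          -Requested 'Write'
```

The first call is allowed, the second is denied by the central access rule, and the third is denied by NTFS even though the rule would have allowed Write. The last case is the one that surprises people: the cached rule only ever removes access, so when a user is denied, the stage that denied them (share, NTFS or a named rule) is the thing to check.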

Page 21

Demo: Expression-Based ACL
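The deck does not include the demo's commands. The following PowerShell is an added example, not the presenter's script, that writes an expression-based (conditional) ACE of the kind shown on slides 9 and 10 straight into a folder's NTFS DACL using SDDL. The folder path and the claim ID ad://ext/Department are assumptions; the claim must already be issued by a Windows Server 2012 DC for the condition to evaluate.

```powershell
# Added example, not from the deck: append a conditional ACE to a folder's DACL.
$path = 'D:\Finance\Reports'   # assumed path
$acl  = Get-Acl -Path $path

# XA   = conditional (callback) allow ACE
# OICI = object and container inherit, so files and subfolders receive it
# FRFW = file generic read + file generic write
# AU   = Authenticated Users; the condition restricts them to one department
$conditionalAce = '(XA;OICI;FRFW;;;AU;(@USER.ad://ext/Department == "Finance"))'

# Keep the existing descriptor text and add the new ACE to the DACL.
# SetSecurityDescriptorSddlForm parses conditional ACEs on Windows 8 / 2012 and later.
$acl.SetSecurityDescriptorSddlForm($acl.Sddl + $conditionalAce)
Set-Acl -Path $path -AclObject $acl

# Verify: the DACL text now ends with the conditional ACE.
(Get-Acl -Path $path).Sddl
```

Compared with the central access policy route, a conditional ACE lives only on this folder; it is not distributed by Group Policy and not listed under the policy tab, so document where such ACEs exist or they will be missed during permission reviews. An account without the Department claim in its token (for example a user authenticating through a pre-2012 DC) never matches the condition, which is a denial, not an error.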

Page 22

AD Domain Controller Cloning

Page 23

AD Domain Controller Cloning – Before you clone

When it makes sense to use
Considerations before using
Preparation and Pre-Reqs
How it works
What is this VM Generation ID you speak of?
From then (prior to 2012) to now
Step-by-Step

Page 24

Before you Clone – When to use it

Primarily for rolling out a number of Virtual Domain Controllers
Initial rollout of 2012
Disaster Recovery Restore
Lab or Test environment
Increase capacity in large environments (Cloud)

Things to consider

History – Microsoft wanted to implement a safeguard for VMs
VM-Generation ID must be supported by the virtualization technology
Name of DC will be that of the original appended with -CLNnnnn
Prep includes a few commands
STILL not recommended to restore from snapshots (Safeguard)

Page 25

Before you Clone (cont’d) – Prep and Pre-Reqs

Hypervisor that supports VM-Generation ID (Server 2012)
Deployed 2012 DC in a domain containing a 2012 PDCe
Add Source DC to “Cloneable Domain Controllers” group
Run PowerShell cmdlets:
  Get-ADDCCloningExcludedApplicationList
  New-ADDCCloneConfigFile
Export then import VM

NOTE: The following server roles are not supported for cloning:
Dynamic Host Configuration Protocol (DHCP)
Active Directory Certificate Services (AD CS)
Active Directory Lightweight Directory Services (AD LDS)

Page 26

How it works – What is VM Generation ID

AD DS initially stores the VM-Generation ID identifier as part of the msDS-GenerationID attribute on the domain controller’s computer object

From then (prior to 2012):
Problems occur when replication is attempted and we experience USN Rollback (Event ID 2095)

Page 27

How it works (Cont’d) – What is VM Generation ID

To now (Server 2012):
When the VM is restored or rebooted, the VM-Generation ID is compared to what’s in the DIT (AD Database)
If different, the invocationID is reset and the RID pool discarded
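The safeguard only helps if the hypervisor supplies a generation ID, and a pre-2012 style USN rollback still needs to be detected. The following added PowerShell function, not from the deck, gathers the indicators the slides mention on a Windows Server 2012 DC: Event ID 2095, the Dsa Not Writable registry value that KB875495 (in the deck's references) documents, whether msDS-GenerationId is populated on the DC's computer object, and the current invocationID. The DC name defaults to the local machine; running it elsewhere is an assumption.

```powershell
# Added example, not from the deck: collect USN rollback / VM-Generation ID
# indicators for one domain controller.
Import-Module ActiveDirectory

function Test-UsnRollbackIndicators {
    param([string]$DcName = $env:COMPUTERNAME)
    $result = [ordered]@{ DomainController = $DcName }

    # 1. Event ID 2095 in the Directory Service log: this DC detected a USN rollback
    #    (replication partner saw a USN it had already consumed).
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.UsnRollbackEvent2095 = [bool]$ev
    if ($ev) { $result.LastEvent2095Time = $ev.TimeCreated }

    # 2. 'Dsa Not Writable' = 4 means the DC disabled inbound/outbound replication
    #    itself after detecting rollback (KB875495). Missing value = normal.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                             -ErrorAction SilentlyContinue
    $result.DsaNotWritable = $ntds.'Dsa Not Writable'

    # 3. Is a VM-Generation ID stored on the computer object at all? If not, the
    #    hypervisor did not expose one and the 2012 safeguard cannot trigger.
    $computer = Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId'
    $result.HasGenerationId = $null -ne $computer.'msDS-GenerationId'

    # 4. Current invocationID. Record it; a changed value after a restore or clone
    #    is the safeguard doing its job, a rollback event without a change is not.
    $result.InvocationId = (Get-ADDomainController -Identity $DcName).InvocationId

    [pscustomobject]$result
}

Test-UsnRollbackIndicators
```

A healthy DC shows UsnRollbackEvent2095 = False, no DsaNotWritable value, HasGenerationId = True on a supported hypervisor, and an invocationID that only changes when the DC was legitimately restored or cloned. Keep the invocationID in a monitoring baseline so the comparison in step 4 is possible.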

Page 28

How it works – Step-by-Step

(Assuming you’ve added the clone-able DC to the Security Group)

Create the configuration file
Shut down the Source DC / VM
Export and Import VM
Power the new VM on and verify

IF there is a failure – the reboot will result in DSRM (Directory Services Restore Mode)

More on troubleshooting can be found HERE (the DC Cloning Troubleshooting link in the References)

Page 29

Create Configuration File

1. Checks for PDCe unless offline switch used

2. Verify Source DC is member of “Cloneable Domain Controllers” group

3. Check against applications that may not support cloning

Allow List: C:\Windows\System32\DefaultDCCloneAllowList.xml

New-ADDCCloneConfigFile -IPv4Address 10.2.1.10 -IPv4DefaultGateway 10.2.1.1 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 10.1.1.10,10.1.1.11 -Static -SiteName CORPDR

Page 30

Create Configuration File (Cont’d)

XML Files Used

DefaultDCCloneAllowList.xml – Default list of allowed services on a DC

CustomDCCloneAllowList.xml – Created if the GenerateXML switch is used with the Get-ADDCCloningExcludedApplicationList cmdlet

DCCloneConfig.xml – This is what is ultimately used on boot for cloning, and it is renamed once used.
Location can be one of the following:
- %windir%\NTDS
- Location of DIT
- Root of any recoverable media
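Slides 28 to 30 describe one procedure, so here it is as a single added PowerShell script (not the presenter's script): steps 1 to 3 run on the source DC, steps 4 and 5 on the Hyper-V host with the Hyper-V module. The DC name DC01, clone name DC01-CLONE, export path and VM paths are assumptions; the IP addresses and site name reuse the deck's own New-ADDCCloneConfigFile command.

```powershell
# Added example, not from the deck: the slide 28-30 clone procedure end to end.
Import-Module ActiveDirectory

# 1. Slide 25 prerequisite: the source DC must be in the cloneable group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity 'DC01')

# 2. Anything returned here is not on DefaultDCCloneAllowList.xml. Either remove it
#    or, once reviewed, run the cmdlet again with -GenerateXml to write
#    CustomDCCloneAllowList.xml. The script refuses to continue otherwise.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table -AutoSize
    throw 'Resolve the excluded applications (or generate the custom allow list) before cloning.'
}

# 3. Write DCCloneConfig.xml into %windir%\NTDS. Without -CloneComputerName the
#    clone would be named after the original with -CLNnnnn appended (slide 24).
New-ADDCCloneConfigFile -CloneComputerName 'DC01-CLONE' `
    -IPv4Address 10.2.1.10 -IPv4DefaultGateway 10.2.1.1 -IPv4SubnetMask 255.255.255.0 `
    -IPv4DNSResolver 10.1.1.10,10.1.1.11 -Static -SiteName CORPDR

# ---- On the Hyper-V host ----
# 4. Shut the source down cleanly and export it. The hypervisor must expose a
#    VM-Generation ID or the clone will not be recognised as a clone.
Stop-VM -Name 'DC01'
Export-VM -Name 'DC01' -Path 'E:\Export'

# 5. Import a copy with a new VM ID (a new generation ID comes with it), rename it,
#    bring the source back first, then start the clone. On first boot the clone finds
#    DCCloneConfig.xml, renames itself and joins replication; on failure it boots to DSRM.
$config = Get-ChildItem -Path 'E:\Export\DC01\Virtual Machines\*.xml' | Select-Object -First 1
$clone  = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'E:\VMs\DC01-CLONE' -VhdDestinationPath 'E:\VMs\DC01-CLONE\Disks'
Rename-VM -VM $clone -NewName 'DC01-CLONE'
Start-VM -Name 'DC01'
Start-VM -Name 'DC01-CLONE'

# Verify from any DC once the clone has booted: it should appear as a new DC
# with its own invocationID, and DC01 should still replicate normally.
Get-ADDomainController -Filter * | Select-Object Name, Site, InvocationId
```

Two points the slides make that the script depends on: the PDCe must be a 2012 DC and reachable when New-ADDCCloneConfigFile runs (otherwise the cmdlet's offline switch is needed), and the export must be taken from a shut-down VM rather than a snapshot, because a snapshot restore is exactly the case the VM-Generation ID safeguard exists to catch.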

Page 31

Short Q & A

Page 32

References

Introduction to AD DS Virtualization: http://technet.microsoft.com/en-us/library/hh831734.aspx
Detect and Recover from USN Rollback: http://support.microsoft.com/kb/875495
TechNet Blog – AskPFE: Virtual Domain Controller Cloning in Windows Server 2012: http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
DC Cloning Troubleshooting: http://technet.microsoft.com/en-us/library/jj574207.aspx

Domain Controller Cloning

Page 33

Speakers' Blog: http://blogs.technet.com/b/askpfeplat/

Email: [email protected]
[email protected]

Need more information on DMVMUG? Visit www.dmvmug.com

Questions?