[Slide 1]
Dynamic Access Control: Deep Dive & Extensibility
Dave McPherson, Sr. Program Manager, Microsoft. Session 3-052
[Slide 2]
Session objectives
• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes:
  • Classification
  • Central access policies
  • Staging
  • Authentication and authorization flows
  • Token bloat
• Extensibility
[Slide 3]
Dynamic Access Control: In a nutshell
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Encryption
• Automatic RMS encryption based on document classification.
[Slide 4]
Dynamic Access Control Building Blocks
User and Device Claims
• User and computer attributes can be used in ACEs
Expression-Based ACEs
• ACEs with conditions, including logical and relational operators
Classification Enhancements
• File classifications can be used in authorization decisions
• Continuous automatic classification
• Automatic RMS encryption based on classification
Central Access and Audit Policies
• Central authorization/audit rules defined in AD and applied across multiple file servers
Access Denied Assistance
• Allow users to self-remedy or request access
• Provide detailed troubleshooting info to admins
[Slide 5]
Expression-based access policy
AD DS holds the claim and property definitions; the file server holds the resource properties and evaluates the policy.
• User claims: User.Department = Finance; User.Clearance = High
• Device claims: Device.Department = Finance; Device.Managed = True
• Resource properties: Resource.Department = Finance; Resource.Impact = High
Conditional Access Policy
• Applies to: Resource.Impact = High
• Allow | Read,Write | if (User.Department = Resource.Department) AND (Device.Managed = True)
[Slide 6]
User and Device Claims
Pre-2012: Security Principals Only
• Restricted to making policy decisions based on the user's group memberships
• Shadow groups are often created to reflect existing attributes as groups
• Groups have rules around who can be members of which types of groups
• No way to transform groups across AD trust boundaries
• No way to control access based on characteristics of the user's device
Windows Server 2012: Security Principals, User Claims, Device Claims
• Selected AD user/computer attributes are included in the security token
• Claims can be used directly in file server permissions
• Claims are consistently issued to all users in a forest
• Claims can be transformed across trust boundaries
• Enables newer types of policies that weren't possible before:
  • Example: Allow Write if User.MemberOf(Finance) and User.EmployeeType=FullTime and Device.Managed=True
[Slide 7]
Expression-Based ACEs
Pre-2012: 'OR' of groups only
• Led to group bloat
• Consider an org with 500 projects, 100 countries, 10 divisions
• 500,000 total groups (500 x 100 x 10) to represent every combination:
  • ProjectZ UK Engineering Users
  • ProjectZ Canada Engineering Users [etc.]
Windows Server 2012: 'AND' in expressions
• ACE conditions allow multiple groups with Boolean logic
• Example: Allow modify IF MemberOf(ProjectZ) AND MemberOf(UK) AND MemberOf(Engineering)
• 610 groups (500 + 100 + 10, one per project, country and division) instead of 500,000
Windows Server 2012: with Central Access Policies & Classification
• 3 user claims + 3 resource properties replace the groups entirely
[Slide 8]
Conditional Expression Operators
Logical: AND, OR, NOT, Exists (for resource properties)
Relational: =, !=, <, >, <=, >=, Member_of, Device_Member_of, Member_of_Any, Device_Member_of_Any, Any_of, Contains, NOT* (the negated forms such as Not_Member_of, Not_Any_of, Not_Contains)
See MS-DTYP for the processing rules, including how a missing claim or property evaluates to UNKNOWN rather than FALSE.
[Slide 9]
Conditional Expressions in Windows
• An extension of the CALLBACK_ACE_TYPE, which allows custom ACE behavior and was previously only available through the Authz API
• The expression is stored in the ApplicationData section of the ACE, prefixed by 4 'xtra' bytes (the "artx" signature defined in MS-DTYP that marks a conditional ACE)
SDDL
• A normal ACE: (A;CIOI;GA;;;AU)
• A conditional ACE: (XA;CIOI;GA;;;AU;((@User.smartcard == 1 || @Device.managed == 1) && @Resource.dept Any_of {"Sales","HR"}))
The XA type is the callback-allow ACE; the condition follows the trustee (AU, Authenticated Users) after a semicolon and is wrapped in its own parentheses.
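As an added example (not code from the deck or from Windows), the following Python models how a conditional ACE like the one above is processed: it splits the SDDL XA form, parses the condition, and evaluates it against user claims, device claims and resource properties with three-valued logic, so that a token lacking a referenced claim (for instance a pre-Windows 8 client whose ticket carries no device claims) yields UNKNOWN rather than FALSE, and an allow ACE grants nothing unless its condition is definitively TRUE. The claim dictionaries, the function names and the omission of Member_of are this example's own choices; it is a model of the evaluation rules, not the kernel's evaluator.

```python
"""Parse an SDDL conditional ACE ('XA'/'XD') and evaluate its condition against
user claims, device claims and resource properties with TRUE/FALSE/UNKNOWN logic.
Supports == != < > <= >= Any_of Contains (and Not_ forms), Exists, && || !.
Member_of is omitted for brevity. Example code; not Microsoft's implementation."""
import operator
import re
from typing import Any, Dict, List, Optional, Tuple

UNKNOWN = None  # result when a referenced claim/property is absent from the token
Token = Tuple[str, Any]
Context = Dict[str, Dict[str, Any]]  # {"User": {...}, "Device": {...}, "Resource": {...}}
TOKEN_RE = re.compile(r'\s*(?:(\d+)|"([^"]*)"|(@\w+\.\w+)|(==|!=|<=|>=|&&|\|\||[<>!(){},])|(\w+))')
RELATIONAL = {"==", "!=", "<", ">", "<=", ">=", "Any_of", "Not_Any_of", "Contains", "Not_Contains"}
ORDER = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}

def tokenize(expr: str) -> List[Token]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:pos + 12]!r}")
        pos = m.end()
        num, string, attr, op, word = m.groups()
        if num:
            tokens.append(("INT", int(num)))
        elif string is not None:
            tokens.append(("STR", string))
        elif attr:
            tokens.append(("ATTR", attr))
        elif op:
            tokens.append(("OP", op))
        else:
            tokens.append(("WORD", word))
    return tokens

class Parser:
    """Recursive descent with precedence ||  <  &&  <  !  <  relational."""
    def __init__(self, expr: str):
        self.toks, self.i = tokenize(expr), 0
    def peek(self) -> Token:
        return self.toks[self.i] if self.i < len(self.toks) else ("END", None)
    def take(self, kind: Optional[str] = None, val: Any = None) -> Any:
        k, v = self.peek()
        if (kind and k != kind) or (val is not None and v != val):
            raise ValueError(f"expected {val or kind}, got {v!r}")
        self.i += 1
        return v
    def parse(self):
        node = self.or_expr()
        self.take("END")
        return node
    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("OP", "||"):
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() == ("OP", "&&"):
            self.take()
            node = ("and", node, self.unary())
        return node
    def unary(self):
        if self.peek() == ("OP", "!"):
            self.take()
            return ("not", self.unary())
        if self.peek() == ("OP", "("):
            self.take()
            node = self.or_expr()
            self.take("OP", ")")
            return node
        if self.peek() == ("WORD", "Exists"):
            self.take()
            return ("exists", self.operand())
        left = self.operand()
        k, v = self.peek()
        if k in ("OP", "WORD") and v in RELATIONAL:
            self.take()
            return (v, left, self.operand())
        raise ValueError(f"relational operator expected after {left}")
    def operand(self):
        k, v = self.peek()
        if k in ("INT", "STR", "ATTR"):
            self.take()
            return (k, v)
        if (k, v) == ("OP", "{"):           # composite literal {"a","b"}
            self.take()
            items = []
            while self.peek() != ("OP", "}"):
                if items:
                    self.take("OP", ",")
                items.append(self.operand())
            self.take()
            return ("SET", items)
        raise ValueError(f"unexpected token {v!r}")

def _value(node, ctx: Context):
    kind, v = node
    if kind == "ATTR":                       # "@Scope.name" -> ctx["Scope"]["name"]
        scope, name = v[1:].split(".", 1)
        return ctx.get(scope, {}).get(name, UNKNOWN)
    if kind == "SET":
        return [_value(item, ctx) for item in v]
    return v                                 # INT or STR literal

def _as_list(x) -> list:
    return x if isinstance(x, list) else [x]  # multi-valued claims are lists

def evaluate(node, ctx: Context) -> Optional[bool]:
    """Three-valued evaluation: True, False or UNKNOWN (None)."""
    op = node[0]
    if op in ("and", "or"):
        a, b = evaluate(node[1], ctx), evaluate(node[2], ctx)
        decisive = False if op == "and" else True   # one such operand settles the result
        if a is decisive or b is decisive:
            return decisive
        return (not decisive) if (a is not UNKNOWN and b is not UNKNOWN) else UNKNOWN
    if op == "not":
        a = evaluate(node[1], ctx)
        return UNKNOWN if a is UNKNOWN else (not a)
    if op == "exists":
        return _value(node[1], ctx) is not UNKNOWN
    left, right = _as_list(_value(node[1], ctx)), _as_list(_value(node[2], ctx))
    if UNKNOWN in left or UNKNOWN in right:       # missing attribute poisons the term
        return UNKNOWN
    if op == "==":
        return set(left) == set(right)
    if op == "!=":
        return set(left) != set(right)
    if op == "Any_of":
        return bool(set(left) & set(right))
    if op == "Not_Any_of":
        return not (set(left) & set(right))
    if op == "Contains":
        return set(right) <= set(left)
    if op == "Not_Contains":
        return not (set(right) <= set(left))
    if len(left) != 1 or len(right) != 1:         # ordering needs single values
        return UNKNOWN
    try:
        return ORDER[op](left[0], right[0])
    except TypeError:                             # e.g. string compared with int
        return UNKNOWN

SDDL_CONDITIONAL_ACE = re.compile(r'^\((XA|XD);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);\((.*)\)\)$')

def parse_conditional_ace(sddl: str) -> Dict[str, Any]:
    """Split '(XA;flags;rights;object;inherit_object;sid;(condition))'."""
    m = SDDL_CONDITIONAL_ACE.match(sddl.strip())
    if not m:
        raise ValueError("not a conditional ACE (XA/XD with a trailing (condition))")
    ace_type, flags, rights, _obj, _inh, sid, cond = m.groups()
    return {"type": ace_type, "flags": flags, "rights": rights, "sid": sid,
            "condition": Parser(cond).parse()}

def evaluate_sddl(sddl: str, ctx: Context) -> Optional[bool]:
    return evaluate(parse_conditional_ace(sddl)["condition"], ctx)

def allow_ace_applies(sddl: str, ctx: Context) -> bool:
    """An XA ACE grants its rights only when the condition is definitively TRUE;
    FALSE or UNKNOWN means the ACE contributes nothing to the access check."""
    ace = parse_conditional_ace(sddl)
    return ace["type"] == "XA" and evaluate(ace["condition"], ctx) is True

SLIDE_ACE = ('(XA;CIOI;GA;;;AU;((@User.smartcard == 1 || @Device.managed == 1)'
             ' && @Resource.dept Any_of {"Sales","HR"}))')

if __name__ == "__main__":
    # Constructed tokens: a managed device in Sales, and a client whose ticket
    # carries no device claims at all (the @Device.managed term is UNKNOWN).
    managed = {"User": {"smartcard": 0}, "Device": {"managed": 1}, "Resource": {"dept": "Sales"}}
    no_device = {"User": {"smartcard": 0}, "Resource": {"dept": "HR"}}
    print(evaluate_sddl(SLIDE_ACE, managed), allow_ace_applies(SLIDE_ACE, managed))
    print(evaluate_sddl(SLIDE_ACE, no_device), allow_ace_applies(SLIDE_ACE, no_device))
```

The second constructed token shows the point that matters when mixing client generations: with no device claims and no smart card, the OR is UNKNOWN, the AND is UNKNOWN, and the allow ACE simply does not apply, which is a denial for that user even though nothing evaluated to FALSE.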
[Slide 10]
Access Control Policy Extensibility
• Security Descriptor Definition Language (SDDL): claims-based access control (CBAC) ACEs are managed as SDDL strings and can be added to or removed from an SDDL string via standard string manipulation; the Win32 functions AddConditionalAce and AddResourceAttributeAce build the binary ACEs directly
• Managing claims in AD: PowerShell / LDAP
• Managing Central Access Policies: PowerShell / LDAP
[Slide 11]
File Classification Infrastructure
[Slide 12]
File Classification Infrastructure
• FCI was released in Windows Server 2008 R2
• Files were classified by rules run at specified schedules
• Not continuous
• Not for access control
• No UI for manual classification
[Slide 13]
File Classification Infrastructure
[Slide 14]
File Classification Infrastructure
Resource Property Definitions
[Slides 15 to 18]
File Classification Infrastructure (the diagram is built up over four slides)
• Resource Property Definitions are published in AD and consumed by FCI
• FCI sees a modified/created file and runs the in-box content classifier or a 3rd-party classification plugin (the extensibility point)
• The resulting classification is saved on the file, where it is available for security (authorization decisions)
• A File Management Task matches the file to policy and applies the policy, for example RMS Encrypt
[Slide 19]
Central Access Policies
[Slide 20]
Central Access Policies
1. Define Central Access Rules (CARs) in Active Directory:
   • High Impact Data rule. Applies to: Resource.Impact == High. Access conditions: User.Clearance = High AND Device.IsManaged = True
   • Personal Information rule. Applies to: Resource.PII == True. Access conditions: Allow MemberOf(PIIAdministrators, Owner)
   • "Information wall" rule. Applies to: Exists Resource.Department. Access conditions: User.Department any_of Resource.Department
2. Define Central Access Policies (CAPs) from those rules:
   • Standard organization policy: High Impact rule, Personal Information rule
   • Finance department policy: High Impact Data rule, Personal Information rule, Information wall rule
3. Apply the CAPs on the corporate file servers (the diagram shows Finance folders and User folders)
[Slide 21]
File Access without Central Access Policy
Access control decision: Share Permissions, then NTFS Permissions
[Slide 22]
File Access with Central Access Policy
Access control decision: Share Permissions, then NTFS Permissions, then the Central Access Policy
[Slide 23]
How Access Check Works
• Share security descriptor: share permissions
• File/folder security descriptor: NTFS permissions plus a Central Access Policy reference
• Active Directory (cached in the local registry): the cached Central Access Policy definition and its cached Central Access Rules
Access Control Decision:
1) Access check: share permissions, if applicable
2) Access check: file permissions
3) Access check: every matching Central Access Rule in the Central Access Policy
Each stage must grant the requested access; the CAP can only narrow what the share and NTFS permissions already allow, never widen it.
[Slide 24]
Staging Policies
[Slide 25]
Staging Policies: What will happen when I deploy?
• Changing Central Access Policies may have wide impact
• Replicating the production environment for test purposes is difficult and expensive
[Slide 26]
Staging policy
Active Directory:
• User claims: Clearance = High | Med | Low; Company = Contoso | Fabrikam
File server:
• Resource properties: Department = Finance | HR | Engg; Impact = High | Med | Low
Current Central Access Policy for high impact data:
• Applies to: @File.Impact = High
• Allow | Full Control | if @User.Company == Contoso
Staging policy:
• Applies to: @File.Impact = High
• Allow | Full Control | if (@User.Company == Contoso) AND (@User.Clearance == High)
[Slide 27]
Sample staging event (4818): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy
Subject:
  Security ID: CONTOSODOM\alice
  Account Name: alice
  Account Domain: CONTOSODOM
Object:
  Object Server: Security
  Object Type: File
  Object Name: C:\FileShare\Finance\FinanceReports\FinanceReport.xls
Current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: Granted by Ownership
    ReadAttributes: Granted by D:(A;ID;FA;;;BA)
Proposed Central Access Policy results that differ from the current Central Access Policy results:
  Access Reasons:
    READ_CONTROL: NOT Granted by CAR "HBI Rule"
    ReadAttributes: NOT Granted by CAR "HBI Rule"
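The check order from slide 23 and the staging comparison from slides 26 and 27, modelled in Python as an added example (not code from the deck or from Windows): every stage must grant the requested rights, the CAP stage is the intersection over every matching Central Access Rule, and the staging function re-runs the check against the proposed CAP and returns a 4818-style record only when the outcome differs. The toy rights bits, the Rule and condition helpers, and the sample principals and ACLs are constructed for this example and are not NTFS access-mask values or real tenant data.

```python
"""Model of the DAC access check (share -> NTFS -> every matching Central Access
Rule) and of staging a proposed CAP against the current one (event 4818).
Example code with constructed data; not Microsoft's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Toy rights mask (assumption: not the real FILE_* access-mask bits).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE
RIGHT_NAMES = {READ: "Read", WRITE: "Write", DELETE: "Delete"}

Context = Dict[str, Dict[str, object]]           # {"User": {...}, "Device": {...}, "Resource": {...}}
Condition = Callable[[Context], Optional[bool]]  # True / False / None (UNKNOWN)
Acl = List[Tuple[int, Condition]]                # allow entries: (rights, condition)

def claim(ctx: Context, path: str):
    """Look up 'Scope.Name'; None means the claim or property is absent."""
    scope, name = path.split(".", 1)
    return ctx.get(scope, {}).get(name)

def eq(path: str, value) -> Condition:
    """Equality condition; a missing claim yields UNKNOWN (None), not False."""
    def cond(ctx):
        actual = claim(ctx, path)
        return None if actual is None else actual == value
    return cond

def both(a: Condition, b: Condition) -> Condition:
    """Three-valued AND: a False on either side wins; True needs both; else UNKNOWN."""
    def cond(ctx):
        x, y = a(ctx), b(ctx)
        if x is False or y is False:
            return False
        return True if (x is True and y is True) else None
    return cond

ALWAYS: Condition = lambda ctx: True

@dataclass
class Rule:
    """A Central Access Rule: an 'applies to' predicate plus its allow entries."""
    name: str
    applies_to: Condition
    allows: Acl

def describe(mask: int) -> str:
    return ",".join(n for bit, n in RIGHT_NAMES.items() if mask & bit) or "none"

def granted_by(acl: Acl, ctx: Context) -> int:
    """Union of rights whose condition is definitively TRUE; UNKNOWN grants nothing."""
    mask = 0
    for rights, cond in acl:
        if cond(ctx) is True:
            mask |= rights
    return mask

def cap_check(cap: List[Rule], ctx: Context) -> Tuple[int, List[str]]:
    """Every matching rule must grant, so the CAP result is the intersection over
    matching rules. A resource no rule applies to is not restricted by the CAP."""
    mask, reasons = FULL, []
    for rule in cap:
        if rule.applies_to(ctx) is True:
            got = granted_by(rule.allows, ctx)
            mask &= got
            reasons.append(f'CAR "{rule.name}": {describe(got)}')
    return mask, reasons

def access_check(share_acl: Optional[Acl], ntfs_acl: Acl, cap: List[Rule],
                 ctx: Context, requested: int) -> Tuple[bool, List[str]]:
    """Slide 23 order: share (if applicable) -> file permissions -> matching CARs.
    Access is granted only if each stage grants every requested right."""
    results = []                                     # (stage, granted mask)
    if share_acl is not None:
        results.append(("share permissions", granted_by(share_acl, ctx)))
    results.append(("file permissions", granted_by(ntfs_acl, ctx)))
    cap_mask, cap_reasons = cap_check(cap, ctx)
    results.append(("central access policy", cap_mask))
    effective = FULL
    for _, mask in results:
        effective &= mask
    reasons = [f"{stage}: {describe(mask)}" for stage, mask in results] + cap_reasons
    return (requested & ~effective) == 0, reasons

def stage_policy(share_acl, ntfs_acl, current_cap, proposed_cap, ctx, requested, obj):
    """Evaluate with the current CAP and again with the proposed (staged) CAP;
    return a 4818-style record only when the two outcomes differ."""
    cur, cur_why = access_check(share_acl, ntfs_acl, current_cap, ctx, requested)
    new, new_why = access_check(share_acl, ntfs_acl, proposed_cap, ctx, requested)
    if cur == new:
        return None
    return {"event": 4818, "subject": ctx["User"].get("Name"), "object": obj,
            "current": (cur, cur_why), "proposed": (new, new_why)}

# Constructed sample data mirroring slide 26.
HIGH_IMPACT = eq("Resource.Impact", "High")
CURRENT_CAP = [Rule("HBI Rule", HIGH_IMPACT, [(FULL, eq("User.Company", "Contoso"))])]
PROPOSED_CAP = [Rule("HBI Rule", HIGH_IMPACT,
                     [(FULL, both(eq("User.Company", "Contoso"), eq("User.Clearance", "High")))])]
SHARE_ACL: Acl = [(FULL, ALWAYS)]              # share: everyone Full Control
NTFS_ACL: Acl = [(READ | WRITE, ALWAYS)]       # NTFS: Read/Write for all, no Delete
REPORT = {"Impact": "High", "Department": "Finance"}

def ctx_for(name: str, company: str, clearance: Optional[str]) -> Context:
    return {"User": {"Name": name, "Company": company, "Clearance": clearance},
            "Resource": REPORT}

if __name__ == "__main__":
    alice = ctx_for("CONTOSODOM\\alice", "Contoso", "Med")
    print(stage_policy(SHARE_ACL, NTFS_ACL, CURRENT_CAP, PROPOSED_CAP, alice, READ,
                       r"C:\FileShare\Finance\FinanceReports\FinanceReport.xls"))
```

Two behaviours of the model are worth checking against your own environment: a user whose Clearance claim is simply absent (no claim issued) is denied by the proposed rule through UNKNOWN rather than through an explicit mismatch, and a Delete request fails at the NTFS stage even though the CAP would grant Full Control, because the CAP never widens what the earlier stages allow.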
[Slide 28]
Behind the Scenes
[Slide 29]
Kerberos and The New Token
• Dynamic Access Control leverages Kerberos, using the Windows 8 Kerberos extensions
• Compound ID binds a user to the device so that the pair is authorized as one principal
• The Domain Controller issues groups and claims: the DC enumerates the user claims and delivers them in the Kerberos PAC
• The NT token has sections for user and device data: claims and groups!
Pre-2012 token: User Account; User Groups; [other stuff]
2012 token: User Account; User Groups; User Claims; Device Groups; Device Claims; [other stuff]
[Slide 30]
NT Access Token
1. The AD admin enables the domain to issue claims and defines the claim types (claim type, display name, source attribute, suggested values, value type)
2. The user attempts to log in and receives a Kerberos ticket from the Contoso DC; the ticket carries the user (Contoso\Alice), the groups and the claims (for example Claims: Title=SDE)
3. The user attempts to access a resource on the file server, which builds an NT access token holding the same user, groups and claims
[Slides 31 to 34]
Kerberos flow in pre-Windows 2012 (pre-Windows 2012 Contoso DC and file server)
1. The machine obtains its TGT (M-TGT) from the Contoso DC
2. The user obtains a TGT (U-TGT)
3. The user requests a service ticket (TGS) for the pre-Windows 2012 file server; the ticket carries no claims
4. The file server performs the access check (shown as "?") with the groups in the ticket only, since there is no claim data to evaluate
[Slides 35 to 36]
Kerberos flow with User Claims (Windows Server 2012 DC and file server)
1. M-TGT and U-TGT are obtained as before
2. The TGS for the file server is issued with user claims in the PAC
3. The file server performs the access check ("?") with groups and user claims
[Slides 37 to 40]
Kerberos flow with pre-Windows 8 clients
1. Policy is set to enable claims (the Windows Server 2012 DC and file server side)
2. The pre-Windows 8 client obtains M-TGT, U-TGT and a TGS for the file server with no claims, because the client does not ask for them
3. The file server calls S4UToSelf() against the Contoso DC and obtains a TGS with user claims on the user's behalf
4. The file server performs the access check ("?") with the claims from that second ticket; device claims are not available on this path, since the client presented no compound identity
[Slides 41 to 42]
Kerberos flow with Compound Identity (Windows 8 client)
1. M-TGT and U-TGT are obtained
2. The TGS request for the file server presents both the machine TGT and the user TGT; the Contoso DC issues a TGS carrying user and device groups/claims
3. The file server performs the access check ("?") with both user and device groups and claims
[Slides 43 to 46]
Across forest boundaries
1. A cross-forest claims transformation policy is published for the trust
2. After obtaining M-TGT and U-TGT, the user's Contoso DC issues a referral TGT for the other forest
3. The other forest's DC issues a TGS with claims, transformed according to the published policy
4. The file server performs the access check ("?") with the transformed claims
[Slides 47 to 50]
To the Cloud!
1. The user obtains M-TGT and U-TGT from the Contoso DC
2. The user requests a TGS for ADFS; the ticket carries the claims
3. ADFS issues a SAML token containing the claims to the cloud application
4. The cloud app makes its authorization decision ("?") from the SAML token
[Slide 51]
Token/Ticket Bloat
Understanding the problem
• Token bloat: the amount of authorization data in the NT token
• Ticket bloat: the amount of authorization data sent over the wire
Token bloat: how does it manifest?
• Too many SIDs in the token (upper bound of 1024)
• Over time, old group memberships linger and authorization data adds up
Ticket bloat: how does it manifest?
• Authorization data is sent over the network; you might see failures in one type of application
• This usually indicates that the limits for that wire transport have been reached
[Slide 52]
Impact of Claims
Ticket bloat: claims are authorization data carried over the wire, so some increase in ticket sizes is expected initially.
Windows 8 / Windows Server 2012 improvements:
• The DC compresses claims before sending them over the wire
• The DC compresses certain types of SIDs that weren't compressed before (resource domain SIDs)
• The MaxTokenSize default is increased to 48k
• New audit events: the DC starts logging events when ticket sizes exceed a specified value
[Slide 53]
Impact of Claims: Real Numbers
Bytes before compression:
• 120 user overhead
• 120 device overhead
• 114 per int/bool claim, plus 8 per int/bool value
• 138 per string claim, plus 2 per string character
First claim: 1 Boolean claim adds 242 bytes (120 + 114 + 8)
User claims set, 5 claims (1 Boolean, 1 integer, 2 single-valued strings averaging 12 chars per value, 1 multi-valued string averaging 6 values of 12 chars): adds 970 bytes
Compound-ID claim sets: the same 5 user claims plus 2 device claims (1 Boolean, 1 single-valued string averaging 12 chars): adds 1374 bytes of claims data, plus the computer group's authorization data
Worst-case analysis (assumes no compression) gives confidence that claims and compound ID should not result in huge spikes in ticket sizes in most environments.
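An added calculator for the worst-case numbers on this slide (this example's own code, not a Microsoft sizing tool): it encodes the per-item byte costs listed above, reproduces the 242, 970 and 1374 byte figures from constructed claim sets, and lets you plug in your own claims and compare the growth against the 48k MaxTokenSize default. The claim description format (a list of values per claim) and the budget check are assumptions of this example; the computer group's authorization data is not included, as on the slide.

```python
"""Worst-case (uncompressed) ticket growth from user and device claims, using the
per-item byte costs on the slide. Example code; the claim format is this example's own."""
from typing import Iterable, List, Union

# Bytes before compression, as listed on the slide.
USER_OVERHEAD = 120
DEVICE_OVERHEAD = 120
PER_SCALAR_CLAIM, PER_SCALAR_VALUE = 114, 8     # int and bool claims
PER_STRING_CLAIM, PER_STRING_CHAR = 138, 2      # strings are UTF-16: 2 bytes per char
MAX_TOKEN_SIZE_DEFAULT = 48 * 1024              # the new default named on slide 52

ClaimValue = Union[bool, int, str]

def claim_bytes(values: List[ClaimValue]) -> int:
    """Cost of one claim given its values (a multi-valued claim passes several)."""
    if not values:
        raise ValueError("a claim needs at least one value")
    if all(isinstance(v, str) for v in values):
        return PER_STRING_CLAIM + PER_STRING_CHAR * sum(len(v) for v in values)
    if all(isinstance(v, (bool, int)) for v in values):
        return PER_SCALAR_CLAIM + PER_SCALAR_VALUE * len(values)
    raise ValueError("mixed value types in one claim")

def claims_bytes(claims: Iterable[List[ClaimValue]], overhead: int) -> int:
    """The per-set overhead is paid once, and only when the set is non-empty."""
    claims = list(claims)
    return overhead + sum(claim_bytes(c) for c in claims) if claims else 0

def ticket_growth(user_claims, device_claims=()) -> int:
    """Worst-case added bytes for user claims plus (compound ID) device claims.
    Does not include the computer group's authorization data."""
    return claims_bytes(user_claims, USER_OVERHEAD) + claims_bytes(device_claims, DEVICE_OVERHEAD)

def within_max_token(current_ticket_bytes: int, growth: int,
                     max_token_size: int = MAX_TOKEN_SIZE_DEFAULT) -> bool:
    """Assumption for illustration: the grown ticket must still fit MaxTokenSize."""
    return current_ticket_bytes + growth <= max_token_size

# Constructed claim sets reproducing the slide's three scenarios (12-char strings).
S = "x" * 12
ONE_BOOL = [[True]]
USER_SET = [[True], [7], [S], [S], [S] * 6]   # 1 bool, 1 int, 2 single strings, 1 multi string
DEVICE_SET = [[True], [S]]                     # 1 bool, 1 single string

if __name__ == "__main__":
    print(ticket_growth(ONE_BOOL))               # 242
    print(ticket_growth(USER_SET))               # 970
    print(ticket_growth(USER_SET, DEVICE_SET))   # 1374
```

Because the string cost is linear in total characters, a multi-valued string claim sourced from a busy attribute (many values, long values) dominates the estimate far more than adding another Boolean or integer claim; that is the claim type to measure before enabling it for every user in the forest.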
[Slide 54]
Incrementally add capabilities
• Current infrastructure
• Windows Server 2012 file servers: access and audit policies based on security groups and file tagging
• Windows Server 2012 DCs: centrally defined access and audit policies; user claims can be used by access and audit policies
• Windows 8 clients: add device claims to access and audit policies; better access denied experience
• Partner solutions and line of business applications
[Slide 55]
Many partner solutions!
[Slide 56]
In Review: Session Objectives And Takeaways
• Quick introduction of Dynamic Access Control
• Understand how things work behind the scenes: File Classification; Central Access Policies & Staging; Authentication & Authorization flows; Token bloat
• Extensibility
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
[Slide 57]
Resources
• Dynamic Access Control Dev Extensibility: http://msdn.microsoft.com/en-us/library/windows/desktop/Hh802756(v=vs.85).aspx
• Follow us on Twitter @WindowsAzure
• Get Started: www.windowsazure.com/build
Please submit session evals on the Build Windows 8 App or at http://aka.ms/BuildSessions
[Slide 58]
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.