Dynamic Access Control: An Active Directory Game Changer

Dynamic Access Control in Windows Server 2012 can help IT improve file server authorization and authentication by reducing Active Directory groups.

Managing groups in Microsoft Active Directory is the bane of many an IT pro's existence. Likewise for security administrators, auditors and managers who implement policies. The number of groups and attributes in AD is increasing at an alarming rate. And that number is increasing further now that IT must enact Bring Your Own Device (BYOD) policies and govern access to the growing use of cloud services.

The problem: How does IT meet the new business imperative of empowering workers to access information when and where they need it, while ensuring sensitive information doesn't leak out and wind up in the wrong hands? Also, how can audit groups know when an unauthorized user has accessed -- or attempted to read, retrieve or copy -- information?

File servers have long secured documents by providing folders or shares governed by Group Policy, by which an individual is granted access based on attributes such as his role, department or location. But the growing amount of data and security groups is making it increasingly difficult for IT organizations to meet the new demand for access to data from different device types and locations, while ensuring that data is protected.


Microsoft's answer is a major new feature in the recently released Windows Server 2012 called Dynamic Access Control (DAC). DAC aims to make it easier to enhance authorization and authentication by applying better security, risk-management and auditing policies in AD. It promises to improve how files are classified, secured, accessed and governed based on various attributes and conditions applied within AD.

DAC is perhaps the most important addition to the new Microsoft server OS, says Mark Minasi, an independent instructor who gives classes on Windows Server 2012 and AD. While observers believe it will take some time before DAC takes hold, Minasi believes it'll be a key reason many organizations ultimately make the move to Windows Server 2012. "For 15 percent of the Fortune 500, they'll roll out Windows Server 2012 faster than they rolled out Windows Server 2008 R2 -- and it will be because of Dynamic Access Control," Minasi says.


An organization doesn't need to upgrade all of its file servers to Windows Server 2012 in order to implement DAC, Minasi points out. As long as there's a Windows Server 2012 domain controller and one new file server running Windows Server 2012, the organization can implement DAC.

The key appeal of DAC is that it extends the Group Policy and access-control functions applied to file shares managed by AD. It does so by integrating claims-based authentication, with the claims carried in Kerberos tickets. Rather than describing users only by the security groups they're assigned to, DAC makes it possible to evaluate claims based on different attributes in AD, such as a user's department, location, role, title and security clearance, as well as on how files are classified.

DAC also lets organizations apply more refined policies by which a user or device can access a file using claims-based authentication, says Patrick Gookin, product manager for AD products at NetIQ Corp. "The security system can have a rule that says: If the claim that someone is a VP is true, and the claim is that the department is finance, and the resource they're accessing it from is also within the finance department, then I'm going to give them access to this folder," Gookin explains. "Which is unbelievably more powerful than the group model, but it also has a lot of pieces and moving parts that need to be managed and understood."

New File Security Model
DAC also integrates Rights Management Services (RMS), where files defined as sensitive are automatically encrypted, ensuring information is protected when it's moved from the file server. A file may be deemed sensitive if it has a Social Security number. Microsoft and many of its third-party partners believe this new approach to file management in Windows Server 2012 is among the most important new features in the OS. As organizations begin deploying Windows Server 2012, DAC promises to also change the way IT secures and audits various document types that reside on file servers.

"It starts with the ability to tag data, classify data, apply access control to that data and then automatically encrypt sensitive information based on this specification," said Nir Ben-Zvi, program manager on the Microsoft File Server team during a demo of DAC. A key benefit of DAC is that it significantly reduces the constraints placed on IT versus the traditional implementation of Group Policy, explains Uday Hegde, principal group program manager for Active Directory at Microsoft.

Microsoft introduced claims-based authentication and authorization in SharePoint 2010. But despite the proliferation of SharePoint, experts say the vast majority of documents still reside in unstructured formats on file servers.

"The nice thing about claims is you can apply very dynamic policies at the resources," Hegde says. "You can make decisions that aren't already baked into the system in a static way. For example, let's say you have a line-of-business application and you're hosting it. You can say, 'only allow access to a user who has authenticated with a smart card certificate,' or, 'only allow access based on some other criteria.' So you can make those changes dynamically with security groups."

In older versions of Windows Server, making those changes is difficult to do, Hegde adds. "The reason we call it Dynamic Access Control is we're changing the game in how you can get static information versus dynamically getting this information on the fly, and a claims model allows us to do that," he says.

From 'Or' to 'And'
Minasi says DAC is so important because it allows IT to vastly reduce the number of AD groups, while providing more fine-grained file-access policies. Say you only want to allow managers in your Omaha, Neb., office access to a set of files or a folder. They might already be in a management group or an Omaha group. Without DAC, an administrator must create a third group -- adding to the proliferation of such groups, while making it harder to restrict access if one but not both of those attributes change.

"Previously all we had is groups and 'or,' where if you're in the management group 'or' the Omaha group, you get in," Minasi explains. "So now we can say, 'I'm in the management group 'and' the Omaha group. That's important. Placing the information we have about you in Active Directory and adjusting file permissions -- that changes the universe."
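Gookin's "VP and finance and device in finance" rule and Minasi's "management and Omaha" rule are both single conditional access-control entries once the attributes are published as claims. The following PowerShell is an added example, not code from the article or from Microsoft's documentation; it uses the ActiveDirectory module on a Windows Server 2012 domain controller. The rule and policy names, the explicit claim IDs (assumed to be usable verbatim as `@USER.ad://ext/...` in the SDDL conditions), the `-AppliesToClasses` usage, and the attribute values "VP", "Manager" and "Omaha" are assumptions.

```powershell
# Added example (not the article's code): express the two quoted rules as
# claim-based central access rules instead of purpose-built AD groups.
Import-Module ActiveDirectory

# 1. Publish AD attributes as claim types. An explicit -ID (assumed here to be
#    honored verbatim) gives each claim a predictable name for the SDDL below.
#    Department is also issued for computers so the requesting device can be tested.
New-ADClaimType -DisplayName "Title"      -SourceAttribute "title"      -ID "ad://ext/Title"      -Enabled $true
New-ADClaimType -DisplayName "Location"   -SourceAttribute "l"          -ID "ad://ext/Location"   -Enabled $true
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -ID "ad://ext/Department" -Enabled $true `
                -AppliesToClasses @("user", "computer")

# 2. Gookin's rule: read access (0x1200a9 = Read & Execute) only when the user
#    is a VP, the user is in Finance, AND the device is in Finance.
#    XA = conditional allow ACE; AU = Authenticated Users as the base trustee.
$vpFinanceAce = '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Title == "VP") && ' +
                '(@USER.ad://ext/Department == "Finance") && ' +
                '(@DEVICE.ad://ext/Department == "Finance")))'

# 3. Minasi's rule: managers AND Omaha, with no third group created.
#    0x1301bf = Modify.
$omahaManagersAce = '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Title == "Manager") && ' +
                    '(@USER.ad://ext/Location == "Omaha")))'

# Administrators and SYSTEM keep full control so a mistyped condition cannot
# lock administrators out of the share.
$base = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)'

New-ADCentralAccessRule -Name "Finance VP Documents" -CurrentAcl ($base + $vpFinanceAce)
New-ADCentralAccessRule -Name "Omaha Managers"       -CurrentAcl ($base + $omahaManagersAce)

# 4. Bundle the rules into a policy that file servers can be pointed at.
New-ADCentralAccessPolicy -Name "Finance Share Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Share Policy" `
    -Members "Finance VP Documents", "Omaha Managers"
```

Two things the snippet does not show are worth knowing before trying it. The domain controllers must have the "KDC support for claims, compound authentication and Kerberos armoring" Group Policy setting enabled, and clients need the matching "Kerberos client support" setting for the device claim in Gookin's rule to reach the file server at all. The policy is then published to file servers through Group Policy (Computer Configuration, Policies, Windows Settings, Security Settings, File System, Central Access Policy) and selected on a folder's Central Policy tab, where it is combined with the existing NTFS permissions: a user must pass both. Because neither rule carries a `-ResourceCondition`, each applies to every folder the policy is assigned to; staging a rule with `-ProposedAcl` first, which only audits what would be denied, is the safe way to find out who the new condition cuts off before enforcing it.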

Eliminating Token Bloat
Why is reducing the number of groups in AD so important? A common problem today is "token bloat," where a user who belongs to an inordinate number of groups ends up with an access token carrying too many group identifiers. This makes it difficult to manage access and apply policies when users' roles invariably change. As the number of groups in an enterprise increases, it becomes harder to ensure all AD tokens are up-to-date, and in turn harder to ensure the proper access controls are in place.
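A practitioner deciding whether DAC is worth the migration usually wants to know how close existing users are to the token-size limit. The following PowerShell is an added example, not from the article; it applies the group-scope formula Microsoft documents for token bloat (1200 + 40d + 8s, where d counts domain-local groups plus universal groups from other domains, and s counts global groups plus universal groups from the user's own domain) to a user's expanded group list. The function name, the sample UPN and the treatment of non-AD SIDs are assumptions.

```powershell
# Added example (not from the article): estimate the size of a user's Kerberos
# access token from the scopes of the groups it carries. SID-history entries
# are not counted, so the estimate is a lower bound for migrated accounts.
Import-Module ActiveDirectory

function Get-TokenSizeEstimate {
    param([string] $UserPrincipalName)   # assumed parameter; omit to measure the current logon

    # With a UPN, WindowsIdentity performs an S4U logon and returns that user's
    # fully expanded (nested) group list; otherwise the current process token is used.
    $identity = if ($UserPrincipalName) {
        New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    } else {
        [System.Security.Principal.WindowsIdentity]::GetCurrent()
    }
    $userDomain = $identity.User.AccountDomainSid

    $d = 0; $s = 0; $skipped = 0
    foreach ($sid in $identity.Groups) {
        # Well-known SIDs (Everyone, Authenticated Users, ...) have no domain part,
        # and local machine groups are not in AD; neither counts toward the formula.
        if ($null -eq $sid.AccountDomainSid) { $skipped++; continue }
        try { $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop }
        catch { $skipped++; continue }

        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sid.AccountDomainSid -eq $userDomain) { $s++ } else { $d++ } }
        }
    }

    $bytes = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                          = $identity.Name
        DomainLocalOrForeignUniversal = $d
        GlobalOrOwnDomainUniversal    = $s
        SkippedNonADSids              = $skipped
        EstimatedTokenBytes           = $bytes
        # 12000 bytes was the MaxTokenSize default before Windows 8 / Server 2012.
        OverLegacyDefault             = $bytes -gt 12000
    }
}

Get-TokenSizeEstimate -UserPrincipalName "alice@corp.example"   # assumed sample UPN
```

Running this across a sample of users, sorted by `EstimatedTokenBytes`, shows which accounts are the candidates for replacing stacked group memberships with claims; the domain-local and foreign-universal count is the one to watch, since each of those costs 40 bytes against 8 for a global group.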

"Groups can get very much out of control," says Tom Crane, a program manager at Quest Software, now a division of Dell Inc. "You don't have any idea who has access to all of the resources through all of these groups."

Besides reducing the number of groups, DAC makes it easier to assign policies to files and shares. For example, a user might have complete read-write access to certain files when at a specific location, but read-only access when accessing those same files from home. Another condition might include what kind of device is accessing the data, such as a user-owned computer, tablet or smartphone versus a company-administered system.

Implementing policies that define how data is accessed is becoming harder as documents spread across a larger number of file servers, experts say. And the problem is only exacerbated as employees generate more data and the number of security groups increases.

"There's no central place from which you can control access rights to file systems because the access rights and security are controlled at each of those objects at the folder level, the share level, and the user who owns a folder can change the permissions on it," says Matt Flynn, a product manager at Stealthbits Technologies Inc., a provider of AD administration, auditing and data loss prevention (DLP) tools. "They can open up a share and grant rights to everyone to change content that may be extremely sensitive."

Besides making it easier to change permissions, DAC lets IT and security administrators create rules and policies. At the same time, it allows IT to govern access rights based on those rules or policies as well as other user attributes, rather than somebody having to specify a particular group or user on every Group Policy Object (GPO), Flynn says.

File Classification Infrastructure
When Windows Server 2008 R2 shipped, Microsoft introduced File Classification Infrastructure (FCI) in the OS. Until now, FCI has offered limited benefit because it let users classify data in files but didn't offer access control. In essence, FCI lets business group managers and those who author documents classify files based on metadata tags. Those tags describe the nature of the file, such as whether it contains personally identifiable information. Document authors can create those tags, or automated rules can generate them.

For example, if files have credit-card numbers, the security policies applied to those documents would be tighter than for files that are less sensitive. In the case of a hospital storing patients' MRI images on a file server, FCI ensures those files are only accessible to doctors or authorized people. "If it's tagged as an MRI we can say: 'You can't look at this MRI unless your Active Directory title says you're a doctor or you're the owner,'" Minasi says. "Notice you didn't hear me say 'group' -- you just heard Active Directory references."

This should appeal to enterprises with sensitive data such as government agencies, insurance companies and health-care providers. FCI will also have general appeal to any enterprise with more than 50 employees. One reason is, starting this year, as the Patient Protection and Affordable Care Act (aka Obamacare) kicks in, organizations must ensure personally identifiable information of their employees is protected or risk steep fines.

"Everyone, including small organizations, is going to say, 'let's identify the files that are going to get our [butts] thrown in jail or cost us a lot of money,'" Minasi says. "File Classification Infrastructure will let us do that, and that's what you get in Windows Server 2012."

Today users can right-click a file and classify it from a tab in its properties. The alternative is the built-in FCI capability that scans files for attributes such as credit-card and Social Security numbers, or even for a JPEG file that was tagged by an MRI machine.
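The automated path described above has two halves: a content rule on the file server that stamps the tag, and a central access rule in AD that tests the tag together with a user attribute. The following PowerShell is an added example, not code from the article or from Microsoft; it covers Minasi's "doctor or owner" rule applied to files that FCI has tagged as containing a Social Security number. The folder path, the property, rule and policy names, the explicit `-ID` values, the FSRM parameter usage and the assumption that an AD resource property appears under its ID as an FSRM property are all assumptions.

```powershell
# Added example (not from the article): tag files containing an SSN pattern with
# FCI, then let a central access rule gate them on the tag plus the user's title.

# ---- On a Windows Server 2012 domain controller -------------------------------
Import-Module ActiveDirectory

# A *secured* resource property is written into each file's security descriptor,
# which is what lets a central access rule evaluate it at access-check time.
$values = @(
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Normal", "Normal", "No regulated data found")),
    (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("PII", "PII", "Contains personal data such as SSNs"))
)
New-ADResourceProperty -DisplayName "Sensitivity" -ID "Sensitivity" -IsSecured $true -Enabled $true `
    -ResourcePropertyValueType "MS-DS-SinglevaluedChoice" -SuggestedValues $values
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Sensitivity"

# The user attribute the rule reasons about; -ID assumed to be used verbatim in SDDL.
New-ADClaimType -DisplayName "Title" -SourceAttribute "title" -ID "ad://ext/Title" -Enabled $true

# "You can't look at this unless your title says doctor or you're the owner":
# OW = owner rights, XA = conditional allow, 0x1200a9 = Read & Execute.
$acl = 'O:SYG:SYD:AR(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;OW)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Title == "Doctor"))'
New-ADCentralAccessRule -Name "PII Files" -CurrentAcl $acl `
    -ResourceCondition '(@RESOURCE.Sensitivity == "PII")'   # only tagged files are affected
New-ADCentralAccessPolicy -Name "HR Policy"
Add-ADCentralAccessPolicyMember -Identity "HR Policy" -Members "PII Files"

# ---- On the Windows Server 2012 file server -----------------------------------
Import-Module FileServerResourceManager
Update-FsrmClassificationPropertyDefinition        # pull the AD resource properties down

# Content rule: a 3-2-4 digit pattern in any file under D:\HR sets Sensitivity = PII.
# The regex is deliberately simple and will also match some non-SSN numbers.
New-FsrmClassificationRule -Name "Detect SSN" -Namespace @("D:\HR") `
    -Property "Sensitivity" -PropertyValue "PII" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b')
Start-FsrmClassification                           # run the scan now rather than on the schedule
```

Untagged files under D:\HR are not touched by the "PII Files" rule at all, because its resource condition only matches the PII value; they fall back to whatever the folder's NTFS permissions allow. That is the practical consequence of Minasi's caveat that the in-box classifier is basic: the access rule is only as good as the tagging that feeds it, so checking the classification results (the Sensitivity value on a sample of files) before assigning the policy to the share is the step that prevents both over- and under-restriction.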

Data Classification Toolkit
Microsoft also recently released its Data Classification Toolkit, which identifies, classifies and secures data stored on multiple file servers running Windows Server 2012, Windows Server 2008 and Windows Server 2008 R2. The tool lets admins manage Central Access Policy across file servers. It provides wizards that let admins configure, export, import and compare file classifications, and then centrally manage access policies on file servers, according to Microsoft's description of the toolkit.

Admins and developers can also use the tool to configure DAC to provision user and device claim values and central access policies across AD forests. A template can generate reports on central access policies residing on file shares.

"Let's be clear -- the File Classification Infrastructure Microsoft provides is really pretty basic," Minasi warns. There are basic tools in the box, but organizations wanting to reap the benefits of FCI and DAC will be best served by Microsoft third-party partners. And that doesn't only apply to file classification -- organizations will require help in reconciling existing groups and Group Policy attributes and other AD administration functions.

Indeed, there are quite a few third parties with software that can help IT add value to DAC and implement file classification. Among them are CA, GigaTrust, NetIQ, NextLabs Inc., Quest Software, RSA, Stealthbits, Varonis Systems and Websense Inc.

"Going forward, you really want to be able to provide the insight and management that isn't going to be available in the initial tools from Microsoft," says NetIQ's Gookin.

Paul Dean, a security product management advisor at CA, says his company's DataMinder Classification r14.1 tool will help IT make use of DAC. "What the combination of Dynamic Access Control within Active Directory and FCI provides is the ability to ensure that the right people as defined within Active Directory groupings have access to the right content based on the classifications that we provide," Dean says. "Our role in this is to understand the content and context of the information itself."

Will DAC Take Off?
There was a lot of interest in DAC at Quest's annual The Experts Conference this past October, where the company held several sessions on the topic. But Crane believes customers will move cautiously. "They definitely like what they see," he says. "Honestly, I think Dynamic Access Control in Windows Server 2012 is a good first step, and it's probably good for small deployments. But there are a lot of gaps to be filled by Microsoft -- and maybe some ISVs -- that will allow greater adoption."

In contrast to Minasi's belief that DAC will be a key reason organizations deploy Windows Server 2012, some third parties think shops will move slowly. "I don't think people are going to run out over the next three months and knock down the door to buy Windows Server 2012 so they can roll this out," says Stealthbits' Flynn. "But one of the things we're working with people on is, 'how do you identify your high-risk content so you can go stand up just a single Windows Server 2012 and put these advanced Dynamic Access Controls around content that's most sensitive to the organization?"

David Gibson, vice president of marketing at data governance software provider Varonis, is also seeing tepid demand. "It's mostly the vendors that seem to be talking about it," Gibson says. "I had one of my customers say: 'It looks really too early for it, but I just want to make sure you guys are thinking about it.' And we are. This customer in particular is fairly forward-thinking. I think we're on the cusp of this, but I haven't heard from a lot of people who say, 'we need this functionality now,' so far."

However, Gibson says he's not betting against DAC. "Generally, I don't ever want to underestimate Microsoft," he says. "They have a pretty good track record and they have the ability to redefine industry standards in a lot of ways."

In particular, Gibson welcomes Microsoft's use of metadata and notes the implementation of expression-based claims for access control is a positive move away from the typical hierarchical access-control model. "If you've ever searched for something, you know how important metadata is," he says. "And good metadata can be the difference between good decisions and not-so-good decisions. The fact that they're embracing some of the metadata in these expression-based access-control lists, I think is a step in the right direction."

Others, such as CA's Dean, believe DAC will catch on quickly. "More CSOs I meet these days say, 'I need to enable the business to get access to information so they can do their jobs.' This is particularly relevant when you get into a hybrid environment where content can be in many places such as the cloud, mobile devices and the like," he says. "DAC enables access to information while maintaining the controls around who can access it, particularly from a risk perspective."
