Windows 8/2012, DAC, and you
TechEd has come and gone, but it seems we can’t quite shake off all the buzz. Some of the things that we saw at TechEd are still making us go “hmmmmmmm”.
One of those things is Dynamic Access Control. At TechEd, Microsoft unveiled a new system of controlling access, and it’s both more powerful, and potentially more complicated, than anything we’ve seen before. You can find a good primer here: https://technet.microsoft.com/en-us/video/dynamic-access-control-demo-walkthrough.aspx
The part of Dynamic Access that has the gears turning for me right now is that it has extended the definition of “Access” to include not just “who” but also “what”.
In short, access to an object is not just granted according to who you are and what groups you’re in, but now it can also be controlled by the AD properties that your AD User Object has. Here’s an example:
Traditional File ACL:
New Dynamic Access ACL:
Dynamic Access Claim: All Development Managers
The Dynamic Access Claims are stored in AD. These claims are essentially regular expressions that include the properties of the AD User objects themselves, so they can look like this:
Title = ‘Manager’ and Department = ‘Development’
Now, this is some cool stuff. And there are some very powerful things you can do with it. It ties in with data classification and it gives very dynamic control of who has access to what. However, it’s also about to greatly increase the complexity of your security admins’ lives.
Think about it – the old way, if I have to control who has access to a file, I have to control three things – the ACLs on the file, the inherited ACLs from its parents, and group memberships (assuming I’m being a good admin and using groups to control resource access). If I look at the object itself, I have a good idea of who has access to it – bob, the admins, and tony. The new way, using DAC, I have all that and more – in addition to bob and tony, I need to know every user that has those two properties set to those values. The ubiquitous AD property just got a make-over, and it’s demanding the same treatment as users and groups themselves.
You’re already controlling users and most likely controlling group access. Are you controlling properties? How good is your delegation model? What is your response going to be when your security folks want delegated access to specific properties? Who has access to those properties now? Who’s going to have access in the future? And how can you tell your auditors who really has access to these files, and how you’re controlling who will have access in the future? You’re going to have a lot more people making changes to the properties, and the properties themselves have become a lot more critical.
In short: you need control of your AD user properties. And you need to know every time they change, who changed them, and why. Plus you need to be able to control critical properties on critical objects so only key admins can change them.
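To make that concrete, here is an added Python model (not Microsoft’s claim evaluator and not part of any product) of how a claim like the one above turns ordinary attribute edits into access changes: it lists who satisfies the claim today, then replays a constructed attribute-change log and flags every edit that adds someone to, or removes someone from, that set. The user names, the claim and the log entries are all constructed for the example.

```python
# Constructed sample directory: AD-like user objects holding the two
# attributes the claim in the post depends on. Not real AD data.
USERS = {
    "bob":   {"title": "Manager",   "department": "Development"},
    "tony":  {"title": "Developer", "department": "Development"},
    "alice": {"title": "Manager",   "department": "Sales"},
}

# The post's claim, modelled as attribute == value clauses joined by AND.
DEV_MANAGERS_CLAIM = {"title": "Manager", "department": "Development"}

def claim_matches(attrs, claim):
    """True when every clause of the claim holds for this user's attributes."""
    return all(attrs.get(attr) == value for attr, value in claim.items())

def effective_principals(users, claim):
    """Who satisfies the claim right now: the list an auditor actually wants."""
    return sorted(u for u, attrs in users.items() if claim_matches(attrs, claim))

def access_delta(before, after, claim):
    """Users who gained or lost claim-based access between two directory states."""
    b = set(effective_principals(before, claim))
    a = set(effective_principals(after, claim))
    return {"gained": sorted(a - b), "lost": sorted(b - a)}

def review_changes(users, changes, claim):
    """Replay a change log of (actor, target user, attribute, new value) tuples
    and return only the edits that changed who matches the claim."""
    flagged = []
    for actor, target, attr, new_value in changes:
        old_value = users[target].get(attr)
        updated = {**users, target: {**users[target], attr: new_value}}
        delta = access_delta(users, updated, claim)
        if delta["gained"] or delta["lost"]:
            flagged.append({"by": actor, "user": target, "attribute": attr,
                            "from": old_value, "to": new_value, **delta})
        users = updated          # carry the change forward, leave the caller's dict alone
    return flagged

# Constructed change log: routine helpdesk/HR edits, three of which silently
# change who the "Development Managers" claim covers.
CHANGES = [
    ("helpdesk1", "tony",  "title",           "Manager"),        # tony now matches
    ("hr_admin",  "alice", "department",      "Development"),    # alice now matches
    ("hr_admin",  "bob",   "title",           "Senior Manager"), # bob no longer matches
    ("helpdesk1", "tony",  "telephoneNumber", "555-0100"),       # harmless
]

if __name__ == "__main__":
    print("has access today:", effective_principals(USERS, DEV_MANAGERS_CLAIM))
    for entry in review_changes(USERS, CHANGES, DEV_MANAGERS_CLAIM):
        print("access-changing edit:", entry)
```

Only the three edits that touch a claimed attribute are reported; the phone-number change passes through unflagged, which is the kind of filtering an attribute audit trail needs to stay readable.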
Enter StealthINTERCEPT for Directory Authority. It gives you complete control over all properties of all objects in AD – who can change them, who *is* changing them, what they changed the properties to, and what the properties changed from. Plus a bunch more useful information about the changes. It sends real-time notifications, it gives you the audit trail you need, and it protects critical objects and properties from getting changed in the first place. One stop shopping for keeping your admins sane and your auditors happy.