Dynamic Access Control in Windows Server 2012

Windows Server 2012 extends the capabilities of prior versions of the operating system to allow organizations that use Active Directory (AD) to centrally manage access to files and other resources through a new feature called Dynamic Access Control (DACL). This novel capability allows organizations to centrally define authorization policies based on attributes of users, resources, and devices.

While previous versions of Windows have allowed administrators to define Access Control Lists (ACLs) that included conditions under which access is allowed, it is only with Windows Server 2012 that user-defined attributes, or claims, can be included in these conditions. The operating system represents these claims-based rules as Conditional Access Control Entries (ACEs) and copies them into the Security Descriptor (SD) of local files and folders. The resulting Conditional ACEs are evaluated by the operating system when access to a resource is requested.

It now becomes possible to define fine-grained conditions based on the user, the resource (the file or folder) and the device. Examples of such conditions include:

• Only let managers of the HR department view documents of the HR department
• Only let the owners edit their documents
• Only let users view document with a high risk from a corporate laptop

eXtensible Authorization for the enterprise using XACML

With the Axiomatics Policy Server, it is possible to author  fine-grained policies using the XACML standard which are then enforced on a wide array of applications such as web applications, enterprise service buses, and REST APIs.

The typical approach used in Axiomatics' Policy Server is to implement an enforcement point (filter, interceptor, proxy) that protects the targeted resource. Access attempts are evaluated in the architecture model put forward by the XACML standard. While this model is particularly suited to client-server architectures as aforementioned, it falls short of protecting file servers adequately as well as off-the-shelf business applications such as SharePoint 2010.

This is why Axiomatics has designed a new way to extend XACML-based, fine-grained authorization to Windows Server 2012. In this new approach, called authorization provisioning, the source XACML policies are translated into the format expected by the target environment. The native authorization mechanisms are the ones that enforce the policies, rather than calling out to an external authorization service. The format used in the integration with Windows Server 2012 is that of SDDL inside conditional access control lists.

A consistent & coherent approach

With authorization provisioning, Axiomatics can achieve consistent and coherent fine-grained authorization for an enterprise's entire set of applications and servers. This reduces the management overhead and security risks that arise from the fact a company runs multiple security silos.

Product Overview

The Axiomatics Policy Server comes with a policy administration point, an authoring tool for XACML policies. This tool has the ability to export policies to SDDL.

Definitions

• SDDL: Security Descriptor Definition Language.
• XACML: eXtensible Access Control Markup Language.

External Resources

• Microsoft blog article on dynamic access control