I'll admit it. I'm a sci-fi geek. If a story or movie has flying saucers, aliens, or space battles, I've probably read it or seen it. I remember being particularly spooked by the classic 1951 film The Thing from Another World, based on the 1938 short story "Who Goes There?" What I didn't guess was that a classic sci-fi story nearly eighty years old could apply to Microsoft access control today.
For those of you who don't know the tale, it's about an alien spaceship discovered in the Antarctic with an occupant that has the ability to imitate anything it comes in contact with. This alien, by assuming the attributes of others, passes itself off as a member of the scientific research team. It's creepy and scary because you're never sure who or what might be a friend or The Thing. And with the new Dynamic Access Control (DAC) options in Microsoft Windows Server 2012, anyone in your organization may now have the same mimic ability, especially if you haven't been diligent about controlling which attributes you allow users to modify without approval.
Without a doubt, Microsoft has gone to great lengths to offer more flexible and secure ways of granting access to Active Directory resources. Dynamic Access Control is a great step forward in my opinion. However, DAC comes with security risks if you've allowed any unmonitored control of user attributes. Just like The Thing, it may be possible for users to accidentally or intentionally make false claims about who they are by gaining attributes you haven't traditionally monitored.
For example, in one company I know about, users can assign themselves their own job titles. Employees can call themselves Manager, Vice President, King, or whatever. However, a poorly implemented DAC policy that relies on the user claim of manager could now allow unintended access. While this may strike you as a far-fetched scenario, like most good science-fiction stories, it is designed to get you thinking about what attributes you should use to establish user claims and also who can control those attributes.
As Microsoft points out, attributes establishing user claims need to be monitored and controlled. They give three important guidelines for using user claims in DAC:
- The user attribute in Active Directory that you are sourcing the user claim from has the appropriate security setting on who or what can set that attribute.
- High integrity of the attribute value in Active Directory, and the system that sets this value has operational procedures that take into consideration the use of that value for authorization decisions.
- No foreseeable changes to the values in the attribute. For example, if the attribute is a department name and these often change due to re-organization, then it is not fit to be used as a user claim.
I personally think most failures of DAC user claim policies will stem from improper controls over who can set or modify the access attribute used in the claim. DAC should get everyone moving to Windows Server 2012 thinking about how they are controlling who can modify which attributes. Starting now, you should think about putting review processes in place for any attribute changes if you are going to be using DAC. Additionally, you should become very aware of who has, and who needs, authority to change these attributes.
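One way to find out who can actually write the attributes your claims depend on, as an added example that is not from the original post or from Microsoft's own tooling: this PowerShell script walks the enabled DAC claim types, looks up the AD attribute each one is sourced from, and lists the principals whose ACEs grant write access to that attribute on a user object (directly, via its property set, or via an all-properties ACE). It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the domain and schema; the function names and the list of "broad" principals are my own choices.

```powershell
# Added example, not from the original post: audit the AD attributes behind enabled
# DAC user claims and report who can write them. Assumes the ActiveDirectory RSAT
# module on a domain-joined host and read access to the domain and schema.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Principals whose write access to a claim-source attribute deserves review (assumed list).
$broadPatterns = @('*\SELF', '*\Authenticated Users', 'Everyone', '*\Domain Users')

function Get-ClaimAttributeWriters {
    param(
        [Parameter(Mandatory)][string]$AttributeName,  # lDAPDisplayName, e.g. 'title'
        [Parameter(Mandatory)][string]$ObjectDN        # user object whose effective DACL is inspected
    )
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" `
                         -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema" }

    # A write ACE can name the attribute itself, its property set, or all properties (empty GUID).
    $matchGuids = @((New-Object Guid (,$attr.schemaIDGUID)), [guid]::Empty)
    if ($attr.attributeSecurityGUID) { $matchGuids += New-Object Guid (,$attr.attributeSecurityGUID) }

    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($matchGuids -contains $_.ObjectType)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Get-DacClaimAttributeRisk {
    param([string]$SampleUserDN)   # any ordinary user; inherited ACEs are usually what grant broad write access
    if (-not $SampleUserDN) { $SampleUserDN = (Get-ADUser -Filter * -ResultSetSize 1).DistinguishedName }
    foreach ($claim in Get-ADClaimType -Filter * | Where-Object { $_.Enabled -and $_.SourceAttribute }) {
        $writers = Get-ClaimAttributeWriters -AttributeName $claim.SourceAttribute -ObjectDN $SampleUserDN
        $broad = $writers | Where-Object {
            $id = $_.IdentityReference.Value
            @($broadPatterns | Where-Object { $id -like $_ }).Count -gt 0
        }
        [pscustomobject]@{
            Claim           = $claim.DisplayName
            SourceAttribute = $claim.SourceAttribute
            BroadWriters    = (@($broad.IdentityReference.Value) | Sort-Object -Unique) -join ', '
        }
    }
}

Get-DacClaimAttributeRisk | Format-Table -AutoSize
```

Any claim whose BroadWriters column is not empty is sourced from an attribute its own subject (or a large group) can rewrite, which is exactly the "King" scenario above; an empty column still leaves delegated admins and provisioning systems to review by hand.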
Luckily, there are solutions that make such fine-grained delegation of authority and the implementation of automated review processes easy. If you're going to be using DAC (and I really think the flexibility and power it offers make it a no-brainer for IT departments to use), you should be making plans now for easily assigning fine-grained rights on who can create, modify, and delete any policies or attributes in your AD environment.
So while finding out that the person you just let in the front door really isn't your friend is great for a sci-fi movie scare, it's a horror story you don't want to live in real life. As the 1951 movie admonishes, "Watch the skies"; when using DAC, you should watch your attributes!
Posted Dec 11 2012, 11:26 AM by Wes Heaps