Qmunity: Your Colleagues. Your Connections. Your Content.

Dynamic Access Control: Is It “The Thing” or Your Friend?

I'll admit it. I'm a sci-fi geek. If a story or movie has flying saucers, aliens, or space battles, I've probably read it or seen it. I remember being particularly spooked by the classic 1951 film The Thing from Another World, based on the 1938 short story "Who Goes There?" What I didn't guess was that a classic sci-fi story nearly eighty years old could apply to Microsoft access control today.

For those of you who don't know the tale - it's about an alien spaceship discovered in the Antarctic with an occupant that can imitate anything it comes in contact with. This alien, by assuming the attributes of others, passes itself off as a member of the scientific research team. It's creepy and scary because you're never sure who or what might be a friend or The Thing. And with the new Dynamic Access Control (DAC) options in Microsoft Windows Server 2012, anyone in your organization may now have the same mimic ability, especially if you haven't been diligent about controlling which attributes you allow users to modify without approval.

Without a doubt, Microsoft has gone to great lengths to provide more flexible and secure ways of granting access to Active Directory resources. Dynamic Access Control is a great step forward in my opinion. However, DAC comes with security risks if you've allowed any unmonitored control of user attributes. Just like The Thing, users may be able to accidentally or intentionally misrepresent who they are by acquiring attribute values you haven't traditionally monitored.

For example, in one company I know about, users can assign themselves their own job titles. Employees can call themselves Manager, Vice President, King, or whatever. However, a poorly implemented DAC policy that relies on the user claim of manager could now allow unintended access. While this may strike you as a far-fetched scenario, like most good science-fiction stories, it is designed to get you thinking about what attributes you should use to establish user claims and also who can control those attributes.

As Microsoft points out, attributes establishing user claims need to be monitored and controlled. They give three important guidelines when using user claims in DAC. They are:

  • The user attribute in Active Directory that you are sourcing the user claim from has the appropriate security setting on who or what can set that attribute.
  • High integrity of the attribute value in Active Directory and the system that sets this value has operational procedures that take into consideration the use of that value for authorization decisions.
  • No foreseeable changes to the values in the attribute. For example if the attribute is a department name and these often change due to re-organization, then it is not fit to be used as a user claim.

I personally think most failures of DAC user claim policies will stem from improper controls of who can set or modify the access attribute used in the claim. DAC should get everyone moving to Windows Server 2012 thinking about how they are controlling who can modify what attributes. Starting now, you should think about putting in review processes for any attribute changes if you are going to be using DAC. Additionally, you should also become very aware of who has and needs authority to change these attributes.
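One way to start that review is to enumerate every DAC claim type that is sourced from an AD attribute and then read the ACL of your user container to see which principals can write those attributes. The PowerShell below is an added example written for this post, not code from the original article or from Microsoft; it assumes the ActiveDirectory RSAT module (which provides Get-ADClaimType and the AD: drive) and takes the user container DN as a placeholder parameter. It matches write ACEs granted on the exact attribute, on the attribute's property set (via the schema's attributeSecurityGUID), and on all properties, since any of the three lets the grantee change the claim's source value.

```powershell
# Added example (not from the original post): audit who can write the AD attributes
# that feed DAC user claims. Requires the ActiveDirectory RSAT module and a domain session.
# -UserContainer is an assumed placeholder for the OU whose ACL is inspected.
Import-Module ActiveDirectory

function Get-ClaimSourceAttributeWriters {
    [CmdletBinding()]
    param(
        # Container whose ACL is inspected, e.g. "OU=Users,DC=corp,DC=example" (placeholder)
        [Parameter(Mandatory)] [string] $UserContainer,
        # Principals you consider acceptable writers; everything else is flagged for review
        [string[]] $TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $allGuid  = [guid]::Empty   # ObjectType of all zeros means the ACE covers every property

    # Only claim types sourced from an AD attribute matter here (others have no SourceAttribute)
    $claims = Get-ADClaimType -Filter * | Where-Object { $_.SourceAttribute }

    $acl = Get-Acl -Path "AD:\$UserContainer"

    foreach ($claim in $claims) {
        # Resolve the attribute's schema GUID and, if it belongs to one, its property set GUID
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(lDAPDisplayName=$($claim.SourceAttribute))" `
            -Properties schemaIDGUID, attributeSecurityGUID
        if (-not $attr) { continue }

        $attrGuid = [guid]$attr.schemaIDGUID
        $setGuid  = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # WriteProperty (GenericWrite includes it) or GenericAll lets the grantee set the value
            $rights = $ace.ActiveDirectoryRights
            $writes = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -or
                      ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            if (-not $writes) { continue }

            # Does the ACE reach this attribute: all properties, the attribute itself, or its property set?
            $scope = if ($ace.ObjectType -eq $allGuid)      { 'AllProperties' }
                     elseif ($ace.ObjectType -eq $attrGuid) { 'Attribute' }
                     elseif ($setGuid -and $ace.ObjectType -eq $setGuid) { 'PropertySet' }
                     else { $null }
            if (-not $scope) { continue }

            [pscustomobject]@{
                Claim     = $claim.DisplayName
                Attribute = $claim.SourceAttribute
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Scope     = $scope
                Inherited = $ace.IsInherited
                Flagged   = $ace.IdentityReference.Value -notin $TrustedPrincipals
            }
        }
    }
}

# Usage (placeholder DN). "NT AUTHORITY\SELF" or a broad group showing up with
# Flagged = True for a claim attribute is exactly the "I'm the Vice President now" problem.
Get-ClaimSourceAttributeWriters -UserContainer 'OU=Users,DC=corp,DC=example' |
    Where-Object Flagged | Format-Table -AutoSize
```

The function reads the ACL of the container, so it catches the inherited ACEs that apply to every user beneath it; ACEs set directly on individual user objects are not inherited from the container and need a second pass over those objects (Get-ADUser with Get-Acl per DistinguishedName) if your delegation model uses them.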

Luckily, there are solutions that make such fine-grained delegation of authority and the implementation of automated review processes easy. If you're going to be using DAC (and I really think the flexibility and power it offers makes it a no-brainer for IT departments to use), you should be making plans now for easily assigning fine-grained rights on who can create, modify, and delete any policies or attributes in your AD environment.

So while finding out that the person you just let in the front door really isn't your friend makes for a great sci-fi movie scare, it's a horror story you don't want to live in real life. As the 1951 movie admonishes, "Watch the skies"; when using DAC, you should watch your attributes!


Posted Dec 11 2012, 11:26 AM by Wes Heaps
