Access Control and Authorization Overview

Applies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2

This document provides an overview of the advanced authorization and access control technologies in Windows Server 2012 and Windows 8 and how these features can be used to enhance network security.

Did you mean…

Feature description

In Windows Server 2012 and Windows 8, helps control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, Windows Server 2012 and Windows 8 use Windows authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.

Shared resources are available to users and groups other than the resource’s owner, and they need to be protected from unauthorized use. In the access control model in Windows Server 2012 and Windows 8, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs), and they are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.

Security principals perform actions (which can include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions, which enable resource managers to enforce access control in the following two ways:

  • Deny access to unauthorized users and groups

  • Set well-defined limits on the access that is provided to authorized users and groups

Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent and to an object in the container as the child that inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.

For information about the technologies that enable access control, see Access Control Overview in the Windows Server TechNet Library.

Practical applications

Administrators who use Windows Server 2012 and Windows 8 can refine the application and management of access control to objects and subjects to provide the following security:

  • Protect a greater number and variety of network resources from misuse.

  • Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs

  • Enable users to access resources from a variety of devices in numerous locations.

  • Update users’ ability to access resources on a regular basis as an organization’s policies change or as users’ jobs change, and to account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).

  • Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.

New and changed functionality

The following table highlights the access control and authorization features in Windows Server 2012 and Windows 8.

Feature/functionality Windows Server 2012 Windows 8

Dynamic Access Control (including)

  • Central access rules

  • Central access policies

  • Claims

  • Expressions

  • Proposed permissions

X

 

Enhanced ACL Editor

X

X

Dynamic Access Control

Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.

For example, a user might have different permissions when they access the resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if the device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used and the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS), the user’s permissions change dynamically without additional administrator intervention.

New features and concepts associated with Dynamic Access Control include:

Central access rules

A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.

What value does this change add?

If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.

What works differently?

Central access rules were not available in earlier versions of Windows.

Central access policies

Central access policies are authorization policies that include conditional expressions. For example, if an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department that are allowed to view PII information, this is an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:

  • Identify and mark the files that contain PII.

  • Identify the group of HR members who are allowed to view PII information.

  • Add the central access policy to a central access rule, and then apply the central access rule to all files that contain PII wherever they are located amongst the file servers across the organization.

What value does this change add?

Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACL) that are applied to files and folders.

What works differently?

Central access policies were not available in earlier versions of Windows.

Claims

A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in Windows Server 2012 and Windows 8:

  • User claims   Active Directory attributes that are associated with a specific user.

  • Device claims   Active Directory attributes that are associated with a specific computer object.

  • Resource attributes  Global resource properties that are marked for use in authorization decisions and published in Active Directory.

What value does this change add?

Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

What works differently?

Claims were not available in earlier versions of Windows.

Expressions

Conditional expressions are an enhancement to access control management in Windows Server 2012 and Windows 8 that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).

What value does this change add?

Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.

What works differently?

The ability to implement conditional expressions through claims was not available in earlier versions of Windows.

Proposed permissions

Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.

What value does this change add?

Predicting the effective access to a resource helps you plan and configure permissions for those resources before actually implementing those changes.

What works differently?

Proposed permissions were not available in earlier versions of Windows.

Additional changes

Additional enhancements in Windows Server 2012 and Windows 8 that support Dynamic Access Control include:

  • Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.

    Devices running Windows 8 and Windows Server 2012 by default are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers running Windows Server 2012 are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices running Windows 8 receive claims from domain controllers running Windows Server 2012 during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on resources that recognize Dynamic Access Control.

  • Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.

    Every domain controller running Windows Server 2012 needs to have the same Administrative Template policy setting, which is located at Computer Configuration\Policies\Administrative Templates\System\KDC\Support Dynamic Access Control and Kerberos armoring.

  • Support in Active Directory to store user and device claims, resource properties, and central access policy objects.

  • Support for using Group Policy to deploy central access policy objects.

    A new Group Policy setting, Computer Configuration\Policies\ Windows Settings\Security Settings\File System\Central Access Policy enables you to deploy central access policy objects to file servers in your organization.

  • Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing.

    You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under Advanced Audit Policy Configuration in the Security Settings of a Group Policy object. After you configure the security policy setting in the Group Policy object, you can deploy the Group Policy object to computers in your network.

  • Transform or filter claim policy objects that traverse Active Directory forest trusts. Windows Server 2012 enables you to filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:

    • Value-based filtering  Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against elevation-of-privilege by filtering the incoming claims with specific values from the trusted forest.

    • Claim type-based filtering  Filters based on the type of claim, rather than the value of the claim. In Windows Server 2012 you identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest. Claim type-based filtering prevents Windows from sending claims that disclose information to the trusting forest.

    • Claim type-based transformation  Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.

Software requirements

Because claims and compound authentication for Dynamic Access Control require new Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running Windows Server 2012 to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices running Windows 8 or Windows Server 2012 must use domain controllers running Windows Server 2012 in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:

  • Every domain that supports Dynamic Access Control must have enough domain controllers running Windows Server 2012 to support authentication from all devices running Windows 8 or Windows Server 2012.

  • Devices running Windows 8 or Windows Server 2012 that do not protect resources by using claims or compound identity should disable Kerberos protocol support for Dynamic Access Control.

For domains that support user claims, every domain controller running Windows Server 2012 must be configured with the appropriate setting to support claims, compound authentication, and provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:

  • Always provide claims   Use this setting if all domain controllers are running Windows Server 2012. In addition, set the domain functional level to Windows Server 2012

  • Supported   When you use this setting, monitor domain controllers to ensure that the number of domain controllers running Windows Server 2012 is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.

If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 functional level.

If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.

If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 functional level.

A file server running Windows Server 2012 have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to Automatic, which results in this Group Policy setting to be turned On if there is a central policy that contains user and/or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to On so that the server knows to request claims on behalf of users that do not provide claims when they access the server.

Enhanced ACL Editor

The ACL Editor has been redesigned to more clearly present key information needed to assess and manage access control. For example, the Effective Access tab also provides more precise information about effective access for setting permissions and help for troubleshooting access control issues. In Windows Server 2012 and Windows 8, administrators can view a summary of effective access particular to a specific principal, including an access report card that indicates effective access that is based on permissions and policies. This enables users to simulate real-life scenarios by specifying values for user and device attributes.

Note

The new device claim and user claim options only appear if a central access policy applies to the resource.

What value does this change add?

Managing access control is one of the most important and potentially complex security-related tasks that an administrator can perform, and the ACL Editor is one of the most important security-related tools available to a Windows administrator. Changes to the ACL Editor are designed to simplify the critical tasks of setting, managing, and troubleshooting access control.

What works differently?

The ACL Editor has been streamlined with fewer tabs and dialog boxes, and the UI is easier to use. The following section describes these changes.

Advanced Security Permissions options

The Advanced Security Permissions property page in Windows 8 and Windows Server 2012 contains tabs for Permissions, Share, Auditing, Effective Access, and Central Policy. In addition, to add new security principals, you can use the Select Users, Computers, Service Accounts, or Groups dialog box.

Security permissions property page

To secure a computer and its resources, you must consider the permissions that users will have. You can secure a computer or multiple computers by granting users or groups specific permissions. You can help secure an object, such as a file or folder, by assigning permissions that allow users or groups to perform specific actions on that object. The following table describes the core security information that is available on the Security permissions property page.

Note

The type of permissions listed will vary depending on the type of object that is selected.

Item Description

Name

Names the currently selected object and its location.

Owner

Names the owner of the object and allows an administrator or a user with appropriate permissions to change owners.

Resource properties

Show additional security details about the resource (if available), such as Business Impact and Retention settings.

Note
If there are no resource attributes, the Resource properties link will not be visible.

Permission entries

Displays the following:

  • Names of the principals who have been granted access to this object.

  • Type of access (Allow or Deny) that the principals are granted. If the Allow or Deny access is based on a custom condition, the condition is also listed.

  • Whether permissions have been inherited. If permissions are inherited, the path and name of the object from which the permissions are inherited is listed.

  • Whether permissions from this resource are inherited by any child objects.

Add

Allows you to add one or more security settings for an object.

Note

If this button is unavailable, you might not have permissions to modify security settings.

Remove

Allows you to delete security settings for an object.

Note

In domain environments where Dynamic Access Control is being used and you have the appropriate permissions, you can click Remove to remove the access control entry (ACE).

Note

If this button is unavailable, you might not have permission to modify security settings, or these permissions have been inherited. You cannot remove or modify inherited permissions.

Edit

Allows you to modify security settings for an object.

Note

In domain environments where Dynamic Access Control is used and you have the appropriate permissions, you can use the Edit button to modify conditions.

Note

If this button is disabled, you might not have permissions to modify security settings.

Disable inheritance/Enable inheritance

Opens a dialog box that allows you to:

  • Convert inherited permissions to explicit permissions on the object, which would make them editable.

  • Remove all inherited parent permissions from the object.

Restore inherited permissions removes blocks on inherited permissions.

Replace all child object permissions with inheritable permissions from this object

Replaces permissions on a folder’s child objects. This option is not displayed for files.

When this check box is cleared, permissions on each object, whether the object is a parent or its child, can be unique.

Security Share properties page

The Share tab displays a read-only list of permissions for a shared folder or object. This tab only appears if the folder or object has already been shared. You can modify the Share permissions for an object by clicking the Share with button on the File Explorer ribbon and selecting Advanced sharing, or by right-clicking the object, selecting Properties, and then clicking the Share tab.

Item Description

Network location for this share

Lists the path to the shared resource.

Permission entries

Lists the type of permissions (Allow or Deny), the domain and user name of the security principal, and the permissions that apply to the object.

View

Provides additional permission information about a selected shared folder or object entry.

Security Auditing property page

Establishing audit policies is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security issues, helps ensure user accountability, and provides evidence in the event of a security breach.

The most common types of events to audit are:

  • Access to objects, such as files and folders.

  • Users logging on and logging off the system.

  • Changes made to user and group accounts.

You can have one or more auditing entries for the same user or group depending on the type of auditing, where it was inherited from, the type of access, and what it will be applied to. For more information about planning and configuring security auditing, see Security Auditing Overview.

Note

You must be a member of the domain and connected to the resource from a domain-authenticated session to view domain-based audit permission settings. Non-domain-joined users and domain users who are connecting to the resource through other means (such as the net use command), will not be able to view audit permissions that require domain access.

Item Description

Name

Names the currently selected object.

Auditing entries: Type

Lists the result on which to apply the audit policy. This can be Success, Fail, or All.

Auditing entries: Principal

Lists the name of the object on which to apply the audit policies.

Auditing entries: Access

Lists permission types, such as Full Control, Traverse Folder/Execute File, Read Attributes, and Delete. Includes file and folder permissions, Active Directory object permissions, and file server permissions.

Auditing entries: Inherited from

Names the object from which permissions are inherited. You can include inheritable auditing entries from the object's parent (if one exists).

Auditing entries: Applies to

Lists the child objects to which the auditing entry is applied.

Disable inheritance

Opens a dialog box that enables you to:

  • Convert inherited auditing ACEs to explicit ACEs on the object, which makes them editable.

  • Remove all inherited parent auditing ACES from the object.

Note
Restoring inherited permissions removes blocks on inherited auditing ACEs.

Replace all child object auditing entries with inheritable auditing entries from this object

Replace existing inheritable auditing entries on all descendants with inheritable auditing entries from the object.

When this check box is cleared, auditing settings on each object can be unique, whether it is a parent or child.

Note

This option is only available for folders and containers.

Security Effective Access property page

The Effective Access tab provides administrators with information about effective permissions to help them troubleshoot access control issues. The Effective Access tab enables them to view a summary of effective access permissions for a specific object and user, computer, or group; the type of permissions that limit access (such as share, file, or policy); and any optional expressions that pertain to this user, computer, or group’s access to the resource.

Note

You must be a member of the domain and connected to the resource from a domain-authenticated session to view domain-based effective access permissions, claims, and attributes. Users who are not connected to a domain and users who are connecting to the resource by other means (such as the net use command), may be able to view local effective access information, but they cannot view permissions, claims, and attributes that require domain access.

Item Description

Select a user

Opens the Select User, Computer, Service Account, or Group dialog box to specify the security principals for which you want to view effective access permissions.

Include group membership

Enables you to add one or more group memberships to the token for a user so that you can view the potential impact of this change on the permissions for this security principal and object.

Select a device

Opens the Select Computer or Group dialog box to specify the security principals for which you want to view effective access permissions.

Include group membership

Enables you to add one or more group memberships to the token for the device to view the potential impact of this change on the security principal’s permissions for this object.

Add a new user claim

Enables a person with appropriate permissions to view what would happen if a new user claim is applied to the resource.

Note
This option only appears if a central access policy applies to the resource.

Add a new device claim

Allows a person with appropriate permissions to view what would happen if a new device claim is applied to the resource.

Note

This option only appears if a central access policy applies to the resource.

View effective access

Generates the effective access permissions for the security principals that you select.

Effective access

Displays a check mark for Allow permissions and an X for Deny permissions.

Permission

Identifies the specific permission that is being evaluated for the security principal.

Access limited by

Identifies whether the access control setting is limited by permissions for the file or shared folder, and whether any optional central access rules pertain to this user, computer, or group’s access to this resource.

Security Central Policy property page

The Central Policy tab is an optional property page that appears when central access policies are available or if a central access policy has been applied to the resource.

Note

You must be a member of the domain and connected to the resource from a domain-authenticated session to view the central access policy information.

For more information about central access policies, see Dynamic Access Control.

Item Description

Central Access Policy

Lists the name of the central access policy that is applied to the object.

Description

Shows the description of the central access policy that is provided by the administrator when the policy was created.

The following Central Access Rules apply

Lists one or more central access rules.

Select and expand a central access policy entry to show the central access rule description, the object that the policy applies to, and the access permissions that are applied.

Change

Allows a user with appropriate permissions to view and select available central access policies.

Select Users, Computers, Service Accounts, or Groups dialog box

The Select Users, Computers, Service Accounts, or Groups dialog box enables you to add new security principals to access control lists.

Item Details

Object Types

Enables you to choose the types of objects that you want to select. Types can include computers, users, groups, contacts, or built-in security principals.

Locations

Defines the root location from which to begin your search.

Check Names

Locates all matching or similar object names that are listed in the Enter the object names to select box by using the selected object types and directory location.

Enter the object names to select (examples)

Provides a space for you to type the object names that you want to find. You can search for multiple objects by separating each name with a semicolon. Use one of the following syntax examples:

  • DisplayName (example: FirstName LastName)

  • ObjectName (example: Computer1)

  • UserName (example: User1)

  • ObjectName@DomainName (example: User1@Domain1)

  • DomainName\ObjectName (example: Domain1\User1)

Advanced

Enables you to select advanced search options. Advanced search options can include accounts that have been disabled, accounts with non-expiring passwords, or the number of days since the last logon. In addition, you can customize the types of information that are included with your search results.

Software requirements

The enhanced ACL Editor is available on any computer with Windows Server 2012 or Windows 8 installed.

See also

The following resources provide additional information regarding access control and authorization changes in Windows Server 2012 and Windows 8.

Content type References

Product evaluation

Dynamic Access Control: Scenario Overview

Dynamic Access Control Developer Extensibility

Related technologies

What’s New in Security Auditing

What’s New in Active Directory Domain Services

What's New in Kerberos Authentication

File and Storage Services Overview