Computing is personal again with Windows 8 Dynamic Access Controls

I was eleven years old when I had my first personal computer. It was a thing of wonder, and introduced me to the world of computing. By the time I was 13 I was attending summer schools at community colleges and learning to program in Cobol on mini-computers. My earliest memory of these times was being assigned a username and password for access to the system. It seemed cold and impersonal. I had used my own computer with no need for a password, it was my computer. This mini-computer was used by many, and as such the need to secure access to only your files and processes was necessary. As I grew in my knowledge of computing and in particular network computing, I became aware that username and passwords did more than grant me access to the system, but was used to provide permissions to the file system through Access Control Lists (ACLs). These fascinating bits associated with a file controlled who could read/write or execute the file. When I wanted to share a story I had written or a programming assignment for school, I needed to know the username of the persons that I wanted to share my story with and I would set the ACLs for them to read my work or execute my assignment.

This worked well in a relatively small group of networked computers with a similarly small group of users. As I attended University and started working for the Canadian Federal Government I was exposed to computer networks running Windows for Workgroups. I was less than impressed with the security of the file system in this network. I had at the same time system administration responsibilities for a Wang VS and Dec VAX network. It seemed if Microsoft was to be taken seriously in this secure world of mini computing, they needed better networking and more importantly better file protection. With the release of Windows Server NT 3.1, Microsoft had a credible network server with fundamental improvements in file server with NTFS and the introduction of ACLs. While this was a significant improvement, ACL’s where managed on each individual server per individual user on that server, and could prove problematic to keep in synch across a large installation. Through the introduction of Active Directory in Windows Server 2000 the management of these ACL’s became easier with a single user account or better a Security Group to be assigned to the ACL. This was the state of network computing file security from then until recently.

Enter Windows 8 and Dynamic Access Control (DAC). Microsoft has once again made computing feel personal to me. Seems strange to say about a new way of granting access to files, but that is how I feel. It is personal! Now I access files based on who I am and what work or role I do for my company. DAC makes it personal through the creation of Central Access Rules. These rules define the properties the user must have (These are my personal attributes in Active Directory) and what matching properties the resource requires for my access to it. These personal properties I have are attested to by Active Directory. Since they are now attested, and thus trusted, I can make claims about myself when I want to access those files. See personal again!

The DAC is managed centrally and takes into its fold all the servers, shares and resources on the network that I want to use. This is great! Now when I get a new title, move organizations, or change locations, my file access changes! It gets more personal still! The personal computer I use can have claims about it. Thus in accessing a file, an access decision can be made about me and my personal computer. If my computer is not trusted or not up to date, access could be denied.

This new personal way of managing access is a great step forward by Microsoft. It has reducded the complexity of managing arcane ACLs for files access control to a modern personal way of looking at file access. It makes better sense to use personal properties about me like my department to say that “All employees who work in Finance should access these files” Rather than adding a Security Group to the files or directory with a long list of ACLs that hopefully give the right access.

So what can you do to prepare for Windows 8 and Dynamic Access Control? Get to know your users again! They are not some faceless SID! They are flesh and blood and work in your company. So dust off their Active Directory Attributes, do some spring cleaning, and makes sure the important personal properties for them are meaningful! Empower other departments to help populate some of these properties. After all, they may have a more personal relationship with your users then you do. I am looking at you HR guy!

Where do we go from here? As we have seen, now it is about the user, their device and the files they access. This is a great start, but like all consumers of new technology, we want more! As a network administrator, I want to control access now in scenarios like:

“Can Paul a Canadian citizen access the Intellectual Property Files on a server in Canada from his tablet computer in an internet café in Germanythrough their Wi-Fi?”

That is a mouth full, but this is the new nature of mobile and cloud computing. Each underlined word provides a claim, a property or a context about Paul’s attempted access. Why do these type of access questions need to be answered? We live in a world of increasing risk and threat of cyber-attack. We can no longer trust that our networks are not compromised. We have made a great leap forward in using DAC for access control, but additional work is needed. It is clear to start tackling this problem, how we decide on authorization and authentication will need even a richer way to describe the properties of the users and the systems. It will need to take into account context and content. It will need to be well defined and extensible to meet all possible property descriptions. Stay tuned for a future blog post where I layout the solution to this!

For my children just embarking on the same exciting journey I started over 25 years ago, computing will be mobile and the cloud computers will always have been there. Their experience with computing will indeed be much more personal than mine.

Paul Reid
TITUS Technology Strategist

Leave a Reply