SIA207: Windows Server 2012 Dynamic Access Controls

This session was a very high-level overview of the new Server 2012 feature, Dynamic Access Control. Dynamic Access Control significantly extends the file classification framework that exists in Server 2008 R2. This is a way cool feature, and already has nearly a dozen partner solutions lined up to extend its capabilities even further.

This is a great feature for Government customers in particular, who deal with classified information. You can properly tag documents with various classifications or code words, then dynamically limit who can access them and how, have them automatically encrypted, or do super granular and dynamic auditing. Very cool possibilities. For those responsible for securing data in the enterprise, this feature is a must-look-at.

Dynamic Access Control Concepts

  • Data Classification – Classify your documents using resource properties stored in AD. Automatically classify documents based on content.
  • Expression based access control – Flexible access control based on document classification and multiple identities
  • Expression based auditing – Targeted access auditing based on document classification and user identity
  • Encryption – Automatic RMS encryption based on document classification

Access Control Challenge

  • Control who can access my data
  • Manage fewer security groups
  • Protect compliance information

Dynamic Access Controls

  • Centrally configure metatags in AD, then the user can access the metatags in the properties of a file or folder
  • As soon as the file is dropped into a folder, it gets classified and marked
  • Data classification toolkit free and downloadable now
  • Integrated with multiple partners, like those that provide DLP solutions (Websense, etc.)
  • Expression based access control
    • Manage fewer security groups by using conditional expressions
    • “And” policies allow you to, say, limit access to US finance people who need sensitive data access by “and”ing conditions in the access list
    • Limit access to data with central access policies
    • Allows you to apply policies across servers
  • StealthBits Technologies – Third-party tool to review impacts of migrating to dynamic control, and manage the migration process
  • Reduce group membership by 75%
  • Dynamic access control can be extended to SharePoint with Nextlabs control center
  • Can control access via security groups, but that’s 20 years old. Access policy can also support:
    • User claims, device claims, and file properties
    • Allows you to permit access only from specific devices (e.g. a finance managed computer)
    • Or you can combine all three (user, device, file) and only allow Finance persons in US, using a finance computer that’s managed, to open a US finance document.
  • Customize the access denied message, and it can send email to the data folder owner to request access
  • Effective access tab in advanced security to troubleshoot why a user can’t access a resource
  • You can simulate access by adding a claim and re-running the effective permissions analysis to see if that would fix the access problem
  • Even if a file is dropped into a public file share, it’s hidden from users that don’t have access. Access controls are maintained. Access based enumeration at the file level.
  • Automatic RMS encryption based on document classification
  • Gigatrust enhances RMS protection for other file types and supports claims-aware dynamic access control policies
  • Expression based auditing and audit policies (e.g. configure audit policy on all finance data)
  • RSA NetWitness – Security Analytics
  • Does not require changes to the client, and will be supported with legacy operating systems like Windows 7.
  • These features are optional, and you can use file shares like you did 20 years ago if you so wish.
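The combined user, device and file conditions described above (US finance person, on a finance-managed computer, opening a finance document), as an added PowerShell example that is not from the session or from Microsoft. It assumes the ActiveDirectory module on a Server 2012 domain controller, the built-in Department_MS resource property, and the claim IDs, rule name and policy name chosen here.

```powershell
# Added example (not from the session): the user AND device AND file rule.
# Assumptions: ActiveDirectory module on a Server 2012 DC, built-in Department_MS
# resource property, and the claim IDs / names chosen below. Claims are only
# issued once "KDC support for claims" is enabled on the DCs via Group Policy.
Import-Module ActiveDirectory

# 1. Claims. One claim type sourced from the 'department' attribute applies to
#    both user and computer objects, so the same ID is tested as @USER or @DEVICE.
New-ADClaimType -DisplayName "Department" -SourceAttribute department `
    -ID "ad://ext/Department" -AppliesToClasses @("user", "computer") -Enabled $true
New-ADClaimType -DisplayName "Country" -SourceAttribute c `
    -ID "ad://ext/Country" -AppliesToClasses @("user") -Enabled $true

# 2. File property. Enable the built-in Department resource property and publish
#    it so file servers (and auto-classification) can stamp it on files.
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members Department_MS

# 3. Central access rule. The resource condition targets only Finance-tagged
#    files; the conditional ACE (XA) grants Read & Execute (0x1200a9) to
#    Authenticated Users only while the claim expression evaluates true.
$target  = '(@RESOURCE.Department_MS == "Finance")'
$current = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
           '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
           '(@USER.ad://ext/Country == "US")))'
# Stricter version staged as the proposed ACL: it adds the device condition.
# While staged, access is still decided by $current, and the Security log records
# where the two would have differed, so the change can be tested before enforcing.
$proposed = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
            '(XA;;0x1200a9;;;AU;((@USER.ad://ext/Department == "Finance") && ' +
            '(@USER.ad://ext/Country == "US") && (@DEVICE.ad://ext/Department == "Finance")))'
New-ADCentralAccessRule -Name "US Finance Documents" -ResourceCondition $target `
    -CurrentAcl $current -ProposedAcl $proposed

# 4. Wrap the rule in a policy. The policy is then published to file servers
#    through Group Policy and selected on the folder's Central Policy tab.
New-ADCentralAccessPolicy -Name "Finance Data Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Data Policy" -Members "US Finance Documents"
```

After the policy is applied to a folder, the Effective Access tab mentioned above can be used to add a user or device claim and confirm which of the two ACLs would grant access.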