Exploring Windows Server 2012: Dynamic Access Control
Powerful, flexible, and centralized file security across your domain
Deploying centralized file-access policies through Dynamic Access Control is a four-part process. The first—and arguably the hardest—step is to identify and classify file server data. These classifications are stored as NTFS tags and require that the file server be running Windows Server 2012. The tagging can be done in several ways: data can be classified by the application that creates it; by an automatic mechanism that can, for example, search file contents for Social Security number formats or the word "Confidential"; by folder; or manually by the content owner on the file server.
While this classification process is going on, Information Security can build Central Access Policies that apply to the different file classifications. These policies are far more flexible and specific than anything previously available in Windows access control: you can use expression-based access conditions with support for user claims, device claims, and file tags. When the policies are applied, a highly customizable Access Denied remediation mechanism guides the user to a specific URL or generates an email message so the situation can be corrected if necessary.
Once the policies are applied, you can also define centralized audit policies that apply across multiple file servers. As with the access policies, these audit policies are defined with expression-based auditing conditions that support user claims, device claims, and file tags. And since there's a big gap between a policy as it's initially thought up and how it behaves when it hits the real world, there's a built-in mechanism, similar to Group Policy's Resultant Set of Policy (RSoP), to test policies against the target file servers in what-if simulations before they are ever activated.
Finally, you can choose to automatically protect Office documents that carry certain classifications with Rights Management Service (RMS), based on file tagging. Because this capability is part of Dynamic Access Control, it doesn't require a separate AD RMS installation. RMS applies protection in near real time, within a few seconds of the document being tagged. Dynamic Access Control is also extensible to RMS protectors for non-Office file types.
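The first three parts of that process (classification, a claims-based Central Access Policy, and staging it for a what-if test before enforcement), as an added PowerShell example that is not from the article. It assumes the Windows Server 2012 ActiveDirectory and FSRM cmdlets, uses the predefined Department_MS resource property, and the share path, rule and policy names are illustrative.

```powershell
# Added example (not from the article): builds the Dynamic Access Control
# objects for one scenario, "only users whose department matches the file's
# department tag may read it", and stages the rule before enforcing it.
# Assumes Windows Server 2012 with the ActiveDirectory and FSRM cmdlets;
# the folder path and the rule/policy names are illustrative.
Import-Module ActiveDirectory

# -- Part 1: classification (run on the file server, FSRM installed) --
# Tag everything under the Finance share with the predefined Department_MS
# resource property; FSRM writes the tag into NTFS where DAC can read it.
New-FsrmClassificationRule -Name "Tag Finance share" `
    -Property "Department_MS" -PropertyValue "Finance" `
    -Namespace @("D:\Shares\Finance") `
    -ClassificationMechanism "Folder Classifier"
Start-FsrmClassification   # run the classifier now rather than on schedule

# -- Part 2: claim type and resource property in AD (run on a DC) --
# A user claim sourced from the AD 'department' attribute, plus the matching
# resource property enabled and published to file servers via the global list.
New-ADClaimType -DisplayName "Department" -SourceAttribute department
Set-ADResourceProperty -Identity Department_MS -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members Department_MS

# -- Part 3: a central access rule with an expression-based condition --
# CurrentAcl keeps today's behaviour (Authenticated Users: full control).
# ProposedAcl carries the new condition: Authenticated Users get read/execute
# (0x1200a9) only when their Department claim matches the file's tag.
# While staged, the file server logs event 4818 whenever the proposed and
# current ACLs would decide differently: that is the what-if test.
$current  = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;AU)"
$proposed = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
            "(XA;;0x1200a9;;;AU;(@USER.Department Any_of @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"})' `
    -CurrentAcl $current -ProposedAcl $proposed

# Wrap the rule in a policy; the policy reaches file servers through Group
# Policy (Security Settings > File System > Central Access Policy), and the
# staging events need the "Audit Central Access Policy Staging" subcategory.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" `
    -Members "Finance Documents Rule"
```

Once the 4818 events on the target file servers show no unexpected denials, move the conditional ACE from ProposedAcl into CurrentAcl to enforce the rule.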
Dynamic Access Control in Windows Server 2012 is limited to the NTFS file system. Why? As it was described to me by Senior Program Manager Robert Deluca, Windows Server 8 was designed by scenario-based engineering, and the most compelling initial scenario to solve was that of centralized access control and compliance. They're starting with this scenario, and as they gain experience with this release, it might expand to encompass other areas (such as claims-based authentication and authorization).
This new Windows Server 2012 capability isn't just a very powerful security and compliance feature. It's also a basis for more authorization flexibility in future versions of Windows. And probably to the relief of IT pros concerned about job security, implementing it will be a good-sized project to keep them busy for quite a while.