Your Guide to the Latest Windows Server Product Information
We constantly strive to reduce the steps required for you to get your job done. One of the reasons Windows Server 2012 is a such great release is that we spent so much time listening to our customers and understanding their scenarios and concerns. When development teams start from a technology/feature mindset, it can be hard to work across groups because helping another team usually means that you have to give up something you wanted to do. We were able to achieve a very high level of technology integration and cross-group cooperation because we all shared a common understanding of our customers and their scenarios. Teams were eager to help each other succeed in delivering those scenarios. When you have lots of teams working together towards a common goal, you can really change the game and tackle some really hard problems. Today’s blog is a good illustration of that.Anyone that has been involved in securing data or accessing data security knows that the traditional security models and mechanisms are not always flexible enough to address today’s concerns and scenarios. Whether it's compliance requirements, increased business impact of disclosed data, or management of the sheer scale of data – it is clear that the capabilities provided by the current access control mechanism can be improved so that it is easier for administrators and users to address these challenges. A number of teams worked together to deliver Windows Server 2012’s Dynamic Access Control. I think you’ll find that it, like so many other things in Windows Server 2012, is just what you were asking for.If you haven’t downloaded the beta yet, take some time to read this blog and watch some of the videos it points to and then schedule some time on your calendar to download the beta and try it out.Nir Ben-Zvi, a Program Manager on the File Server team, wrote this blog.
Hello, my name is Nir Ben-Zvi and I work in the Windows Server team. I’m very excited to introduce to you the new Dynamic Access Control feature set. I’ll start with a brief introduction and insight into the planning process, discuss the new Central Access Policy model and describe the end-to-end File Server solution that we built into Windows Server 2012. I will also touch on how we enable an incremental deployment model so that you do not need to move your entire environment to Windows Server 2012 in order to use the feature set. I will touch on work with partners in this area, too.You can find a Dynamic Access Control overview demo here.
IntroductionIn today’s complex IT environments data is being created on distributed systems at a staggering rate and accessed through a plethora of devices. Compliance with regulatory standards and the need to secure leakage of business critical and personal data present major challenges for businesses and corporate IT. The key pillars for data compliance and leakage prevention are controlling who has access to information and having the ability to report who actually accessed specific information.Not surprisingly, this was the exact situation that we observed when we started planning for Windows Server 2012 a few years ago. A few of the points that we repeatedly heard from customers during the planning period included:
We then looked at the different personas within an organization and how they participate in meeting the regulatory and business requirements for data compliance, in order to provide the right set of technologies and solutions that help address the data compliance challenge. The range of personas involved starts with the CSO/CIO office that identifies the business and regulatory compliance needs. It continues with the IT administrators that manage the systems and the business owners that control the actual information. Last, the organization would like to keep the impact on the information worker to a minimum (ideally with no impact at all).
To help organizations reach their data compliance, we eventually focused on the following areas:
These focus areas were then translated to a set of Windows capabilities that enable data compliance in partner and Windows-based solutions.
Central Access PoliciesOne can look at Central Access Policies as a safety net that an organization applies across its servers. These safety net policies enhance (but do not replace) the local access policy (e.g. Discretionary ACL) that is applied to the information. For example, if a local DACL on a file allows access to a specific user but a Central Policy restricts access to the same user, the user will not be able to get access to the file (and vice versa.)The initiative to deploy and enforce a Central Access Policy may come for different reasons and from multiple levels of the organization:
Central Audit PoliciesCentral Audit Policy is a powerful tool to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. Industry standards such as SOX, HIPPA, PCI, etc. require organizations to follow a strict set of rules related to information security and privacy. Security audits help establish the presence (or absence) of such policies and thereby prove compliance (or non-compliance) with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy and deter irresponsible behavior by creating a trail of user activity that you can use for forensic analysis.Windows Server 2012 enables administrators to author audit policies using expressions that take into account what information users are accessing and who the user is so that an organization can target audit to specific information wherever it resides. This opens the doors to richer, more targeted and easy-to-manage audit policies. It enables scenarios that until now were either impossible or too difficult to enable. For example you can now easily author audit policies such as the ones listed below:
This helps regulate the volume of audit events and limit them to only the most relevant information/users so that you can monitor access to information across multiple servers without generating an unmanageable volume of audit events. In addition, the information tagging is recorded in the audit events so that event collection mechanism can provide contextual reports such as: Who accessed all the “high impact” information in the last three months.
The File Server solutionBased on this infrastructure we built a full end-to-end Windows-based solution for Windows Server 2012 Active Directory, Windows Server 2012 File Server and Windows 8 client. This solution allows you to:
In order to support deployment across multiple file servers in the organization, we are also providing the Data Classification Toolkit that enables configuration and reporting across multiple servers. The current Beta for the Data Classification Toolkit is available for download here.
The concept of incremental deploymentOne of the core design principles of Dynamic Access Control is incremental deployments. You can start using the feature set as soon as possible to solve targeted business problems for information access and audit. You can use most of the Dynamic Access Control capabilities with the Windows Server 2012 File Server and an upgraded Active Directory domain schema. Adding a minimal number of Windows Server 2012 domain controllers will enable user claims and so on. Each part of the system that you upgrade provides you with more capabilities but it is up to you to set the pace.
Partner solutionsPartner solutions and line of business applications can further use the Windows infrastructure investments for Dynamic Access Control, providing great value for organizations that use Active Directory. A few examples of partner solutions that we have already demoed at the //build/ conference last year include:
We plan to show many additional partner integrated solutions in the upcoming TechEd US conference (Jun. 11-14, 2012) Twitter hashtag #MSTechEd
A few additional resources that you might find useful:TechNet manual (Beta): http://technet.microsoft.com/en-us/library/hh831717.aspxData Classification Toolkit (Beta): https://connect.microsoft.com/site715Hands on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data) Dynamic Access Control at MMS 2012: http://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview
This is an amazing feature and I definitely look forward to working on an implementation.
Access control: One of my greatest IT admin challenges. I can do much through DACLs, but not restrict access to data the DACL permits. Putting that responsibility on the creator-owner sounds great. Looking forward to it, though it'll be 3-4 years before my organization begins to stand up 2012 servers.
I'm really looking forward to DAC and Manual Classification. Do you know if this will be available to Windows 7 clients? Group Policy in Server 2012 to enable the Classification tab is restricted to Windows 8 clients right now.
To us DAC is the biggest innovation in managing access rights since the good old days of MS-Dos :-) Moving away from share and folder based rights management towards a classification based approach is really a great advantage. If you like to see more information on DAC how about checking the new DAC knowledge centre at www.dynamicaccesscontrol.com .
Keep on the good work!