Dynamic Access Control: Scenario Overview

Creating Central access policies for files allow organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These polices are based on compliance and business regulatory requirements. These policies are created and hosted in Active Directory, therefore making it easier to manage and deploy.

Deploying Claims Across Forests

In Windows Server 2012 , the AD DS maintains a 'claims dictionary' in each forest and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios where a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

Deploy Claims Across Forests

- Process to map a business request to a central access policy
- Delegating of administration for Dynamic Access Control
- Exception Mechanisms for Planning Central Access Policies

Best Practices for Using User Claims

- Choosing the right configuration to enable claims in your user domain
- Operations to enable user claims
- Considerations for using user claims in the file server discretionary ACLs without using Central Access Policies

Using Device Claims and Device Security Groups

- Considerations for using static device claims
- Operations to enable device claims

Tools for Deployment

-

Deploy Claims Across Forests (Demonstration Steps)

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies; thereby, they prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

Today, when users try to access a remote file on the file server, the only indication that they would get is that access is denied. This generates requests to helpdesk or IT administrators that need to figure out what the issue is and often the administrators have a hard time getting the appropriate context from users which makes it harder to resolve the issue.
In Windows Server 2012 , the goal is to try and help the information worker and business owner of the data to deal with the access denied issue before IT gets involved and when IT gets involved, provide all the right information for a quick resolution. One of the challenges in achieving this goal is that there is no central way to deal with access denied and every application deals with it differently and thus in Windows Server 2012 , one of the goals is to improve the access-denied experience for Windows Explorer.

- Determine the access-denied assistance model
- Determine who should handle access requests
- Customize the access-denied assistance message
- Plan for exceptions
- Determine how access-denied assistance is deployed

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as HIPAA or Payment Card Industry Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons to encrypt sensitive business information. However, encrypting information is expensive, and it might impair business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their information.
To support this scenario, Windows Server 2012 provides the ability to automatically encrypt sensitive Windows Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Server (AD RMS) protection for sensitive documents a few seconds after the file is identified as being a sensitive file on the file server.

Reliance on data and storage resources has continued to grow in importance for most organizations. IT administrators face the growing challenge of overseeing larger and more complex storage infrastructures while simultaneously being tasked with the responsibility to ensure total cost of ownership is maintained at reasonable levels. Managing storage resources is not just about the volume or availability of data anymore, but also about the enforcement of company policies and knowing how storage is consumed to enable efficient utilization and compliance to mitigate risk. File Classification Infrastructure provides insight into your data by automating classification processes so that you can manage your data more effectively. The following classification methods are available with File Classification Infrastructure: manual, programmatically, and automatic. This scenario focuses on the automatic file classification method.

A retention period is the amount of time that a document should be kept before it is expired. Depending on the organization, the retention period can be different. You can classify files in a folder as having a short, medium, or long-term retention period and then assign the timeframe for each period. You may want to keep a file indefinitely by putting it on legal hold.
File Classification Infrastructure and File Server Resource Manager uses file management tasks and file classification to apply retention periods for a set of files. You can assign a retention period on a folder and then use a file management task to configure how long an assigned retention period is to last. When the files in the folder are about to expire, the owner of the file gets a notification email. You can also classify a file as being on legal hold so that the file management task will not expire the file.