Can you make sure that only authorized individuals can access confidential data? Do you have granular control over auditing access? How do you reduce the number of security groups your organization has? How do you deal with regulatory standards? Many questions come up when it comes to data access control.
A content classification rule that searches a set of files for the string “SBC12 Confidential”. If the string is found in a file, the Impact resource property is set to High on the file. A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
Info Security: Microsoft Dynamic Access Control
Dynamic Access Control
Jason Kittrell, Regional Instructor
New Horizons CLC
January 30, 2014
• Intended Audience
• Understanding of what D.A.C. offers
• Next steps
• Who is New Horizons?
• Presentation: Dynamic Access
Microsoft Case Study
• 45%: File based
• MSIT cost $1.6
• >70%: of stored data
• Cloud cost would be
• Offices, Data Centers,
• MSIT 1500 file servers with 110 different groups managing them
• Very hard to
• New and changing
• number of records involved in security breaches in the US since January 2005
• $90 to $305 per record (“Calculating the Cost of a Security Breach”)
• for investment bank with SEC over
Dynamic Access Control in a Nutshell
• stored in Active
• auditing based on
• classification and user
• based on document
• deployment of audit policies using Global
• Flexible access control lists based on
• control lists using Central Access Policies.
• encryption based on
Pre-2012: NTFS Permissions
• Decisions made only by user security principals or groups
• Users had to log out before changes to security group membership were applied to their security token
• “Shadow Groups” were often made to mimic attributes
• Security Groups have rules on who can be members of which types of groups
• No way to cross AD trust boundaries
• No way to make access decisions based on the user’s device
Windows Server 2012: Expression Based Access
Selected AD attributes are included in Security Tokens
Claims can be included directly in file server permissions
Claims can be consistently issued to all users in the forest
Claims can be “transformed” across trust boundaries
Enabled new policy types NTFS alone cannot grant:
– Example: Allow WRITE if User.MemberOf(Finance) and User.EmployeeType=FTE and Device.Managed=TRUE
File Classification Infrastructure provides insight into your data by automating classification processes.
File Classification Infrastructure uses classification rules to automatically scan files and classify them according to the contents of the file.
Some examples of classification rules include:
• Classify any file that contains the string “SBC12 Confidential” as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
Data Encryption Challenges
How do I protect sensitive information after it leaves my protected environment?
I cannot get the users to encrypt their sensitive data.
process to encrypt a file based on
Claim definitions, file property definitions, and access policies are established in Active Directory.
A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to the rules.
On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
The RMS template and encryption are applied to the file on the file server and the file is encrypted.
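As an added example (not code from the presentation or from Microsoft FCI), the following Python models the two classification rules described earlier and the file-server rule that protects any high-impact file with RMS. The thresholds and property names come from the slides; the sample files, the SSN pattern and the pipeline functions are assumptions made for illustration.

```python
import re

# Constructed sample files standing in for documents on a file share.
SAMPLE_FILES = {
    "budget.txt": "Q3 budget summary. SBC12 Confidential. Do not forward.",
    # ten SSN-shaped values, one per line -> meets the "at least 10" threshold
    "payroll.csv": "\n".join(
        f"emp{i},{100 + i:03d}-45-{6000 + i:04d}" for i in range(10)
    ),
    # only nine SSN-shaped values -> below the threshold, not classified as PII
    "memo.txt": "Nine only: " + " ".join(
        f"{100 + i:03d}-45-{6000 + i:04d}" for i in range(9)
    ),
    "notes.txt": "Lunch is at noon.",
}

# Assumed pattern for a US social security number in NNN-NN-NNNN form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PII_MIN_MATCHES = 10


def classify(text: str) -> dict:
    """Apply the two content classification rules from the deck.

    Returns the resource properties that would be set on the file.
    """
    props = {}
    # Rule 1: string match -> Impact = High
    if "SBC12 Confidential" in text:
        props["Impact"] = "High"
    # Rule 2: regex must match at least 10 times in one file -> PII = High
    if len(SSN_RE.findall(text)) >= PII_MIN_MATCHES:
        props["Personally Identifiable Information"] = "High"
    return props


def rms_protection_required(props: dict) -> bool:
    """File-server rule: RMS-protect any file classified as high impact."""
    return props.get("Impact") == "High"


def run_pipeline(files: dict) -> dict:
    """Classify each file, then decide whether the RMS rule fires."""
    results = {}
    for name, text in files.items():
        props = classify(text)
        results[name] = {
            "properties": props,
            "rms_protected": rms_protection_required(props),
        }
    return results
```

Running `run_pipeline(SAMPLE_FILES)` shows that only budget.txt is encrypted, while payroll.csv is tagged as PII without triggering the RMS rule and memo.txt falls one match short of the threshold.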
Want to know more?
• Microsoft Class 20412 Configuring Advanced Windows Server 2012 Services
• Contact your New Horizons Education Consultant