Using Resource Properties and Classification in Windows Server 2012 Dynamic Access Control

Windows Server 2012 introduces a new way to secure files, folders, and shared resources called Dynamic Access Control (DAC).  This new functionality helps protect sensitive data, and can ensure that those who are accessing the data and the systems they are using are trusted.  Unlike the way files and shares were protected in Windows 7 and previous Windows operating systems, DAC allow administrators to manage security policies for the whole enterprise.  These policies can be defined centrally and enforced on servers, shares and folders located throughout the organization.

In Windows Server 2012 you can define Dynamic Access Control Policies.  Policies can be made up of one or more Access Control Rules.  A rule defines the 1) claims needed to access a resource and the 2) properties of the resource.

DAC uses claim-based access control.  For an explanation of claims see our What are Claims-Using Claims in SharePoint blog. Using claim-based access control, sensitive data is only available to those who should have access to that data. Claim-based access control is based on configurable criteria, such as user title, departments, country, the sensitivity of the data being accessed, and the health of the device that is used to access that data.

DAC can also make use of resource properties to enhance security. Resource property objects define additional properties that appear on file and folders.  Windows Server 8 can use these properties for authorization.  For example these properties can represent the classification of a file or folder (such as Confidential or Internal Use), or other properties of a file such as what department owns the information, or what project the file is associated with.  The screenshot below provides an example of a “Department” resource definition in Windows 8.

Example of Resource Property definition in Windows Server 8


Adding values to resource properties on a file or folder is known as classification.  You can classify files and folders in several ways using Windows Server 8 Beta.  The main way to do this in Windows Server 2012 is to use the continuous classification available via the File Classification Infrastructure (FCI), which can be found in the File System Resource Manager. For more information on FCI see our blog called Leveraging FCI in Windows Server 2008. This method works well if you already know the classification of the information in a folder and now want to assign the classification properties.  An alternate way to assign classifications is to have the end-users apply classification to emails and documents as they are being created.  At Titus we offer solutions to do this called Message Classification for Outlook and Classification for Office. These solutions interoperate with FCI and assist users in classifying information.

Once the claims and claims values have been created, along with the Resource Properties we can go ahead and define a DAC rule.   In simple terms we might want to create a DAC rule such that “only users in the Finance department can access files owned by Finance”. This rule can then be applied to all file servers in the organization.

In Part 2, of his blog series on DAC, we will discuss how to define Resource properties and how to use them in Windows Server 2012 Central Access Rules.

Tags: , , , ,

Leave a Reply