October 24, 2011 11:05 AM

Exploring Windows Server 8: Dynamic Access Control

Powerful, flexible, and centralized file security across your domain
Windows IT Pro
InstantDoc ID #140572

One of the big security challenges in a Windows domain environment is ensuring that files—all files, not just the ones you know about—have the correct security applied to them. According to Microsoft, despite the popularity of SharePoint, file servers remain the largest (80 percent) repository of enterprise data. Periodic audits for regulatory compliance are expensive and difficult to accomplish. Adding to this challenge is the fact that in the current Windows Server file environment, there’s a gap between the overall information security policy and the actual boots-on-the-ground implementation of these policies on file servers throughout the domain. Anyone who has had to administer a server knows there are many opportunities for exceptions to slip through in an environment where tens, hundreds, or even thousands of file servers must be individually configured to meet corporate policy.

Windows Server 8 Dynamic Access Control is a new file-system authorization mechanism that gives IT the ability to define central file-access policies at the domain level that apply to every file server in the domain. Dynamic Access Control provides a “safety net,” in addition to any existing share and NTFS permissions, which ensures that regardless of how the share and NTFS permissions might be changing on a day-to-day basis, this central overriding policy will still be enforced.

Dynamic Access Control marks the first incorporation of claims into the core Windows authorization (access control) model. A claim is an assertion about an object, issued by a trusted identity provider. Claims have existed for a while in the internet security world, where they’re at the core of federated identity technology. Claims are manipulated in this area by a security token service (STS) such as Active Directory Federation Services (AD FS), which transforms data in Kerberos tokens into claims that can be consumed by web services.

In the Windows Server 8 access control model, claims are Active Directory (AD) attributes that have been defined for use with Central Access Policies. You can set claims for both users (“User.company==FTE”) and devices (“Device.managed==true”). This is easily done using the Active Directory Administrative Center (ADAC), where there’s a new Claim Based Access container at the same hierarchy level as the domain. This kind of claim-based access gives you a degree of granularity and flexibility not available before. In fact, the product was originally named “claim-based access control,” but was renamed to Dynamic Access Control because the new access control system has more to it than just claims.

Deploying centralized file-access policies through Dynamic Access Control is a four-part process. The first—and arguably the hardest—step is to identify and classify file server data. These classifications are set by NTFS tags and require that the file server be running Windows Server 8. This tagging can be done by several methods. Data can be tagged/classified based on application; by a sophisticated automatic mechanism that can, for example, search for Social Security number formats or the words “<your company> Confidential”; by folder; or it can be tagged manually by the file server content owner.
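As an added illustration (not code from the article or from Microsoft), the following Python model ties together the claim notation quoted above, the classification tags from the first deployment step, and the “safety net” layering: share, NTFS and the central policy are ANDed, so an over-permissive NTFS ACL cannot widen access to a file tagged Confidential. The rule set, principals and tag values are constructed, and the model assumes that a rule whose resource condition does not match a file leaves that file unconstrained.

```python
"""Model of Dynamic Access Control's layered access check (added example, not Microsoft code)."""
import re

# Constructed central access rules: (name, resource condition, user/device condition),
# written in the notation the article quotes, e.g. "User.company==FTE".
RULES = [
    ("Confidential data", "Resource.classification==Confidential",
     "User.company==FTE && Device.managed==true"),
]

def _lookup(ref, ctx):
    """Resolve 'User.company' against ctx = {'User': {...}, 'Device': {...}, 'Resource': {...}}."""
    scope, attr = ref.split(".", 1)
    return str(ctx.get(scope, {}).get(attr, "")).lower()

def eval_condition(expr, ctx):
    """Evaluate ==, !=, && and || over claims and resource tags (&& binds tighter than ||).
    An absent claim compares as the empty string, so it never satisfies ==."""
    def atom(text):
        m = re.fullmatch(r"\s*(\w+\.\w+)\s*(==|!=)\s*(\S+)\s*", text)
        if not m:
            raise ValueError(f"bad condition: {text!r}")
        ref, op, want = m.groups()
        same = _lookup(ref, ctx) == want.lower()
        return same if op == "==" else not same
    return any(all(atom(a) for a in term.split("&&")) for term in expr.split("||"))

def central_policy_allows(rules, ctx):
    """A rule applies only when its resource condition matches the file's tags; every
    applicable rule must grant (modelled as an intersection, an assumption here), and
    a file that no rule targets is left to share and NTFS permissions alone."""
    return all(eval_condition(perm, ctx)
               for _name, target, perm in rules if eval_condition(target, ctx))

def effective_access(share_allows, ntfs_allows, rules, ctx):
    """Share AND NTFS AND central policy: the central policy can only narrow what the
    file server already grants, which is the article's 'safety net'."""
    return bool(share_allows and ntfs_allows and central_policy_allows(rules, ctx))

def demo():
    """Constructed principals against a Confidential file whose share and NTFS ACLs grant everyone."""
    secret = {"classification": "Confidential"}
    cases = {
        "fte_managed": {"User": {"company": "FTE"}, "Device": {"managed": "true"}, "Resource": secret},
        "contractor": {"User": {"company": "Contractor"}, "Device": {"managed": "true"}, "Resource": secret},
        "fte_byod": {"User": {"company": "FTE"}, "Device": {"managed": "false"}, "Resource": secret},
        "public_file": {"User": {"company": "Contractor"}, "Device": {}, "Resource": {"classification": "Public"}},
    }
    return {name: effective_access(True, True, RULES, ctx) for name, ctx in cases.items()}
```

Calling demo() shows that only the FTE on a managed device reaches the Confidential file, while the Public file, which no rule targets, is governed by share and NTFS permissions alone.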


Comments
  • charlsp
    5 months ago
    Dec 01, 2011

    Dynamic Access Control is a fundamental re-architecting of file security. It is a major improvement in terms of central management of security on files, and the first step of protecting information based on its value (classification) rather than on its location.
    Claims are very powerful and with the integration of ADFS into the base Windows 8 Server, implementation of claims will become easier. For those interested in SharePoint we have extended this concept to SharePoint with our Titus Metadata Security Claims edition solution for SharePoint. (http://www.titus.com/software/sharepoint/metadata_security_claims_edition.php)
