Document Quarantine - Identify, protect, and take further action
In this blog post Robert De Luca, a Senior Program Manager focused on Identity, highlights some of the early work on Dynamic Access Control (DAC) during the Windows Server 2012 validation program. Long before Microsoft released DAC to the market, dedicated customers deployed it, tested it and identified issues during the development phase. Robert will take you through the details of document quarantine using Dynamic Access Control.
Document Quarantine with Windows Server 2012 Dynamic Access Control
Hi there, my name is Robert De Luca and I'm part of the Windows Server Partner and Customer Ecosystem (PaCE) team. One of PaCE's responsibilities is running the Technology Adoption Program (TAP) for Windows, so I've been working with customers on Windows Server 2012 testing for well over a year now. One of our TAP customers was very interested in implementing "document quarantine" with Windows Server 2012, and in this post I'll show you how we did it using the new Dynamic Access Control capabilities in Windows Server 2012.
What is document quarantine?
Document quarantine refers to a scenario where you want to identify, protect, and take further action on data that matches certain conditions. In my case, this meant preventing certain types of sensitive files from being stored on file shares where they would be accessible to large numbers of employees.
For the sake of this example, let's assume the sensitive files are those that contain personally identifiable information (PII). After discussing the pros and cons of various approaches and the expected outcome of each, we came up with the following desired behaviors for the customer's quarantine solution:
- PII is automatically identified and classified.
- PII is protected regardless of the file share or folder it is stored in.
- If PII is stored on certain file shares – those with relatively open permissions – the file owner is notified of the policy violation so they can take action.
- If no action is taken, files in violation of corporate policy are moved to a secure location accessible only to administrators.
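To make the four desired behaviors concrete, here is an added PowerShell example (not from the original post or the customer deployment) that wires three of them together with the File Server Resource Manager (FSRM) cmdlets that ship with Windows Server 2012: a content classification rule that flags files containing a PII-like pattern, and a file management job on the open share that e-mails the file owner and, if the file is still there after the grace period, moves it to an administrator-only quarantine folder. The share paths, the property name PII, the sample regular expression, the seven-day grace period and the mail text are all assumptions chosen for illustration; protecting the classified files across every share with a central access policy (the second behavior) is not shown here.

```powershell
# Added example: FSRM-based document quarantine for files classified as PII.
# Assumptions (not from the post): D:\Shares holds the monitored shares,
# D:\Shares\Open is the share with relatively open permissions, and
# D:\Quarantine is a folder readable only by administrators.

Import-Module FileServerResourceManager

# 1. Classification: a Yes/No property that marks a file as containing PII.
New-FsrmClassificationPropertyDefinition -Name 'PII' -Type YesNo `
    -Description 'File contains personally identifiable information'

# A content classifier sets PII=Yes when the file body matches the pattern.
# The pattern below is a constructed placeholder for an SSN-like number;
# a real deployment would use the organisation's own PII expressions.
New-FsrmClassificationRule -Name 'Detect PII' `
    -Property 'PII' -PropertyValue 'Yes' `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -Namespace @('D:\Shares') `
    -ReevaluateProperty Overwrite

# Classify new and changed files as they arrive rather than only on a schedule.
Set-FsrmClassification -Continuous

# 3. Notification: warn the file owner seven days before the move.
$notifyOwner = New-FsrmFmjNotificationAction -Type Email `
    -MailTo '[File Owner]' `
    -Subject 'Policy violation: PII stored on an open share' `
    -Body 'The file [Source File Path] contains PII and will be moved to quarantine in [Days Before File Action] days unless it is removed from the open share.'
$notification = New-FsrmFmjNotification -Days 7 -Action $notifyOwner

# 4. Move: the expiration action relocates matching files to the quarantine folder.
$condition = New-FsrmFmjCondition -Property 'PII' -Condition Equal -Value 'Yes'
$moveAction = New-FsrmFmjAction -Type Expiration -ExpirationFolder 'D:\Quarantine'

# Only the open share is subject to the move; PII on tightly permissioned
# shares is left in place (it is still protected by the classification-driven policy).
New-FsrmFileManagementJob -Name 'Quarantine PII on open shares' `
    -Namespace @('D:\Shares\Open') `
    -Condition $condition `
    -Action $moveAction `
    -Notification $notification `
    -Schedule (New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Saturday'))
```

When testing this, run Start-FsrmClassification against the monitored namespace first and confirm the PII property appears on a planted sample file before enabling the management job; the job only acts on files whose property has already been set, so a misconfigured rule silently results in nothing being quarantined.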
Part 1: Classifying Files
Part 2: Protecting Files
Part 3: Notifying Users
Part 4: Moving Files