Document Quarantine with Windows Server 2012 Dynamic Access Control

Posted on Wednesday, 26 September 2012, in Basics

Document Quarantine - Identify, protect, and take further action

In this post, Robert De Luca, a Senior Program Manager focused on Identity, highlights some of the early work on Dynamic Access Control (DAC) during the Windows Server 2012 validation program. Long before Microsoft released DAC to market, dedicated customers deployed and tested it and identified issues during the development phase. Robert will take you through the details of document quarantine using Dynamic Access Control.


Hi there, my name is Robert De Luca and I'm part of the Windows Server Partner and Customer Ecosystem (PaCE) team. One PaCE responsibility is running the Technology Adoption Program (TAP) for Windows, so I've been working with customers on Windows Server 2012 testing for well over a year now. One of our TAP customers was very interested in implementing "document quarantine" with Windows Server 2012, and in this post I'll show you how we did it using the new Dynamic Access Control capabilities in Windows Server 2012.

What is document quarantine?

Document quarantine refers to a scenario where you want to identify, protect, and take further action on data that matches certain conditions. In this customer's case, that meant preventing certain types of sensitive files from being stored on file shares where they would be accessible to large numbers of employees.

For the sake of this example, let's assume the sensitive files are those that contain personally identifiable information (PII). After discussing the pros and cons of various approaches and the expected outcome of each, we came up with the following desired behaviors for the customer's quarantine solution:
  • PII is automatically identified and classified.
  • PII is protected regardless of the file share or folder it is stored in.
  • If PII is stored on certain file shares – those with relatively open permissions – the file owner is notified of the policy violation so they can take action.
  • If no action is taken, files in violation of corporate policy are moved to a secure location accessible only to administrators.
This can be easily implemented using some of the new Dynamic Access Control capabilities in Windows Server 2012. I'll be posting a full walkthrough on how to configure the quarantine solution end-to-end, but today I'm just going to go into detail on the less-common things we did. The rest of this post covers the following areas, roughly corresponding to the desired behaviors above:

Part 1: Classifying Files
Part 2: Protecting Files
Part 3: Notifying Users
Part 4: Moving Files
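The four behaviours above map onto two Windows Server 2012 building blocks: the File Classification Infrastructure in File Server Resource Manager (FSRM), which tags files with a property such as "PII", and an FSRM file management job, which notifies the file owner and later moves any file that still carries the tag. The PowerShell below is an added example and is not code from Robert's post or from Microsoft. It assumes a single FSRM-managed file server, an open share at D:\Shares\Public, a quarantine folder at D:\Quarantine, a locally defined Yes/No property named PII, an SMTP relay at smtp.corp.example, and a deliberately simplistic US-SSN-shaped regular expression as the PII detector; all of those are choices made for the example. The central access policy that would enforce Part 2 (protection regardless of share) is not shown.

```powershell
# Added example (not from the original post): a minimal document-quarantine
# pipeline on a Windows Server 2012 file server. Paths, property name, regex,
# mail settings and schedule are assumptions for illustration.
# Run in an elevated PowerShell session on the file server.

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

$OpenShare  = 'D:\Shares\Public'   # assumed: share with relatively open permissions
$Quarantine = 'D:\Quarantine'      # assumed: destination only administrators can read

# Notifications are e-mailed, so FSRM needs a relay and sender/admin addresses (assumed values).
Set-FsrmSetting -SmtpServer 'smtp.corp.example' `
    -FromEmailAddress 'fsrm@corp.example' `
    -AdminEmailAddress 'fileserver-admins@corp.example'

# --- Part 1: classify -------------------------------------------------------
# A local Yes/No property. In a full DAC deployment the domain-wide resource
# property would normally be used instead so a central access policy can key off it.
New-FsrmClassificationPropertyDefinition -Name 'PII' -Type YesNo `
    -Description 'File contains personally identifiable information'

# Constructed, intentionally simplistic detector: a US SSN-shaped number.
# Production rules use tighter patterns and additional string/context matches.
New-FsrmClassificationRule -Name 'Detect PII by content' `
    -Property 'PII' -PropertyValue 'Yes' `
    -Namespace @($OpenShare) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# --- Part 4 prerequisite: a quarantine folder only admins (and the service) can use
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
# Drop inherited ACEs, then grant only Administrators and SYSTEM. SYSTEM is needed
# because the File Server Resource Manager service runs as Local System and is
# the identity that performs the move.
icacls $Quarantine /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# --- Parts 3 and 4: warn the owner, then move the file if it still matches ---
$condition = New-FsrmFmjCondition -Property 'PII' -Condition Equal -Value 'Yes'

# [File Owner] is an FSRM notification variable resolved per file.
$ownerMail = New-FsrmFmjNotificationAction -Type Email `
    -MailTo '[File Owner]' `
    -Subject 'Policy violation: PII stored on an open share' `
    -Body 'The attached files contain PII and will be moved to quarantine in 7 days unless you move or remove them.' `
    -AttachmentFileListSize 1000

# -Days is the number of days BEFORE the expiration action that the notice is sent,
# counted from when the job first saw the file match the condition.
$notify7 = New-FsrmFmjNotification -Days 7 -Action @($ownerMail)
$notify1 = New-FsrmFmjNotification -Days 1 -Action @($ownerMail)

# Expiration = move matching files beneath the expiration folder.
$action   = New-FsrmFmjAction -Type Expiration -ExpirationFolder $Quarantine
$schedule = New-FsrmScheduledTask -Time (Get-Date '2:00 AM') -Weekly @('Sunday')

New-FsrmFileManagementJob -Name 'Quarantine PII on open shares' `
    -Namespace @($OpenShare) `
    -Condition @($condition) `
    -Notification @($notify7, $notify1) `
    -Action $action `
    -Schedule $schedule

# Classify now rather than waiting for the scheduled pass, then run the job once
# so it records which files currently match and starts their notification clock.
Start-FsrmClassification
Start-FsrmFileManagementJob -Name 'Quarantine PII on open shares'
```

Two checks worth making after this runs: `Get-FsrmClassificationRule -Name 'Detect PII by content'` and `Get-FsrmFileManagementJob -Name 'Quarantine PII on open shares'` should both return the objects you created, and a test file containing a matching number dropped into the open share should show `PII = Yes` under Properties > Classification in Explorer after the classification pass. Owners who move or delete a flagged file before the expiration date simply fall out of the condition and are never quarantined, which is the "if no action is taken" behaviour the design calls for; files that remain are moved under D:\Quarantine, where the ACL above keeps them readable only by administrators.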
