Powerful, flexible, and centralized file security across your domain
Deploying centralized file-access policies through Dynamic Access Control is a four-part process. The first—and arguably the hardest—step is to identify and classify file server data. These classifications are set by NTFS tags and require the file server be running Windows Server 2012. This tagging can be done by several methods. Data can be tagged/classified based on application; by a sophisticated automatic mechanism that can, for example, search for Social Security formats or the words " Confidential"; by folder; or it can be tagged manually by the file server content owner.
While this classification process is going on, Information Security can build Central Access Policies that will apply to the different file classifications. These policies are far more flexible and specific than anything previously available in Windows access control; you can use expression-based access conditions with support for user claims, device claims, and file tags. When the policies are applied, there's a highly customizable Access Denied remediation mechanism that guides the user to a specific URL or generates an email message, to get the situation corrected if necessary.
Once the policies are applied, you can also define centralized audit policies that can be applied across multiple files servers as well. Similarly to the access policies, these audit policies are defined with expression-based auditing conditions with support for user claims, device claims, and file tags. And since there's a big gap between a policy as it's initially thought up and how it looks when it hits the real world, there's a built-in mechanism that works like Group Policy's Resultant Set of Policy (RSoP) to test against the target file servers in what-if simulations before the policies are ever activated.
Finally, you can choose to automatically protect certain types of Office data classification with Rights Management Service (RMS) based on file tagging. Part of Dynamic Access Control, this capability doesn't require a separate AD RMS installation. RMS provides near real-time protection within a few seconds of when the document is tagged. Dynamic Access Control also has extensibility to protect non-Office RMS protectors.
Dynamic Access Control in Windows Server 2012 is limited to the NTFS file system. Why? As it was described to me by Senior Program Manager Robert Deluca, Windows Server 8 was designed by scenario-based engineering, and the most compelling initial scenario to solve was that of centralized access control and compliance. They're starting with this scenario, and as they gain experience with this release, it might expand to encompass other areas (such as claims-based authentication and authorization).
This new Windows Server 2012 capability isn't just a very powerful security and compliance feature. It's also a basis for more authorization flexibility in future versions of Windows. And probably to the relief of IT pros concerned about job security, implementing it will be a good-sized project to keep them busy for quite a while.