Diving deeper into Windows Server 2012 Dynamic Access Control

In this blog post, we would like to highlight the work we have done with Independent Software Vendor partners who are adopting key new features we’re delivering in Windows Server 2012. Robert Paige is a program manager in the Windows Server Partner and Customer Ecosystem Team who worked extensively with Independent Software Vendor Partners during the development of Windows Server 2012. The PaCE team helped to facilitate engagements with many software vendors throughout our development cycle; companies delivering on security, anti-malware, management, virtualization, backup and storage solutions, and everything in between. Their solutions showcased our new technologies and the flexibility to extend and enhance complete end-to-end solutions for our mutual customers. This blog follows one we published last month – in it we dive deeper into Dynamic Access Control and the partners who are playing an active role in delivering a rich ecosystem using this technology.

--Natalia Mackevicius,

Principal Group Program Manager, STB Partner and Customer Ecosystem Team

Hello again - as our Worldwide Partner Conference 2012 has just wrapped up in Toronto, we still have many Dynamic Access Control partners we’d like to highlight from TechEd 2012. We worked closely with these partners who demonstrated the power and flexibility of this new feature, taking advantage of Windows Server 2012’s unmatched ability to classify your data, enforce centrally based policy, audit user access, and simplify deployment and management of data compliance across your organization.

Dynamic Access Control Session Highlights (SIA341)

On Day Two of TechEd North America 2012, Siddharth Bhai and Matthias Wollnik provided a technical deep-dive session on Dynamic Access Control specifically targeted to the AD Administrator. They discussed the mechanics of Active Directory claims, central access policies, new authentication and authorization capabilities, the latest guidance on AD token bloat, and more. Here are some key points from the presentation:

· Data Classification – This is not new to Windows Server 2012, but we have made changes that make it significantly easier to discover your documents and classify them with the proper information.

· Expression based auditing – We’ve made it easier to audit access to the data you’ve deemed important, either because it contains sensitive information or because the access records are required to comply with a specific regulation.

· Expression based access conditions – We’ve enabled the ability to combine multiple identities into a single access control entry. This is a very powerful tool that can reduce the number of security groups needed to secure your resources, and you can store the access control lists in Active Directory to enable easy Central Access Policy management.

· Encryption – You can now build automatic RMS encryption rules out of the box that will detect and protect sensitive documents based on the classification rules you’ve set.
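A worked PowerShell sketch of the three mechanisms above (an expression-based ACE, an expression-based audit entry, and a Central Access Rule and Policy stored in Active Directory). This is an added example, not code from the session or from the original post; the claim type, rule, policy and folder names, and the assumption that "KDC support for claims" is already enabled in the domain, are illustrative choices.

```powershell
# Added example; names below are assumptions, not values from the session.
Import-Module ActiveDirectory

# --- Expression-based access condition -------------------------------------
# One callback ACE (XA) stands in for a "Finance-Readers" security group:
# Read & Execute (0x1200a9) is granted to Authenticated Users (AU) only when a
# Department claim in the user's token matches the Department resource
# property stamped on the file by classification.
$conditionalAce = '(XA;;0x1200a9;;;AU;((@USER.Department_MS Any_of @RESOURCE.Department_MS)))'
$ruleAcl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' + $conditionalAce

# --- Expression-based audit entry ------------------------------------------
# A callback audit ACE (XU) records successful (SA) reads only on files whose
# built-in Impact property is High (3000), so the log is not flooded with
# ordinary traffic on low-impact documents.
$conditionalAudit = '(XU;SA;FR;;;AU;(@RESOURCE.Impact_MS >= 3000))'

# --- Publish the claim and resource property in AD -------------------------
# The user's 'department' attribute is issued by the DC as the Department_MS
# claim; the -ID is fixed so the name used in the conditions above matches.
New-ADClaimType -DisplayName 'Department_MS' -SourceAttribute 'department' `
    -ID 'ad://ext/Department_MS'
# Department_MS ships as a built-in resource property; it only needs enabling.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true

# --- Central Access Rule + Policy stored in AD -----------------------------
# The rule is scoped by a resource condition; the policy is what Group Policy
# pushes to the 2012 file servers, and each folder is then linked to it.
New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $ruleAcl
New-ADCentralAccessPolicy -Name 'Finance Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Policy' -Members 'Finance Documents Rule'

# --- Local check on one folder before the policy is rolled out -------------
# The same conditional ACEs can be written straight onto a folder on a
# Windows Server 2012 file server to confirm claim evaluation behaves as
# expected for a test user (folder path is an assumption).
$folder = 'D:\Shares\Finance'
$acl = Get-Acl -Path $folder -Audit
$acl.SetSecurityDescriptorSddlForm(
    'D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)' + $conditionalAce +
    'S:PAI' + $conditionalAudit)
Set-Acl -Path $folder -AclObject $acl
(Get-Acl -Path $folder -Audit).Sddl   # conditional ACEs as stored on disk
```

Writing the SACL requires running elevated with the Manage auditing and security log right, and claims only appear in the token of users who authenticate against a Windows Server 2012 domain controller.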

TechEd DAC Demonstration Partners

CA DataMinder – Continues Execution of Content-Aware Identity & Access Management (IAM) Strategy. When Microsoft talked about the built-in capabilities of Windows Server 2012 Data Classification, we showcased a demonstration from CA Technologies, which is integrating our platform into its DLP solution that supports Dynamic Access Control. CA DataMinder Classification can actively detect when files containing sensitive information are created or changed, using content-aware IAM. In conjunction with the enhanced FCI in Windows Server 2012, the solution helps discover, classify, and deliver precise and fine-grained access control based on the content of documents. This gives your organization another option, integrated with the enhanced File Classification Infrastructure in Windows Server 2012, to control access to information throughout the life of the document: at creation, during access, and when used. In addition, CA DataMinder released integration with CA SiteMinder earlier this year, extending its content-aware capabilities to SharePoint 2010. You can read more about DataMinder here.

dataglobal dg classification 2.0 – As part of the deep-dive presentation on data classification, dataglobal showed how enterprises could use their solution to help manage the burden of getting existing documents classified correctly and keeping them classified throughout their lifetime. dg classification 2.0 expands on the built-in automatic classification in Windows Server 2012 by including attribute-based as well as content-based classification. The classifier is ‘self-learning’, trained on over 100 sample sets of documents to determine how to classify information across a very large variety of file types common in today’s enterprise environments, including e-mails, SharePoint objects, PDF files, and Microsoft file formats. This reduces the need to rely on external metadata and simplifies creating the classification rules. The classification analyzer shows the administrator why a document was classified in a particular way, highlighting the words the classifier used to make the decision, along with a probability indicator of accuracy. This enables users to quickly build classification rules that tag documents based on the analysis, attaching the classification to the file itself so that any other application can make use of the metadata; Windows Server 2012 then handles access enforcement based on the policies defined, whether through traditional manually set rules or with dg classification’s rule-building assistance.

Jiji AuditReporter – Who Has Access to What. Jiji Technologies demonstrated how enterprises could quickly determine the effective permissions of a set of users on a set of shares, to see exactly who has access to what on shares governed by a Central Access Policy. As you may know, auditing effective permissions can be a complex maze, even with the simplicity that Dynamic Access Control provides. Policies using conditional expressions may coexist with policies based on the older OR-based security groups and file share controls throughout a company, and user permissions can be extremely complex, with the complexity growing with the number of shares, documents, and user groups dispersed throughout the organization. Reports can be filtered in a number of useful ways to determine effective permissions and which rule in a Central Access Policy was used to govern them. This is a very powerful addition to the ecosystem of products that can ease a full-scale transition to, and the continued management of, Dynamic Access Control policy.

TITUS Metadata Security for SharePoint – Using Central Access Policies beyond File Server: SharePoint (TITUS blog). In Windows Server 2012, Dynamic Access Control policy is limited to securing file servers. What happens when you want to extend central access policy decisions to SharePoint lists and document libraries? Titus demonstrated that the same Dynamic Access Control central access policies can be extended beyond Active Directory to also include Microsoft SharePoint. Using Group Policy, the central access policies are installed on the SharePoint document library, and the Titus product then interprets and enforces the central access rules as if the documents were stored on a Windows Server 2012 file server. When a user is denied access, Titus Metadata Security provides a meaningful message to the user about why they cannot access the document.

Axiomatics Policy Server – Implementing XACML-based Access Policies in Windows and Beyond: (Axiomatics blog). Organizations are striving to enforce access rules consistently across a broad spectrum of application and platform environments. Windows Server 2012, with its introduction of conditional access control lists expressed in SDDL (Security Descriptor Definition Language), provides a new opportunity to bring Windows Server into the central authorization domain. With the Axiomatics Policy Server, it is possible to author fine-grained policies in the XACML standard (eXtensible Access Control Markup Language) that are consistent with the Windows Server 2012 conditional SDDL language. These access policies can then be enforced by Windows Server 2012 as well as by a wider range of applications such as web applications, enterprise service buses, and REST APIs. Combining the centralized management of Dynamic Access Control with Axiomatics Policy Server’s ability to extend distributed enforcement beyond SDDL, Windows Server 2012 can greatly reduce the complexity of managing security policy in your organization.

Quest Security Explorer – We didn’t have time in our overview or deep-dive sessions to include every partner we’ve worked with to integrate and extend Dynamic Access Control into their products, but that doesn’t mean the ecosystem lacks other companies taking advantage of our new features and enhancing them to meet the needs of our mutual customers. Quest Software had a booth in the STB Partner Pavilion, where they previewed how they can ease the management of Dynamic Access Control policies in a Windows domain environment. Key features of Security Explorer that expand the capabilities of DAC include the ability to also manage Windows 7 clients that are members of a Windows Server 2012 domain; the ability to back up and restore Dynamic Access Control permissions; copying, pasting, loading and saving conditional expressions; adding, removing, and modifying NTFS permissions created within Dynamic Access Control; and simplifying the creation of conditional expressions through a unique interface.

You asked for it, we listened!

If security and compliance are your top concern, we think you’ll be very pleased with the in-box capabilities of Windows Server 2012. Not only did we focus on the top issues our customers have asked for, but we also recognized the need to work with a very broad set of partners to complement our new features and give you the broadest range of options to embrace Dynamic Access Control in your enterprise. After reading this, you might consider poking around in your company’s file shares to see just what sensitive information you have access to – you might be surprised at what you find – the possibility to prevent sensitive data leakage, end the IT admin nightmare of classifying and auditing, and end the worry of how to extend DAC to non-Windows file servers all just became easier!

Learn more about Dynamic Access Control….

The TechEd Sessions

· An Overview of Dynamic Access Control

· Dynamic Access Control Deep Dive

· Dynamic Access Control Best Practices and Microsoft IT Case Studies

· Keeping your Data Safe, and Introduction to Information Protection Technology

· Using classification for access control and compliance

Additional Resources

· TechNet manual (Beta): http://technet.microsoft.com/en-us/library/hh831717.aspx

· Data Classification Toolkit (Beta): https://connect.microsoft.com/site715

· Hands on lab: http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx (Using Dynamic Access Control to automatically and centrally secure data)

· Dynamic Access Control at MMS 2012: https://channel9.msdn.com/posts/Dynamic-Access-Control-Demo-and-Interview

· Nir Ben-Zvi’s Introduction to Windows Server 2012 Dynamic Access Control blog

· Joe Isenhour demonstrations: http://technet.microsoft.com/en-US/video/ff832960.aspx?category=Joe%20Isenhour

Robert Paige
Senior Program Manager, Partner and Customer Ecosystem Team
Windows Server and Cloud Division