Dynamic Access Control: Scenario Overview

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.

  • Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.

  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.

  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

The Dynamic Access Control feature set is built on infrastructure investments that partners and line-of-business applications can build on further, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:

  • A new authorization and audit engine for Windows that can process conditional expressions and central policies.

  • Kerberos authentication support for user claims and device claims.

  • Improvements to the File Classification Infrastructure (FCI).

  • RMS extensibility support, so that partners can provide solutions that encrypt non-Microsoft files.

In this scenario

The following scenarios and guidance are included as part of this content set:

Dynamic Access Control Content Roadmap

For each scenario below, the guidance is grouped by phase: Evaluate, Plan, Deploy, and Operate.

Scenario: Central Access Policy

Creating central access policies for files allows organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These policies are based on compliance and business regulatory requirements. Because the policies are created and hosted in Active Directory, they are easier to manage and deploy.

Deploying Claims Across Forests

In Windows Server 2012, AD DS maintains a "claims dictionary" in each forest, and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios in which a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

Evaluate:
- Dynamic Access Control: Scenario Overview
- Deploy Claims Across Forests

Plan:
- Plan: A Central Access Policy Deployment
  - Process to map a business request to a central access policy
  - Delegation of administration for Dynamic Access Control
  - Exception mechanisms for planning central access policies
- Best Practices for Using User Claims
  - Choosing the right configuration to enable claims in your user domain
  - Operations to enable user claims
  - Considerations for using user claims in file server discretionary ACLs without using central access policies
- Using Device Claims and Device Security Groups
  - Considerations for using static device claims
  - Operations to enable device claims
- Tools for Deployment
  - Data Classification Toolkit

Deploy:
- Deploy a Central Access Policy (Demonstration Steps)
- Deploy Claims Across Forests (Demonstration Steps)

Operate:
- Modeling a central access policy

Scenario: File Access Auditing

Security auditing is one of the most powerful tools for maintaining the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes-Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies and thereby prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

Evaluate:
- Scenario: File Access Auditing

Plan:
- Plan for File Access Auditing

Deploy:
- Deploy Security Auditing with Central Audit Policies (Demonstration Steps)

Operate:
- Monitor the Central Access Policies that Apply on a File Server
- Monitor the Central Access Policies Associated with Files and Folders
- Monitor the Resource Attributes on Files and Folders
- Monitor Claim Types
- Monitor User and Device Claims During Sign-in
- Monitor Central Access Policy and Rule Definitions
- Monitor Resource Attribute Definitions
- Monitor the Use of Removable Storage Devices

Scenario: Access-Denied Assistance

Today, when users try to access a remote file on a file server, the only indication they get is that access is denied. This generates requests to the helpdesk or IT administrators, who need to figure out what the issue is; administrators often have a hard time getting the appropriate context from users, which makes the issue harder to resolve.
In Windows Server 2012, the goal is to help the information worker and the business owner of the data deal with the access-denied issue before IT gets involved, and, when IT does get involved, to provide all the right information for a quick resolution. One of the challenges in achieving this goal is that there is no central way to deal with access denied: every application handles it differently. In Windows Server 2012, therefore, one of the goals is to improve the access-denied experience in Windows Explorer.

Evaluate:
- Scenario: Access-Denied Assistance

Plan:
- Plan for Access-Denied Assistance
  - Determine the access-denied assistance model
  - Determine who should handle access requests
  - Customize the access-denied assistance message
  - Plan for exceptions
  - Determine how access-denied assistance is deployed

Deploy:
- Deploy Access-Denied Assistance (Demonstration Steps)

Scenario: Classification-Based Encryption for Office Documents

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as HIPAA or the Payment Card Industry Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons to encrypt sensitive business information. However, encrypting information is expensive, and it might impair business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their information.
To support this scenario, Windows Server 2012 provides the ability to automatically encrypt sensitive Microsoft Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Services (AD RMS) protection for sensitive documents a few seconds after a file is identified as sensitive on the file server.

Evaluate:
- Scenario: Classification-Based Encryption for Office Documents

Plan:
- Plan to deploy classification-based encryption of documents

Deploy:
- Deploy Encryption of Office Files (Demonstration Steps)

Scenario: Get Insight into Your Data by Using Classification

Reliance on data and storage resources has continued to grow in importance for most organizations. IT administrators face the growing challenge of overseeing larger and more complex storage infrastructures while also being responsible for keeping total cost of ownership at reasonable levels. Managing storage resources is no longer just about the volume or availability of data; it is also about enforcing company policies and knowing how storage is consumed, so as to enable efficient utilization and compliance that mitigates risk. File Classification Infrastructure provides insight into your data by automating classification processes so that you can manage your data more effectively. The following classification methods are available with File Classification Infrastructure: manual, programmatic, and automatic. This scenario focuses on the automatic file classification method.

Evaluate:
- Scenario: Get Insight into Your Data by Using Classification

Plan:
- Plan for Automatic File Classification

Deploy:
- Deploy Automatic File Classification (Demonstration Steps)

Scenario: Implement Retention of Information on File Servers

A retention period is the amount of time that a document should be kept before it expires. The retention period can differ from one organization to another. You can classify files in a folder as having a short, medium, or long-term retention period and then assign the timeframe for each period. You may want to keep a file indefinitely by putting it on legal hold.
File Classification Infrastructure and File Server Resource Manager use file management tasks and file classification to apply retention periods to a set of files. You can assign a retention period on a folder and then use a file management task to configure how long an assigned retention period lasts. When files in the folder are about to expire, the owner of the file receives a notification email. You can also classify a file as being on legal hold so that the file management task will not expire it.

Evaluate:
- Scenario: Implement Retention of Information on File Servers

Plan:
- Plan for Retention of Information on File Servers

Deploy:
- Deploy Implementing Retention of Information on File Servers (Demonstration Steps)
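The central access policy scenario above describes authorization rules whose conditional expressions compare user claims with resource properties and are stored in Active Directory. The following PowerShell is an added example, not code from this page or from Microsoft's documentation; it assumes the Active Directory PowerShell module, the pre-defined Department_MS resource property, and a claim ID (ad://ext/Department) chosen here for illustration.

```powershell
# Added example (not from the page): publish a user claim and a resource
# property, build a central access rule whose conditional ACE compares them,
# and package the rule in a central access policy stored in Active Directory.
# Run on a host with the AD PowerShell module, as a Domain Admin.
# All names below are constructed for illustration.
Import-Module ActiveDirectory

# 1. User claim sourced from the 'department' attribute of the user object.
#    Assumption: -ID is set explicitly so the ACE condition below can name it;
#    otherwise AD appends a random suffix to the generated claim ID.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -Enabled $true

# 2. Enable the pre-defined 'Department' resource property (ID Department_MS),
#    which file classification uses to tag folders and files.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true

# 3. Target condition: the rule applies only to resources that carry a
#    Department tag, so untagged folders are left alone.
$resourceCondition = '(Exists @RESOURCE.Department_MS)'

# 4. Permissions in SDDL. The conditional ACE (XA) grants Authenticated Users
#    read/execute (0x1200a9) only when the user's Department claim equals the
#    resource's Department tag; owner rights (OW), Administrators (BA) and
#    SYSTEM (SY) keep full control. The claim is evaluated by the file
#    server's authorization engine at access time, so no per-department
#    security group has to be maintained.
$currentAcl = 'O:SYG:SYD:AR' +
    '(A;;FA;;;OW)' +
    '(A;;FA;;;BA)' +
    '(A;;FA;;;SY)' +
    '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == @RESOURCE.Department_MS))'

# 5. Create the rule. A stricter -ProposedAcl may be supplied in addition;
#    the file server then logs event 4818 whenever the proposed and current
#    results differ, which is how a policy is modeled before it is enforced.
New-ADCentralAccessRule -Name "Departmental documents" `
    -ResourceCondition $resourceCondition -CurrentAcl $currentAcl

# 6. The policy is the unit that Group Policy publishes to file servers.
New-ADCentralAccessPolicy -Name "Departmental data policy"
Add-ADCentralAccessPolicyMember -Identity "Departmental data policy" `
    -Members "Departmental documents"

# 7. Verify what was written to the configuration partition.
Get-ADCentralAccessPolicy -Identity "Departmental data policy" |
    Select-Object Name, Members
```

The policy still has to be published to the file servers through Group Policy and applied to the folders it should govern, which is what the Deploy a Central Access Policy (Demonstration Steps) entry covers.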


Dynamic Access Control is not supported on ReFS (Resilient File System).

See also

Content type: References

Product evaluation:
- Dynamic Access Control Reviewers Guide
- Dynamic Access Control Developer Guidance

Planning:
- Planning a Central Access Policy Deployment
- Plan for File Access Auditing

Deployment:
- Active Directory Deployment
- File and Storage Services Deployment

Operations:
- Dynamic Access Control PowerShell Reference

Tools and settings:
- Data Classification Toolkit

Community resources:
- Directory Services Forum