Dynamic Access Control: Scenario Overview

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In Windows Server 2012, you can apply data governance across your file servers to control who can access information and to audit who has accessed information. Dynamic Access Control lets you:

  • Identify data by using automatic and manual classification of files. For example, you could tag data in file servers across the organization.

  • Control access to files by applying safety-net policies that use central access policies. For example, you could define who can access health information within the organization.

  • Audit access to files by using central audit policies for compliance reporting and forensic analysis. For example, you could identify who accessed highly sensitive information.

  • Apply Rights Management Services (RMS) protection by using automatic RMS encryption for sensitive Microsoft Office documents. For example, you could configure RMS to encrypt all documents that contain Health Insurance Portability and Accountability Act (HIPAA) information.

The Dynamic Access Control feature set is based on infrastructure investments that can be used further by partners and line-of-business applications, and the features can provide great value for organizations that use Active Directory. This infrastructure includes:

  • A new authorization and audit engine for Windows that can process conditional expressions and central policies.

  • Kerberos authentication support for user claims and device claims.

  • Improvements to the File Classification Infrastructure (FCI).

  • RMS extensibility support so partners can provide solutions that encrypt non-Microsoft files.

In this scenario

The following scenarios and guidance are included as part of this content set:

Dynamic Access Control Content Roadmap

The roadmap below lists, for each scenario, the content available for the Evaluate, Plan, Deploy, and Operate phases.

Scenario: Central Access Policy

Creating central access policies for files allows organizations to centrally deploy and manage authorization policies that include conditional expressions using user claims, device claims, and resource properties. These policies are based on compliance and business regulatory requirements. They are created and hosted in Active Directory, which makes them easier to manage and deploy.

Deploying Claims Across Forests

In Windows Server 2012, AD DS maintains a 'claims dictionary' in each forest, and all claim types in use within the forest are defined at the Active Directory forest level. There are many scenarios where a principal may need to traverse a trust boundary. This scenario describes how a claim traverses a trust boundary.

Evaluate:
- Dynamic Access Control: Scenario Overview
- Deploy Claims Across Forests

Plan:
- Plan: A Central Access Policy Deployment
  - Process to map a business request to a central access policy
  - Delegation of administration for Dynamic Access Control
  - Exception mechanisms for planning central access policies
- Best Practices for Using User Claims
  - Choosing the right configuration to enable claims in your user domain
  - Operations to enable user claims
  - Considerations for using user claims in file server discretionary ACLs without using central access policies
- Using Device Claims and Device Security Groups
  - Considerations for using static device claims
  - Operations to enable device claims
- Tools for Deployment
  - Data Classification Toolkit

Deploy:
- Deploy a Central Access Policy (Demonstration Steps)
- Deploy Claims Across Forests (Demonstration Steps)

Operate:
- Modeling a central access policy
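The following PowerShell is an added example, not code from the original page or from Microsoft's demonstration steps. It shows the building blocks the paragraph above describes: a user claim type, a resource property, a central access rule whose conditional expression compares the two, and the policy that carries the rule. The rule is first staged (its conditional ACL goes in -ProposedAcl, so the authorization engine only audits it) and promoted to -CurrentAcl once the staging events look right. The claim ID value, the rule and policy names, the "Finance" department value and the read/execute access mask in the ACE are assumptions; the Department_MS resource property is referenced as it ships in the AD schema.

```powershell
# Added example (not from the original page). Assumed names: "Department"
# claim type and its ID, "Finance Documents Rule", "Finance Policy".
Import-Module ActiveDirectory

# 1. A user claim sourced from the AD 'department' attribute. Conditional
#    expressions refer to the claim by its ID, so the ID is kept in a variable.
$claimId = "ad://ext/Department:88d4ee0a1b2c3d4e"   # constructed ID
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID $claimId -Enabled $true

# 2. Enable the built-in Department resource property so files can be tagged
#    with a department value that the rule can compare against the claim.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true

# 3. Two ACLs for the same rule. $base keeps owner/admin/system access.
#    $current is what applies today (any authenticated user may read);
#    $proposed replaces that plain ACE with a conditional one (XA) that only
#    grants read/execute when the user's claim matches the file's property.
$base     = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)"
$current  = $base + "(A;;0x1200a9;;;AU)"
$proposed = $base + "(XA;;0x1200a9;;;AU;(@USER.$claimId == @RESOURCE.Department_MS))"

# The resource condition limits the rule to files tagged as Finance data.
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS Any_of {"Finance"})' `
    -CurrentAcl $current `
    -ProposedAcl $proposed

# 4. Wrap the rule in a policy. The policy is pushed to file servers by Group
#    Policy and applied to folders by their owners; that step is outside AD.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"

# 5. After reviewing the staging audit events, make the conditional ACL live.
Set-ADCentralAccessRule -Identity "Finance Documents Rule" -CurrentAcl $proposed

Get-ADCentralAccessRule -Identity "Finance Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```

Run this on a domain controller or a machine with the AD PowerShell module, with Enterprise Admin-level rights; the claim type ID must start with "ad://ext/" and is what appears in event logs and ACEs, so choose it deliberately rather than accepting an auto-generated one. Because a central access policy is a safety net evaluated in addition to the NTFS ACL, staging first is the cheap way to find users who would lose access before the rule is enforced.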
Scenario: File Access Auditing

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. For example, industry standards such as Sarbanes-Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies; thereby, they prove compliance or noncompliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

Evaluate:
- Scenario: File Access Auditing

Plan:
- Plan for File Access Auditing

Deploy:
- Deploy Security Auditing with Central Audit Policies (Demonstration Steps)

Operate:
- Monitor the Central Access Policies that Apply on a File Server
- Monitor the Central Access Policies Associated with Files and Folders
- Monitor the Resource Attributes on Files and Folders
- Monitor Claim Types
- Monitor User and Device Claims During Sign-in
- Monitor Central Access Policy and Rule Definitions
- Monitor Resource Attribute Definitions
- Monitor the Use of Removable Storage Devices
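As an added example (not from the original page), the script below enables the two audit subcategories that file access auditing and central access policy staging depend on and then summarizes the resulting Security log events. Event ID 4663 (an attempt was made to access an object) and 4818 (the proposed central access policy does not grant the same access as the current one) are standard Windows Security events; the 24-hour window, the function name and the "more than one account touched the file" review heuristic are choices made here.

```powershell
# Added example (not from the original page). Run elevated on the file server.

# Audit subcategories: object access on the file system, and the staging
# comparison that produces 4818 when a proposed ACL would change the outcome.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable

function Get-DacAuditSummary {
    # Hypothetical helper: one row per 4663/4818 event in the last N hours.
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4663, 4818
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named EventData fields are easiest to reach via the XML rendering.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object = $data['ObjectName']
            Access = $data['AccessMask']
            Staged = ($_.Id -eq 4818)   # true when the event comes from staging
        }
    }
}

# Review aid: files accessed by more than one distinct account in the window.
Get-DacAuditSummary -Hours 24 |
    Group-Object Object |
    Where-Object { ($_.Group.User | Sort-Object -Unique).Count -gt 1 } |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Staging events alone show who the proposed central access policy would affect.
Get-DacAuditSummary -Hours 24 | Where-Object Staged | Format-Table Time, User, Object -AutoSize
```

Enabling the File System subcategory only makes auditing possible; events are written for objects whose SACL (set on the folder, through a global object access policy, or through the central audit policy) requests them. Expect 4663 volume to be high on busy shares, so scope the SACLs to the folders the central audit policy actually covers.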
Scenario: Access-Denied Assistance

Today, when users try to access a remote file on the file server, the only indication that they get is that access is denied. This generates requests to the helpdesk or IT administrators, who need to figure out what the issue is; often the administrators have a hard time getting the appropriate context from users, which makes the issue harder to resolve.

In Windows Server 2012, the goal is to help the information worker and the business owner of the data deal with the access-denied issue before IT gets involved and, when IT does get involved, to provide all the right information for a quick resolution. One of the challenges in achieving this goal is that there is no central way to deal with access denied, and every application deals with it differently; thus, in Windows Server 2012, one of the goals is to improve the access-denied experience for Windows Explorer.

Evaluate:
- Scenario: Access-Denied Assistance

Plan:
- Plan for Access-Denied Assistance
  - Determine the access-denied assistance model
  - Determine who should handle access requests
  - Customize the access-denied assistance message
  - Plan for exceptions
  - Determine how access-denied assistance is deployed

Deploy:
- Deploy Access-Denied Assistance (Demonstration Steps)
Scenario: Classification-Based Encryption for Office Documents

Protection of sensitive information is mainly about mitigating risk for the organization. Various compliance regulations, such as HIPAA or the Payment Card Industry Data Security Standard (PCI-DSS), dictate encryption of information, and there are numerous business reasons to encrypt sensitive business information. However, encrypting information is expensive, and it might impair business productivity. Thus, organizations tend to have different approaches and priorities for encrypting their information.

To support this scenario, Windows Server 2012 provides the ability to automatically encrypt sensitive Windows Office files based on their classification. This is done through file management tasks that invoke Active Directory Rights Management Server (AD RMS) protection for sensitive documents a few seconds after the file is identified as being a sensitive file on the file server.

Evaluate:
- Scenario: Classification-Based Encryption for Office Documents

Plan:
- Plan to deploy classification-based encryption of documents

Deploy:
- Deploy Encryption of Office Files (Demonstration Steps)
Scenario: Get Insight into Your Data by Using Classification

Reliance on data and storage resources has continued to grow in importance for most organizations. IT administrators face the growing challenge of overseeing larger and more complex storage infrastructures while simultaneously being tasked with the responsibility to ensure that total cost of ownership is maintained at reasonable levels. Managing storage resources is no longer just about the volume or availability of data, but also about the enforcement of company policies and knowing how storage is consumed, to enable efficient utilization and compliance and to mitigate risk. File Classification Infrastructure provides insight into your data by automating classification processes so that you can manage your data more effectively. The following classification methods are available with File Classification Infrastructure: manual, programmatic, and automatic. This scenario focuses on the automatic file classification method.

Evaluate:
- Scenario: Get Insight into Your Data by Using Classification

Plan:
- Plan for Automatic File Classification

Deploy:
- Deploy Automatic File Classification (Demonstration Steps)
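The two scenarios above (classification-based encryption of Office documents and automatic classification) share one mechanism: a File Classification Infrastructure rule tags files, and a file management task acts on the tag. The script below is an added example, not code from the original page or from Microsoft's demonstration steps, using the File Server Resource Manager cmdlets. It creates a content-based classification rule, turns on continuous classification so new and changed files are tagged within seconds, and defines a file management job that applies an AD RMS template to every file the rule tagged. The share path, the marker string, the RMS template name and the schedules are assumptions; the rule uses the built-in PII_MS resource property and assumes it has been enabled in AD and downloaded by this file server.

```powershell
# Added example (not from the original page). Run on the file server with
# the File Server Resource Manager role service installed.
Import-Module FileServerResourceManager

$share = "D:\Shares\Finance"   # assumed share path

# Automatic classification: the content classifier reads each file; a match
# sets PII_MS to "High". Overwrite keeps the value current if content changes.
New-FsrmClassificationRule -Name "Find PII markers" `
    -Namespace @($share) `
    -Property "PII_MS" -PropertyValue "High" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString "Social Security Number" `
    -ReevaluateProperty Overwrite

# Continuous classification tags new and modified files as they arrive; the
# scheduled run is the nightly catch-up for anything continuous mode missed.
$nightly = New-FsrmScheduledTask -Time (Get-Date "02:00") `
    -Weekly @("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")
Set-FsrmClassification -Schedule $nightly -Continuous

# File management job: files tagged PII_MS=High get the RMS template applied.
# Continuous mode is what produces the "a few seconds after classification"
# behaviour described for the encryption scenario.
$protect = New-FsrmFmjAction -Type Rms -RmsTemplate "Contoso Finance - Confidential"  # assumed template
$isPii   = New-FsrmFmjCondition -Property "PII_MS" -Condition Equal -Value "High"
$weekly  = New-FsrmScheduledTask -Time (Get-Date "03:00") -Weekly @("Sunday")

New-FsrmFileManagementJob -Name "RMS-protect PII files" `
    -Namespace @($share) `
    -Condition $isPii `
    -Action $protect `
    -Schedule $weekly `
    -Continuous

# Start a classification pass now rather than waiting for the schedule,
# then show the classification configuration and the rules in force.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, ClassificationMechanism
```

The order matters: the resource property must exist on the file server (it is downloaded from AD) before the rule can set it, and the RMS template must be published by the AD RMS cluster before the job can apply it. Keep the content string specific enough that the classifier does not tag files on incidental matches, because a false positive here results in a file being encrypted, not merely reported.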
Scenario: Implement Retention of Information on File Servers

A retention period is the amount of time that a document should be kept before it expires. The retention period can differ from organization to organization. You can classify files in a folder as having a short, medium, or long-term retention period and then assign the timeframe for each period. You may want to keep a file indefinitely by putting it on legal hold.

File Classification Infrastructure and File Server Resource Manager use file management tasks and file classification to apply retention periods to a set of files. You can assign a retention period to a folder and then use a file management task to configure how long an assigned retention period lasts. When the files in the folder are about to expire, the owner of the file gets a notification email. You can also classify a file as being on legal hold so that the file management task will not expire the file.

Evaluate:
- Scenario: Implement Retention of Information on File Servers

Plan:
- Plan for Retention of Information on File Servers

Deploy:
- Deploy Implementing Retention of Information on File Servers (Demonstration Steps)

Note

Dynamic Access Control is not supported on ReFS (Resilient File System).

See also

Product evaluation:
- Dynamic Access Control Reviewers Guide
- Dynamic Access Control Developer Guidance

Planning:
- Planning a Central Access Policy Deployment
- Plan for File Access Auditing

Deployment:
- Active Directory Deployment
- File and Storage Services Deployment

Operations:
- Dynamic Access Control PowerShell Reference

Tools and settings:
- Data Classification Toolkit

Community resources:
- Directory Services Forum