Scenario: Central Access Policy

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Central access policies for files enable organizations to centrally deploy and manage authorization policies that include conditional expressions that use user groups, user claims, device claims, and resource properties. (Claims are assertions about the attributes of the object with which they are associated.) For example, to access high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed device, and log on with a smart card. These policies are defined and hosted in Active Directory Domain Services (AD DS).

Organizational access policies are driven by compliance and business regulatory requirements. For example, if an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information, this policy applies to PII files wherever they are located on file servers across the organization. In this example, you need to be able to:

  • Identify and mark the files that contain PII.

  • Identify the group of HR members who are allowed to view PII information.

  • Create a central access policy that applies to all files that contain PII wherever they are located on file servers across the organization.

The initiative to deploy and enforce an authorization policy can arise for many reasons and apply to multiple levels of the organization. The following are some example policy types:

  • Organization-wide authorization policy. Most commonly initiated from the information security office, this authorization policy is driven by compliance or high-level organizational requirements, and it is relevant across the organization. For example, HBI files are accessible only to full-time employees.

  • Departmental authorization policy. Each department in an organization has some special data-handling requirements that it wants to enforce. For example, the finance department might want to limit access to finance servers to the finance employees.

  • Specific data-management policy. This policy usually relates to compliance and business requirements, and it is targeted at protecting the correct access to the information that is being managed. For example, financial institutions might implement information walls so that analysts do not access brokerage information and brokers do not access analysis information.

  • Need-to-know policy. This authorization policy type is typically used in conjunction with the previous policy types. For example, vendors should be able to access and edit only files that pertain to a project they are working on.

Real-life environments also teach us that every authorization policy needs to have exceptions so that organizations can quickly react when important business needs arise. For example, executives who cannot find their smart cards and need quick access to HBI information can call the Help Desk to get a temporary exception to access that information.

Central access policies act as security umbrellas that an organization applies across its servers. These policies enhance (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders. For example, if a DACL on a file allows access to a specific user, but a central policy that is applied to the file restricts access to the same user, the user cannot obtain access to the file. If the central access policy allows access, but the DACL does not allow access, the user cannot obtain access to the file.

A central access policy rule has the following logical parts:

  • Applicability. A condition that defines which data the policy applies to, such as Resource.BusinessImpact=High.

  • Access conditions. A list of one or more access control entries (ACEs) that define who can access the data, such as Allow | Full Control | User.EmployeeType=FTE.

  • Exceptions. An additional list of one or more ACEs that define an exception for the policy, such as MemberOf(HBIExceptionGroup).

The following two figures show the workflow in central access and audit policies.

Figure 1 Central access and audit policy concepts

Figure 2 Central access policy workflow

The central authorization policy combines the following components:

  • A list of centrally defined access rules that target specific types of information, such as HBI or PII.

  • A centrally defined policy that contains a list of rules.

  • A policy identifier that is assigned to each file on the file servers to point to a specific central access policy that should be applied during the access authorization.
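The three rule parts (applicability, access conditions, exceptions) and the rule-into-policy composition described above, written out with the ActiveDirectory module cmdlets on a domain controller. This is an added example, not code from the original article: the claim type ID "EmployeeType", the resource property ID "BusinessImpact", the group "HBIExceptionGroup", and the names "HBI Rule" and "HBI Policy" are assumed placeholders, and the employeeType attribute is assumed to be populated by HR.

```powershell
# Added example, not part of the original article: the HBI rule and policy
# described above, created with the ActiveDirectory module on a domain
# controller running Windows Server 2012 or later.
# Assumed names (placeholders): claim type ID "EmployeeType", resource
# property ID "BusinessImpact", group "HBIExceptionGroup", rule "HBI Rule",
# policy "HBI Policy".
Import-Module ActiveDirectory

# --- Claim and resource property the rule refers to -------------------------
# User claim sourced from the employeeType attribute (assumed to be maintained
# by HR). The ID is what conditional expressions reference as @USER.EmployeeType.
$fte = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("FTE", "Full-time employee", "Full-time employee")
$ctr = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contractor", "Contractor", "Vendor or contractor")
New-ADClaimType -DisplayName "Employee Type" -ID "EmployeeType" `
    -SourceAttribute employeeType -SuggestedValues $fte, $ctr

# Resource property used to mark data as high business impact. Secured so that
# only authorized administrators can classify; referenced as @RESOURCE.BusinessImpact.
$high = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("High", "High", "High business impact")
$low  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Low", "Low", "Low business impact")
New-ADResourceProperty -DisplayName "Business Impact" -ID "BusinessImpact" `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -IsSecured $true -SuggestedValues $high, $low
# Make the property available to file servers through the global list.
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Business Impact"

# --- The rule: applicability, access conditions, exceptions ------------------
# Applicability: only data classified as Business Impact = High.
$applicability = '(@RESOURCE.BusinessImpact == "High")'

# Access condition as a conditional ACE (XA): Authenticated Users (AU) get
# Full Access (FA) only when their EmployeeType claim equals "FTE".
$accessCondition = '(XA;;FA;;;AU;(@USER.EmployeeType == "FTE"))'

# Exception: members of the Help Desk managed exception group are granted
# access by an unconditional allow ACE on the group's SID.
$exceptionSid = (Get-ADGroup -Identity "HBIExceptionGroup").SID.Value
$exception = "(A;;FA;;;$exceptionSid)"

# The rule's permission list is an SDDL string: owner/group header, then the
# DACL with the ACEs above. -CurrentAcl puts it into effect; -ProposedAcl
# would instead stage it so that only audit events are produced.
$ruleAcl = "O:SYG:SYD:AR" + $accessCondition + $exception
New-ADCentralAccessRule -Name "HBI Rule" -ResourceCondition $applicability -CurrentAcl $ruleAcl

# --- The policy: a list of rules ---------------------------------------------
New-ADCentralAccessPolicy -Name "HBI Policy"
Add-ADCentralAccessPolicyMember -Identity "HBI Policy" -Members "HBI Rule"

# Review what was created.
Get-ADCentralAccessPolicy -Identity "HBI Policy" | Select-Object Name, Members
Get-ADCentralAccessRule -Identity "HBI Rule" | Select-Object Name, ResourceCondition, CurrentAcl
```

The policy has no effect on any server until it is published to file servers through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > File System > Central Access Policy) and the domain controllers are configured to issue claims (the "KDC support for claims, compound authentication and Kerberos armoring" setting). Staging the rule with -ProposedAcl first is the low-risk way to see which existing access would be blocked before enforcing it.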

The following figure demonstrates how you can combine policies into policy lists to centrally control access to files.

Figure 3 Combining policies

In this scenario

The following guidance is available to you for central access policies:

Roles and features included in this scenario

The following table lists the roles and features that are part of this scenario and describes how they support it.

| Role/feature | How it supports this scenario |
|---|---|
| Active Directory Domain Services role | AD DS in Windows Server 2012 introduces a claims-based authorization platform that enables the creation of user claims and device claims, compound identity (user plus device claims), new central access policy (CAP) models, and the use of file-classification information in authorization decisions. |
| File and Storage Services server role | File and Storage Services provides technologies that help you set up and manage one or more file servers that provide central locations on your network where you can store files and share them with users. If your network users need access to the same files and applications, or if centralized backup and file management are important to your organization, you should set up one or more computers as a file server by adding the File and Storage Services role and the appropriate role services to the computers. |
| Windows client computer | Users can access files and folders on the network through the client computer. |
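The file-server side of the scenario, covering the File and Storage Services role in the table above and the earlier point that a central access policy enhances but does not replace the folder's DACL. This is an added example, not code from the original article: it assumes a Windows Server 2012 or later file server to which a policy named "HBI Policy" has already been delivered by Group Policy, and the placeholder names CONTOSO\HBIUsers (department group) and D:\HBI (share root).

```powershell
# Added example, not part of the original article: applying a central access
# policy on a file server and seeing how it combines with the folder's DACL.
# Assumed: "HBI Policy" has been published to this server by Group Policy
# (run gpupdate /force after linking the GPO); CONTOSO\HBIUsers and D:\HBI
# are placeholder names.
$folder = "D:\HBI"
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Local DACL: give the department group Modify rights, inherited by children.
#    This is the local access policy that the central policy enhances.
$acl = Get-Acl -Path $folder
$ruleArgs = "CONTOSO\HBIUsers", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# 2. Attach the central access policy. The policy identifier is stored in the
#    folder's security descriptor. From now on a request is granted only if the
#    DACL allows it AND every applicable rule in "HBI Policy" allows it: a user
#    in HBIUsers without the FTE claim is denied, and a user the rule allows but
#    the DACL does not is denied as well. The rule's applicability condition is
#    checked against the folder's or file's Business Impact property, which is
#    set through the Classification tab or File Server Resource Manager (not
#    shown here).
Set-Acl -Path $folder -AclObject (Get-Acl -Path $folder) -CentralAccessPolicy "HBI Policy"

# 3. Verify which policy is attached; Get-Acl exposes the policy name and ID.
Get-Acl -Path $folder | Select-Object Path, CentralAccessPolicyName, CentralAccessPolicyId

# To detach the policy and fall back to the DACL alone:
# Set-Acl -Path $folder -AclObject (Get-Acl -Path $folder) -ClearCentralAccessPolicy
```

If Set-Acl cannot find the policy by name, Group Policy has not yet delivered it to this server; check the applied GPO before troubleshooting the policy itself.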