
The new File Server–Part3-Using File Classification & ADRMS #Microsoft #winserv 2012 #mvpbuzz


Part1: The Windows Server 2012 new File Server–part 1- Access Conditions #Microsoft #winserv 2012 #mvpbuzz
http://goo.gl/FtWbi
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS #Microsoft #winserv 2012 #mvpbuzz
http://goo.gl/dRHro

In Part 1 we looked at the new conditions that can be applied through the new security permissions GUI in Windows Server 2012; in Part 2 we continued in our lab and set up AD RMS to set the stage for Part 3.

In Part 3 we delve into the File Classification Infrastructure in Windows Server 2012 and see how to use it and integrate it with Active Directory RMS.

But first, what is file classification in Windows Server? FCI (File Classification Infrastructure) is not new in Windows Server 2012; it has been there since Windows Server 2008, but as a separate set of tools and commands that classify files at the file server level.

FCI scans folders and file shares, reads the files inside them and stamps (classifies) each file based on specific attributes. Once the classification is done, the tags can be read by the Windows file server or by 3rd party products, which can then take actions according to each file's classification. Below is a screenshot of a classified file: it is tagged with Country "Egypt" and Department "Finance". You can classify documents with any number of attributes, including priority, sensitivity, location, security clearance, etc.

image

How are files and folders classified?

You can classify folders and files manually: right-click the folder or file, open its properties and go to the Classification tab, where you can set the classification by hand. In the screen below I can select the Country classification, either "Egypt" or "Qatar", and I can pick the Department from a wide range of departments that are provided by default; of course the list is customizable:

image

image

How to classify files automatically?

To classify files and folders automatically in Windows Server 2012, install the File Server Resource Manager; you can do that by adding the role service from Server Manager.

After installing File Server Resource Manager, open its MMC console. There you can manage quotas, shares and file screening, and you will find the new section for file classification:

image

The File Classification Management node has two sections (the second, Classification Rules, is covered later in this post):

  • Classification Properties: used to define the classification attributes, like Country and Department in our example.

image

In the above screen you will find two attributes (Country and Department) whose scope is Global; this is because they are defined in AD (configuring these will be explained in detail in Part 4, when we talk about Dynamic Access Control). You can also define your own local attributes, such as file sensitivity.

Now, if you want to classify documents automatically, you need to create a classification rule. A classification rule classifies documents automatically based on the file attributes, the scope or the content. Let us see how:

Customizing Folder Usage:

Folder usage is an automatic way to identify the kind of data contained in folders. This is not classification: it only describes what data a folder contains, and that description can be used by classification rules later.

To customize folder usage, open Classification Properties and double-click Folder Usage.

By default there are four types of data:

  • Application data.
  • Backup Data.
  • Group Data.
  • User Files

On this page you can create your own data types:

image

I will create Engineering and Financial data types:

image

Now, to define which folders are used by the Engineering team and which by the Finance team, click the empty space in Classification Properties and select Set Folder Management Properties:

image

In the property list, select Folder Usage and define the folders that are used by each team or that contain each data type. You can have any number of folders and definitions, but again, this is not classification: it defines folder usage, which will be consumed by our classification rule later. So select the folder path and set its data usage:

image

The final settings will be as follows:

image


Create Classification Rules:

Now let us create some classification rules. From Classification Rules, create a new rule:

image

In the Rule Name field, specify a name for the rule; in this rule I will classify a folder as financial data:

image

In the Scope tab you specify which data usage is classified automatically. We will use the Financial data usage and also add a manually selected folder (Share 1), so that both are classified as financial data. When you select the Financial data usage, the folder selection automatically includes all the paths you defined in the previous step; you can also specify paths manually. The final settings will be as follows:

image

In the Classification tab we have two ways to set classification:

  • Folder classification: classifies all the files in the folder with the property value specified in the rule.
  • Content classification: searches the files for specific patterns or keywords; using regular expressions you can go deep into your data searching for specific content, and when a match is found the files are classified accordingly. Examples are credit card numbers, project codes, etc.

This first rule will classify the folders; we will create another rule that classifies by content. So the rule will be as follows:

image

Note: the Department and Country classifications are organization-wide and are created from Dynamic Access Control; you will learn how to create these in detail in the next blog post (Part 4). If you would like to follow along with the lab and don't want to jump to the DAC part yet, create local properties and use them instead.

In the Evaluation Type section you can choose whether to continuously re-evaluate the data and, when re-evaluating, whether to overwrite or aggregate existing values. In my example I will overwrite, which makes sure that any user-level (manual) settings are overridden by the company rules defined here:

image

Now the rule is ready. Let us create another rule that does content classification:

image

This rule classifies the data by country, so I will include both the Engineering and Financial data usages in its scope:

image

In the Classification tab I will choose Content Classifier and classify data that matches the rule as Country = Egypt:

image

In the Parameters section, click Configure. You will find fields for a regular expression, a plain string and a case-sensitive string:

image

In my case I will search the document for the word "Egypt" and classify it when found. You can use regular expressions and more complex statements in your rules, and even multiple rules; you can also define the minimum and maximum number of occurrences to fine-tune the rule:

image

The final rules will be as follows:

image
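The same setup, from the folder usage values through both rules, as an added example using the FSRM PowerShell module in Windows Server 2012 (this is not code from the original post). It assumes local Country/Department properties (the post's AD-defined ones arrive in Part 4), hypothetical share paths under D:\Shares, and the "[FolderUsage_MS=...]" dynamic-namespace syntax for folder-usage scopes; the folder-usage edit via the PossibleValue array is also an assumption.

```powershell
# Added example, not code from the original post. See lead-in for assumptions.
Import-Module FileServerResourceManager

# 1. Local classification properties with the values used in the lab.
$countries = @((New-FsrmClassificationPropertyValue -Name "Egypt"),
               (New-FsrmClassificationPropertyValue -Name "Qatar"))
New-FsrmClassificationPropertyDefinition -Name "Country" -Type SingleChoice -PossibleValue $countries
$departments = @((New-FsrmClassificationPropertyValue -Name "Finance"),
                 (New-FsrmClassificationPropertyValue -Name "Engineering"))
New-FsrmClassificationPropertyDefinition -Name "Department" -Type SingleChoice -PossibleValue $departments

# 2. Folder usage: add the two custom data types to the built-in FolderUsage_MS
#    property (assumed editable this way), then tag the team folders.
#    This is usage, not classification: rules consume it as a scope.
$usage = Get-FsrmClassificationPropertyDefinition -Name "FolderUsage_MS"
$usage.PossibleValue += (New-FsrmClassificationPropertyValue -Name "FinancialData")
$usage.PossibleValue += (New-FsrmClassificationPropertyValue -Name "EngineeringData")
Set-FsrmClassificationPropertyDefinition -Name "FolderUsage_MS" -PossibleValue $usage.PossibleValue
Set-FsrmMgmtProperty -Namespace "D:\Shares\Finance" -Name "FolderUsage_MS" -Value "FinancialData"
Set-FsrmMgmtProperty -Namespace "D:\Shares\RnD"     -Name "FolderUsage_MS" -Value "EngineeringData"

# 3. Rule 1: folder classifier. Everything under financial folders (plus the
#    manually added Share1) becomes Department = Finance. Overwrite means
#    the company rule wins over any manual tag a user set on the file.
New-FsrmClassificationRule -Name "Finance folders" `
    -Property "Department" -PropertyValue "Finance" `
    -Namespace @("[FolderUsage_MS=FinancialData]", "D:\Shares\Share1") `
    -ClassificationMechanism "Folder Classifier" -ReevaluateProperty Overwrite

# 4. Rule 2: content classifier over both usage scopes. Any file whose text
#    contains "Egypt" becomes Country = Egypt. A pattern such as a project
#    code format would use -ContentRegularExpression instead of -ContentString.
New-FsrmClassificationRule -Name "Egypt content" `
    -Property "Country" -PropertyValue "Egypt" `
    -Namespace @("[FolderUsage_MS=FinancialData]", "[FolderUsage_MS=EngineeringData]") `
    -ClassificationMechanism "Content Classifier" -ContentString "Egypt" `
    -ReevaluateProperty Overwrite

# 5. Run the rules now (the equivalent of "Run Classification With All Rules Now")
#    and show the classification job settings and status.
Start-FsrmClassification
Get-FsrmClassification
```

Rule 2 only tags the file; it grants or denies nothing by itself, which is why the RMS task or DAC step that follows is what actually enforces anything.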

Now let us test it. In each folder I have two files, one containing the word "Egypt" and one that does not. I have placed this file group in both the Financial and R&D folders. Right now nothing is classified:

image

image

Now we go and run the classification rules:

image

Let us see how it works and examine the classification report:

image

It worked as expected, sweet!

Until now we have done nothing with the data classification; we have only tagged the data as Egypt or not, financial or not. So what is the point? There are two things we can use data classification for:

  • Encrypt the files using AD RMS.
  • Control file access using Windows Server 2012 Dynamic Access Control (DAC).

In this post we will see how to use AD RMS; in Part 4 we will use Dynamic Access Control.

Encrypt Files Dynamically based on Data Classification:

So far we are doing great: we defined folder usage, classified the files and tagged them with the proper properties. Now we will take action based on those classifications. In the steps below we will encrypt the documents using AD RMS.

Configuring RMS to allow the file server to request a certificate:

In order to allow the file server to request a certificate automatically and encrypt the documents, you must configure some permissions on ServerCertification.asmx on the RMS server:

  • Read and Execute permissions for the file server machine account.
  • Read and Execute permissions for the AD RMS Service Group.
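The two permissions above, granted and then verified on the AD RMS server, as an added example (not from the original post). CONTOSO\FS01$ is a hypothetical file server machine account; the ServerCertification.asmx path is the default location under the AD RMS website.

```powershell
# Added example, not code from the original post. Run on the AD RMS server
# as a local administrator. CONTOSO\FS01$ is a hypothetical machine account.
$asmx = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

# Grant Read & Execute (RX) to the file server computer account and to the
# local AD RMS Service Group. (RX) is the least rights the pipeline needs here.
icacls $asmx /grant 'CONTOSO\FS01$:(RX)'
icacls $asmx /grant 'AD RMS Service Group:(RX)'

# Verify: list only the two entries we care about, with the effective rights.
function Get-AsmxGrants {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like '*FS01$' -or
                       $_.IdentityReference -like '*AD RMS Service Group' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
Get-AsmxGrants -Path $asmx | Format-Table -AutoSize
```

If the file inherits its ACL from the _wmcs\Certification folder, the new entries appear as explicit grants beside the inherited ones; nothing else on the site needs to change.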

Create File Server Management Task:

From the File Management Tasks node, create a new task:

image

In the General tab, give the task a meaningful name:

image

In the Scope tab we can select the Financial or Engineering usage scopes, or a custom folder. I will select the Financial scope and "Share 1", which is a custom path:

image

In the Action tab you have three options:

  • Custom: run your own command that performs the action, for example a PowerShell script.
  • Expire: expire the files, in other words move them to another folder (the expiry folder) for review and deletion.
  • RMS Encryption: apply an RMS template or custom permissions to the files matching the criteria.

In this article we will apply RMS encryption. You can choose between a predefined RMS template and custom permissions; I will use custom permissions, where Everyone gets read-only access and only "Finance User" has full control:

image

In the Notification tab you can send a notification to an email address, maybe the folder manager, the department head or an administrator:

image

In the Condition tab I will set the task to encrypt all documents that belong to Finance (Department = Finance). You can also add time conditions such as days since the file was last accessed, modified or created, or file name patterns:

image

In the Schedule tab you specify when the task runs; you can also choose to run it continuously so it monitors for new files:

image

Now the task is ready and configured. Let us run it and see the report:

image

So, as expected, the files were encrypted. Based on their tags, Everyone now has read-only access and only the Finance user has full control. Super!
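The whole file management task above (scope, RMS action with custom rights, condition on the Department tag, continuous schedule), as an added PowerShell example that is not from the original post. It assumes the FSRM module, a hypothetical CONTOSO\FinanceUser account, hypothetical D:\Shares paths, and the "[FolderUsage_MS=...]" dynamic-namespace syntax.

```powershell
# Added example, not code from the original post. See lead-in for assumptions.
Import-Module FileServerResourceManager

# Action: RMS protection with custom rights instead of a template.
# Everyone may read; only the finance user gets full control.
$rmsAction = New-FsrmFmjAction -Type Rms `
    -RmsReadUser "Everyone" `
    -RmsFullControlUser "CONTOSO\FinanceUser"

# Condition: act only on files the classification rule already tagged
# Department = Finance. Untagged files in the same share are left alone,
# so a wrong tag (not a wrong path) is what decides protection.
$financeOnly = New-FsrmFmjCondition -Property "Department" -Condition Equal -Value "Finance"

# Schedule: weekly full pass on Sunday night; -Continuous additionally
# protects new and changed files as they arrive between passes.
$weekly = New-FsrmScheduledTask -Time (Get-Date "22:00") -Weekly Sunday

# Scope: the Financial folder-usage scope plus the manually added Share1,
# matching the post's screenshots. Report is mailed to the FSRM admin address.
New-FsrmFileManagementJob -Name "Protect finance documents" `
    -Namespace @("[FolderUsage_MS=FinancialData]", "D:\Shares\Share1") `
    -Action $rmsAction `
    -Condition $financeOnly `
    -Schedule $weekly `
    -Continuous `
    -MailTo "[Admin Email]"

# Run it now (same as "Run File Management Task Now") and show the job.
Start-FsrmFileManagementJob -Name "Protect finance documents"
Get-FsrmFileManagementJob -Name "Protect finance documents"
```

A practical check after the first run is to open a file from the scope as a non-finance user: it should open read-only under RMS, and a file without the Department tag should still be plain.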

This was a long article. We have talked about data classification, folder usage and RMS encryption integration using File Management Tasks. With the above knowledge you can enforce and control data within your organization and massively improve data leak control.

In Part 4 we will talk about Dynamic Access Control and how to control access on the fly using Windows Server 2012 DAC.
