Security and compliance are two areas that have been significantly extended in Windows Server 2012. Dynamic Access Control now allows centralized control of access and auditing functions. BitLocker Drive Encryption has been enhanced to make it easier to deploy, manage, and use. And implementing Domain Name System Security Extensions (DNSSEC) to safeguard name resolution traffic can now be performed using either user interface (UI) wizards or PowerShell. This concluding section covers these new features and enhancements.
Controlling access and ensuring compliance are essential components of IT systems in today’s business environment. Windows Server 2012 includes enhancements that provide improved authorization for file servers to control and audit who is able to access data on them. These enhancements are described under the umbrella name of Dynamic Access Control and enable automatic and manual classification of files, central access policies for controlling access to files, central audit policies for identifying who accessed files, and the application of Rights Management Services (RMS) protection to safeguard sensitive information.
Dynamic Access Control is enabled in Windows Server 2012 through the following new features:
- A new authorization and audit engine that supports central policies and can process conditional expressions
- A redesigned Advanced Security Settings Editor that simplifies configuration of auditing and determination of effective access
- Kerberos authentication support for user and device claims
- Enhancements to the File Classification Infrastructure (FCI) introduced previously in Windows Server 2008 R2
- RMS extensibility to allow partners to provide solutions for applying Windows Server–based RMS to non-Microsoft file types
Implementing Dynamic Access Control in your environment requires careful planning and a number of steps that include configuring Active Directory, setting up a file classification scheme, and more.
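The PowerShell route the section mentions, as an added example that is not from the book: it creates the Active Directory building blocks that Dynamic Access Control's conditional expressions and central policies rest on (a user claim, a resource property, a central access rule, and the policy that carries it). The claim ID, the "Finance" value, the rule and policy names, and the SDDL conditional ACE syntax are assumptions chosen for illustration.

```powershell
# Added example, not from the book. Requires the ActiveDirectory module
# (RSAT or a Windows Server 2012 domain controller) and rights to write
# to CN=Claims Configuration in the configuration partition.
Import-Module ActiveDirectory

# 1. User claim: the KDC will put the "department" attribute of the user
#    into the Kerberos ticket as a claim. The -ID value is an assumption;
#    it is the name the claim is referred to by in conditional expressions.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -Enabled $true

# 2. Resource property: the built-in "Department" property (ID Department_MS)
#    is disabled by default. FCI stamps its value onto files and folders,
#    and it must be in the global list before file servers see it.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members "Department_MS"

# 3. Central access rule: a resource condition selects the files it
#    governs, and the ACL carries a conditional ACE (XA) that grants
#    read/execute (0x1200a9) to Authenticated Users only when the user's
#    Department claim matches. Owner, Administrators and SYSTEM keep full
#    access so the rule cannot lock administrators out.
$condition = '(@RESOURCE.Department_MS == "Finance")'
$acl = 'O:SYG:SYD:AR' +
       '(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
       '(XA;;0x1200a9;;;AU;(@USER.ad://ext/Department == "Finance"))'
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition $condition -CurrentAcl $acl

# 4. Central access policy: the unit that Group Policy pushes to file
#    servers and that administrators then apply on a folder's
#    Central Policy tab.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" `
    -Members "Finance Documents Rule"

# Verify what was created before touching Group Policy.
Get-ADClaimType -Filter 'DisplayName -eq "Department"' |
    Select-Object DisplayName, ID, Enabled
Get-ADCentralAccessPolicy -Identity "Finance Policy" |
    Select-Object Name, Members
```

Two steps remain outside this script: the "KDC support for claims" and "Central Access Policy Configuration" Group Policy settings must be enabled for domain controllers and file servers respectively, and the policy is then selected on the folder.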
Just to give you a taste, however, let’s look briefly at the redesigned Advanced Security Settings Editor that simplifies the configuration of auditing and determination of effective access.
As in previous versions of Windows, the advanced permissions for a file or folder can be opened from the Security tab of the Properties dialog box for the file or folder. As you can see here, the Permissions tab of the Advanced Security Settings Editor in Windows Server 2012 and Windows 8 looks fairly similar to the one in previous versions of Windows:
However, the Effective Permissions tab of the Advanced Security Settings Editor in earlier versions of Windows has been replaced with a tab named Effective Access, which lets you choose not only the user or group being used for accessing the file or folder, but also the device:
The Auditing tab of the Advanced Security Settings Editor in earlier versions of Windows has been completely redesigned and now allows you to add auditing entries that can include conditions to limit their scope:
For more information on these user interface improvements, see the following sidebar.
New Effective Access user interface
Windows Server 2012 provides an improved way for administrators to help resolve authorization problems. The new Advanced Security Settings Editor provides a new Effective Access tab that shows simulated access results of a user, computer, or group against targeted resources like a file or folder. The newly designed Effective Access tab provides substantial improvements over its predecessor, the Effective Permissions tab, in the following ways:
- Simulates access accurately, both locally and remotely
- Evaluates conditional permission entries, Share permissions, and Central Access Policies
- Enables administrators to insert user and device claims before evaluating access
- Enables administrators to delegate troubleshooting of access issues
The Advanced Security Settings Editor remotely tells a file server to simulate a logon of the selected user and device, inserts additional user and device claims into the evaluation, and gathers permissions from the file system, the share, and Central Access Policies.
The Effective Access tab represents the easiest way to diagnose problems with users accessing files and folders on Windows Server 2012 file servers. Use the results from the Effective Access tab to determine which aspect of access control to troubleshoot next.
Typically, the Effective Access tab identifies possible problems with red X’s in the Access Limited By column.
The Effective Access dialog box’s Access Limited By column for file system resources can show Share, File Permissions, and the names of any Central Access Policy that applies to the file or folder on the file server. The Access Limited By column indicates the point of access control that Windows perceives is responsible for limiting access to files or folders.
The Effective Access tab lists all points of access control that limit the specified permission for the designated security principal (and, optionally, device). Therefore, each entry in the Access Limited By column can show one or more limitations. Each limitation listed either specifically limits the security principal’s access or does not provide access to the security principal.
For example, a security principal is implicitly denied access when none of the points of access control provides access. In this scenario, the Effective Access tab shows limitations for all points of access control (Share, File Permissions, and Central Access Policies applied to the folder). Each point of access control then requires investigation to ensure that it allows the security principal the designated access.
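As an added example that is not from the book, the following script gathers, on the file server itself, the entries at two of the points of access control the Effective Access tab evaluates (the share ACL and the NTFS ACL) for one principal and the groups it belongs to, so that a red X in the Access Limited By column can be traced to a concrete entry. The share name, folder path and account are placeholders; the SmbShare and ActiveDirectory modules are assumed to be present.

```powershell
# Added example, not from the book. Run on the Windows Server 2012 file
# server as an administrator. All three parameter values are placeholders.
param(
    [string]$Share = "FinanceDocs",            # assumed share name
    [string]$Path  = "D:\Shares\FinanceDocs",  # assumed local folder path
    [string]$User  = "CONTOSO\alice"           # assumed security principal
)
Import-Module SmbShare, ActiveDirectory

# An ACE applies to the user directly or through a group, so build the list
# of identities to match. Get-ADPrincipalGroupMembership returns direct
# memberships only; nested groups would need a recursive lookup.
$domain = (Get-ADDomain).NetBIOSName
$sam = $User.Split('\')[-1]
$identities = @($User) + (Get-ADPrincipalGroupMembership -Identity $sam |
    ForEach-Object { "$domain\$($_.SamAccountName)" })
$identities += 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Point of access control 1: the share. Share and NTFS permissions combine
# to the more restrictive result, so a Read-only share entry limits access
# even when NTFS grants Modify.
Get-SmbShareAccess -Name $Share |
    Where-Object { $identities -contains $_.AccountName } |
    Select-Object @{ n = 'Point'; e = { 'Share' } },
                  AccountName, AccessControlType, AccessRight

# Point of access control 2: NTFS permissions on the folder.
$acl = Get-Acl -Path $Path
$acl.Access |
    Where-Object { $identities -contains $_.IdentityReference.Value } |
    Select-Object @{ n = 'Point'; e = { 'File Permissions' } },
                  @{ n = 'AccountName'; e = { $_.IdentityReference.Value } },
                  AccessControlType, FileSystemRights, IsInherited

# Conditional (claims-based) entries are the XA ACEs in the SDDL string;
# the .Access collection does not show their conditions, so flag them and
# use the Effective Access tab, which can inject the user's claims.
if ($acl.Sddl -match '\(XA;') {
    "Conditional ACEs present on $Path; verify the user's claims."
}

# Point of access control 3, Central Access Policies, is evaluated only by
# the server's authorization engine; the tab reports it by policy name.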