Identifying File and Folder Owners for Dynamic Access Control

Microsoft is preparing to release Windows Server 2012, and among the hundreds of updates and new features in this release, one stands out as a potential game-changing technology: Dynamic Access Control (DAC).

DAC centralizes file system access decisions by introducing claims-based security that is applied to the specified files or folders when they are accessed. In other words, when a user attempts to access a protected resource, the operating system evaluates expression-based policies before granting or denying access. The access expressions are written using claims, which can include properties of the user such as Department or Clearance Level, the type of device the user is using, and metadata tags that are present on the files and folders. For example, allow anyone from the Finance department to read FinancialProjections.xls.

For the IT admin, the Windows Server DAC setup is fairly straightforward, so beginning the process of centralizing file and folder access management doesn't take much effort. Unfortunately, configuring the Windows Server is only the beginning: this step only enables the security controls on the server. Protecting file and folder data does not actually begin to work until you identify and tag the data that needs to be protected. (Data tags were introduced in Windows Server 2008 and are now exposed in the user interface in Windows Server 2012.)

To identify data that needs to be protected, the IT administrator will need to work with data owners to define the business context that will be used to create the DAC access rules; this will certainly take some time. Finding the data owners can be tricky, because in the past security on file and folder shares was not granular enough to identify specific data owners. So before you can begin to implement a centralized policy, you will also need to identify the data owner.

NetWrix File Server Change Reporter – File Access Report

As a first step to identify data owners, you can start by looking at data access patterns using either Windows File Auditing or a third-party solution like NetWrix File Server Change Reporter. File access data will give you a sense of what data is actively being accessed and, more importantly, by whom. The users accessing the data can lead you to the data owner through a review of their business information, such as department or manager. Another option is to contact those individuals and ask them who is responsible for the data.
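The Windows File Auditing approach above, as an added example that is not part of the original post or any NetWrix product: the script summarizes Security log event 4663 (object access) per share folder so you can see which users touch which data and who touches it most. It assumes object-access auditing is enabled, the audited folders carry a SACL, and the share root is D:\Shares (all placeholders to adjust for your server).

```powershell
# Added example, not from the original post. Summarize file-access audit
# events (ID 4663) by folder and user to find candidate data owners.
# Assumes: auditing enabled, SACL on the share, $Root adjusted to your server.
param(
    [int]$Days = 30,
    [int]$Depth = 2,               # folder levels under $Root used for grouping
    [string]$Root = 'D:\Shares'    # assumed share root (placeholder)
)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the EventData XML by field name instead of positional Properties
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $path = $d['ObjectName']
    if (-not $path) { continue }
    if (-not $path.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    # Collapse the full path to the first $Depth folder levels under $Root
    $rel   = $path.Substring($Root.Length).TrimStart('\')
    $group = (($rel -split '\\') | Select-Object -First $Depth) -join '\'

    [pscustomobject]@{
        Folder = if ($group) { Join-Path $Root $group } else { $Root }
        User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Time   = $e.TimeCreated
    }
}

# Per folder: total accesses, distinct users, most frequent user, last access
$rows | Group-Object Folder | ForEach-Object {
    $top = $_.Group | Group-Object User | Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        Folder      = $_.Name
        Accesses    = $_.Count
        Users       = @($_.Group.User | Sort-Object -Unique).Count
        TopUser     = $top.Name
        TopUserHits = $top.Count
        LastAccess  = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Accesses -Descending | Format-Table -AutoSize
```

The TopUser column is a lead, not an answer: cross-check that account's department or manager in AD before treating them as the owner, since service accounts and backup jobs also generate 4663 events.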