Hello all, we just published a new post for Dynamic Access Control on the Windows Server Blog:
Here’s an excerpt:
These focus areas were then translated to a set of Windows capabilities that enable data compliance in partner and Windows-based solutions.
- Add the ability to configure Central Access and Audit Policies in Active Directory. These policies are based on conditional expressions that take into account the following so that organizations can translate business requirements to efficient policy enforcement and considerably reduce the number of security groups needed for access control:
  - Who the user is
  - What device they are using, and
  - What data is being accessed
- Integrate claims into Windows authentication (Kerberos) so that users and devices can be described not only by the security groups they belong to, but also by claims such as: “User is from the Finance department” and “User’s security clearance is High”
- Enhance the File Classification Infrastructure to allow business owners and users to identify (tag) their data so that IT administrators are able to target policies based on this tagging. This ability works in parallel with the ability of the File Classification Infrastructure to automatically classify files based on content or any other characteristics
- Integrate Rights Management Services to automatically protect (encrypt) sensitive information on servers so that even when the information leaves the server, it is still protected.
If you are looking for more depth and “how it works”, check out the whitepaper published by Mike Stephens: Understand and Troubleshoot Dynamic Access Control in Windows Server “8” Beta.
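The excerpt's conditional expressions combine who the user is, what device they use and how the data is tagged. The following is an added conceptual model in Python, not code from the blog post or from Windows. The claim and property names (`Department`, `Clearance`, `Managed`, `Sensitivity`), the rule itself and the deny-on-missing-claim behaviour are assumptions made for illustration.

```python
# Conceptual model only: this is not Windows code. Claim and property names
# (Department, Clearance, Managed, Sensitivity) are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, Mapping

Claims = Mapping[str, object]
LEVELS = {"Low": 1, "Medium": 2, "High": 3}  # ordered clearance / sensitivity values


@dataclass(frozen=True)
class CentralAccessRule:
    name: str
    applies_to: Callable[[Claims], bool]                 # which tagged data the rule targets
    condition: Callable[[Claims, Claims, Claims], bool]  # (user, device, resource) -> bool


def _level(claims: Claims, key: str) -> int:
    # Raises KeyError when the claim is missing or its value is not a known level.
    return LEVELS[claims[key]]


def finance_condition(user: Claims, device: Claims, resource: Claims) -> bool:
    # One expression covers every department/clearance combination that would
    # otherwise need its own security group.
    return (user["Department"] == resource["Department"]
            and _level(user, "Clearance") >= _level(resource, "Sensitivity")
            and device["Managed"] is True)


FINANCE_RULE = CentralAccessRule(
    name="Finance documents",
    applies_to=lambda res: res.get("Department") == "Finance",
    condition=finance_condition,
)


def evaluate(rule: CentralAccessRule, user: Claims, device: Claims, resource: Claims) -> str:
    """Return 'not-applicable', 'allow' or 'deny' for one access request."""
    if not rule.applies_to(resource):
        return "not-applicable"  # data without the targeted tag is outside this rule
    try:
        granted = rule.condition(user, device, resource)
    except KeyError:
        granted = False          # a missing claim never satisfies the condition
    return "allow" if granted else "deny"
```

The `not-applicable` result shows why the classification step matters: a file that was never tagged is not covered by the rule at all.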