File Classification Infrastructure, or FCI, is a new tool included with Windows Server 2008 R2 to help better manage all of the data stored on file servers throughout the enterprise. Using a system that tags files, keeps those tags attached to files as they are used, and then uses those tags to manage the files, FCI creates a powerful infrastructure for fine-grained file management and security. Best of all, it comes free with all editions of Windows Sever 2008 R2.
Installing FCI on Server 2008
Although FCI comes with all versions of Server 2008 R2, it is not installed by default in line with Microsoft’s strategy of installing only the necessary services and roles on each server based upon its functionality within the network. FCI is installed as a component of the File Services role, and implemented via the File Server Resource Manager console. Once installed, FCI is at once deceptively easy to use, and at the same time, infinitely complex in its possibilities.
The first step in using File Classification Infrastructure is to define what the tags are. There are no default tags or tagging systems, because FCI is designed to be custom tailored to a particular business environment. One need only think about the difference between what confidential or secret mean to a chain of dry cleaners, versus what they mean to a defense contractor to see why defaults would not be particularly useful in this case.
Tagging files is done by “classifying” them. FCI classification is a two-step process. The first step is to define the classifications. The second step is to apply the classifications to files.
Defining classifications is done within FSRM under Classification Management. Under Classification Management, is Classification Properties, where one creates the classification structure. Here the rules are defined that determine whether or not a file is classified as a particular kind of data. For example, a file might be classified as “confidential” if is stored in the “Confidential” directory of the Legal Department’s file server area. Obviously, more complex criteria are possible. A file might be classified as internal financial data if it is created by a member of the Accounting group, during the first week of the month, and the file name contains the words “monthly report.”
FCI supports classifications based upon date and time, numbers, multiple choice lists, ordered lists, strings, multiple strings, or Boolean criteria. There is no need to stick with generalized classifications like Confidential, Secret, or Internal Use Only, although these can be set as high-level classifications. The real power of FCI comes from more granular classifications, such as classifying all Excel spreadsheets, stored in the project folder “New Products”, created between January and March of 2009, that contain the words “projected internal costs”, as Internal Prototyping Projections.
Using FCI To Improve Security and Better Manage Data
Defining the classifications doesn’t actually do anything. No files are tagged just by defining the components of a classification. In order to do anything with these classifications, the real files must be tagged. Doing so requires creating Classification Rules.
To create a classification rule, one first defines a name and a scope for the rule in the Rule Settings tab. The name is what the tag attached to the file will be called. The scope defines which files to evaluate to determine if they are assigned that classification. The actual rules for classifying files are done in the Classification Tab. Classifying can be done by simply evaluating whether or not a file is within a certain folder (Remember the tag follows the file as it is moved and copied.). It can also be done by checking for certain words or phrases within the documents themselves. Powerful classification can be done using the PowerShell classifier. This limits your ability to evaluate files only by your ability to write a PowerShell script to do what you want.
An analogy can help make the process a little clearer.
Classifications Properties are the things that matter for determining speed limits. For example, how close is the road to a school, is the road an Interstate, is the road two-lanes, three-lanes, four-lanes, etc. Notice that these are just the properties that CAN be evaluated; there is no structure here for how a road is assigned a particular speed limit, only what properties will need to be examined in order to assign a speed.
Classification Rules are like the actual criteria that determines which speed limit a road gets. For example, roads within 100 feet of a school should be classified as 20 MPH roads. At this point, all you have is rules in the city planner’s office. In order to actually implement the speed limits, the possible criteria need to be evaluated against the rules.
At this point, you can actually apply the rules to the roads. Doing so requires choosing which roads to evaluate against which criteria (scope). Based on that evaluation, you can actually “tag” the roads by putting up speed limit signs that say 20 MPH (name).
Finally, the files are classified. However, nothing has actually been done based on those classifications.
To actually DO SOMETHING with all these tagged files, the administrator has several choices. First, both file management and reporting based on the classification tabs are available in FSRM. These tools can be used to move, copy, rename, or delete files, as well as setting more traditional file properties. Just as important, reports can be generated to alert administrators or managers that files tagged as Sensitive or Confidential are residing in insecure locations. Using just these two tools can resolve a lot of headaches, as well as create better processes. No doubt the first time that guy in accounting gets asked why he is saving proprietary budget documents to a public share, he won’t even know he was doing that. (“We’ve always saved them to the G Drive.”)
However, even more powerful management can be achieved using PowerShell. Once classified, the FCI system can be used inside PowerShell scripts in order to perform complex tasks or create additional reporting or alert levels.
Creating an entire file classification system from scratch is a daunting prospect. However, building some basic rules to generate reports is a good starting place. From there, needs and concerns will arise that can be easily solved by using the FCI system. Eventually, a file classification as robust and as well-defined as your Active Directory structure will emerge. After all, you didn’t start out the first day of the Active Directory implementation by creating all the objects you have today.
No comments:
Post a Comment