
Automate data classification with new features in Windows Server 2008 R2

In Windows Server 2008 R2, Microsoft has added new features that automate file classification. The File Classification Infrastructure makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information.

Microsoft has added many features to Windows Server 2008 R2, and once you install the roles and features to add these modular goodies to your implementation, there are many impressive new things you can do. In this post, I am going to look at a new feature that works for Windows Server 2008 R2 File Servers called File Classification Infrastructure.

To use the classification features, you will need to install the File Server Role and the File Server Resource Manager feature(s) associated with it. To install the File Server Role, complete the following steps:

  1. Open the Server Manager.
  2. Scroll down to section 3, Customize This Server.
  3. Click Add Roles to add server roles.
  4. Select the File Services Role and complete the roles wizard.

Once the needed roles are installed, the File Server Resource Manager (FSRM) console can be launched by selecting it from the Administrative Tools group or by entering fsrm.msc in the search box on the Start menu.

Why classify data?

Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed.

The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information.

Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post.

For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the expiration of a set of files is changed, which can take unnecessary time; using a label as a classification property is the recommended practice.

To expire files, consider moving the files that meet a set of conditions, such as a last modified date more than 30 days in the past, to a different folder that an administrator can clean up manually at his or her leisure. Alternatively, you can create another rule, using a script, that purges files on a schedule chosen by the administrator or IT staff.
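One way to script the staged move described above, as an added example that is not from the original post. The folder paths, the `-Commit` switch and the CSV log are assumptions; only cmdlets available in PowerShell 2.0, which ships with Windows Server 2008 R2, are used.

```powershell
# Added example: stage files older than a threshold for manual cleanup.
# $Source, $Staging and the 30-day default are assumptions for illustration.
param(
    [string]$Source   = 'D:\Shares\HR\Litigation',       # hypothetical path
    [string]$Staging  = 'D:\Shares\HR\_ExpiredStaging',  # hypothetical path
    [int]$MaxAgeDays  = 30,
    [switch]$Commit                                       # without -Commit nothing is moved
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$root   = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
$log    = Join-Path $Staging ('expiry-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

if (-not (Test-Path -LiteralPath $Staging)) {
    New-Item -ItemType Directory -Path $Staging | Out-Null
}

$results = Get-ChildItem -Path $root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        # Keep the path relative to the source so files from different
        # case folders with the same name do not collide in staging.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\')
        $target   = Join-Path $Staging $relative
        $status   = 'WouldMove'
        if (Test-Path -LiteralPath $target) {
            $status = 'SkippedTargetExists'      # never overwrite staged evidence
        } elseif ($Commit) {
            $targetDir = Split-Path -Parent $target
            if (-not (Test-Path -LiteralPath $targetDir)) {
                New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
            }
            Move-Item -LiteralPath $_.FullName -Destination $target
            $status = 'Moved'
        }
        # One audit record per candidate file, whether or not it was moved.
        New-Object PSObject -Property @{
            File = $_.FullName; Target = $target
            LastWriteTime = $_.LastWriteTime; Status = $status
        }
    }

# Write the audit trail only when there was something to report.
if ($results) { $results | Export-Csv -Path $log -NoTypeInformation }
```

Run it without `-Commit` first and review the CSV before allowing any moves. A move within a single NTFS volume keeps each file's existing permissions, so restrict access to the staging folder explicitly rather than relying on inheritance.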

In a future post, I will dig into the creation of these properties and policies further to provide a hands-on look at how granular the settings can be. This post is intended to be a high-level overview of the new feature.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

7 comments
data classification

This blog has given a lot of information on data classification which is needed by all.

sawaddell

Still not sure what the full benefit of this is over the standard file/directory permissions that exist today. Aside from being able to expire documents, what other tangible benefits are there to justify moving towards 2008 (at least as far as file classification is concerned)?

Derek Schauland

With the vast amounts of data available in today's organizations classification of data could prove to be very useful. Is this a feature you would consider taking advantage of in your organization?

Derek Schauland

This feature has quite a few benefits; the biggest is to more appropriately organize data. For Office files, the metadata applied by this technology is recorded right in the file and will stay with the file whenever it is moved. This can help keep documents of the same type together. Also, being able to classify a set of files based on assigned metadata automatically can be useful for litigation procedures or auditing. There are many possibilities with File Classification Infrastructure, and surely new features or API/IFilter add-ins will be created by third parties and Microsoft. The power comes from classifying existing documents and files, which can help you better organize and protect your information.

don.schettler

File classification seems like a natural extension of current folder security. In your article it has reference to one person being able to read, another being able to change and another with full access. Where and how are those permissions set so the documents in that folder know who is who? Is that something that is added to the user's profile in Active Directory? And how does it change if there are different permissions for different folders?

Jesus Bolivar

This feature sounds great; it would be really helpful in our organization. I will read more to see if it's good enough to upgrade our file server to 2008.

Derek Schauland

The ability to add/modify FCI classification properties comes from NTFS. The read/edit/remove portion of the article relates to the files/folders themselves not the classification properties. Rules can be created to assign properties to files, then actions can be taken on files with specific properties assigned. In the example, the litigation folder could be populated with all documents tagged with the legal property. Then another rule could be used to expire documents within the litigation folder after 30 years or some other time period. The FCI properties and rules would be configured by IT Admins based on business need. Does that clear up the read/edit issue?
