Although many of us will undoubtedly roll our eyes when we hear that the mighty MS is thinking about security (don't laugh. DON'T LAUGH!!), the whole idea of DAC certainly seems to be an interesting step in the right direction.
Although we haven't played with it much on our Win 2008 servers yet, the 2012 iteration of DAC does concern me on a number of levels. A few questions drifting through my mind are:
1) Will this work without ReFS?
2) What's the overhead on performance for running such a service over a WAN, MPLS, VPN or other site-to-site link where limited bandwidth to the server may already slow the retrieval/opening operations on a file? (Yes, yes. I know VDI would help solve that, but our business isn't ready to deploy that tech yet. We have enough trouble with Citrix MetaFrame and ESX 2.5!)
3) Will tagged files need to exist on the Win 2012 server? (cutting tech like NetApp filers and other NAS technologies out of the loop)
4) How tied to AD8 is the new DAC? Will you need 2012 Native mode, for instance, or can the new DAC attributes be added to earlier AD implementations?
5) How will DAC affect the world of permissions elevation attacks? Could certain 'tag manipulation' attacks grant unauthorised users access to sensitive files with less of a fingerprint to detect than more normal elevation of privilege attacks?
There are more, small, questions but the biggest one is:
6) How much of an admin overhead will administering this system be?
It seems to me that administering the tags could be fairly simple once you have your tagging rules set up, as long as you don't have too many complexities in departmental data sharing to deal with. But given that most businesses at the moment have an element of mix-'n'-match about departmental responsibilities, required access to data may not be straightforward and may require a lot of tag planning. For dynamic companies who reconfigure often to meet short/medium term goals, such a system may be unworkable. And how do you troubleshoot access rights quickly when DAC or file system permissions could be the issue? Will we now need to know PowerShell really well to work this thing correctly?
I could go on, but I won't, as many of my questions are founded in a lack of knowledge about DAC. What I will say is that many companies (particularly the smaller ones) don't effectively deploy security because of the complexities and overheads involved in such an endeavour. Any security features MS bring out must always keep in mind that simplicity can increase take-up and besides, these days we all have 1001 responsibilities as IT techs already. Time for design and admin is short.
Here's hoping DAC has already kept that in mind, because I think it could be very useful indeed (ironically in keeping file permission administration to a minimum, once it's set up correctly that is).