As with auditing, file classification isn’t new to Windows Server
but has been enhanced in Server 2012. File classification adds to a server
administrator’s arsenal of management tools with powerful content classification rules.
With a classification rule, you can, for instance, automatically
search against a specified set of files to look for the string “Company
Confidential.” If the string is found in a file, you can set that file’s
classification to High.
You can also use classification rules to detect sensitive data, such
as documents containing Social Security numbers or patient healthcare
information.
To deploy automatic file classification, first you need to create
resource property definitions. From a domain controller, launch the ADAC.
Click Dynamic Access Control, and then Resource Properties. Right-click a
property (for instance, Impact), select Enable, and then enable the
Personally Identifiable Information resource property.
Next, you create a Content Classification Rule. You do so on the
file server with data you want to classify. From the server, as an
administrator, run the following command in PowerShell:
Update-FsrmClassificationPropertyDefinition
This command syncs the property definitions enabled in the DC to
file servers. Next, follow these steps:
- Launch File Server Resource Manager and expand Classification
  Management, right-click Classification Rules, and click Configure
  Classification Schedule. Check “Enable fixed schedule” and “Allow
  continuous classification for new files.” Select the day you want to
  run the rule and click OK.
- Right-click Classification Rules and select Create
  Classification Rule. Name your rule Company Confidential.
- In the Scope tab, click Add and select the folders to be
  included in the rule. In the Classification tab, configure the
  following:
  - “Choose a method to assign a property to files” equals
    Content Classifier.
  - “Choose a property to assign to files” equals Impact.
  - “Specify a value” equals High.
- Next, click the Configure button under Parameters. In Expression
  Type, select String. Under Expression, type in Company Confidential.
  You can opt to make the string case-sensitive from the Expression
  Type drop-down list. Click OK.
- In the Evaluation Type tab, check “Re-evaluate existing property
  values” and select “Overwrite the existing values” when a conflict
  occurs between new and existing values. Click OK.
We now have a new classification rule set against a selected folder
that looks for the string “Company Confidential” within documents in that
folder. (See Figure 1.)
To verify that files are classified correctly, click Classification
Management from the File Server Resource Manager. Right-click Classification
Rules and then click “Run Classification with All Rules Now.”
This runs the Automatic Classification Report to check for
classification rules you’ve established.
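The same procedure can be scripted with the FileServerResourceManager PowerShell module, which helps when the rule has to be applied identically on several file servers. This is an added example, not part of the original article; the folder path, the schedule time and day, and the 600-second wait are assumed values.

```powershell
# Added example: scripted equivalent of the FSRM console steps above.
# Assumed values (not from the article): $folder, the schedule, the timeout.
Import-Module FileServerResourceManager

$folder = 'D:\Shares\Finance'   # assumed folder to classify

# Sync the resource properties enabled in ADAC down to this file server.
Update-FsrmClassificationPropertyDefinition

# Rules reference internal names, so resolve them from the display names
# used in the console ("Impact" and "High").
$impact = Get-FsrmClassificationPropertyDefinition |
    Where-Object { $_.DisplayName -eq 'Impact' }
if (-not $impact) {
    throw 'Impact is not enabled in ADAC or has not synced to this server.'
}
$high = $impact.PossibleValue |
    Where-Object { $_.DisplayName -eq 'High' -or $_.Name -eq 'High' }
if (-not $high) {
    throw 'The Impact property has no value named High.'
}

# "Enable fixed schedule" plus "Allow continuous classification for new files".
$task = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
Set-FsrmClassification -Schedule $task -Continuous

# Content rule: a file containing the string gets Impact = High, and an
# existing value is overwritten on conflict. Skipped if the rule exists.
$ruleName = 'Company Confidential'
if (-not (Get-FsrmClassificationRule -Name $ruleName -ErrorAction SilentlyContinue)) {
    New-FsrmClassificationRule -Name $ruleName `
        -Namespace @($folder) `
        -ClassificationMechanism 'Content Classifier' `
        -Property $impact.Name `
        -PropertyValue $high.Name `
        -ContentString @('Company Confidential') `
        -ReevaluateProperty Overwrite
}

# Equivalent of "Run Classification with All Rules Now": start the job,
# wait for it to finish, then show the classification status.
Start-FsrmClassification
Wait-FsrmClassification -Timeout 600
Get-FsrmClassification
```

Because the rule overwrites existing Impact values, point `$folder` at a test share first and review the resulting report before widening the scope.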