File Classification Infrastructure

Overview

Windows file servers contain a varied mass of unstructured data, some of which might be business critical, and some old, duplicated, stale and unwanted. The problem is that the data is often mixed up and stored in unwieldy folder hierarchies that evolved over time, so file management becomes an almost impossible task. We traditionally tried to group data into folders according to its purpose and level of sensitivity, but you can't rely on users to store documents in the right places so that security can be set appropriately.

The File Classification Infrastructure (FCI) is intended to help you manage data better. It binds the classification metadata directly to a file, so the classification remains in place if the file is moved around. Microsoft provides a Data Classification Toolkit to help you develop a file classification policy, and report on how the policy is working.

Setting up File Classification Infrastructure

Setting up FCI is explained as a 4 step process, first using the File Server Resource Manager (FSRM) GUI, then with PowerShell cmdlets. You can use either option, depending on your preference.

This topic explains how to enable resource properties in Active Directory, create classification rules on the file server, and then assign values to the resource properties for files on the file server. For this example, the following classification rules are created:
    A content classification rule that searches a set of files for the string 'Company Confidential'. If the string is found in a file, the Impact resource property is set to High on the file.
    A content classification rule that searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.

USING THE GUI

FCI uses some of the Dynamic Access Control properties in Active Directory, so these need to be enabled first.

  1. To enable resource property definitions:
    Sign in to the domain controller server as a member of the Domain Admins security group.
    Open the Active Directory Administrative Center.
    In Server Manager, select 'Tools', then 'Active Directory Administrative Center'.
    Expand Dynamic Access Control, then select 'Resource Properties'
    Right-click 'Impact', and then click 'Enable'
    Right-click 'Personally Identifiable Information' then click 'Enable'

  2. Go to 'Administrative Tools' on the Start menu, then open the 'File Server Resource Manager' console and expand 'Classification Management'.
    From Classification Management you can set things like 'Classification Properties', 'Classification Rules' and a 'Classification Schedule'. Here, we are going to set a 'String Content Classification Rule'. This will scan files for a string 'Company Confidential', and if the string is found, then the value of a resource property will be configured so that the file is classified as having high business impact. To do this:

    Right-click 'Classification Rules' on the 'Classification Management' page, and then click 'Create Classification Rule'.
    Now give the rule a name by typing it into the 'Rule Name' box on the 'General' tab. Let's call the rule 'Company Confidential'.
    Now click 'Add' on the 'Scope' tab, and pick out which folders you want for these confidential documents.
    Now go to the 'Classification' tab and ...
      In the 'Choose a Method to Assign a Property to Files' box, select 'Content Classifier'.
      In the 'Choose a Property to Assign to Files' box, click 'Impact'.
      In the 'Specify a Value' box, pick 'High'.
    Under the 'Parameters' heading, click 'Configure'.
    In the 'Expression Type' column, select 'String'.
    In the 'Expression' column, type 'Company Confidential', and then click OK.
    On the 'Evaluation Type' tab, select the 'Re-evaluate Existing Property Values' check box, click 'Overwrite the Existing Value', and then click OK.

  3. Create a regular expression content classification rule
    A regular expression classification rule scans a file for a pattern that matches the regular expression. If a string that matches the regular expression is found, the value of a resource property can be configured. In this example, we will scan each file on a network shared folder and look for a string that matches the pattern of a UK National Insurance number. If the pattern is found 5 times or more in a file then the associated file is classified as having personally identifiable information.
    Open 'File Server Resource Manager'.
    Right-click 'Classification Rules', and then click 'Create Classification Rule'.
    On the 'General' tab, in the 'Rule name' box, type a name for the classification rule, such as 'NI Rule'.
    On the 'Scope' tab, click 'Add', and then pick out which folders you want for these confidential documents.
    Now go to the 'Classification' tab and ...
      In the 'Choose a Method to Assign a Property to Files' box, ensure that 'Content Classifier' is selected.
      In the 'Choose a Property to Assign to Files' box, click 'Personally Identifiable Information'.
      In the 'Specify a Value' box, click 'High'.
    Under the 'Parameters' heading, click 'Configure'.
    In the 'Expression Type' column, select 'Regular Expression'.
    In the 'Expression' column, type '^(G[ACEGHJ-NPR-TW-Z]|B[A-CEHJ-NPR-TW-Z]|N[A-CEGHJL-NPR-SW-Z]|K[A-CEGHJ-MPR-TW-Z]|T[A-CEGHJ-MPR-TW-Z]|Z[A-CEGHJ-NPR-TW-Y])[0-9]{6}[A-DFM]{0,1}$' (you should check that this regex is still valid, as HMRC tend to change the NI format from time to time; if you are not in the UK, pick a pattern that is relevant to your country).
    In the 'Minimum Occurrences' column, type 5, and then click OK.
    On the 'Evaluation Type' tab, select the 'Re-evaluate Existing Property Values' check box, click 'Overwrite the Existing Value', and then click OK.

  4. Now, run the Classification rule, then check to make sure that the process worked
    Click 'Classification Management', right-click 'Classification Rules', and then click 'Run Classification With All Rules Now'.
    Click the 'Wait for Classification to Complete' option, and then click 'OK'.
    Navigate to one of the folders that you picked out in the classification rules, right-click a file in that folder, and then click 'Properties'.
    Check out the 'Classification' tab, and you should see that the file is classified correctly.

USING POWERSHELL

The commands below produce the same result as running through the GUI, so refer to the GUI explanations above to see what each command is doing. The paragraph numbers match. You will need to substitute your own file paths. Open an elevated PowerShell command prompt and enter the following commands.

  1. Set-ADResourceProperty -Enabled:$true -Identity 'CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=Company,DC=com'
    Set-ADResourceProperty -Enabled:$true -Identity 'CN=NI_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=Company,DC=com'

  2. Update-FsrmClassificationPropertyDefinition
    $date = Get-Date
    $AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5, 1, 6, 0) -RunDuration 0; $AutomaticClassificationScheduledTask
    Set-FsrmClassification -Continuous -schedule $AutomaticClassificationScheduledTask
    New-FSRMClassificationRule -Name 'Company Confidential' -Property "Impact_MS" -PropertyValue "3000" -Namespace @('F:\Projects') -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Company Confidential") -ReevaluateProperty Overwrite

  3. Update-FsrmClassificationPropertyDefinition
    New-FSRMClassificationRule -Name "NI Rule" -Property "NI_MS" -PropertyValue "5000" -Namespace @('F:\Personel') -ClassificationMechanism "Content Classifier" -Parameters @("RegularExpressionEx=Min=10;Expr=^(G[ACEGHJ-NPR-TW-Z]|B[A-CEHJ-NPR-TW-Z]|N[A-CEGHJL-NPR-SW-Z]|K[A-CEGHJ-MPR-TW-Z]|T[A-CEGHJ-MPR-TW-Z]|Z[A-CEGHJ-NPR-TW-Y])[0-9]{6}[A-DFM]{0,1}$") -ReevaluateProperty Overwrite

  4. Start-FSRMClassification -RunDuration 0 -Confirm:$false


    Now navigate to one of the folders that you picked out in the classification rules, right-click a file in that folder, and then click 'Properties'.
    Check out the 'Classification' tab, and you should see that the file is classified correctly.
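The two things a practitioner wants after step 4 are a quick test that the NI regular expression still matches what it is supposed to (the article tells you to check it) and a scripted read-back of the classification that FSRM actually persisted on the files, instead of opening the Properties dialog one file at a time. The script below is an added example, not code from the original article or from Microsoft. The sample NI strings and the folder path are constructed; the expected match results follow from the regular expression exactly as it is written above. Reading a file's stored properties through the Fsrm.FsrmClassificationManager COM object and its EnumFileProperties method is an assumption about the FSRM API that the article itself does not use.

```powershell
# Added example (not from the original article): post-run checks for the FCI setup above.
# Run on the file server in an elevated PowerShell session, after Start-FSRMClassification.

# 1. Self-test the NI regular expression from the article against constructed strings.
#    Keep this test set with the rule and re-run it whenever HMRC changes the format.
$NiPattern = '^(G[ACEGHJ-NPR-TW-Z]|B[A-CEHJ-NPR-TW-Z]|N[A-CEGHJL-NPR-SW-Z]|K[A-CEGHJ-MPR-TW-Z]|T[A-CEGHJ-MPR-TW-Z]|Z[A-CEGHJ-NPR-TW-Y])[0-9]{6}[A-DFM]{0,1}$'

$RegexSamples = @(
    @{ Text = 'BA123456C'; ShouldMatch = $true  },   # constructed: prefix BA is allowed
    @{ Text = 'NA123456';  ShouldMatch = $true  },   # constructed: the suffix letter is optional
    @{ Text = 'BG123456C'; ShouldMatch = $false },   # constructed: G is not allowed after B
    @{ Text = 'AB123456C'; ShouldMatch = $false },   # constructed: A is not a permitted first letter in this pattern
    @{ Text = 'ZA12345C';  ShouldMatch = $false }    # constructed: only five digits
)

foreach ($s in $RegexSamples) {
    $matched = $s.Text -cmatch $NiPattern            # -cmatch keeps the test case-sensitive
    $status  = if ($matched -eq $s.ShouldMatch) { 'PASS' } else { 'FAIL' }
    '{0} {1,-10} matched={2} expected={3}' -f $status, $s.Text, $matched, $s.ShouldMatch
}

# 2. Confirm the two resource properties are enabled in Active Directory
#    (same CNs as in step 1 of the PowerShell section).
foreach ($name in 'Impact_MS', 'NI_MS') {
    $rp = Get-ADResourceProperty -Filter "Name -eq '$name'"
    if ($null -eq $rp) { "MISSING resource property $name" }
    else { '{0,-10} Enabled={1}' -f $name, $rp.Enabled }
}

# 3. List the rules that exist, then read back what was persisted on each file
#    under one scope folder (constructed path; substitute one of your namespaces).
$Namespace = 'F:\Personel'
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue, ReevaluateProperty

# Assumption: the FSRM COM classification manager is available on the file server.
$cm = New-Object -ComObject Fsrm.FsrmClassificationManager
foreach ($file in Get-ChildItem -Path $Namespace -File -Recurse) {
    # Option 1 = NoRuleEvaluation: report the stored values without re-running the rules.
    $props  = $cm.EnumFileProperties($file.FullName, 1)
    $values = foreach ($p in $props) { '{0}={1}' -f $p.Name, $p.Value }
    if ($values) { '{0}: {1}' -f $file.FullName, ($values -join '; ') }
    else         { '{0}: no classification properties' -f $file.FullName }
}
```

Any FAIL line in part 1 means the pattern no longer encodes the format you think it does, and the Min count in the rule is then meaningless. Part 3 is also the place to spot files that should have been classified but were not, for example because they sit outside the rule's Scope folders or were written after the last scheduled run.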
