Windows Server 8 Gets Serious About Centralized Security
Trying to control file security on enterprise servers is like herding extremely fertile cats; without clamping down on breeding, they're soon too numerous to control. Microsoft (NSDQ:MSFT) addresses this problem with Dynamic Access Control, a feature in the forthcoming Windows Server 8 that introduces centralized, domain-level security for file and folder access that layers atop any existing file system permissions.
According to Microsoft, upwards of 80 percent of corporate data is found on company servers, often with little or no content documentation, custody auditing or departmental ownership metadata. "IT administrators don't actually know what data is on their servers," even though they might have set up the systems and allocated the storage, said Nir Ben-Zvi, a senior program manager at Microsoft, at a press event last week.
Delivered via a new version of Active Directory, Dynamic Access Control works by layering Kerberos security and an enhanced file-level auditing and authentication system that can automatically tag sensitive data based on content and creator. "Credit card numbers, for instance, can be identified and tagged as high-impact," Ben-Zvi said. Dynamic Access Control also introduces claims into the Windows Server security lexicon. The concept has long been present in the broader realm of federated Internet security, but in Microsoft parlance it refers to object assertions issued by Active Directory.