Exercise 5: Removing Anonymous Access to Confidential Files
In this lesson, you will configure the File Classification Infrastructure to find files that contain the word Confidential. Additionally, you will use File Management Tasks to remove anonymous access to the file.
Files that a company considers confidential need to be kept secure. However, it is very easy to mistakenly allow random or even anonymous users to access a file. It is common to require users to restrict access to such files, but this is a manual process that can be error-prone. The File Classification Infrastructure provides a simpler way to automate tasks like this.
Part 1: Removing Anonymous Access to Confidential Files
In FSRM, expand Classification Management and select Classification Properties:
- Click Create Property in the Actions pane.
This opens the Create Classification Property Definition dialog box.
- In the Property name text box, type the name Confidential for the property.
In the Property Type drop-down menu, select Yes/No from the list:
- Click OK to close the Create Classification Property Definition dialog.
In FSRM, expand Classification Management and select Classification Rules:
- Click Create a New Rule in the Actions pane.
This opens the Classification Rule Definitions dialog box.
- In the text box labeled Rule name, type Find Confidential as the name for the rule.
In the Scope section, click Add and select the following path:
C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data
- Select the Classification tab
- From the Classification mechanism dropdown select Content Classifier.
This classification mechanism uses the same mechanism that the Search Indexer uses to extract text from files and search for patterns.
- Select the value Confidential from the Property name dropdown
Select the value Yes from the Property value dropdown:
- Click the Advanced button to open the Additional Rule Parameters dialog.
- On the Additional Classification Parameters tab, add a new entry with the following values:
- Name: String
Value: Confidential
This configures the Content Classifier to search for the string “Confidential” regardless of the case of the string. Other parameter names the Content Classifier accepts are StringWithCase (for strings where the case is important) and RegularExpression (for standard .NET regular expressions).
- Click OK to close the Advanced dialog box.
- Click OK once more to close the Classification Rule Definitions dialog.
This rule will look for any files containing the word “Confidential” regardless of case and classify the file as “Confidential=Yes.”
- In FSRM, select File Management Tasks, and click Create File Management Task in the Actions pane.
This opens the Create File Management Task dialog box.
- In the Task name text box, enter Restrict confidential files for the new task.
Under Scope, add the following directory by using the Add button:
C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data
- From the Action tab, select Custom from the dropdown box labeled Type.
- Enter the following application path into the Executable text box:
c:\windows\system32\icacls.exe
- Enter [Source File Path] /remove:g Everyone into the Arguments text box.
These parameters will be passed to the command. These arguments cause icacls.exe to remove any granted access rights for the Everyone SID for the file. By altering these parameters, other ACLs can be set.
In the Command security section select Local System:
- Select the Condition tab.
- Click Add to create a new condition based on the file’s classification.
This will open the Property Condition dialog box, which allows you to select a property, an operator to perform on the property, and the value to compare the property against.
- Select the property Confidential from the Property dropdown
- Select the condition Equal from the Operator dropdown
Select the property value Yes from the Value dropdown
- Click OK
- Select the Schedule tab
- Click Create…, and then in the Schedule dialog box, click New.
This displays a default schedule set for 9:00 A.M. daily.
- Click OK
- Click OK
This File Management Task will find all files on “C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data” that had the Confidential classification property set to Yes by the Content Classifier looking for the word Confidential. For these files, it will remove all granted ACLs for the Everyone SID.
- Open Windows Explorer and navigate to the following path:
C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data
- Right-click the file set-permissions.bat and select Run as Administrator
- Click Yes when UAC prompts you about opening the file.
This batch file will set the read permissions for everyone on all files found under a user directory.
- Open Windows Explorer, navigate to the following path, and note any existing files:
C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data\Shares\Users\Alice
- Open the individual files and note that the files Plans for V2.docx and Feature list.TIF both have the word Confidential in them.
Right-click each file, select Properties, and click the Security tab.
Note that all files grant the Everyone SID read access.
In FSRM, right-click the Restrict confidential files File Management Task you just created and select Run File Management Task Now:
- Select Wait for task to complete execution and click OK
- Inspect the generated report for files affected by the File Management Task and note that the files in the report are the same files that have the word Confidential in them.
Right-click each file in “C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data\Shares\Users\Alice”, select Properties, and click the Security tab. Note that Everyone no longer has read access to the files containing the word Confidential.
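
The per-file check on the Security tab can also be scripted. The following Windows PowerShell function is an added example, not part of the original lab; the name Get-EveryoneGrant is hypothetical, and the default path is the lab folder used above. It lists, for each file, how many Allow entries for the Everyone SID (S-1-1-0) are explicit and how many are inherited.

```powershell
# Added example (not from the lab): report Allow ACEs for Everyone (S-1-1-0)
# on every file under a folder. Get-EveryoneGrant is a hypothetical name.
function Get-EveryoneGrant {
    param(
        # Default: the lab folder inspected in the last step of this exercise.
        [string]$Path = 'C:\Server 2008 R2 Labs\File System Classification Infrastructure\Data\Shares\Users\Alice'
    )

    Get-ChildItem -LiteralPath $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            # Read the DACL through .NET and request SIDs instead of account
            # names, so the match does not depend on the display language.
            $acl   = $file.GetAccessControl()
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

            $hits = @($rules | Where-Object {
                $_.IdentityReference.Value -eq 'S-1-1-0' -and
                $_.AccessControlType -eq 'Allow'
            })

            # icacls /remove:g deletes explicit ACEs only. An inherited ACE
            # comes from a parent folder and is still present after the task.
            $explicit  = @($hits | Where-Object { -not $_.IsInherited })
            $inherited = @($hits | Where-Object { $_.IsInherited })

            New-Object PSObject -Property @{
                File      = $file.Name
                Explicit  = $explicit.Count
                Inherited = $inherited.Count
                Rights    = ($hits | ForEach-Object { $_.FileSystemRights }) -join '; '
            }
        } |
        Select-Object File, Explicit, Inherited, Rights
}

# Run before and after "Run File Management Task Now" and compare the rows.
Get-EveryoneGrant | Format-Table -AutoSize
```

After the task runs, the files that contain the word Confidential should show Explicit = 0. A nonzero Inherited value means Everyone still reaches the file through the parent folder's ACL, which the icacls arguments used in this exercise do not change.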