Data Classification Toolkit for Windows Server 2012 R2 Release Notes

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice.

The Data Classification Toolkit for Windows Server® 2012 R2 works in conjunction with Windows Server 2008 R2 File Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 and Windows Server 2012 R2 to help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on claims. For more information about Dynamic Access Control, see "What Is the Data Classification Toolkit?" in the Data Classification Toolkit User Guide.

The Data Classification Toolkit contains classification knowledge and scripted processes that help automate the file classification process and make file management more efficient. The Data Classification Toolkit takes advantage of Dynamic Access Control in Windows Server 2012 and Windows Server 2012 R2 to help IT pros configure access policies for files based on claims. The toolkit includes a Claims Wizard to provision claims values based on Active Directory® Domain Services (AD DS) resources. This toolkit also provides tools to provision and standardize central access policy configuration across forests.

The Data Classification Toolkit for Windows Server 2012 R2 uses Windows Server FCI to classify files based on predefined knowledge contained in the toolkit. In addition, the toolkit contains predefined automation tasks designed to help you manage files based on their classification. Finally, the toolkit includes predefined reports that you can view using Microsoft® Office Excel® 2010. The toolkit can also help organizations quickly create their own file classification solutions.

You can use the Data Classification Toolkit to configure and collect file classification on any number of servers running the Windows Server File Classification Infrastructure. You can provide the toolkit with either a specific list of servers, or you can query a Microsoft System Center Operations Manager database or other SQL Server® database to locate any servers that are running the Windows Server File Classification Infrastructure.

The Data Classification Toolkit for Windows Server 2012 R2 works with files stored in Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1 with FCI. Files stored in other technologies or products, such as Microsoft SharePoint® 2010, are not supported.

The Data Classification Toolkit for Windows Server 2012 R2 can integrate with the IT GRC Process Management Pack SP1 for Microsoft System Center Service Manager 2010 using the IT Compliance Management Library Management Pack. The IT Compliance Management Library Management Pack contains the control activities for Windows Server 2012 FCI that support control objectives in the IT GRC Process Management Pack SP1 (Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp). This file is contained in the Windows Server 2008 R2 baseline for File Classification Infrastructure (WS08R2-File-Server-FCI) that is available in Microsoft Security Compliance Manager (SCM) 2.0 or later. You can save the IT Compliance Management Library Management Pack from SCM and then import it into System Center Service Manager. For more information about the IT Compliance Management Library Management Pack, see Appendix D, "Integration with IT GRC Process Management Pack SP1 for System Center Service Manager" in the Data Classification Toolkit User Guide.
§3. Getting Started

See the Data Classification Toolkit User Guide.

The following are known functional issues for this release:

• 
  Exporting a File Classification Rule that uses the Windows PowerShell Classifier to set the value of a DateTime Classification Property fails.
  
• 
  Importing a Baseline which have Storage Reports Jobs that make use of the Files by File Group Report and/or the Files by Owner Report when these reports parameters are set to use a subset of the available file groups/owners (ex. Creating a Files by File Group Report with only the ‘Audio and Video Files’ file group selected) fails on Windows Server 2008 R2.
  
• 
  Windows Server 2012 R2 enables the setting of limits on Storage Reports. These limits are not exported to the Baseline, and therefore are not automatically configured when the Baseline is deployed.
  
• 
  When comparing file servers against a Baseline, Storage Reports are not included.
  
• 
  The Files by File Group Report allows the definition of new file groups. These new definitions are not included in the Baseline.
  
• 
  If you import the out-of-the-box classification XML packages without first enabling AD DS global properties, the import and deploy operations on the Windows Server 2012 or Windows Server 2012 R2 file server fail for the rules and tasks that depend on the missing properties. This is by design. Rules, tasks, and report jobs with existing properties will complete the import process. To work around this issue, choose one of the following three options: Ignore errors, Enable the dependent AD DS global properties, or use the Import with downgrade always option to convert the global properties to local properties.
  
• 
  The import command fails if the scope parameter includes any shares that use the FAT32 file system. Only NTFS file system-based shares are supported for rules, tasks, and report jobs. The import command fails if any share on the target file server is FAT32 file system-based, and you run the command with the AllShares option to dynamically discover all shares on the target file server. To work around this issue, either use only NTFS file system-based shares, or explicitly define the scope parameter to exclude FAT32 file system-base shares before running the import command.
  
• 
  If you delete out-of-the-box properties with IDs that exceed the ID format restriction of 16_15 characters, such as ProtectedHealthInformation_MS, there is no easy way to recreate them. The Active Directory Central Access Policy Configuration Export and Import tool will not import properties with IDs that exceed this format restriction.
  
• 
  Not all options to schedule tasks on a Windows Server 2012 and Windows Server 2012 R2 file servers are supported on a Windows Server 2008 R2 file server. For this reason, some scheduled tasks on a Windows Server 2012 file server are ignored during the downgrade process. For example, exporting the configured Every x days schedule task from a Windows Server 2012 file server is ignored during the import process on a Windows Server 2008 R2 file server.
  
• 
  Scheduling a task to run on the last day of the month on a computer running Windows Server 2012 or Windows Server 2012 R2, and then exporting this setting configuration to a server running Windows Server 2008 R2 results in an error message indicating that the schedule for the task cannot be created. This is because File Server Resource Manager in Windows Server 2008 R2 does not support "Last day of the month" task scheduling functionality.
  
• 
  In order to successfully run a cmdlet on a local target server, you must run it from a Windows PowerShell™ command prompt with administrator permissions. To do so, on the target server, reference Windows PowerShell, right-click the program, and then choose Run as administrator.
  
• 
  Task schedules with advanced task schedule settings are not exported. Ensure all task schedules are created without using advanced settings. This issue only applies to computers running Windows Server 2008 R2.
  
• 
  Providing IP addresses for the ComputerName parameter in cmdlets requires additional configuration. To work around this issue, perform the following steps on the computer on which the toolkit is installed:
  

1. 
   Start a command prompt using the Run as administrator option.
   
2. 
   At the command prompt, type the following command and then press Enter (where <ip_address> is the IP address of the computer you want to use in the ComputerName parameter):
   

1. 
   winrm set winrm/config/client @{TrustedHosts="<ip_address>"}
   

3. 
   Exit the command prompt.
   

• 
  Rules with duplicate classification parameter names and corresponding duplicate values entered on the Additional Classification Parameters tab of the Additional Rule Parameters dialog box generate the following error message: "An item with the same key has already been added" when running the Compare-FileClassificationPackage cmdlet. This issue only applies to computers running Windows Server 2008 R2.
  
• 
  Rules with duplicate classification parameter names and corresponding duplicate values entered in the Classification Parameters dialog box generate noncompliant results when running the Compare-FileClassificationPackage cmdlet. This issue only applies to computers running Windows Server 2012 or Windows Server 2012 R2.
  
• 
  Running the Import-FileClassificationPackage cmdlet with the Overwrite parameter may produce unexpected errors. The Overwrite parameter forces the cmdlet to resolve any dependencies when overwriting properties, rules, tasks, and report tasks. If the classification package that is supplied to the cmdlet does not contain sufficient definitions for the cmdlet to resolve the dependencies, an error is produced during the import process.
  

• 
  The "Configure IT Process Management Pack Integration" section in the Data Classification Toolkit User Guide prompts users to save the IT Compliance Management Library Management Pack file, Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp, from the Security Compliance Manager 2.0 Windows Server 2008 R2 baseline. This file is not directly available as an attachment in the Windows Server 2008 R2 baseline. Users must first save the Microsoft.ControlActivity.WS2008R2SP1.FCI.cab file from the security baseline, and then extract the Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp file from the saved CAB file.
  
• 
  In the System Center Service Manager IT GRC Process Management Pack SP1, if the scope of a compliance program with FCI control activities contains computers running Windows Server 2008 R2 that do not have the FCI feature enabled, the managed entity result reported for those computers will be unknown. Program implementers must ensure that the program has the right scope defined through the Control Activity Applicability Group and the Computer Collection in System Center Configuration Manager. The scope for the control activity should include the file servers on which the organization’s classification configuration and policies are applied. Report unknown results can help program implementers identify file servers that either do not have the correct classification and policies applied, or do not have the FCI feature enabled.
  
• 
  The Claims Wizard results screen only displays results information if the upload claims data is valid. If the upload claim values data is not valid, no results are displayed. When the Claims Wizard scans an Active Directory® forest or domain for claim values, the results screen only displays results information if claim values are found. If no claim values are found, then no results are displayed.
  
• 
  Baseline classification configuration files that were exported from a staging file server using the beta release of the Data Classification Toolkit cannot be imported using this release of the software. In order to ensure that your baseline classification configuration files can be imported correctly, export the configuration using this release of the software. This will generate a compatible version of the configuration that will import without errors.
  
• 
  Microsoft Excel® workbooks created when a scan for claim values was performed using the beta release of the Data Classification Toolkit cannot be uploaded using this release of the software. In order to upload claim values, rescan the environment for claim values using this release of the software, and then create a new Excel workbook. This will create a compatible version of the workbook that you can use to upload claim values.