
Data Classification Toolkit for Windows Server 2012 R2 Release Notes
Published: June 2014

© 2014 Microsoft Corporation. All rights reserved.

Contents
1. Notices
2. Brief Description of the Data Classification Toolkit for Windows Server 2012 R2
3. Getting Started
4. Known Issues
5. Feedback

1. Notices
IMPORTANT INFORMATION: The Microsoft Data Classification Toolkit for Windows Server 2012 R2 (the "software") is
intended to help organizations simplify their ability to search, identify, and apply rules to data they specify. The software
provides sample search expressions and rules that can be used to assist with your compliance activities conducted by
your organization's IT professionals, auditors, accountants, attorneys and other compliance professionals. The software
does not replace those professionals. The software ships with some authority document citations, but these citations do
not verify or guarantee fulfillment of your organization's compliance obligations under applicable laws, regulations or
industry standards. The software has not been certified as compliant with any PCI or NIST standards. It is the
responsibility of your organization to handle data in accordance with legal and compliance obligations based on guidance
from your organization's compliance professionals. Reports and any other information provided by or generated from the
software do not constitute auditing, accounting, legal or other professional advice. You must consult compliance
professionals to confirm compliance with specific governance, risk, and compliance (GRC) authority documents. The
software is provided on an "as is" basis, and Microsoft has no responsibility with respect to its use. For more information,
see http://go.microsoft.com/fwlink/?LinkId=224957.
This document is provided as-is. Information and views expressed in this document, including URL and other Internet
website references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is
intended or should be inferred.
© 2014 Microsoft. All rights reserved.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.

2. Brief Description of the Data Classification Toolkit for Windows Server 2012
The Data Classification Toolkit for Windows Server 2012 R2 works in conjunction with Windows Server 2008 R2 File
Classification Infrastructure (FCI) and Dynamic Access Control in Windows Server 2012 and Windows Server 2012 R2 to
help IT pros gain insight into stored information, enforce access policies, and configure access policies for files based on
claims. For more information about Dynamic Access Control, see "What Is the Data Classification Toolkit?" in the Data
Classification Toolkit User Guide.
The Data Classification Toolkit contains classification knowledge and scripted processes that help automate the file
classification process and make file management more efficient. The Data Classification Toolkit takes advantage of
Dynamic Access Control in Windows Server 2012 and Windows Server 2012 R2 to help IT pros configure access policies
for files based on claims. The toolkit includes a Claims Wizard to provision claims values based on Active Directory
Domain Services (AD DS) resources. This toolkit also provides tools to provision and standardize central access policy
configuration across forests.
The Data Classification Toolkit for Windows Server 2012 R2 uses Windows Server FCI to classify files based on
predefined knowledge contained in the toolkit. In addition, the toolkit contains predefined automation tasks designed to
help you manage files based on their classification. Finally, the toolkit includes predefined reports that you can view using
Microsoft Office Excel 2010. The toolkit can also help organizations quickly create their own file classification solutions.
You can use the Data Classification Toolkit to configure and collect file classification on any number of servers running the
Windows Server File Classification Infrastructure. You can provide the toolkit with either a specific list of servers, or you
can query a Microsoft System Center Operations Manager database or other SQL Server database to locate any
servers that are running the Windows Server File Classification Infrastructure.
The Data Classification Toolkit for Windows Server 2012 R2 works with files stored in Windows Server 2012 R2, Windows
Server 2012, or Windows Server 2008 R2 SP1 with FCI. Files stored in other technologies or products, such as Microsoft
SharePoint 2010, are not supported.
The Data Classification Toolkit for Windows Server 2012 R2 can integrate with the IT GRC Process Management Pack
SP1 for Microsoft System Center Service Manager 2010 using the IT Compliance Management Library Management
Pack. The IT Compliance Management Library Management Pack contains the control activities for Windows Server 2012
FCI that support control objectives in the IT GRC Process Management Pack SP1
(Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp). This file is contained in the Windows Server 2008 R2 baseline for
File Classification Infrastructure (WS08R2-File-Server-FCI) that is available in Microsoft Security Compliance Manager
(SCM) 2.0 or later. You can save the IT Compliance Management Library Management Pack from SCM and then import it
into System Center Service Manager. For more information about the IT Compliance Management Library Management
Pack, see Appendix D, "Integration with IT GRC Process Management Pack SP1 for System Center Service Manager" in
the Data Classification Toolkit User Guide.

3. Getting Started
See the Data Classification Toolkit User Guide.

4. Known Issues
The following are known functional issues for this release:

Exporting a File Classification Rule that uses the Windows PowerShell Classifier to set the value of a DateTime
Classification Property fails.

Importing a Baseline that has Storage Reports Jobs that use the Files by File Group Report and/or the
Files by Owner Report, when these reports' parameters are set to use a subset of the available file groups/owners (for
example, creating a Files by File Group Report with only the Audio and Video Files file group selected), fails on Windows
Server 2008 R2.

Windows Server 2012 R2 enables the setting of limits on Storage Reports. These limits are not exported to the
Baseline, and therefore are not automatically configured when the Baseline is deployed.

When comparing file servers against a Baseline, Storage Reports are not included.

The Files by File Group Report allows the definition of new file groups. These new definitions are not included in the
Baseline.

If you import the out-of-the-box classification XML packages without first enabling AD DS global properties, the
import and deploy operations on the Windows Server 2012 or Windows Server 2012 R2 file server fail for the
rules and tasks that depend on the missing properties. This is by design. Rules, tasks, and report jobs with
existing properties will complete the import process. To work around this issue, choose one of the following three
options: Ignore errors, Enable the dependent AD DS global properties, or use the Import with downgrade
always option to convert the global properties to local properties.

The import command fails if the scope parameter includes any shares that use the FAT32 file system. Only NTFS
file system-based shares are supported for rules, tasks, and report jobs. The import command fails if any share on
the target file server is FAT32 file system-based, and you run the command with the AllShares option to
dynamically discover all shares on the target file server. To work around this issue, either use only NTFS file
system-based shares, or explicitly define the scope parameter to exclude FAT32 file system-based shares before
running the import command.
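
A pre-import check for the FAT32 issue above, as an added example (not part of the toolkit or of these release notes): it lists each ordinary share on a file server with the file system of its drive, so that non-NTFS shares can be kept out of the scope. The server name FS01 and the function name Get-ShareFileSystem are hypothetical.

```powershell
# Added example. $Server is a constructed placeholder name.
$Server = 'FS01'

function Get-ShareFileSystem {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    # Map drive letter -> file system for local fixed disks (DriveType 3).
    $fsByDrive = @{}
    Get-WmiObject -Class Win32_LogicalDisk -ComputerName $ComputerName -Filter 'DriveType = 3' |
        ForEach-Object { $fsByDrive[$_.DeviceID.ToUpper()] = $_.FileSystem }

    # Type 0 = ordinary disk shares; administrative shares (C$, ADMIN$) are excluded.
    Get-WmiObject -Class Win32_Share -ComputerName $ComputerName -Filter 'Type = 0' |
        Where-Object { $_.Path -and $_.Path.Length -ge 2 } |
        ForEach-Object {
            # Limitation: a volume mounted in a folder is reported with the
            # file system of the drive letter that hosts the mount point.
            $drive = $_.Path.Substring(0, 2).ToUpper()
            New-Object PSObject -Property @{
                Share      = $_.Name
                Path       = $_.Path
                FileSystem = $fsByDrive[$drive]   # $null if not a fixed local disk
            }
        }
}

$shares   = @(Get-ShareFileSystem -ComputerName $Server)
$nonNtfs  = @($shares | Where-Object { $_.FileSystem -ne 'NTFS' })
$ntfsOnly = @($shares | Where-Object { $_.FileSystem -eq 'NTFS' })

if ($nonNtfs.Count -gt 0) {
    Write-Warning "Non-NTFS shares found on $Server; do not use the AllShares option."
    $nonNtfs | Format-Table Share, Path, FileSystem -AutoSize
}

# Share paths that can be listed explicitly in the import scope.
$ntfsOnly | Select-Object -ExpandProperty Path
```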

If you delete out-of-the-box properties with IDs that exceed the ID format restriction of 16_15 characters, such as
ProtectedHealthInformation_MS, there is no easy way to recreate them. The Active Directory Central Access
Policy Configuration Export and Import tool will not import properties with IDs that exceed this format restriction.

Not all options to schedule tasks on Windows Server 2012 and Windows Server 2012 R2 file servers are
supported on a Windows Server 2008 R2 file server. For this reason, some scheduled tasks on a Windows
Server 2012 file server are ignored during the downgrade process. For example, exporting the configured Every x
days schedule task from a Windows Server 2012 file server is ignored during the import process on a Windows
Server 2008 R2 file server.

Scheduling a task to run on the last day of the month on a computer running Windows Server 2012 or Windows
Server 2012 R2, and then exporting this setting configuration to a server running Windows Server 2008 R2 results
in an error message indicating that the schedule for the task cannot be created. This is because File Server
Resource Manager in Windows Server 2008 R2 does not support "Last day of the month" task scheduling
functionality.

In order to successfully run a cmdlet on a local target server, you must run it from a Windows PowerShell
command prompt with administrator permissions. To do so, on the target server, reference Windows PowerShell,
right-click the program, and then choose Run as administrator.

Task schedules with advanced task schedule settings are not exported. Ensure all task schedules are created
without using advanced settings. This issue only applies to computers running Windows Server 2008 R2.

Providing IP addresses for the ComputerName parameter in cmdlets requires additional configuration. To work
around this issue, perform the following steps on the computer on which the toolkit is installed:
1. Start a command prompt using the Run as administrator option.
2. At the command prompt, type the following command and then press Enter (where <ip_address> is the IP
address of the computer you want to use in the ComputerName parameter):
   winrm set winrm/config/client @{TrustedHosts="<ip_address>"}
3. Exit the command prompt.
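
The winrm command above replaces whatever TrustedHosts list is already configured on the client. The following added example (not from the toolkit or these release notes) makes the same change through the WSMan: drive in Windows PowerShell, appending one address instead of overwriting the list and restoring the original value afterwards; the address 192.0.2.10 is a constructed placeholder.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt on the
# computer on which the toolkit is installed.
$TargetIp  = '192.0.2.10'     # constructed placeholder (documentation range)
$HostsPath = 'WSMan:\localhost\Client\TrustedHosts'

# 1. Record the current list so it can be restored exactly.
$original = [string](Get-Item -Path $HostsPath).Value
$entries  = @($original -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# 2. A wildcard entry already trusts every host; flag it rather than build on it.
if ($entries -contains '*') {
    Write-Warning "TrustedHosts is '*': every remote host is already trusted."
}

# 3. Append the single address instead of replacing the list.
if ($entries -notcontains $TargetIp) {
    Set-Item -Path $HostsPath -Value $TargetIp -Concatenate -Force
}

try {
    # Toolkit cmdlets that take -ComputerName $TargetIp run here.
    Get-Item -Path $HostsPath | Select-Object Name, Value
}
finally {
    # 4. Put the list back as it was, including an empty list.
    Set-Item -Path $HostsPath -Value $original -Force
}
```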

Rules with duplicate classification parameter names and corresponding duplicate values entered on the
Additional Classification Parameters tab of the Additional Rule Parameters dialog box generate the following
error message: "An item with the same key has already been added" when running the
Compare-FileClassificationPackage cmdlet. This issue only applies to computers running Windows Server 2008 R2.

Rules with duplicate classification parameter names and corresponding duplicate values entered in the
Classification Parameters dialog box generate noncompliant results when running the
Compare-FileClassificationPackage cmdlet. This issue only applies to computers running Windows Server 2012 or
Windows Server 2012 R2.

Running the Import-FileClassificationPackage cmdlet with the Overwrite parameter may produce unexpected
errors. The Overwrite parameter forces the cmdlet to resolve any dependencies when overwriting properties,
rules, tasks, and report tasks. If the classification package that is supplied to the cmdlet does not contain sufficient
definitions for the cmdlet to resolve the dependencies, an error is produced during the import process.
For example, users may encounter unexpected errors if they try to import the "NIST SP 800-53 Classification Tasks
Example.xml" package with the Overwrite parameter if they previously imported the same package. This behavior
results because some of the properties referenced in the "NIST SP 800-53 Classification Tasks Example.xml"
package are instead defined in the "NIST SP 800-53 Classification Package Example.xml" package. If all properties,
rules, tasks, and report tasks are defined in a single package, the cmdlet works with the Overwrite parameter as
expected.

The "Configure IT Process Management Pack Integration" section in the Data Classification Toolkit User Guide
prompts users to save the IT Compliance Management Library Management Pack file,
Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp, from the Security Compliance Manager 2.0 Windows
Server 2008 R2 baseline. This file is not directly available as an attachment in the Windows Server 2008 R2 baseline.
Users must first save the Microsoft.ControlActivity.WS2008R2SP1.FCI.cab file from the security baseline, and then
extract the Microsoft.ControlActivity.WinSrvr08R2.FCI.Library.mp file from the saved CAB file.

In the System Center Service Manager IT GRC Process Management Pack SP1, if the scope of a compliance
program with FCI control activities contains computers running Windows Server 2008 R2 that do not have the FCI
feature enabled, the managed entity result reported for those computers will be unknown. Program implementers
must ensure that the program has the right scope defined through the Control Activity Applicability Group and the
Computer Collection in System Center Configuration Manager. The scope for the control activity should include the
file servers on which the organization's classification configuration and policies are applied. Reported unknown results
can help program implementers identify file servers that either do not have the correct classification and policies
applied, or do not have the FCI feature enabled.

The Claims Wizard results screen only displays results information if the upload claims data is valid. If the upload
claim values data is not valid, no results are displayed. When the Claims Wizard scans an Active Directory forest or
domain for claim values, the results screen only displays results information if claim values are found. If no claim
values are found, then no results are displayed.

Baseline classification configuration files that were exported from a staging file server using the beta release of the
Data Classification Toolkit cannot be imported using this release of the software. In order to ensure that your baseline
classification configuration files can be imported correctly, export the configuration using this release of the software.
This will generate a compatible version of the configuration that will import without errors.

Microsoft Excel workbooks created when a scan for claim values was performed using the beta release of the Data
Classification Toolkit cannot be uploaded using this release of the software. In order to upload claim values, rescan
the environment for claim values using this release of the software, and then create a new Excel workbook. This will
create a compatible version of the workbook that you can use to upload claim values.

5. Feedback
For information about how to interact with the product team and provide feedback, see the "Feedback" section in the Data
Classification Toolkit User Guide, which is included in the download for the Data Classification Toolkit for Windows
Server 2012 R2.
