New to Windows Server 2012 is the Server Message Block (SMB) 3.0 protocol. The SMB 3.0 protocol provides access to files, printers, and serial ports, as well as handling the transfer of files between different systems. SMB 3.0 is not backwards-compatible: the best performance is obtained between Windows Server 2012 servers or with Windows 8 clients. SMB 3.0 is especially useful with clustering and replication. Clustering in Windows Server 2012 can now be done with SMB, which means you no longer have to use a Storage Area Network (SAN).
SMB Direct — SMB Direct (SMB over Remote Direct Memory Access [RDMA]) is a new transport protocol for SMB in Windows Server 2012. It enables direct memory-to-memory data transfers between servers with low latency. Only clients and servers that support SMB 3.0 can use SMB Direct.
SMB Directory Leasing — SMB Directory Leasing reduces the response time seen by branch office users accessing files over high-latency WAN networks.
SMB Encryption — Only clients and servers that support SMB 3.0 can use SMB encryption, which protects data in-flight from eavesdropping and tampering attacks by providing end-to-end encryption.
SMB Multichannel — Aggregates available bandwidth, allowing server applications to take full advantage of all available network capacity, and can provide a more resilient network.
SMB PowerShell — SMB now has its own PowerShell cmdlets.
SMB Scale Out — When using Cluster Shared Volumes, the Continuously Available property is set and you can create file shares that provide simultaneous access to data files. Only clients and servers that support SMB 3.0 can use SMB Scale Out.
SMB Transparent Failover — You can perform maintenance (hardware or software) on nodes in a cluster file server without causing interruptions on server applications.
VSS for SMB file shares — This is an easy feature to implement as it leverages any existing VSS software or applications.
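The SMB Encryption and SMB PowerShell entries above can be put to work together: before requiring encryption, check which connected clients negotiated a dialect below 3.0 (they would be cut off), then enable encryption per share and, optionally, server-wide. This is an added example, not from the original article; the share name "Finance", the path D:\Shares\Finance, and the group CONTOSO\Finance are hypothetical.

```powershell
# Added example (not part of the original article). Assumes Windows Server 2012 with the
# SmbShare module. Share name, path and group below are hypothetical placeholders.
Import-Module SmbShare

# 1. Inventory: which connected clients negotiated a dialect below 3.0?
#    Those clients cannot use SMB Encryption and will be rejected once it is required.
$legacy = Get-SmbConnection | Where-Object { [version]$_.Dialect -lt [version]'3.0' }
if ($legacy) {
    Write-Warning "Clients below SMB 3.0 (cannot use encryption):"
    $legacy | Select-Object ClientComputerName, ServerName, ShareName, Dialect |
        Format-Table -AutoSize
}

# 2. Weak default: server-wide EncryptData is $false, so traffic is in the clear
#    unless encryption is set on the individual share.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

# 3. Per-share hardening: create the share with encryption required, or turn it on
#    for an existing share.
if (-not (Get-SmbShare -Name 'Finance' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Finance' -Path 'D:\Shares\Finance' `
        -EncryptData $true -FullAccess 'CONTOSO\Finance'
} else {
    Set-SmbShare -Name 'Finance' -EncryptData $true -Force
}

# 4. Server-wide enforcement: encrypt every share and refuse clients that cannot
#    encrypt. Do this only after step 1 shows no pre-3.0 clients you still need.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 5. Verify the result on all shares.
Get-SmbShare | Select-Object Name, Path, EncryptData
```

Run it in an elevated PowerShell session; Get-SmbConnection and the Set-* cmdlets require administrator rights on the file server.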
Dynamic Access Control (DAC)
Dynamic Access Control is new to Windows Server 2012 and is used to further augment file system security, which has been a challenging part of file system security since the Windows NT days. Prior to the release of DAC, administrators would use the NTFS file system and Access Control Lists (ACLs) to grant or limit access to resources on the network. Permissions were determined based on user accounts and group memberships, whereas now we can also specify conditional access (you would still need to meet the normal NTFS user/group permissions and also meet a specific attribute setting).
Using Dynamic Access Control, you can set conditional access to a resource. Administrators can set centralized access policies for file servers throughout the entire organization. Access control can be enabled or disabled based on users or groups. You can classify and tag data either manually or by running a keyword assessment that applies tags automatically. Tags can be applied by identifying keyword data, looking for specific words, formats, or patterns. In short, you can enable or disable access based on attribute values on user or resource objects. Dynamic Access Control has six major components.
Access-denied assistance — This can be used in troubleshooting access to a resource. This can be accomplished through:
- Assistance by the data owner
- Assistance by the file server administrator
Central Access Policies — An administrator can create and deploy centrally administered policies to meet compliance and other requirements. Access policies contain conditional expressions that are used to determine access based on users, groups, user claims and resource properties. Central Access Policies contain:
- Applicability — What data the policy applies to
- Access Conditions — What ACEs (access control entries) are used to determine who can access resources
- Exceptions — Other ACE entries that may be used as an exception.
Central Audit Policies — Policies that are applied to ensure regulatory compliance, reporting and forensic analysis. Central Audit Policies are typically applied at one of four levels:
- Business policy
- Departmental Policy
- Information Security
- Organizational policy
Claim Type — A condition or property that must be met, such as membership in a specific group or a setting in a user account such as country.
Classification — Rules that are used to determine the classification properties of resources. The file classification infrastructure is claims-aware, and the classification properties are assigned to the metadata associated with the resources.
Resource Property — These are labels or properties that are downloaded by servers and used to classify files.