Tech Ed North America 2010 11/19/2018 1:27 AM
SESSION CODE: SIA-323
Business Ready Security: Securely Collaborate with Partners and Employees Using SharePoint, Microsoft Forefront, and Active Directory
Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
- Business Ready Security
- Collaboration Scenarios
- Information Protection
- Anywhere Access
- Cross-organizational collaboration
- Summary
Business Needs and IT Challenges
Business needs (agility and flexibility):
- Prevent sensitive information from leaking
- Provide secure access to applications from anywhere
- Simplify the user experience for collaboration
- Protect from threats
IT challenges (control):
- Difficulty in extending business resources
- Increasing volume of sensitive information
- Financially motivated, evolving threats
- Multiple locations and devices
Business Ready Security
Help securely enable business by managing risk and empowering people, across on-premises and cloud.
Pillars: Protection, Access, Identity, Management, on a highly secure and interoperable platform.
- Protect everywhere, access anywhere
- Integrate and extend security across the enterprise
- Simplify the security experience, manage compliance
From block, cost and siloed to enable, value and seamless.
Business Ready Security Solutions
- Secure Messaging
- Secure Collaboration
- Secure Endpoint
- Information Protection
- Identity and Access Management
Current Situation
- Limited collaboration impacts user productivity
- Sensitive information is sent via e-mail since partners do not have access to the collaboration site
- Partners and remote employees have limited to no access
- Malware on non-trusted machines
Diagram labels: partner, employees (remote), on premises, external (non-trusted).
Collaboration Scenarios
Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information.
- Protecting information
- Anywhere access to collaboration services
- External collaboration
Diagram labels: employees (remote), on premises, partner, external (non-trusted), DirectAccess, Forefront scans for viruses.
Protect Information
Zones: on-premises, external (trusted), external (non-trusted).
- Automatically secure sensitive documents with AD RMS
- Ensure only authorized usage through persistent policies
- Works online and offline, across organizations
- Integrated malware protection
"We store lots of sensitive information in SharePoint libraries, which can be selectively configured to apply rights protection to documents when they're downloaded… Setting everything up only took about five minutes." – Christian Arpino, IT Administrator
Source: Food Distributor Deploys Enterprise Rights Management to Help Protect Sensitive Data. Microsoft case study, February 2008. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000001482
Overview of AD RMS Components
- Active Directory: authentication, service discovery, group membership
- SQL Server: configuration data, logging, cache
- RMS Server: certification, licensing, templates
- MOSS 2007: document libraries with IRM
- Workstation: RMS lockbox, client API, templates
- Exchange Server 2007/2010: pre-licensing, fetching, content filtering, keyword filtering
- Other clients and servers compatible with RMS
SharePoint IRM Workflow
Actors: the author (using Office 2010/2007/2003), SharePoint Server, the AD RMS server, and the recipient.
1. Author publishes content into SharePoint Server.
2. Recipient requests the document from SharePoint.
3. SharePoint requests credentials from AD RMS (the first time), then protects the file according to the permissions on the document library.
4. SharePoint sends the protected file to the recipient.
5. The RMS-enabled application renders the file and enforces rights.
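Step 3 of the workflow only happens if IRM is switched on for the library. The following script, added here as an example and not taken from the deck or from any Microsoft sample, wires a SharePoint 2010 web application to AD RMS and enables IRM on one document library. It assumes the SharePoint 2010 server object model members named in the comments (SPIrmSettings.IrmRMSEnabled/IrmRMSUseAD and SPList.IrmEnabled/IrmReject/IrmExpire) and a constructed extranet URL and library name.

```powershell
# Added example (not from the deck): enable AD RMS-backed IRM on a SharePoint 2010
# document library so every download is protected per the library permissions.
# Assumed: object model member names below, and the constructed URL/library name.
# Run on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://extranet.woodgrove.example"   # constructed placeholder
$siteUrl   = "$webAppUrl/sites/projects"            # constructed placeholder
$libName   = "Project Documents"                    # constructed placeholder

# 1. Web application level: point SharePoint at AD RMS. Using AD service
#    discovery (the SCP) avoids hard-coding a certification server URL.
$webApp = Get-SPWebApplication $webAppUrl
$webApp.IrmSettings.IrmRMSEnabled = $true
$webApp.IrmSettings.IrmRMSUseAD   = $true
$webApp.Update()

# 2. Library level: turn IRM on and refuse uploads that cannot be rights-protected.
#    Rejecting unsupported formats closes the gap where a file IRM cannot wrap
#    (an archive of the document, for instance) would leave the site in the clear.
$web  = Get-SPWeb $siteUrl
$list = $web.Lists[$libName]
$list.IrmEnabled = $true     # protect on download using the library's permissions
$list.IrmReject  = $true     # reject documents that IRM cannot protect
$list.IrmExpire  = $false    # issued rights do not expire automatically here
$list.Update()

# 3. Verify: list every document library in the site that still has IRM off,
#    so a missed library shows up in a change review rather than in an incident.
$web.Lists |
    Where-Object { $_.BaseType -eq "DocumentLibrary" -and -not $_.IrmEnabled } |
    Select-Object Title, IrmEnabled, IrmReject
$web.Dispose()
```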
Protect Sensitive Information
Protect Documents from Malware
Microsoft solution: "defense in depth" with multiple engines. Competitors' solutions: single engine.
38 times faster response: an AV-Test of consumer antivirus products revealed that, on average, Forefront engine sets provided a response in 3.1 hours or less, while single-engine vendors provided responses in 5 days, 4 days, and 6 days respectively.
- Automatic engine updates
- Eliminates single point of failure
"Forefront Security for SharePoint…gives us an extra layer of protection for our SharePoint environment in ways that no other product can match." – Tom Booth, Sr. Collaboration Engineer
Source: SAS Gains Extranet Benefits with Confidence – Security Solution Makes it Easy. Microsoft case study, March 2007. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=201164
DEMO: Forefront Protection for SharePoint 2010
SharePoint is a great place to store information, but when it is on the extranet you might want to keep tighter control. Normal malware filtering is turned on, of course, but in addition Woodgrove wants to block all documents that contain budget details.
- Examining antimalware engine configurations
- Configuring keyword filtering
Provide More Secure, Anywhere Access
Diagram labels: DirectAccess, SSL VPN, external (trusted), external (non-trusted).
- Simplified, always-on access
- Consolidated secure portal to simplify remote access
- Restricted, policy-based access to SharePoint
"Using Intelligent Application Gateway, employees can connect easily, which means that our important customer information is accessible for them wherever they are." – Raymond Provily, Manager of Facilities
Source: Easy, Integrated Solution Gives Workers Remote Access, Improved Productivity. Microsoft case study, July 2007. http://www.microsoft.com/emea/partnersolutionmarketplace/CaseStudyDetail.aspx?casestudyid=4000000405
Addressing Access Security
- Single point of control for access policies
- Access control based on user identity, role and endpoint device
- Built-in security policies to choose from for endpoint security enforcement
- Inactivity timeouts and re-authentication
- Filter inbound requests (application firewall)
- Overlay granular access control on specific sites and features
- Pre-defined control over uploads, downloads, edits, etc.
- Clean up cache and temp files when the session terminates
DEMO: Forefront UAG – Providing Secure Access
An employee at Woodgrove Bank is travelling and needs to check on project data and later also upload new information to the project site.
- Differentiated secure access to SharePoint
- Configuring endpoint scanning in UAG
- Controlling access based on employee type (FTEs get access to Remote Desktop)
External Collaboration
Empower business:
- Ability to move seamlessly between applications using a single identity
- Collaboration across organizations
Empower IT:
- No need to manage external accounts
- Simplified and flexible claims-based federation
- Common authentication controls for building custom applications
Diagram labels: on-premises Active Directory Federation Services, WS-* and SAML 2.0, external/customers, partner.
"Access claims are arbitrated by digital tokens, which means that users won't necessarily need to supply Web sites with personal information to conduct transactions." – Information Week, April 2009
Source: RSA: Microsoft Pushes 'Geneva' In War On Passwords. Information Week, April 2009. http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=216600105&pgno=2&queryText=
Extended Collaboration with Single Sign On
- Single user access model with single sign-on (SSO) and easy-to-set-up federation to on-premises and cloud services
- Helps provide consistent security, with the user access model externalized from applications
- Based on industry-standard protocols for interoperability
- Shared identity with partners and cloud services
- Boost cross-organizational efficiency
- Share rights-protected messages
- Improved support for SharePoint as a claims-aware application
Diagram labels: corporate user, AD DS, security token (e.g., Kerberos ticket), AD FS, Exchange, SharePoint, web app, claims-aware app, cloud services, partner claims-aware application.
AD RMS and AD FS Collaboration Scenarios
Participants: Woodgrove (AD, RMS server, AD FS relying party / FS-RP, WebSSO agent, Forefront TMG/UAG) and Trey Engineering (AD, AD FS identity provider / FS-IP). Assume the author is already bootstrapped.
1. Author sends protected e-mail to a recipient at Trey Engineering, or posts the content to the extranet SharePoint.
2. Recipient contacts the published Woodgrove RMS server to get bootstrapped.
3. WebSSO agent intercepts the request.
4. RMS client is redirected to FS-RP for home realm discovery, through TMG or UAG.
5. RMS client is redirected to FS-IP for authentication.
6. RMS client is redirected back to FS-RP for authentication.
7. RMS client makes its request to the RMS server for bootstrapping.
8. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server.
9. RMS server returns bootstrapping certificates to the recipient.
10. RMS server returns a use license to the recipient.
11. Recipient accesses the protected content.
Diagram labels: RAC (rights account certificate), CLC (client licensor certificate), PL (publishing license), UL (use license).
DEMO: Extending Collaboration to Partners
Charlie at Trey Engineering needs to access the Woodgrove Bank extranet.
- Configure Trey Engineering AD Federation Services 2.0
- Examine how group membership in Trey Engineering becomes an access right on the Woodgrove Bank extranet
- Rights Management integrated with SharePoint
- Malware protection
- Updating access to SharePoint sites: role changes on Trey Engineering
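The Woodgrove Bank side of the federation described on the External Collaboration and Single Sign On slides and exercised in this demo, written as an added example with the AD FS 2.0 and SharePoint 2010 cmdlets; it is not the deck's demo script or any Microsoft sample. Assumed and constructed: the federation host names, the relying party identifier, the Trey group name "ProjectTeam", the role value "ExtranetContributor", and an existing SharePoint trusted identity token issuer named "Woodgrove AD FS".

```powershell
# Added example (not from the deck): Trey group membership becomes a Woodgrove
# role claim, and SharePoint grants rights to that claim rather than to accounts.
# Assumed/constructed: host names, identifier, group and role values, issuer name.
Add-PSSnapin Microsoft.Adfs.PowerShell       -ErrorAction SilentlyContinue
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$groupType = "http://schemas.xmlsoap.org/claims/Group"
$roleType  = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$emailType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# 1. Claims provider trust for Trey Engineering's AD FS (FS-IP). The acceptance
#    rules pass through only the claims Woodgrove needs; any other group or
#    attribute Trey asserts is dropped at the organizational boundary.
Add-ADFSClaimsProviderTrust -Name "Trey Engineering" `
    -MetadataUrl "https://sts.trey.example/FederationMetadata/2007-06/FederationMetadata.xml"
$accept = @"
@RuleName = "Pass through e-mail from Trey"
c:[Type == "$emailType"] => issue(claim = c);
@RuleName = "Pass through only the project group from Trey"
c:[Type == "$groupType", Value == "ProjectTeam"] => issue(claim = c);
"@
Set-ADFSClaimsProviderTrust -TargetName "Trey Engineering" -AcceptanceTransformRules $accept

# 2. Relying party trust for the extranet SharePoint (FS-RP). The group claim is
#    mapped to a Woodgrove role; the authorization rule permits a token only when
#    that role is present, so a role change at Trey removes access at Woodgrove
#    on the next sign-in with no account clean-up on the Woodgrove side.
$rpName = "Woodgrove Extranet SharePoint"
Add-ADFSRelyingPartyTrust -Name $rpName `
    -Identifier "urn:woodgrove:extranet" `
    -WSFedEndpoint "https://extranet.woodgrove.example/_trust/"
$issue = @"
@RuleName = "Trey ProjectTeam -> ExtranetContributor"
c:[Type == "$groupType", Value == "ProjectTeam"]
 => issue(Type = "$roleType", Value = "ExtranetContributor");
@RuleName = "Pass through e-mail as the identifier claim"
c:[Type == "$emailType"] => issue(claim = c);
"@
$authz = @"
@RuleName = "Permit only holders of an extranet role"
c:[Type == "$roleType", Value =~ "^Extranet"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issue -IssuanceAuthorizationRules $authz

# 3. SharePoint grants Contribute to the role claim, not to individual partner
#    users, so nothing needs deprovisioning when Charlie leaves the project.
$issuer    = Get-SPTrustedIdentityTokenIssuer "Woodgrove AD FS"   # assumed to exist
$principal = New-SPClaimsPrincipal -ClaimValue "ExtranetContributor" `
    -ClaimType $roleType -TrustedIdentityTokenIssuer $issuer
$web  = Get-SPWeb "https://extranet.woodgrove.example/sites/projects"
$user = $web.EnsureUser($principal.ToEncodedString())
$role = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
$role.RoleDefinitionBindings.Add($web.RoleDefinitions["Contribute"])
$web.RoleAssignments.Add($role)
$web.Dispose()
```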
Summary: Collaboration Scenarios
- Protecting information
- Anywhere access to collaboration services
- External collaboration
Diagram labels: employees (remote), on premises, partner, external (non-trusted), DirectAccess, Forefront scans for viruses.
Track Resources
- Business Ready Security – www.microsoft.com/brs
- Test it yourself in a virtual environment – Bing: BRS Demo Environment, http://www.microsoft.com/downloads/details.aspx?FamilyID=726f943e-d107-4b4d-a86e-dfb605e30ce5&displaylang=en
- Secure Collaboration: www.microsoft.com/forefront/en/us/secure-collaboration.aspx
Track Resources
- Learn more about our solutions: http://www.microsoft.com/forefront
- Try our products: http://www.microsoft.com/forefront/trial
Resources
- Sessions on-demand and community: www.microsoft.com/teched
- Microsoft certification and training resources: www.microsoft.com/learning
- Resources for IT professionals: http://microsoft.com/technet
- Resources for developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.