Ilse Van Criekinge Technology Advisor Microsoft BeLux Session Code: UNC306.

Presentation transcript:

Ilse Van Criekinge Technology Advisor Microsoft BeLux Session Code: UNC306

Content
- Introduction
- MailTips
- Transport Rules
- Moderation
- Information Rights Management
- Ethical Wall
- Search, Transport and Journal Report Decryption
- Session Takeaways

The High Cost of Data Leakage
- “HR executive accidentally e-mails lay-off plan to entire organization.”
- “A Wyoming bank sent an e-mail containing sensitive customer data to the wrong mail account, and now wants mail provider to reveal the identity of the account holder who received the data.”
- “Public-relations firm faces PR nightmare after unintentionally e-mailing journalists about one of its clients.”
- “Secret Service agent sends unencrypted e-mail revealing details of vice presidential tour.”

Information Protection and Control (IPC)
Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:
- MONITOR for specific content, recipients and other attributes
- CONTROL distribution with automated, granular policies
- PROTECT access to data wherever it travels using rights management
PREVENT
- Violations of corporate policy and best practices
- Non-compliance with government and industry regulations
- Loss of intellectual property and proprietary information
- High-profile leaks of private information and customer records
- Damage to corporate brand image and reputation

Benefits of Automated Controls
Reduce User Error
- Majority of data loss incidents are accidental
- Users forget policies or apply incorrect policy
Enable More Consistent Policy
- Automation facilitates rapid policy changes across the organization
- Critical for internal/external governance and compliance
Improve Efficiency
- Offload complex data policies from users
- Enable centralized policy creation, execution and management

Benefits of Granular Controls
Apply the right level of control based on the sensitivity of the data. Maximize control and minimize unnecessary user disruptions.
Scale: LESS RESTRICTIVE to MORE RESTRICTIVE
- Alert: “Allow delivery but add a warning.”
- Append: “Allow delivery but add a disclaimer.”
- Protect: “Allow delivery but prevent forwarding.”
- Redirect: “Block delivery and redirect.”
- Review: “Block delivery until reviewed.”
- Block: “Do not deliver.”
- Modify: “Allow delivery but modify message.”
- Classify: “Allow delivery but apply classification.”

MailTips (Alert)
Alert users about potential risks

MailTips - Architecture (Alert)
- Web service in Exchange 2010
- Supported by
  - Outlook Web App
  - Microsoft Outlook 2010
- Triggered when
  - Add a recipient
  - Add an attachment
  - Reply or Reply to all
  - Open a message, already addressed to recipients, from the Drafts folder

MailTips - Evaluation (Alert)
[Figure: MailTips evaluation diagram with numbered steps]

MailTips - Offline Support (Alert)
Offline Address Book structure expanded
- Message delivery restrictions
- Custom MailTips
- Maximum receive size
- Moderation enabled
- Distribution Group - Total member count
- Distribution Group - External member count
Not available offline
- Invalid internal recipient
- Mailbox full
- Automatic replies

MailTips - Limits (Alert)
- Individual mailbox MailTips not evaluated
  - Message sent to a distribution group (except external recipient)
  - Message sent to more than 200 recipients
- Custom MailTips limited to 250 characters
- Time out = 10 seconds

MailTips – Group Metrics (Alert)
- Used to support MailTips
  - Large Audience
  - External Recipients
- Generated on same Mailbox server as OAB
- Full Group Metrics data generation on Sunday
- Associated files
  - GroupMetrics- T.bin
  - GroupMetrics-.xml
  - ChangedGroups.txt

MailTips – Organizational Settings
Set-OrganizationConfig
  -MailTipsAllTipsEnabled
  -MailTipsLargeAudienceThreshold
  -MailTipsExternalRecipientsTipsEnabled
  -MailTipsMailboxSourcedTipsEnabled
  -MailTipsGroupMetricsEnabled
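The organizational settings above, shown with values in an added example (not from the original slides) for the Exchange Management Shell. The threshold value, the mailbox name "hr-confidential" and the MailTip text are assumptions chosen for illustration; the length check enforces the 250-character limit listed under MailTips - Limits.

```powershell
# Added example, not part of the original presentation.
# Assumptions: threshold of 25 recipients, a mailbox named "hr-confidential".

# Organization-wide MailTips switches (the parameters listed on the slide).
$mailTipSettings = @{
    MailTipsAllTipsEnabled                = $true   # master switch
    MailTipsExternalRecipientsTipsEnabled = $true   # warn when a recipient is external
    MailTipsMailboxSourcedTipsEnabled     = $true   # mailbox full / automatic replies tips
    MailTipsGroupMetricsEnabled           = $true   # use Group Metrics data for group sizes
    MailTipsLargeAudienceThreshold        = 25      # recipients before "large audience" tip
}
Set-OrganizationConfig @mailTipSettings

# Custom MailTip on a sensitive mailbox. Reject the text up front if it
# exceeds the 250-character limit for custom MailTips.
$tip = "This mailbox receives confidential HR data. Check the recipient list before sending."
if ($tip.Length -gt 250) {
    throw "Custom MailTip is $($tip.Length) characters; the limit is 250."
}
Set-Mailbox -Identity "hr-confidential" -MailTip $tip

# Verify what is actually configured.
Get-OrganizationConfig | Format-List MailTips*
Get-Mailbox -Identity "hr-confidential" | Format-List Name, MailTip
```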

MailTips

Transport Rules
Easily enforce granular policies
- Executed on the Hub Transport Server
- Structured like Inbox rules
- Apply to all messages sent inside and outside the organization
- Configured with simple GUI in Exchange Management Console

Conditions
Fine tune rules with detailed criteria
- Specific Users: Detects mail between people, distribution lists
- Specific Content: Inspects subject, header and body for keywords, regular expressions
- Message Properties: Inspect message headers and properties or type
- Classifications: Scans for classifications such as Attorney-Client Privileged
- Attachments: Scans size, name and content (Office documents)
- Classifications: Can now also act on No Classifications
- Message Types: IRM protected, auto-replies, calendaring, voice mail
- Supervision Lists: Allows/Blocks based on listed recipients
- Management Properties: Identifies manager and applies policy
- User Properties: Scans for user attributes (such as department, country)

Actions
Apply the appropriate level of control
- Block: Blocks and deletes message and can send non-delivery report
- Classify: Applies classification such as attorney-client privilege
- Modify: Adds disclaimer to body or text to subject line
- Reroute: Adds additional recipients to cc or Bcc line or re-directs
- Append: Applies disclaimer per each user’s specific attributes
- Review: Enables review and approval of e-mail before delivery
- Protect: Applies rights protection to messages, attachments

Dynamic Signatures (Append)
Automatically apply signatures per user attributes
- Signatures integrated with Active Directory attributes
- Option of basic text or HTML

Dynamic Signatures

Moderation (Review)
Enable review and approval of e-mail before delivery
- Moderate based on sender, DL, content
- Approve or Reject with option to send response
- Moderator can be a specific user or sender’s manager

Moderated Transport Message Flow
[Figure: moderated transport message flow diagram with numbered steps]

Moderated Transport (Review)
- Relies on the Exchange 2010 Approval Framework
- Handles multiple moderated recipients
- Bypassing moderation
  - Moderator bypasses
  - Owners of distribution groups and dynamic distribution groups do not bypass by default
- Previous versions of Exchange don’t support moderated recipients
  - Designate Exchange 2010 Hub Transport server as expansion server

Moderated Transport

Information Rights Management (Protect)
Granular protection that travels with the data
Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.
Persistent protection
- Protects your sensitive information no matter where it is sent
- Usage rights locked within the document itself
- Protects online and offline, inside and outside of the firewall
Granular control
- Users apply IRM protection directly within an e-mail
- Organizations can create custom usage policy templates such as "Confidential—Read Only"
- Limit file access to only authorized users

IRM – S/MIME Signing/Encryption

| Feature | RMS | S/MIME Signing | S/MIME Encryption |
| --- | --- | --- | --- |
| Verifies identity of publisher | No | Yes | No |
| Differentiates permissions by user | Yes | No | |
| Prevents unauthorized viewing | Yes | No | Yes |
| Encrypts protected content | Yes | No | Yes |
| Offers content expiration | Yes | No | Yes |
| Controls content reading, forwarding, saving, modifying, or printing by user | Yes | No | |
| Extends protection beyond initial publication location | Yes | | |

Transport Protection Rules (Protect)
Automatically apply IRM
- Apply RMS policies automatically using Transport Rules
- IRM protection can be triggered based on sender, recipient, content and other conditions
- Apply “Do Not Forward” or custom RMS templates
- Office 2003, 2007, and 2010 attachments also protected

Outlook Protection Rules (Protect)
Provide users more IRM protection options
- IRM protection can still be applied manually
- User can be granted option to turn off rule for non-sensitive e-mail
- Adding recipient or distribution list can trigger IRM protection automatically before sending

Outlook Protection Rules Protect

Protection Rules

IRM in Outlook Web App (Protect)
- Native support for IRM in OWA eliminates need for Internet Explorer Rights Management add-on
- Access to standard and custom RMS templates
- Read and reply to protected messages
- Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
- Office documents also protected

Protected Voice Mail (Protect)
- Prevent forwarding of voice mail
- Integration with AD RMS and Exchange Unified Messaging
- Permissions designated by sender (by marking the message as private) or by administrative policy

Ethical Wall (Control)
- Zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information
- Configurable using EMC or EMS
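An ethical wall configured from the Exchange Management Shell (EMS), as an added example that is not part of the original slides. The group names "Research-Group" and "Trading-Group", the rule name and the rejection text are hypothetical; the rule rejects mail in either direction between members of the two groups.

```powershell
# Added example, not part of the original presentation.
# Assumptions: two existing distribution groups, "Research-Group" and
# "Trading-Group", whose members must not exchange e-mail.

$ruleName = "Ethical wall: Research and Trading"

$wall = @{
    Name                            = $ruleName
    # BetweenMemberOf1/2 match a message when the sender is in one group
    # and a recipient is in the other, regardless of direction.
    BetweenMemberOf1                = "Research-Group"
    BetweenMemberOf2                = "Trading-Group"
    # Block delivery and tell the sender why in the non-delivery report.
    RejectMessageReasonText         = "Policy: e-mail between Research and Trading is not permitted."
    RejectMessageEnhancedStatusCode = "5.7.1"
}
New-TransportRule @wall

# Review the stored rule. No exceptions are defined here on purpose:
# every exception added later is a path through the wall and should be
# reviewed as such.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, Conditions, Exceptions, Actions
```

Group membership defines who is behind the wall, so changes to either group deserve the same change control as the rule itself.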

Ethical Wall

IRM Search (Protect)
Index and search protected items
- Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and OWA
- Multi-mailbox search includes option to search IRM-protected items

Journal Report Decryption (Archive/Journal)
Journal Report Decryption Agent
- Attaches clear-text copies of RMS protected messages and attachments to journal mailbox
- Requires super-user privileges, off by default
- Requires Premium Journaling

Transport Pipeline Decryption (Protect)
- Enables Hub Transport agents to scan/modify
  - messages IRM-protected by the user in OWA
  - messages IRM-protected by the user in Outlook 2010
  - messages IRM-protected automatically by Outlook Protection Rules in Outlook 2010
- Messages protected in-transit using Transport Protection Rules are not required to be decrypted by the Decryption agent

Transport Pipeline Decryption (Protect)
- Pipeline Decryption Agent
  - uses Super-User privileges to decrypt
  - decrypts message and attachments protected with same Publishing License
- Option to NDR messages that can’t be decrypted
- Low performance impact
  - message decrypted at 1st Hub of each forest
- Agents not prevented from copying decrypted content

Configuring IRM - Exchange (Protect)
- To enable
  - Transport Decryption
  - Journal Report Decryption
  - IRM in OWA
  - IRM for Search
- Add the Federated Delivery Mailbox (system mailbox created by Exchange 2010 setup) to the SuperUsers group on the AD RMS cluster
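The configuration step above as Exchange Management Shell commands, in an added example that is not part of the original slides. It assumes the AD RMS super users group is already configured on the cluster as a mail-enabled group named "ADRMSSuperUsers" (a hypothetical name) and chooses Optional transport decryption for illustration.

```powershell
# Added example, not part of the original presentation.
# Assumption: "ADRMSSuperUsers" is the mail-enabled group already set as the
# super users group on the AD RMS cluster.

# Find the Federated Delivery Mailbox that Exchange 2010 setup created.
$fed = Get-Mailbox -Arbitration |
    Where-Object { $_.Name -like "FederatedEmail.*" }
if (-not $fed) {
    throw "Federated Delivery Mailbox not found."
}

# Members of the super users group can decrypt any content protected by the
# cluster, so add only this system mailbox.
Add-DistributionGroupMember -Identity "ADRMSSuperUsers" -Member $fed.Identity

# Turn on the four features that depend on super-user decryption.
$irm = @{
    # Optional: deliver even if decryption fails.
    # Mandatory: NDR messages that cannot be decrypted.
    TransportDecryptionSetting     = "Optional"
    JournalReportDecryptionEnabled = $true
    OWAEnabled                     = $true
    SearchEnabled                  = $true
}
Set-IRMConfiguration @irm

# Verify the settings and audit who holds super-user rights.
Get-IRMConfiguration |
    Format-List TransportDecryptionSetting, JournalReportDecryptionEnabled, OWAEnabled, SearchEnabled
Get-DistributionGroupMember -Identity "ADRMSSuperUsers" |
    Format-Table Name, RecipientType
```

Because journal report decryption stores clear-text copies in the journal mailbox, access to that mailbox needs to be restricted as tightly as membership of the super users group.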

IRM Decryption - Journaling

Session Takeaways
- Automatically monitor and control the distribution of sensitive information
- Better protect access to data with persistent Information Rights Management
- Ensure the right level of control is applied to the right messages

Related Content
- UNC316: Microsoft Exchange Server 2010 Management and Operations, Ilse Van Criekinge, 11/12/2009 * 17: :15
- SIA05-IS: Secure Messaging Using Active Directory Rights Management Services (AD RMS) and Microsoft Exchange Server 2010, Cristian Mora, 11/11/2009 * 13: :45
- SIA304: Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive, 11/12/2009 * 17: :15
- UNC16-HOL: Microsoft Exchange Server 2010 Compliance: Information Leakage Protection and Control


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.