SIA 324. Amit Fulay, Senior Lead Program Manager, Microsoft
Opening statistics (captions not recovered): $40; 85%; 28% (IDC 2009 Report)
US military secrets were found on USB sticks on sale outside a US airbase
Session Objectives
- Understand e-mail as the primary leak vector
- Understand AD RMS
- Understand Exchange 2010 – RMS integration features
- Understand how to deploy them together
- Demos
Business Ready Security
Help securely enable business by managing risk and empowering people, on a highly secure and interoperable platform.
From: Block / Cost / Siloed
To: Enable / Value / Seamless
Agenda (current section): Understand e-mail as the primary leak vector
Information Leakage is Broadly Reaching
Vertical scenarios:
- Financial Services: equity research, M&A; GLB, NASD 2711
- Healthcare & Life Sciences: research, clinical trials; HIPAA
- Manufacturing & High Technology: collaborative design, data protection in outsourcing
- Government: RFP process, classified information, national security
Horizontal scenarios:
- Sensitive e-mails
- Executive communications
- Financial data
- Price lists
- HR information
- Legal information
- Corporate governance: Sarbanes-Oxley (US)
Information Leakage is Costly on Multiple Fronts
Legal, regulatory and financial impacts:
- The cost of digital leakage per year is measured in billions of dollars
- Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
- Non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
Damage to image and credibility:
- Damage to public image and credibility with customers
- Financial impact on the company
- Leaked e-mails or memos can be embarrassing
Loss of competitive advantage:
- Disclosure of strategic plans or M&A information can lead to loss of revenue and market capitalization
- Loss of research, analytical data, and other intellectual capital
Agenda (current section): Understand AD RMS
Traditional Solutions Protect Initial Access ... but Not Ongoing Usage
Access control lists and perimeter firewalls make a single yes/no decision: authorized users get in, unauthorized users are kept out. Once an authorized user has the information, nothing stops it from being passed on to unauthorized users; that is where information leakage happens.
What is Rights Management Services?
Better safeguard sensitive information:
- Protect against unauthorized viewing, editing, copying, printing, or forwarding of information
- Limit file access to only authorized users
- Audit trail tracks usage of protected files
Persistent protection:
- Protects your sensitive information no matter where it goes
- Uses technology to enforce organizational policies
- Authors define how recipients can use their information
Flexible and customizable technology:
- RMS integrates with familiar applications and is easy to use
- Users assign "Full Control" rights to a trusted group
- ISVs build custom solutions via SDKs
System Architecture
- RMS client (built into Windows Vista and Windows 7): security processor (lockbox) on the OS platform, client API, and the RMS-enabled application; talks to the server over HTTP/SOAP
- RMS server (Windows Server 2008 / 2008 R2 server role): backed by SQL Server and Active Directory
- RMS administration: MMC 3.0 snap-in host and scripting API on Windows Server 2008
Information Workflow: Publishing and Consumption
1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC (producing a publishing license, PL)
4. Author sends mail to recipient
5. Recipient gets a use license (UL) from the RMS server
6. Recipient can access content
(Diagram components: AD, SQL and the RMS server; author and recipient each hold a RAC and a CLC.)
RMS System Workflow
1. Deployment: RMS client installed; machine activated, producing its SPC (machine certificate)
2. User certification: client sends its SPC and authenticates; server returns a RAC and a CLC
3. Publishing information: client generates a symmetric key, protects the information, and creates the PL
4. Licensing: client sends RAC and PL to the server; server returns a UL
5. Information consumption: client authorizes against the UL and decrypts the information
What's on the User's PC?
- RMS client "lockbox" holding the machine private key (obfuscated): per-machine keys guarantee that content cannot be exploited by just moving content or certificates to another machine
- Machine certificate with the machine public key: the public key for this machine, necessary in order to acquire a RAC (Rights Account Certificate)
- Rights Account Certificate (RAC): credentials to consume rights-protected content; carries the user public key and the user private key, encrypted by the machine public key
- Client Licensor Certificate (CLC): credentials to publish rights-protected content offline
- Server public key
- RMS-enabled applications
Example: Rights-Protected Document
- File content (text, pictures, metadata, etc.): encrypted with the content key
- PL (publishing license), created when the content (file) is protected: rights info (with addresses) and the content key (random AES-128), encrypted with the server public key
- UL (use license), only added to the file after the server licenses a user to open it: the content key and the rights for that particular user, encrypted with the user public key
NOTE: Outlook EULs are stored in the local user profile directory
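The key hierarchy on this slide, as an added worked model written for this page in PowerShell with the .NET crypto classes (not AD RMS code and not its XrML wire format; the lockbox, machine key and RAC/CLC certificate chains are left out, and the user names and document text are constructed). It shows why the PL alone gives nobody the content, why a use license cannot be moved between users, and what "super user" means for the Exchange agents discussed later:

```powershell
# Added model of the RMS key hierarchy (illustration only; not AD RMS code or its license format).
# Server licensor key pair and one RAC key pair per user are generated in-process.
function New-KeyPair { New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048 }
function Get-PublicKey($KeyPair) {                   # public half only, as another party would hold it
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    $pub
}

# Author side (workflow step 3): random AES-128 content key; the PL carries the rights and the
# key wrapped (RSA-OAEP) to the SERVER public key. Nobody but the server can open the PL, which
# is why every consumer has to come back to the server for a use license.
function Protect-Content([string]$Text, [hashtable]$Rights, $ServerPublicKey) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $pl = @{ Rights = $Rights; IV = $aes.IV; WrappedKey = $ServerPublicKey.Encrypt($aes.Key, $true) }
    @{ Cipher = $cipher; PL = $pl }                   # no UL yet: it is added when the server licenses a user
}

# Server side (workflow step 5): check the PL's rights for the requester, unwrap the content key
# with the server private key, re-wrap it to the USER public key. A super user is simply a RAC
# the server licenses with full rights regardless of the PL; Exchange's journal report and
# pipeline decryption depend on exactly that.
function Grant-UseLicense([hashtable]$PL, [string]$User, $UserPublicKey, $ServerKeyPair, [switch]$SuperUser) {
    if (-not $SuperUser -and -not $PL.Rights.ContainsKey($User)) {
        throw "No use license: $User has no rights in the publishing license"
    }
    $contentKey = $ServerKeyPair.Decrypt($PL.WrappedKey, $true)
    $rights = if ($SuperUser) { 'OWNER' } else { $PL.Rights[$User] }
    @{ User = $User; Rights = $rights; WrappedKey = $UserPublicKey.Encrypt($contentKey, $true) }
}

# Recipient side (workflow step 6): only the matching user private key unwraps the UL.
function Unprotect-Content([hashtable]$Doc, [hashtable]$UL, $UserKeyPair) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $UserKeyPair.Decrypt($UL.WrappedKey, $true)   # CryptographicException for any other key pair
    $aes.IV  = $Doc.PL.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Doc.Cipher, 0, $Doc.Cipher.Length)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed scenario: server licensor key; RACs for alice, bob and the Exchange super-user account.
$serverKey = New-KeyPair
$alice = New-KeyPair; $bob = New-KeyPair; $exchange = New-KeyPair

$doc = Protect-Content 'Q3 acquisition shortlist' @{ 'alice@contoso.com' = 'VIEW' } (Get-PublicKey $serverKey)

$ulAlice = Grant-UseLicense $doc.PL 'alice@contoso.com' (Get-PublicKey $alice) $serverKey
Unprotect-Content $doc $ulAlice $alice                            # alice reads the content

try { Grant-UseLicense $doc.PL 'bob@contoso.com' (Get-PublicKey $bob) $serverKey } catch { "bob: $_" }
try { Unprotect-Content $doc $ulAlice $bob } catch { "bob with alice's UL: $($_.Exception.GetType().Name)" }

# The super-user RAC is licensed although it appears nowhere in the PL.
$ulSuper = Grant-UseLicense $doc.PL 'FederatedEmail@contoso.com' (Get-PublicKey $exchange) $serverKey -SuperUser
Unprotect-Content $doc $ulSuper $exchange
```

Two things the model makes visible that the slide only implies: the server private key is the root of trust for every document ever published against the cluster (it is what the super-user feature unlocks, so membership of that group deserves the same scrutiny as domain admin), and a UL stolen from Alice's profile directory is useless without her private key, which in the real client is bound to the machine key inside the lockbox.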
External Collaboration
- Trusted User Domains
- Special AD accounts
- Trust Windows Live ID hosted service
- Identity federation
External Collaboration via AD FS: Scenario
- Fabrikam is a supplier to Contoso
- They have set up a federated trust relationship using AD FS (access to SharePoint libraries, intranet sites, etc.)
- Contoso deploys RMS
- Contoso is able to protect content it shares with Fabrikam
- Contoso's RMS server issues use licenses to Fabrikam employees
External Collaboration via AD FS: Flow
Assume the author at Contoso is already bootstrapped (RAC, CLC).
1. Author sends protected mail (PL) to recipient at Fabrikam
2. Recipient contacts the Contoso RMS server to get bootstrapped
3. WebSSO agent intercepts the request
4. RMS client is redirected to FS-R (resource federation server) for home realm discovery
5. RMS client is redirected to FS-A (account federation server) for authentication
6. RMS client is redirected back to FS-R for authentication
7. RMS client makes a request to the RMS server for bootstrapping
8. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
9. RMS server returns bootstrapping certificates (RAC, CLC) to the recipient
10. RMS server returns a use license (UL) to the recipient
11. Recipient accesses protected content
Vista / WS2008 Investments
- Easy deployment
- External collaboration (through AD FS federation)
- Policy distribution (Vista SP1 + WS2008)
- Native 64-bit client
- XPS integration
Windows 7 / WS2008 R2 Investments
- External collaboration: support extended to include 3rd-party identity providers; internal group support (i.e., groups on the federation side that include external users)
- Deployment through PowerShell
- Administration through PowerShell
- New reports
Agenda (current section): Understand Exchange 2010 – RMS integration features
Exchange 2010 Investments
- Manage inbox overload
- Enhance Unified Messaging
- Anywhere access and collaboration
- Deployment flexibility
- High availability
- Simplified administration
- Protect communications
- Compliance and archiving
- Reporting and alerts
RMS Integration Overview
- Automatic content-based privacy: Transport Rules, Protected Unified Messaging, Outlook Protection Rules
- Streamline end-user experience: IRM in OWA, search IRM mails in OWA
- Enable IT infrastructure: Journal Decryption, Transport Pipeline Decryption
Automatic Content-Based Privacy: Eliminate Reliance on the End User
Enforcement tools are required; content protection should be automated.
- Protect messages in transit via a Transport Rules action
- Protect messages by default at the Outlook client
- Private voice messages automatically protected by Unified Messaging (UM)
- Delegate policy determination to the Compliance Officer role via RBAC
Automatic Content-Based Privacy: Transport Rule Protection
Exchange Server 2010 provides a single point in the organization to control the protection of messages.
- Transport Rule action to apply an RMS template to a message
- Transport Rules support regex scanning of attachments in Exchange 2010
- Internet Confidential and Do Not Forward policies available out of the box
Transport Rule Protection: Internals
- Transport Rules Agent stamps an X-Org header on the message with the value set to the RMS template GUID
- Encryption Agent applies RMS protection to the message and attachments on the OnRouted transport agent event
- Office 2003, 2007, 14 (Office 2010) and XPS documents supported as attachments
- All encryption/decryption API located in the XSO layer
Transport Rule Protection: Server Interaction
Exchange 2010 Hub Transport with Active Directory and AD RMS:
1. Service lookup (find the AD RMS cluster via AD)
2. Bootstrap (RAC, CLC)
3. Acquire template information
4. Publish
5. Encrypt
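The transport rule protection described on the last three slides, as an added example using the Exchange 2010 Management Shell cmdlets as released (this is not code from the deck). The rule names, the regex, the group address and the Contoso domain are assumptions; "Do Not Forward" and "Internet Confidential" are the out-of-box policies the slide names. Run on a Hub Transport server after the RMS integration has been enabled:

```powershell
# Added example: content-based transport rule protection with the released Exchange 2010 cmdlets.
# Rule names, the PRJ-nnnn-XX pattern, the group address and contoso.com are constructed.

# 1. Confirm the Hub Transport can reach the AD RMS cluster and fetch templates (steps 1-3 on
#    the server-interaction slide). Note each template's GUID: that is the value the Transport
#    Rules Agent stamps into the X-Org header for the Encryption Agent to act on.
Get-RMSTemplate | Format-List

# 2. Subject/body scan: rights-protect anything carrying the constructed project-code pattern.
New-TransportRule -Name 'IRM: project codes in body' `
    -SubjectOrBodyMatchesPatterns 'PRJ-\d{4}-[A-Z]{2}' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Priority 0

# 3. Attachment scan (regex over attachment content, new in Exchange 2010). Predicates in one
#    rule are ANDed, so the attachment case needs its own rule to get OR semantics.
New-TransportRule -Name 'IRM: project codes in attachments' `
    -AttachmentMatchesPatterns 'PRJ-\d{4}-[A-Z]{2}' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Priority 1

# 4. Everything the M&A group sends outside the organization gets "Internet Confidential".
New-TransportRule -Name 'IRM: M&A external' `
    -FromMemberOf 'ma-team@contoso.com' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Internet Confidential' `
    -Priority 2

Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```

Protection applied by rule 4 is only usable by the external recipient if they can obtain a use license from Contoso's AD RMS cluster, so that rule presupposes one of the external-collaboration options from the earlier slides (AD FS federation, a trusted user domain, or Windows Live ID); otherwise the recipient receives mail they cannot open, which is a legitimate policy but should be a deliberate one.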
RMS Integration in UM
- UM administrator can allow incoming voice mail messages to be marked as "private"
- Private voice mail is protected using "Do Not Forward", preventing forwarding or copying of content
- Uses the encryption/decryption XSO API to rights-protect
- Private voice mail supported by Unified Messaging in Outlook 14 (Outlook 2010) and OWA
Outlook Protection Rules
- Small-scale rules engine delivered in an Outlook 2010 add-in
- Prevents the host/admin from accessing sensitive mail: protection is applied in the client before the message ever reaches the server
- Rule predicates: sender's department, recipient's identity, recipient's scope
- Rules are retrieved by the add-in from the CAS through EWS
- Rules can be optional or mandatory, and are applied offline or online
Outlook Protection Rules: Walkthrough
1. User creates a new message in Outlook
2. User adds the R&D distribution list to the To line
3. Outlook detects a sensitive DL and automatically protects the message as confidential
4. Administrator can define the policy as required, including disabling the Permission button so the user cannot remove the protection
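The rule behind step 3, as an added example created with the released Exchange 2010 New-OutlookProtectionRule cmdlet (not code from the deck). The DL address, department value, rule names and the Contoso domain are assumptions; the template names are the out-of-box policies mentioned earlier. Outlook 2010 fetches these rules over EWS from the CAS and applies them in the client:

```powershell
# Added example: Outlook Protection Rules with the released Exchange 2010 cmdlets.
# Addresses, department and rule names are constructed for a fictitious Contoso.

# Mandatory rule (step 3/4 of the walkthrough): anything addressed to the R&D distribution
# list is protected in the client; UserCanOverride $false is what greys out the Permission
# button so the sender cannot strip the protection.
New-OutlookProtectionRule -Name 'R&D DL: Do Not Forward' `
    -SentTo 'rnd-all@contoso.com' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $false

# Optional rule: Legal department mail leaving the organization is protected by default,
# but the sender may turn it off for an individual message.
New-OutlookProtectionRule -Name 'Legal external: Internet Confidential' `
    -FromDepartment 'Legal' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Internet Confidential' `
    -UserCanOverride $true

Get-OutlookProtectionRule | Format-Table Name, Priority, UserCanOverride, Enabled -AutoSize
```

Outlook Protection Rules are evaluated only by the Outlook 2010 add-in; a user sending from OWA, a mobile device or an older Outlook is not covered. Where the "host/admin must never see it" property matters, the client-side rule is the control; where coverage of every client matters, pair it with an equivalent transport rule, accepting that the Hub Transport then sees the clear text.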
Streamline End User Experience: Prevent RMS Protection from Getting in the IW's Way
- Prelicensing enables offline and mobile access to RMS-protected messages
- Create and compose RMS-protected messages in Outlook and OWA
- Conduct full-text search on RMS-protected messages in OWA
RMS Integration in OWA
- Create/consume RMS-protected messages natively, just like Outlook
- No client download or installation required
- Supports Firefox, Safari, Macintosh and Windows
- Conversation view, preview pane
- Full-text search on RMS-protected messages
RMS Integration in OWA: Internals
- The CAS uses super-user privileges to decrypt the end-user license (EUL) and determine which rights to enforce
- A single EUL is shared across all CAS servers to give multiple machines a common RMS identity
- Rights enforcement in the browser is weaker than in the Outlook lockbox (the clear text is rendered as HTML); where that is not acceptable, the feature can be disabled at the OWA mailbox policy level
Enable IT Infrastructure: RMS Protection Should Not Break IT Infrastructure
- Simplified Exchange-RMS integration via installation scripts and a health-check task
- Enable e-discovery via Journal Report Decryption
- Virus and spam filtering of RMS-protected messages enabled at the Hub Transport
Journal Report Decryption
Journal Report Decryption Agent:
- Attaches clear-text copies of RMS-protected messages and attachments to the journal report delivered to the journal (archive) mailbox
- Requires super-user privileges; off by default
- Stamps an X-Org header to prevent future decrypt attempts
Transport Pipeline Decryption
- Enables Hub Transport agents to scan/modify RMS-protected messages
- Pipeline Decryption Agent uses super-user privileges to decrypt the message and the attachments protected with the same publishing license
- Encryption Agent re-encrypts the message, as well as any forks and NDRs, with the original PL
Transport Pipeline Decryption: Details
- Option to NDR messages that can't be decrypted
- Low performance impact: the message is decrypted at the first Hub Transport server of each forest
- A message property indicates whether the clear-text message was produced by pipeline decryption
- Agents are not prevented from copying decrypted content, so any third-party agent on a Hub that performs pipeline decryption has the same access to the clear text as the built-in ones
RMS Integration Agents
All RMS integration agents are implemented as Hub Transport agents, by transport event:
- End of Data (SMTP receive): Pipeline Decryption Agent, decrypts RMS messages arriving from SMTP
- On Submitted: Pipeline RMS Decryption Agent, decrypts AD RMS messages submitted into the pipeline
- On Routed: Transport Rules Agent, Journal Report Decryption Agent, Encryption Agent, PreLicense Agent, Journal Agent
Agenda (current section): Understand how to deploy them together
Deployment Prerequisites
- Exchange 2010 on Windows Server 2008 R2
- Configure the AD RMS server role on Windows Server 2008 R2
- MBX and CAS servers must be running Exchange 2010
Exchange Configuration
- Exchange Server must be part of the RMS super-user group
- Enable the corresponding transport agents; for example, to enable the Transport Rules agent, use the Exchange Management Shell: Set-IRMConfiguration -EncryptionEnabled $true (pre-release parameter name; in the released Exchange 2010 the switch is -InternalLicensingEnabled $true)
RMS Configuration
1. Register a Service Connection Point (SCP) in AD
2. Add permissions for Exchange to access AD RMS
3. Set up an RMS super-user group
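One way to carry out the RMS configuration steps above together with the Exchange configuration on the previous slide, as an added example (not the deck's installation scripts): the Windows Server 2008 R2 AdRmsAdmin PowerShell provider on the AD RMS server, then the Exchange 2010 Management Shell cmdlets as released. The group name, sender address, OWA policy name and Contoso domain are assumptions. The first part runs on the AD RMS server, the rest on an Exchange 2010 server:

```powershell
# Added example: AD RMS + Exchange 2010 integration with the released cmdlets.
# Group, addresses, policy name and CONTOSO\ are constructed for a fictitious deployment.

### AD RMS server (Windows Server 2008 R2) ###
Import-Module AdRmsAdmin
New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root http://localhost | Out-Null

# Step 3: enable the super-users group and point it at a mail-enabled security group. In the
# released product the member that represents Exchange is its Federated Delivery mailbox
# (the identity the journal report and pipeline decryption agents license as super user).
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name IsEnabled      -Value $true
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value 'ADRMSSuperUsers@contoso.com'

# Step 2: let the Exchange servers activate against this cluster (the bootstrap step on the
# transport-rule slide) by granting the Exchange Servers group read & execute on the
# server certification pipeline.
$asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$acl  = Get-Acl $asmx
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Exchange Servers', 'ReadAndExecute', 'Allow')))
Set-Acl $asmx $acl

# Step 1 (SCP registration) is done once when the cluster is provisioned, or later from the
# AD RMS console; Exchange locates the cluster through that SCP ("service lookup").

### Exchange 2010 server (Exchange Management Shell) ###
# Licensing for the transport agents (transport rules, UM, prelicensing), IRM in OWA, search,
# journal report decryption, and mandatory pipeline decryption (NDR what cannot be decrypted).
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -ClientAccessServerEnabled $true `
                     -SearchEnabled $true `
                     -JournalReportDecryptionEnabled $true `
                     -TransportDecryptionSetting Mandatory

# The health-check task from the "Enable IT Infrastructure" slide: bootstraps as the sender,
# fetches templates, and round-trips a protect/decrypt through the super-user identity.
Test-IRMConfiguration -Sender 'alice@contoso.com'

# Mitigation from the OWA slide: switch IRM off for a subset of mailboxes (e.g. kiosk users)
# at the OWA mailbox policy level where browser-side enforcement is not acceptable.
Set-OwaMailboxPolicy -Identity 'Kiosk-OWA-Policy' -IRMEnabled $false
```

Treat the super-users group as a tier-0 object: every member can obtain an owner use license for any content published against the cluster, so audit its membership and keep it to the Exchange identity and, if needed, a dedicated e-discovery account. Re-run Test-IRMConfiguration after any change to the SCP, the pipeline ACL or the super-users group; it is the quickest way to see which of the five server-interaction steps is failing.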
Demo: Transport Rules, IRM in OWA, Journal Decryption
Key Takeaway Exchange 2010 and AD RMS can help your organization safeguard sensitive communication
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.