
Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive


2 Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive
Abhijat Kanade, Senior Program Manager, Microsoft Corporation. Session Code: SIA304

3 Agenda
Information Leakage Problem
AD RMS History
What's New in CY09 (with demos):
  AD RMS Server Role in Windows Server 2008 R2
  Exchange 2010 integration
  AD RMS Bulk Protection Tool
  RSA DLP 6.5+ integration
Q&A

4 Business Ready Security: Help securely enable business by managing risk and empowering people
Protection, Access, Identity and Management on a Highly Secure & Interoperable Platform
Protect everywhere, access anywhere
Integrate and extend security across the enterprise
Simplify the security experience, manage compliance
From Block to Enable; from Cost to Value; from Siloed to Seamless

5 The Information Workplace

6 The Information Workplace
Diagram: information flows to home PCs, USB drives, mobile devices, independent consultants and partner organizations. Companies face growing risks of data leaks.

7 Information Leakage Is Costly On Multiple Fronts
Legal, Regulatory, and Financial impacts: the cost of digital leakage per year is measured in $Billions; an increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386; non-compliance with regulations or loss of data can lead to significant legal fees.
Damage to Image and Credibility: damage to public image and credibility with customers; financial impact on the company; leaked e-mails or memos can be embarrassing.
Loss of Competitive Advantage: disclosure of strategic plans or M&A information can lead to loss of revenue and market capitalization; loss of research, analytical data, and other intellectual capital.
Data must be protected, but must remain accessible.

8 Location Based Solutions Protect Initial Access
Diagram: a firewall perimeter and an access control list perimeter, with authorized users inside both.

9 Location Based Solutions Protect Initial Access… But Do Not Protect Usage
Diagram: the same firewall and access control list perimeters, with unauthorized users outside them; information leakage occurs once content has passed the perimeters.

10 AD RMS Is A Content-Based Solution: Protects the Information Itself, No Matter How It Is Shared And Where It Goes (the policy travels with the content)

11 Active Directory Rights Management Services
Persistent protection: Encryption + Policy. The policy specifies Access Permissions (Who) and Use Right Permissions (What).

12 AD RMS Workflow: Publishing and Consumption
Components: AD DS, SQL, AD RMS server. Assume author and recipient are already bootstrapped with a RAC (Rights Account Certificate) and a CLC (Client Licensor Certificate).
1. Author creates mail.
2. Author protects mail using RAC and CLC; this produces the publishing license (PL) that is bound to the content.
3. Author sends mail to recipient.
4. Recipient gets a use license (UL) from the RMS server.
5. Recipient can access content.

13 AD RMS History: Windows Server 2003 / Windows Server 2008 / Windows Server 2008 R2
Server
  Windows Server 2003: out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2); AD RMS Trust: TUD (Trusted User Domain), WLID (Windows Live ID)
  Windows Server 2008: AD RMS server role (v2); AD RMS Trust: AD FS federation support; improved installation and mgmt; AD RMS template distribution (Vista SP1 and above); admin reports; different admin roles
  Windows Server 2008 R2: AD RMS server role (v3); AD RMS Trust: publishing org (internal) group support for federated users; improved installation and mgmt through PowerShell; additional admin reports
Client
  Windows Server 2003: out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
  Windows Server 2008: AD RMS client integrated in Windows Vista and WS2008
  Windows Server 2008 R2: AD RMS client integrated in Windows 7 and WS2008 R2
Microsoft Solutions
  Windows Server 2003: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)
  Windows Server 2008: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (doc libraries); Exchange 2007 SP1 (prelicensing)
  Windows Server 2008 R2: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration
Partner Solutions (two columns on the slide, in the order extracted)
  RSA DLP; PDF solution – Foxit; Secure Content Mgmt – OpenText
  PDF and other file formats & Blackberry support – Gigatrust, Liquid Machines; CAD file format – Dassault Systems; Classification – Titus Labs; Secure Content Mgmt – Workshare
* Each consecutive release on this slide includes features from the prior release

14 AD RMS Server Role in WS2008 R2 Customer Ask #1: Deployment and Administration
Consistency: ensure identical deployments; automate common tasks.
Flexibility: for managing the server; local and remote access.

15 AD RMS Server Role in WS2008 R2: Deployment and Administration
PowerShell support for deployment and admin: deployment cmdlets are available out of the box; admin cmdlets become available after the AD RMS server role has been deployed.
Additional admin reports (system health).
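An added example of the R2 admin cmdlets in use; it is not from the deck. It reviews the one setting that underpins the Exchange scenarios later in the session: the super users group, whose members can decrypt anything the cluster has ever licensed. The cluster URL https://adrms.contoso.com, the groups adrms-superusers@contoso.com and fte@contoso.com and the template name are hypothetical; the script assumes the AdRmsAdmin module from the R2 role and the ActiveDirectory RSAT module are both available.

```powershell
# Added example, not part of the original deck. Cluster URL, group addresses
# and template name are hypothetical. Runs on a WS2008 R2 AD RMS server
# (AdRmsAdmin module) with the ActiveDirectory module (RSAT) installed.
Import-Module AdRmsAdmin
Import-Module ActiveDirectory

$cluster        = 'https://adrms.contoso.com'
$superUserGroup = 'adrms-superusers@contoso.com'

# The AdRmsAdmin provider exposes the cluster as a drive; every setting the
# MMC shows is an item or item property underneath it.
New-PSDrive -PSProvider AdRmsAdmin -Name AdRmsCluster -Root $cluster | Out-Null

# --- Super users -----------------------------------------------------------
# Exchange journal decryption, transport decryption and OWA all decrypt via
# this group, so review it first: is it on at all, and who is in it?
$su = Get-ItemProperty -Path 'AdRmsCluster:\SecurityPolicy\SuperUser'
Write-Host ("Super users enabled: {0}; group: {1}" -f $su.IsEnabled, $su.SuperUserGroup)

if ($su.IsEnabled -and $su.SuperUserGroup) {
    # Expand nested membership: a nested group is the usual way this list
    # grows past what anyone intended.
    $grp = Get-ADGroup -Filter "mail -eq '$($su.SuperUserGroup)'"
    Get-ADGroupMember -Identity $grp -Recursive |
        Select-Object Name, SamAccountName, objectClass |
        Format-Table -AutoSize
}

# Enable deliberately (for example for the Exchange decryption agents): set
# the group first, then the switch. Disable again when the need is over.
function Enable-AdRmsSuperUsers {
    param([string]$GroupAddress)
    Set-ItemProperty -Path 'AdRmsCluster:\SecurityPolicy\SuperUser' -Name SuperUserGroup -Value $GroupAddress
    Set-ItemProperty -Path 'AdRmsCluster:\SecurityPolicy\SuperUser' -Name IsEnabled      -Value $true
}
function Disable-AdRmsSuperUsers {
    Set-ItemProperty -Path 'AdRmsCluster:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
}

# --- Rights policy templates ---------------------------------------------
# List what the cluster publishes. Exchange transport rules reference
# templates by display name, so a renamed or deleted template breaks a rule.
Get-ChildItem -Path 'AdRmsCluster:\RightsPolicyTemplate'

# A view/edit template for full-time employees only, the kind of template the
# FCI scenario later in the deck applies to classified files.
New-Item -Path 'AdRmsCluster:\RightsPolicyTemplate' `
    -LocaleName 'en-us' `
    -DisplayName 'Contoso Confidential' `
    -Description 'View and edit for full-time employees only' `
    -UserGroup 'fte@contoso.com' `
    -Right ('View', 'Edit')

Remove-PSDrive -Name AdRmsCluster
```

Run the review part before and after enabling any Exchange decryption feature; the group's recursive membership is the real list of who can read protected content, regardless of what the templates say.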

16 demo AD RMS Administration

17 AD RMS Server Role in WS2008 R2 Customer Ask #2
Simplify collaboration: enable secure external collaboration; consistent end-user experience when working with internal and external users.
Control access: the publishing organization maintains full control of content; groups are defined by the publishing organization.

18 AD RMS Server Role in WS2008 R2: Secure External Collaboration
WS2008 introduced federation support via AD FS, but external users had to be individually identified when protecting information.
WS2008 R2 supports protecting to publishing-org (internal) groups that include external users, so there is no need to individually identify external users.

19 External Collaboration via ADFS
Actors: Contoso (Alice, AD, RMS server, AD FS resource federation server FS-R with its WebSSO agent) and Fabrikam (Bob, AD, AD FS account federation server FS-A). Assume the author is already bootstrapped (RAC and CLC).
1. Alice sends protected mail to the projectX group, of which Bob at Fabrikam is a member; the publishing license (PL) names that group.
2. The recipient contacts the RMS server to get bootstrapped.
3. The WebSSO agent intercepts the request.
4. The RMS client is redirected to FS-R for home realm discovery.
5. The RMS client is redirected to FS-A for authentication.
6. The RMS client is redirected back to FS-R for authentication (carrying the token issued by FS-A).
7. The RMS client makes a request to the RMS server for bootstrapping.
8. The RMS server returns certificates (RAC, CLC) to the recipient.
9. The RMS client makes a request to the RMS server for a use license.
10. The RMS server retrieves Bob's group membership from Contoso's AD (where Bob is represented as a member of projectX) and compares it to the PL.
11. The RMS server returns the use license (UL) to the recipient.
12. The recipient accesses the protected content.
The access decision in step 10 is made against the publishing organization's directory, which is what lets Contoso keep full control of who in Fabrikam can open the content.

20 Exchange 2010 RMS Integration Themes
Streamline end-user experience
Enable automatic protection
Integrate seamlessly with IT infrastructure

21 Exchange 2010 RMS Integration Customer Ask #1: Seamless protection
Ensure an identical end-user experience for unprotected and RMS-protected e-mails.
OWA support: view and reply to RMS-protected e-mails in OWA without an additional add-on.

22 Exchange 2010 RMS Integration: Streamline End-user Experience
Prelicensing support enables offline and mobile access to RMS-protected e-mails (introduced in Exchange 2007 SP1).
Consume and publish RMS-protected e-mails in OWA (Internet Explorer, Firefox, Safari).
Conduct full-text search on RMS-protected e-mails in OWA.

23 RMS-Protected E-mails in OWA
demo: RMS-Protected E-mails in OWA

24 Exchange 2010 RMS Integration: RMS Integration In OWA: Details
The Client Access Server (CAS) uses super user privileges to decrypt the message.
The prelicensed use license (UL) is used to determine which rights to enforce.
Rights-enforcement concerns in the browser (HTML rendering cannot enforce usage restrictions as strictly as the Office client) are mitigated by enabling the feature only for a specific set of users, at the mailbox-policy level.

25 Exchange 2010 RMS Integration Customer Ask #2: Enable automatic protection
Based on content and context analysis.

26 Exchange 2010 RMS Integration: Automatic Protection
Automatically protect e-mails in transit via Exchange transport rules.
Automatically protect e-mails in Outlook 2010 (through an add-in).
Automatically protect private voicemails through Exchange Unified Messaging (UM).

27 Exchange 2010 RMS Integration: Automatic Protection Through Transport Rules
A transport rule action applies an AD RMS template to the message, based on content and context analysis.
Content analysis: keyword and RegEx scanning of e-mails and attachments.
Context examples: From, To.

28 Exchange Transport Rules Based Automatic RMS-Protection
demo Exchange Transport Rules Based Automatic RMS-Protection

29 Exchange 2010 RMS Integration: Automatic Protection Through Transport Rules: Details
The Rules agent stamps an x-org header on the e-mail carrying the RMS template GUID.
The Encryption agent applies the RMS template to the e-mail and its attachments on the onRouted transport agent event.
Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get protected automatically.
Extensible to other file formats through an IRM Protector implementation.

30 Exchange 2010 RMS Integration: Automatic Protection Through Outlook Protection Rules
Outlook 2010 add-in (small-scale rules engine); protection is applied in the client before the message leaves Outlook, which mitigates concerns about an Exchange admin or host accessing sensitive mail.
Rules are context only: sender's department, recipient's identity, recipient's scope (internal/external).
Rules are retrieved by the add-in from the CAS through the Exchange Web Services (EWS) API.
Ability to allow or disallow the user to override automatic protection.

31 Outlook 2010 Add-In Protection Rules
demo Outlook 2010 Add-In Protection Rules

32 Exchange 2010 RMS Integration: Automatic Protection Through Unified Messaging
The UM admin can allow incoming voicemails to be marked as "private".
Private voicemails can be protected using the "Do Not Forward" RMS template, preventing forwarding and copying of voicemail content.
Private voicemails are supported in OWA and Outlook 2010.
Uses the Encryption/Decryption XSO API to RMS-protect.
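The three automatic-protection paths from slides 26 to 32 configured from the Exchange 2010 Management Shell, as an added example that is not part of the deck. "Do Not Forward" is the built-in AD RMS template; the "Contoso Confidential" template, the rule names, the ProjectX code word, the card-number pattern, the Legal department, the UM policy name and alice@contoso.com are all hypothetical.

```powershell
# Added example, not part of the original deck. Run in the Exchange 2010
# Management Shell. Every name except the built-in "Do Not Forward" template
# is hypothetical.

# Exchange needs its own RAC/CLC from AD RMS before it can protect in
# transit; this switch enables that, and the test shows whether it worked.
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender alice@contoso.com

# 1. Transport rules (content + context), enforced on the Hub Transport, so
#    the sending client and the sender's intent do not matter.
#    Context predicate: recipients outside the organization.
#    Content predicate: a code word anywhere in subject or body.
New-TransportRule -Name 'Protect ProjectX mail leaving the org' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'ProjectX' `
    -ApplyRightsProtectionTemplate 'Contoso Confidential'

#    Attachments are scanned too; supported Office and XPS attachments are
#    protected together with the message when the rule fires.
New-TransportRule -Name 'Protect attachments carrying card numbers' `
    -AttachmentMatchesPatterns '\b\d{4}-\d{4}-\d{4}-\d{4}\b' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# 2. Outlook protection rule (context only), applied by the Outlook 2010
#    add-in before the message leaves the client, so Exchange only ever sees
#    ciphertext. Override is disabled here; set $true to let users opt out.
New-OutlookProtectionRule -Name 'Legal to internal recipients' `
    -FromDepartment 'Legal' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $false

# 3. Unified Messaging: voicemail marked private by the caller is wrapped in
#    Do Not Forward; the text is what a non-IRM client shows instead.
Set-UMMailboxPolicy -Identity 'Contoso Default Policy' `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true `
    -ProtectedVoiceMailText 'This voice message is protected. Open it in Outlook 2010 or Outlook Web App.'

# Review what will fire: every transport rule that applies a template, and
# the client-side rules the add-in will download through EWS.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, Priority, State, ApplyRightsProtectionTemplate -AutoSize
Get-OutlookProtectionRule | Format-List
```

The two rule types fail differently: a transport rule protects whatever reaches the hub, including mail from clients that have no RMS support, while an Outlook protection rule only takes effect where the Outlook 2010 add-in is present, so the context-only rule is a complement to the transport rule, not a replacement for it.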

33 Exchange Unified Messaging Protected Voicemails
demo: Exchange Unified Messaging Protected Voicemails

34 Voicemail is RMS-protected based on the sender marking it as 'private' or through administrative policy

35 Exchange 2010 RMS Integration Customer Ask #3
Enable e-discovery: support in-the-clear archival of RMS-protected e-mails.
Allow scanning of protected e-mails: ability to scan RMS-protected e-mails in transport; ability to modify RMS-protected e-mails in transport.

36 Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration
Enables e-discovery via journal decryption.
Enables anti-malware and other scenarios (such as adding a disclaimer) at the hub transport via transport decryption and re-encryption.

37 Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Journal Decryption
The Journal Report Decryption Agent attaches clear-text copies of RMS-protected e-mails and attachments to the journal report delivered to the journal (archive) mailbox.
Requires super user privileges.
The feature is off by default.

38 Exchange Journal Decryption
demo Exchange Journal Decryption

39 Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Transport Pipeline Decryption
Enables Hub Transport agents to scan and modify RMS-protected e-mails.
Pipeline Decryption Agent: uses super user privileges to decrypt e-mails; decrypts both e-mails and attachments.
The Encryption Agent re-encrypts messages after the other agents have run.
Option to NDR messages that cannot be decrypted.
All AD RMS integration agents are implemented as internal agents.
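The OWA, journal-decryption and transport-decryption settings from slides 24, 37 and 39, configured and checked from the Exchange 2010 Management Shell; this is an added example, not part of the deck. It assumes the AD RMS super users group is already enabled on the cluster and contains Exchange's Federated Delivery mailbox (the identity the agents decrypt with); the OWA policy name and the two mailbox addresses are hypothetical.

```powershell
# Added example, not part of the original deck. Exchange 2010 Management
# Shell. Prerequisite outside this script: the AD RMS super users group is
# enabled and contains the Federated Delivery mailbox. Policy and user
# names are hypothetical.

# Journal report decryption: clear-text copies of protected mail and
# attachments are attached to journal reports. Off by default; once on, the
# journal mailbox is a plaintext copy of everything protected, so treat its
# access list like the super users group itself.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# Transport decryption for hub agents (anti-malware, disclaimers, rules).
#   Disabled  - protected mail passes through opaque and unscanned
#   Optional  - decrypt when possible, deliver unscanned otherwise
#   Mandatory - NDR anything the hub cannot decrypt (the slide's "option to NDR")
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# OWA: the Client Access Server decrypts on the user's behalf, so scope it to
# a mailbox policy and assign that policy per user instead of enabling it
# for everyone.
Set-IRMConfiguration -ClientAccessServerEnabled $true
Set-IRMConfiguration -SearchEnabled $true      # full-text search of protected mail in OWA
New-OwaMailboxPolicy -Name 'IRM-OWA-Users' | Out-Null
Set-OwaMailboxPolicy -Identity 'IRM-OWA-Users' -IRMEnabled $true
Set-CASMailbox -Identity 'alice@contoso.com' -OwaMailboxPolicy 'IRM-OWA-Users'

# Review the resulting state and prove licensing works end to end for a
# sender/recipient pair. Failures here usually mean the super users group
# is disabled or the cluster URL (LicensingLocation) is wrong.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ClientAccessServerEnabled, SearchEnabled, JournalReportDecryptionEnabled, TransportDecryptionSetting, LicensingLocation
Test-IRMConfiguration -Sender alice@contoso.com -Recipient bob@contoso.com
```

Mandatory transport decryption is the setting that keeps a "cannot decrypt" condition from becoming a scanning bypass: with Optional, a message protected against a template the hub cannot license (for example from a foreign cluster without a trust) is delivered without ever being inspected.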

40 Exchange Transport Decryption and Re-Encryption
demo Exchange Transport Decryption and Re-Encryption

41 Exchange 2010 RMS Integration (summary)
Streamline end-user experience: consume and publish RMS-protected e-mails in OWA; search RMS-protected e-mails in OWA.
Enable automatic protection: through transport rules; through Outlook protection rules; through Unified Messaging (voicemails).
Integrate seamlessly with IT infrastructure: in-the-clear archival of RMS-protected e-mails; ability to scan and modify RMS-protected e-mails in transport.
Exchange RMS integration features require the AD RMS Server Role in WS2008 R2, or WS2008 SP2 plus a KB hotfix.

42 AD RMS Bulk Protection Tool Customer Ask
Bulk decryption tool: recover RMS-protected documents; help in e-discovery efforts.

43 AD RMS Bulk Protection Tool Details
Command line tool.
Bulk decryption: e-discovery of content for litigation/audit purposes.
Bulk encryption: safeguard existing sensitive information.
Can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server.

44 AD RMS Bulk Protection Tool Details
Supported file formats: Office 2003 and above (Word, Excel, PowerPoint); XPS; extensible to other file formats via an IRM protector implementation.
Bulk decryption is also available for items within Outlook PSTs (requires Outlook 2007).
Supported on XP/WS2003 and above; requires RMS Client v1 SP2 and .NET Framework 2.0 on XP and WS2003.

45 AD RMS Bulk Protection Tool With WS2008 R2 FCI
1. A user creates a file "marketing.docx" on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High).
3. An Automated File Management Task invokes the AD RMS Bulk Protection Tool to RMS-protect the file automatically (restricting access to Full-Time Employees only).
4. A Full-Time Employee can access "marketing.docx".
5. A malicious user who obtains the file through an unintentional leak is not able to access the file content.

46 AD RMS Bulk Protection Tool with WS2008 R2 FCI
demo AD RMS Bulk Protection Tool with WS2008 R2 FCI

47 Partner Solution: RSA DLP Automatic Protection For Datacenters and Endpoints
Integrated solution to discover sensitive data on endpoints and in the datacenter and automatically RMS-protect it.
Requirements: RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products); AD RMS Server Role in WS2008 and above.

48 Partner Solution: RSA DLP: How The Integration Works
Example "Intellectual Property (IP)" template: R&D Department: View, Edit, Print; Marketing Department: View; Others: No Access.
1. The AD RMS admin creates AD RMS templates for data protection (Microsoft AD RMS).
2. The RSA DLP admin selects or creates policies to find sensitive data and protect it using AD RMS (e.g., IP Policy: find 'IP' documents, apply the 'IP' AD RMS template).
3. RSA DLP discovers and classifies sensitive files, and applies AD RMS protection based on policy, on endpoints (laptops/desktops), file shares and SharePoint.
4. Users request files; AD RMS provides identity-based access.

49 AD RMS History (recap): the same timeline as slide 13.

50 More Information
AD RMS TechNet TechCenter [Link] and Documentation Roadmap [Link]
Exchange 2010 and AD RMS Integration [Link]
AD RMS Bulk Protection Tool Download [Link]
WS2008 R2 FCI Website [Link]
RSA DLP Website [Link]
MSIT Deployment: AD RMS Deployment [Link]; FCI and AD RMS Bulk Protection Tool Deployment [Link]; RSA DLP and AD RMS Deployment [Link]
Blogs: AD RMS Product Team Blog [Link]; Jason Tyler Blog [Link] (Jason is a Senior Support Escalation Engineer for AD RMS)

51 Q&A

52 Resources: www.microsoft.com/teched
TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
Sessions On-Demand & Community; Microsoft Certification & Training Resources; Resources for IT Professionals; Resources for Developers

53 Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

54 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

