Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIM328. Access Control List Perimeter No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but.

Published byNoel Thornton Modified over 9 years ago

Similar presentations

Presentation on theme: "SIM328. Access Control List Perimeter No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but."— Presentation transcript:

1 SIM328

2

3

4

5

6 Access Control List Perimeter No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but not indirect usage

7 Protects documents and email Encrypts data Decrypts for authorized personnel Can restrict other capabilities Forward Print Cut/Copy/Paste Enforces document security after the file is opened Central policy management via templates

8 1 3. 4. Consumption Protection 2. 5. ( Author automatically receives AD RMS credentials (“rights account certificate” and “client licensor certificate”) the FIRST TIME they rights-protect information The application works with the AD RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it The AD RMS Author distributes file Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the AD RMS server, which validates the user and issues a “use license.” Application renders file and enforces rights.

9 a Rights Info w/ email addresses Content Key Encrypted with the server’s public key Publishing License The Content of the File (Text, Pictures, metadata, etc) End User Licenses Content Key (big random number) Rights for a particular user Encrypted with the user’s public key Created when file is protected Only added to the file after server licenses a user to open it Encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key Encrypted with the server’s public key Encrypted with the user’s public key NOTE: Outlook E-mail EULs are stored in the local user profile directory

10

11

12

13

14 AD RMS server Information protection Recipient SQL Server keeps the latest templates Template Document protected based on template RM-enabled application requests use license with latest rights

15 AD RMS Client AD RMS Server

16

17 AD RMS Topology AD RMS Root Server Database License-only Server Database License-only Server Cluster AD RMS Root Cluster

18 AD RMS Server Active Directory SQL MOSS 2007 Exchange Server 2007 SP1 RMS Client RM-enabled application AD RMS Infrastructure Components (cont.)

19 AD RMS Server

20

21 Active Directory

22

23

24 User Identity SLC Issuer Pub key Signature Server Identity CLC Issuer Prv key Signature Pub key Encrypted with Issuer is Certificate key pairs : RSA-1024 Content key: AES-128 SLC: Server Licensor Certificate RAC: Rights Account Certificate CLC: Client Licensor Certificate SPC: Security Processor Certificate PL: Publish License UL: Use License PL Issuer Signature Content key Issuer is Encrypted with UL Issuer Signature Content key Issuer is Encrypted with AD RMS uses XrML certificates, not X.509 certificates AD RMS Certificates and Licenses Machine Identity SPC Issuer Pub key Prv key Signature Protected using both DPAPI and RSAVault (for obfuscation) Issuer Prv key Signature Pub key RAC

25

26

27

28

29

30

31

32

33

34 www.microsoft.com/teched Sessions On-Demand & CommunityMicrosoft Certification & Training Resources Resources for IT ProfessionalsResources for Developers www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn http://northamerica.msteched.com Connect. Share. Discuss.

35

36 Scan the Tag to evaluate this session now on myTechEd Mobile

37

38 RMS Protected Document Signed

39 RMS Protected Document Signed Client Licensor Certificate Public Key Rights Account Certificate Public Key Unencrypted document Client Server ?

40

Download ppt "SIM328. Access Control List Perimeter No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but."

Similar presentations

Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.

Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.
WSV405. IPv6 Ready Logo Program www.ipv6ready.org.

WSV405. IPv6 Ready Logo Program
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
OSP303. demo Status Bar Notification.

OSP303. demo Status Bar Notification.
Mohan Atreya Sr. Product Manager RSA Corporation SIA311 Marcio Mello Sr. Program Manager Lead Microsoft Corporation.

Mohan Atreya Sr. Product Manager RSA Corporation SIA311 Marcio Mello Sr. Program Manager Lead Microsoft Corporation.
SIM344. 2 Separate solution install paths can be taken, stand alone and SCOM integrated. Both require core AVIcode web apps and DB’s.

SIM Separate solution install paths can be taken, stand alone and SCOM integrated. Both require core AVIcode web apps and DB’s.
PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.

PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.
S/MIME Email and PKI Dartmouth College PKI Lab. What Is S/MIME? RFC 2633 (S/MIME Version 3)RFC 2633 Extensions to MIME Uses PKI certificates, keys, and.

S/MIME and PKI Dartmouth College PKI Lab. What Is S/MIME? RFC 2633 (S/MIME Version 3)RFC 2633 Extensions to MIME Uses PKI certificates, keys, and.
4/19/2017 5:50 AM SIA323 Planning, Designing & Deploying a Highly Available AD RMS Infrastructure Jovita Nsoh Senior Security Architect Security Governance.

4/19/2017 5:50 AM SIA323 Planning, Designing & Deploying a Highly Available AD RMS Infrastructure Jovita Nsoh Senior Security Architect Security Governance.
SIM346. General information about the software application.

SIM346. General information about the software application.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
DEV207. SSDT Database Services Database Services Analysis Services Reporting Services Integration Services.

DEV207. SSDT Database Services Database Services Analysis Services Reporting Services Integration Services.
DEV314. Entity Data Model demo Entity Data Model.

DEV314. Entity Data Model demo Entity Data Model.
DEV202 Before I get started... …is too expensive. …is too complex. …requires a server.

DEV202 Before I get started... …is too expensive. …is too complex. …requires a server.
Module 6: Configuring AD RMS

Module 6: Configuring AD RMS
SIM318. Protect Sensitive Information Reduce risk associated with information leaks Improve regulatory compliance Centrally manage information protection.

SIM318. Protect Sensitive Information Reduce risk associated with information leaks Improve regulatory compliance Centrally manage information protection.
WCL309. Demo.

WCL309. Demo.
SIM329. Certificate Enrollment Without CEP/CES Certificate Authority Active Directory Client Workstations 3 4 1 2 LDAP RPC/DCOM.

SIM329. Certificate Enrollment Without CEP/CES Certificate Authority Active Directory Client Workstations LDAP RPC/DCOM.
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Similar presentations

Ads by Google