SESSION CODE: SIA311
Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond
Clinton Ho, Program Manager, Microsoft Corporation

Agenda
• Microsoft Business Ready Security
• AD RMS Bulk Protection Tool
• AD RMS & File Classification Infrastructure
• AD RMS PowerShell
• Exchange 2010 & AD RMS Integration Features
• On the Horizon…
Business Ready Security
Help securely enable business by managing risk and empowering people, across on-premises & cloud.
• Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
Pillars: Identity, Access, Protection, Management, on a highly secure & interoperable platform.
From → to: Block → Enable; Cost → Value; Siloed → Seamless.
AD RMS Bulk Protection Tool: Feature Details
• Simple command-line interface
• Bulk decrypts Microsoft Office files and items within Outlook PSTs
• Bulk encrypts Microsoft Office files to an RMS template
• Extensible to support other file formats via Information Rights Management (IRM) protectors (e.g., support for Foxit PDF)

AD RMS Bulk Protection Tool: Command Line Examples
• Bulk Decryption
  RMSBulk.exe /decrypt \\Share\Folder\ /log RMSBulk.log
• Bulk Encryption
  RMSBulk.exe /encrypt \\Share\Folder\file.doc ContosoConfidential.xml /log C:\Logs\RMSBulk.log

AD RMS Bulk Protection Tool
Available on Microsoft Download Center: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd
System Requirements
• Windows XP, Windows Vista, Windows 7
• Windows Server 2008 R2
• Outlook 2007, Outlook 2010 (required only for PST operations)
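The slide shows the two RMSBulk.exe invocations; in practice the tool is driven from a script that walks a share and reports what was not protected. The following PowerShell wrapper is an added example, not code from the presentation or from the tool's documentation. It assumes an install path for RMSBulk.exe, a path for the exported template XML, and that the tool returns a non-zero exit code on failure; the share and log path are the ones used on the slide.

```powershell
# Added example (not part of the presentation): drive RMSBulk.exe over a share,
# applying one RMS template to every Office file, and surface the failures.
# Tool path, template path, and the exit-code convention are assumptions.
param(
    [string]$RmsBulkExe = 'C:\Tools\RMSBulk\RMSBulk.exe',          # assumed install location
    [string]$Root       = '\\Share\Folder',                         # share used on the slide
    [string]$Template   = 'C:\Templates\ContosoConfidential.xml',   # exported template; assumed path
    [string]$LogPath    = 'C:\Logs\RMSBulk.log'                     # log path used on the slide
)

# Fail early if the tool or the template is missing rather than per file.
foreach ($p in @($RmsBulkExe, $Template)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Prerequisite not found: $p" }
}
$logDir = Split-Path -Parent $LogPath
if (-not (Test-Path -LiteralPath $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Office formats the tool handles natively; other formats need an IRM protector installed.
$officeExt = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx')
$targets = Get-ChildItem -Path $Root -Recurse |
    Where-Object { -not $_.PSIsContainer -and $officeExt -contains $_.Extension.ToLower() }

$failed = @()
foreach ($f in $targets) {
    # Same syntax as the slide: RMSBulk.exe /encrypt <file> <template.xml> /log <log file>
    & $RmsBulkExe /encrypt $f.FullName $Template /log $LogPath
    # Assumption: a non-zero exit code means the file was left unprotected.
    if ($LASTEXITCODE -ne 0) {
        $failed += New-Object PSObject -Property @{ File = $f.FullName; ExitCode = $LASTEXITCODE }
    }
}

Write-Host ("Processed {0} file(s); {1} failure(s). Tool log: {2}" -f @($targets).Count, $failed.Count, $LogPath)
$failed | Format-Table -AutoSize
```

The per-file loop mirrors the single-file form shown on the slide; reviewing `$failed` against the tool's own log is what tells you whether a share really is fully protected before you rely on it for leak prevention.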
AD RMS & File Classification Infrastructure
Identify and protect sensitive documents on file servers. Complement manual RMS protection with automated server-side IT policies for complete ownership of security infrastructure and prevention of inadvertent data leakage.
Flow shown on the slide (FCI Classify → Mgmt Task: RMS Protect):
1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as “sensitive” based on content, including “Confidential” and “Internal only”.
3. An automated File Management Task invokes RMS protection to restrict access to “Full-Time Employees” only.
4. A Full-Time Employee can access “marketing.docx”.
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content.
Businesses can automatically RMS protect 1,000s of confidential files on their file servers.

Better Together: AD RMS Bulk Protection Tool & File Classification Infrastructure (DEMO)
AD RMS PowerShell
• Faster way to manage AD RMS deployments
• AD RMS PowerShell scripts expose all the functionality of the AD RMS administrator’s interface
• Users familiar with the GUI can see the same breakdown of functions in the PowerShell cmdlets

AD RMS PowerShell
• Split into deployment and administration functionalities
• Deployment
  • These cmdlets are available out of the box on Windows Server 2008 R2
  • AD RMS can be installed and configured with these scripts
• Admin
  • These cmdlets are available after the AD RMS role is installed on Windows Server 2008 R2
  • Very convenient for repetitive tasks on the server
    • Managing user lists
    • Managing exclusion policies
    • Creating licensing and usage reports
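The deployment/administration split described above maps onto two modules on Windows Server 2008 R2: the ADRMS module with its ADRMSInstall provider (usable before the role exists) and the ADRMSAdmin module with its AdRmsAdmin provider (usable once the role is installed). The script below is an added example, not code from the presentation; the cluster URL, names, and credentials are constructed, and the provider paths marked "assumed" in the comments have not been taken from the page.

```powershell
# Added example (not from the presentation): the two halves of AD RMS PowerShell.
# Part 1 installs a root cluster with the deployment provider; part 2 performs the
# repetitive admin tasks named on the slide with the administration provider.
# URLs, account names, and the paths marked "assumed" are assumptions.

# ---- Part 1: deployment (cmdlets available before the AD RMS role is installed) ----
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

$svcCred = Get-Credential "CONTOSO\svc-adrms"                 # constructed service account name
$keyPwd  = Read-Host "Cluster key password" -AsSecureString    # protects the centrally managed cluster key

Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true  # WID for a lab; use SQL Server for a production cluster
Set-ItemProperty -Path RC:\ClusterKey      -Name UseCentrallyManaged        -Value $true
Set-ItemProperty -Path RC:\ClusterKey      -Name CentrallyManagedPassword   -Value $keyPwd
Set-ItemProperty -Path RC:\ClusterWebSite  -Name WebSiteName                -Value "Default Web Site"
Set-ItemProperty -Path RC:\ClusterUrl      -Name InternalUrl                -Value "https://adrms.contoso.com"  # assumed FQDN; HTTPS needs a bound certificate
Set-ItemProperty -Path RC:\SLCName         -Name SLCName                    -Value "Contoso AD RMS Root Cluster"
Set-ItemProperty -Path RC:\ServiceAccount  -Name ServiceAccount             -Value $svcCred
Set-ItemProperty -Path RC:\SCP             -Name RegisterSCP                -Value $true   # publish the service connection point in AD

Install-ADRMS -Path RC:\ -Force

# ---- Part 2: administration (cmdlets available once the role is installed) ----
Import-Module ADRMSAdmin
New-PSDrive -PSProvider AdRmsAdmin -Name AdRmsAdmin -Root http://localhost | Out-Null

# Rights policy templates, as the GUI's "Rights Policy Templates" node shows them
Get-ChildItem AdRmsAdmin:\RightsPolicyTemplate | Format-Table -AutoSize

# Exclusion policies: enable user exclusion and list the excluded users
Set-ItemProperty -Path AdRmsAdmin:\ExclusionPolicy\User -Name IsEnabled -Value $true
Get-ChildItem AdRmsAdmin:\ExclusionPolicy\User

# Super users group: review it deliberately, since it can decrypt all content
# (the Bulk Protection Tool decrypt path and the Exchange decryption agents depend on it)
Get-ItemProperty AdRmsAdmin:\SecurityPolicy\SuperUser

# Licensing and usage reports: container path is assumed; confirm with
# "Get-ChildItem AdRmsAdmin:\" on a live cluster before scripting against it.
Get-ChildItem AdRmsAdmin:\Report
```

Running part 1 on a member server with the role binaries available installs and configures the cluster in one pass; part 2 is what the slide's "repetitive tasks" look like once the AdRmsAdmin drive is mounted, with the super users group check added because that group is the one setting most worth auditing on a cluster.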
Automatic Content-Based Privacy: Eliminate reliance on the end user
• Enforcement tools are required.
• Content protection should be automated.

Transport Protection Rule
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
• Automatic Content-Based Privacy:
  • Transport Rule action to apply an RMS template to an e-mail message
  • Transport Rules support regex scanning of attachments in Exchange 2010
  • Do Not Forward policy available out of the box

Protect Voice Message
• UM Administrator can allow incoming voice mail messages to be marked as “private”
• Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying of content
• Private voice mail supported by Unified Messaging in Outlook 2010 and OWA

Outlook Protection Rule
• Small-scale rules engine delivered in an Outlook 2010 add-in
• Rules
  • Can be applied to a sender’s department, a recipient, or a recipient’s scope (inside or outside of the organization)
  • Retrieved by the add-in from CAS through EWS
  • Optional or mandatory
  • Applied offline or online

RMS Integration in OWA
• Create or consume RMS protected messages just like in Outlook
• No client download or installation required
• Supports
  • IE, Firefox, Safari, Chrome
  • Conversation view
  • Preview pane
  • Full-text search on RMS protected messages

RMS Integration in OWA
• CAS uses
  • Super User Privileges to decrypt
  • End User License (EUL) to determine which rights to enforce
• Single RAC shared across all client access servers to give multiple machines a common RMS identity
• Feature can be enabled or disabled at mailbox policy level

Enable IT Infrastructure: RMS protection should not break IT infrastructure
• Virus and spam filtering of RMS protected messages enabled at Hub Transport
• Enable e-discovery via Journal Report Decryption

Transport Pipeline Decryption
• Enables Hub Transport Agents to scan/modify RMS protected messages
• Pipeline Decryption Agent
  • Uses Super-User privileges to decrypt
  • Decrypts message and attachments protected with the same Publishing License
• Encryption Agent re-encrypts messages with the original publishing license

Journal Report Decryption
• Journal Report Decryption Agent
  • Attaches clear-text copies of RMS protected messages and attachments to the journal mailbox (Archive/Journal)
  • Requires super-user privileges, off by default
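The Exchange 2010 features in this section (transport protection rules, protected voice mail, Outlook protection rules, IRM in OWA, pipeline decryption, and journal report decryption) are all switched on from the Exchange Management Shell. The script below is an added example, not code from the presentation or from Exchange documentation; the rule names, department, regex pattern, custom template name, mailbox policy names, and addresses are constructed, while "Do Not Forward" is the out-of-box template the slides mention.

```powershell
# Added example (not from the presentation): Exchange Management Shell commands that
# enable the Exchange 2010 IRM features described on the slides.
# Rule names, department, pattern, custom template, policy names, and addresses are constructed.

# ---- Organization-wide IRM settings ----
Set-IRMConfiguration -InternalLicensingEnabled $true          # Exchange may obtain licenses from the on-premises AD RMS cluster
Set-IRMConfiguration -ClientAccessServerEnabled $true         # IRM in OWA: CAS decrypts with super-user rights and enforces the EUL
Set-IRMConfiguration -TransportDecryptionSetting Mandatory    # Pipeline decryption so AV/anti-spam agents see clear text; Mandatory rejects mail that cannot be decrypted
Set-IRMConfiguration -JournalReportDecryptionEnabled $true    # Journal Report Decryption (off by default), for e-discovery
# The decryption agents also require Exchange's federated delivery mailbox to be in the
# AD RMS super users group; that membership is configured on the AD RMS cluster, not here.

# ---- Transport Protection Rules (automatic, content-based) ----
# Predicates on one rule are ANDed, so subject/body and attachment scanning get separate rules.
New-TransportRule -Name "RMS-protect Project Redwood mail (body)" `
    -SubjectOrBodyMatchesPatterns 'Project\s+Redwood' `
    -ApplyRightsProtectionTemplate "Do Not Forward"
New-TransportRule -Name "RMS-protect Project Redwood mail (attachments)" `
    -AttachmentMatchesPatterns 'Project\s+Redwood' `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# ---- Outlook Protection Rule (client-side, fetched by the Outlook 2010 add-in via EWS) ----
New-OutlookProtectionRule -Name "Finance internal mail" `
    -FromDepartment "Finance" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Contoso Confidential" `   # constructed custom template name
    -UserCanOverride $false                                   # $false = mandatory, $true = optional

# ---- Per-policy enablement ----
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $true                        # IRM in OWA at mailbox policy level
Set-UMMailboxPolicy -Identity "Contoso UM Policy" -ProtectAuthenticatedVoiceMail Private   # callers may mark voice mail private (Do Not Forward)

# ---- Verify end to end ----
Get-IRMConfiguration
Test-IRMConfiguration -Sender alice@contoso.com -Recipient bob@contoso.com
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } | Format-Table Name, ApplyRightsProtectionTemplate
```

`Test-IRMConfiguration` exercises certification, licensing, and prelicensing against the cluster for the given sender and recipient, so it is the quickest check that the super users membership and the URLs behind the settings above actually work before transport decryption is set to Mandatory on a production Hub Transport server.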
On the Horizon…
• Mac Office
• Exchange 2010 SP1

Mac Office
• Ability to open RMS-protected messages and attachments
• Ability to apply RMS protection to documents and email

IRM in Exchange
• View protected attachments in OWA
• IRM in Exchange ActiveSync
• Enhanced collaboration using Microsoft Federation Gateway
• Cross-premises IRM support for Exchange Online
Existing features shown on the slide: Transport Protection Rule, Outlook Protection Rule, Journal Report Decryption, Transport Pipeline Decryption, IRM in OWA, Protected Voice Message, Pre-licensing
IRM in Exchange ActiveSync
• IRM in EAS policy can be configured on a per-user basis
• EAS transactions must be made over SSL
• All encryption/decryption operations are executed at CAS
Flow shown on the slide (Client ↔ Client Access Server ↔ Active Directory / AD RMS):
1. On first sync, the client advertises IRM support by sending a value of 1 for the <RightsManagementSupport> tag.
2. EAS syncs the list of AD RMS templates to the device for local storage. Template name, ID, description, and rights restrictions will also be passed.
3. When a user selects a template to be applied to a new message, EAS will pass the template GUID to CAS. Once synced to CAS, mail and supported attachments will be protected appropriately.
4. Any IRM message will be decrypted at CAS and then synced to the device.

Enhanced Collaboration using Microsoft Federation Gateway
Parties shown on the slide: Woodgrove Bank (AD RMS), Trey Engineering (Exchange), MFG.
1. Author sends protected mail to a recipient at Trey Engineering.
2. Exchange (Trey Engineering) receives the message and performs service discovery against Woodgrove Bank’s AD RMS Server.
3. Exchange (Trey Engineering) requests a token from the MFG.
4. MFG validates the claims and returns the token to Exchange (Trey Engineering).
5. Exchange (Trey Engineering) creates a bootstrapping request including the token to the AD RMS server.
6. AD RMS Server validates the token and then returns a RAC for Exchange (Trey Engineering).
7. Exchange (Trey Engineering) then requests a token on behalf of the recipient from the MFG.
8. Repeat steps 4–6 for a licensing request.
9. The message is delivered and the recipient can consume the content via OWA.

Cross-Premises IRM Support for Exchange Online
• Exchange Online tenants get IRM capabilities
• After setup, all RMS transactions in the Datacenter are executed within the Datacenter
• Clients such as Outlook continue to call the web services on the on-premises AD RMS server
Diagram: Woodgrove Bank premises (AD RMS) → Import TPD → Woodgrove Bank tenant in Exchange Online.
What we covered today
• Microsoft Business Ready Security
• AD RMS Bulk Protection Tool
• AD RMS & File Classification Infrastructure
• AD RMS PowerShell
• Exchange 2010 & AD RMS Integration Features
• On the Horizon...

Related Content
• SIA313 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
• SIA322 Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory
• SIA08-INT Information Protection: Implementing Information Protection Using Active Directory Rights Management Services
• SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS)
• SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory Red
• SIA-2 | Microsoft Forefront Information Protection Solution
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
More Information
• AD RMS TechNet TechCenter
  http://technet.microsoft.com/en-us/dd448611.aspx
• AD RMS Documentation Road Map
  http://technet.microsoft.com/en-us/library/dd772711(WS.10).aspx
• AD RMS Bulk Protection Tool Download
  http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd#tm
• Blogs
  • AD RMS Product Team Blog
    http://blogs.msdn.com/rms/
  • Jason Tyler’s Blog
    http://blogs.technet.com/rmssupp/
    Jason is a Senior Support Escalation Engineer for AD RMS

More Information
• Windows Server 2008 R2 FCI Web site
  http://www.microsoft.com/fci
• Microsoft IT Deployment
  • AD RMS Deployment
    http://technet.microsoft.com/en-us/library/ee156482.aspx
  • FCI and AD RMS Bulk Protection Tool Deployment
    http://vepcdn.microsoft.com/prod/images/64/Area/214/2676/9fd29bc1-bd16-42fe-a39e-f1d91d62aa60.pdf

IRM Protectors
• IRM protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format