Module 1 Overview of Access and Information Protection
Module Overview
• Introduction to Access and Information Protection Solutions in Business
• Overview of AIP Solutions in Windows Server 2012
• Overview of FIM 2010 R2
Lesson 1: Introduction to Access and Information Protection Solutions in Business
• What Is Identity?
• What Is Authentication?
• What Is Authorization?
• Overview of AD DS and Access and Information Protection
• The Business Case for Access and Information Protection Control
• AIP Management Solutions
• Discussion: How Do You Manage Identities in Your Organization?
What Is Identity?
• Identity. A set of data that uniquely describes a person or an object (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities:
  • Identities are saved in an identity store known as a directory database
  • In AD DS, identities are called security principals
  • In AD DS, each identity is represented uniquely by its SID
  • Identities are used mainly to access resources
What Is Authentication?
Authentication is the process that verifies a user's identity through:
• Credentials. At least two components are required
• Two types of authentication:
  • Local (interactive) logon: authentication for logon to the local computer
  • Remote (network) logon: authentication for access to resources on another computer
• Stand-alone authentication: users are authorized by the local SAM
• Joining the computer to the domain
What Is Authorization?
• Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource
• Three components are required for authorization:
  • Resource
  • Access request
  • Security token
• Windows Server 2012 also introduces DAC as a new form of authorization
Overview of AD DS and Access and Information Protection
• An AIP infrastructure should:
  • Store information about users, groups, computers, and other identities
  • Authenticate an identity. Kerberos authentication in an Active Directory domain provides SSO, so users authenticate only once
  • Control access
  • Provide an audit trail
The Business Case for Access and Information Protection Control
AIP offers the following solutions:
• Reduce the information access workload
• Increase operational security
• Enable secure cross-organization collaboration
• Protect intellectual property
AIP Management Solutions
Features of AIP management solutions include:
• Maintaining multiple identity stores in an organization
• Determining the current and authoritative identity information
• Provisioning and deprovisioning user accounts
• Authenticating and authorizing users
• Securing shared information
• Securing collaboration between partners and vendors
• Securing access and distribution of sensitive data
Discussion: How Do You Manage Identities in Your Organization?
• What AIP technologies are you currently running in your organization?
• What business enhancements do your AIP technologies provide?
• What risks does your business currently face that AIP could help to mitigate?
• How can AIP solutions simplify IT operations?
• How do AIP solutions change how people access enterprise resources?
Lesson 2: Overview of AIP Solutions in Windows Server 2012
• Identity Management in Windows Server 2012
• Overview of AD CS
• Overview of AD RMS
• Overview of AD FS
• Overview of AD LDS
• Overview of Windows Azure Active Directory
• Overview of DAC
• Overview of Workplace Join
Identity Management in Windows Server 2012
Windows Server 2012 provides several roles and functionalities for AIP management:
• AD CS
• AD RMS
• AD FS
• AD LDS
• DAC
• Workplace Join
• Windows Server 2012 R2 server roles work together to provide full AIP functionality
Overview of AD CS
• AD CS provides services for creating, managing, and distributing digital certificates
• Digital certificates are distributed to users and computers and are used to secure communications
• Certificates can be issued in various ways
Overview of AD RMS
• Major functional uses of AD RMS include the following:
  • Provides business-level encryption of information
  • Enables information protection while in use
  • Allows for simple mapping of business classifications
  • Provides offline use without requiring network access by users for particular amounts of time
  • Provides full auditing of access to documents and enables business users to make changes to usage rights
Overview of AD FS
• AD FS can be summarized as follows:
  • AD FS is an identity access solution
  • AD FS provides browser-based SSO
  • AD FS can interoperate with other SAML 2.0 and WS-* providers
• AD FS enhancements in Windows Server 2012 include:
  • DAC integration
  • Improved installation experience
  • Enhanced Windows PowerShell cmdlets
  • Workplace Join
  • Multifactor authentication
  • Multifactor access control
Overview of AD LDS
• AD LDS:
  • Provides directory services for applications
  • Allows data synchronization with AD DS
  • Allows storage of application data
  • Can run on a Windows-based desktop operating system
Overview of Windows Azure Active Directory
Windows Azure AD is a cloud-based service that provides identity management and access control capabilities for other cloud-based applications.
Windows Azure AD functionalities:
• Access control for applications
• Integration with on-premises AD DS
• SSO for cloud-based applications
• Enable social connections in the enterprise
Overview of DAC
• DAC is a new security mechanism for resource access control in Windows Server 2012
• DAC uses claims and properties together with expressions to control access
• DAC provides:
  • Data classification
  • Access control to files
  • Auditing of file access
  • Optional Rights Management Services protection integration
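The three authorization inputs from the "What Is Authorization?" slide (resource, access request, security token) and the DAC mechanism above (user claims and resource properties combined in expressions) can be modelled together in a few lines. The following Python block is an added example, not course material and not Windows code: the SIDs other than the well-known Everyone SID, the access-mask bit values, the claim names and the resource properties are constructed for illustration, and the check is a simplification of the Windows algorithm (no owner rights, no implicit SYSTEM access, no SACL or auditing).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Simplified access-mask bits (constructed; not the real Windows FILE_* constants)
READ = 0x1
WRITE = 0x2


@dataclass
class Token:
    """Security token: who is asking. Carries the user SID, group SIDs and DAC user claims."""
    user_sid: str
    group_sids: Set[str]
    claims: Dict[str, object]


@dataclass
class ACE:
    """One DACL entry. A condition turns it into a conditional (DAC) ACE that applies
    only when the expression over (token, resource) evaluates true."""
    ace_type: str                       # "allow" or "deny"
    trustee_sid: str
    mask: int
    condition: Optional[Callable] = None


@dataclass
class Resource:
    """The resource: its DACL plus DAC resource properties (classification)."""
    name: str
    dacl: List[ACE]
    properties: Dict[str, object] = field(default_factory=dict)


def access_check(token: Token, resource: Resource, requested: int) -> bool:
    """Evaluate one access request. The DACL is walked in order: a deny ACE for a
    matching trustee that covers any requested bit fails the check; allow ACEs
    accumulate granted bits, and the walk stops as soon as every requested bit is
    granted. Conditional ACEs whose expression is false are skipped entirely."""
    principals = {token.user_sid} | token.group_sids
    granted = 0
    for ace in resource.dacl:
        if ace.trustee_sid not in principals:
            continue
        if ace.condition is not None and not ace.condition(token, resource):
            continue
        if ace.ace_type == "deny":
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask
            if granted & requested == requested:
                return True
    return granted & requested == requested


# Constructed SIDs; only Everyone (S-1-1-0) is the real well-known value
EVERYONE = "S-1-1-0"
FINANCE_GROUP = "S-1-5-21-1000-2000-3000-1101"
ALICE, BOB, CAROL = ("S-1-5-21-1000-2000-3000-%d" % n for n in (2001, 2002, 2003))


def finance_and_cleared(token: Token, resource: Resource) -> bool:
    """DAC expression: User.Department == Resource.Department AND User.Clearance >= Resource.Sensitivity."""
    return (token.claims.get("Department") == resource.properties.get("Department")
            and token.claims.get("Clearance", 0) >= resource.properties.get("Sensitivity", 0))


def public_only(token: Token, resource: Resource) -> bool:
    """DAC expression: Resource.Sensitivity == 0 (anyone may read unclassified data)."""
    return resource.properties.get("Sensitivity", 0) == 0


DACL = [
    ACE("deny", BOB, WRITE),                                        # explicit deny listed first (canonical order)
    ACE("allow", FINANCE_GROUP, READ | WRITE, finance_and_cleared),  # group allow gated by claims
    ACE("allow", EVERYONE, READ, public_only),                       # everyone may read unclassified files
]
BUDGET = Resource("Budget.xlsx", DACL, {"Department": "Finance", "Sensitivity": 2})
NEWSLETTER = Resource("Newsletter.docx", DACL, {"Department": "Marketing", "Sensitivity": 0})

alice = Token(ALICE, {EVERYONE, FINANCE_GROUP}, {"Department": "Finance", "Clearance": 3})
bob = Token(BOB, {EVERYONE, FINANCE_GROUP}, {"Department": "Finance", "Clearance": 3})
carol = Token(CAROL, {EVERYONE}, {"Department": "Sales", "Clearance": 1})


def demo() -> Dict[str, bool]:
    """Run the access checks for the constructed tokens and resources."""
    return {
        "alice_rw_budget": access_check(alice, BUDGET, READ | WRITE),    # True: group allow, claims match
        "bob_write_budget": access_check(bob, BUDGET, WRITE),            # False: explicit deny wins
        "bob_read_budget": access_check(bob, BUDGET, READ),              # True: the deny covers WRITE only
        "carol_read_budget": access_check(carol, BUDGET, READ),          # False: Sensitivity 2 blocks the Everyone ACE
        "carol_read_newsletter": access_check(carol, NEWSLETTER, READ),  # True: unclassified
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "granted" if result else "denied")
```

The point of the conditional ACE is visible in the last two cases: the same DACL yields different decisions for the same token because the resource property (classification) is part of the expression, which is what lets one central access rule cover many files without per-file ACL edits.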
Overview of Workplace Join
• Workplace Join enhances the BYOD concept
• Users can operate their private devices in your AD DS
• Users can use their workplace-joined devices to access company resources with an SSO experience
• The Device Registration Service (DRS) in Windows Server 2012 R2 provides this technology
• Workplace Join is supported only on Windows Server 2012 R2, Windows 8.1, and iOS-based devices
Lesson 3: Overview of FIM 2010 R2
• What Is FIM?
• FIM Directory Synchronization
• Managing Identities with FIM
• Managing Certificates and Smart Cards with FIM
• Discussion: Business Scenarios for FIM Usage
What Is FIM?
• Certificate and smart card management
• Metadirectory services and user (de)provisioning
• Password management
• Directory synchronization
• Automated provisioning
FIM Directory Synchronization
[Diagram: two Connected Data Sources (an HR system and AD DS) are each read by a management agent (HR Management Agent, AD Management Agent) into its own Connector Space; the HR Employee object and the AD User object are joined into a single person object in the Metaverse; the FIM Management Agent connects the Metaverse to the FIM Service.]
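As an added example, not from the course and not FIM's own code, the following Python toy reproduces the flow in the diagram: each management agent imports its connected data source into a connector space, objects are joined on employeeID into one metaverse person, an attribute precedence table names the authoritative source per attribute (the "current and authoritative identity information" the AIP Management Solutions slide refers to, and the HR/AD DS conflict the lab scenario describes), and outbound flow then updates or provisions objects in the AD connector space. The HR and AD records, attribute names and precedence rules are all constructed.

```python
from typing import Dict, List, Tuple

# Constructed connected data sources. The AD record for 1001 carries a misspelled
# department, and 1003 exists in HR only.
HR_SOURCE = [
    {"employeeID": "1001", "givenName": "Alice", "sn": "Ng", "department": "Finance", "title": "Analyst"},
    {"employeeID": "1002", "givenName": "Bob", "sn": "Lee", "department": "Sales", "title": "Rep"},
    {"employeeID": "1003", "givenName": "Carol", "sn": "Diaz", "department": "IT", "title": "Admin"},
]
AD_SOURCE = [
    {"employeeID": "1001", "sAMAccountName": "alice", "mail": "alice@adatum.example",
     "department": "Finanec", "title": "Analyst"},
    {"employeeID": "1002", "sAMAccountName": "bob", "mail": "bob@adatum.example",
     "department": "Sales", "title": "Senior Rep"},
]

# Attribute precedence (constructed): the first listed management agent that has a
# value for the attribute is authoritative. HR wins for person data, AD for account data.
PRECEDENCE = {
    "givenName": ["HR", "AD"],
    "sn": ["HR", "AD"],
    "department": ["HR", "AD"],
    "title": ["HR", "AD"],
    "mail": ["AD"],
    "sAMAccountName": ["AD"],
}
AD_FLOW_ATTRIBUTES = ("givenName", "sn", "department", "title")


def import_to_connector_space(records: List[dict]) -> Dict[str, dict]:
    """Management-agent import: stage a copy of each record keyed by the join anchor."""
    return {r["employeeID"]: dict(r) for r in records}


def synchronize(connector_spaces: Dict[str, Dict[str, dict]]) -> Dict[str, dict]:
    """Join connector-space objects on employeeID into metaverse person objects, then
    apply precedence so each metaverse attribute comes from its highest-ranked source."""
    metaverse: Dict[str, dict] = {}
    for ma_name, cs in connector_spaces.items():
        for anchor, obj in cs.items():
            person = metaverse.setdefault(anchor, {"employeeID": anchor, "_contributors": {}})
            person["_contributors"][ma_name] = obj
    for person in metaverse.values():
        for attr, order in PRECEDENCE.items():
            for ma_name in order:
                src = person["_contributors"].get(ma_name)
                if src is not None and attr in src:
                    person[attr] = src[attr]
                    break
    return metaverse


def export_to_ad(metaverse: Dict[str, dict], ad_cs: Dict[str, dict]) -> List[Tuple[str, str, dict]]:
    """Outbound flow to the AD connector space: update attributes that differ, and
    provision a new user for a person with no AD record (codeless provisioning)."""
    pending = []
    for anchor, person in metaverse.items():
        desired = {a: person[a] for a in AD_FLOW_ATTRIBUTES if a in person}
        if anchor not in ad_cs:
            # Constructed naming rule: first initial + surname, lower case
            desired["sAMAccountName"] = (person["givenName"][0] + person["sn"]).lower()
            pending.append(("add", anchor, desired))
        else:
            changes = {a: v for a, v in desired.items() if ad_cs[anchor].get(a) != v}
            if changes:
                pending.append(("update", anchor, changes))
    return pending


def run_sync() -> Tuple[Dict[str, dict], List[Tuple[str, str, dict]]]:
    """One full cycle: import both sources, synchronize, compute the AD export."""
    connector_spaces = {
        "HR": import_to_connector_space(HR_SOURCE),
        "AD": import_to_connector_space(AD_SOURCE),
    }
    metaverse = synchronize(connector_spaces)
    return metaverse, export_to_ad(metaverse, connector_spaces["AD"])


if __name__ == "__main__":
    mv, pending = run_sync()
    for anchor, person in mv.items():
        print(anchor, {k: v for k, v in person.items() if not k.startswith("_")})
    for op, anchor, attrs in pending:
        print(op, anchor, attrs)
```

Because precedence is evaluated per attribute, the metaverse keeps HR's spelling of Alice's department while still taking her mailbox address from AD; the export then pushes the corrected department back to AD, which is the "synchronize so that the information is consistent" outcome the lab asks for.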
Managing Identities with FIM
• User Provisioning
• User Management
  • SharePoint-based portal
  • Automated, codeless user provisioning and deprovisioning
  • Self-service management
• Group Management
  • Rich group management capabilities
  • Offline group membership approvals
  • Manual, manager-based, and criteria-based group membership
Managing Certificates and Smart Cards with FIM
FIM CM provides full management for certificates and smart cards, and FIM CM lets you manage tasks such as:
• Enrollment
• Renewal
• Unblocking
• Disabling
• Suspending
• Updating
Discussion: Business Scenarios for FIM Usage
• Do you use any identity management solution?
• Do you have the need for identity management?
• In which scenarios are common identities not appropriate?
• What are some real-world examples of using identity management?
Lab: Choosing an Appropriate Access and Information Protection Management Solution
• Exercise 1: Analyze the Lab Scenario and Identify Business Requirements
• Exercise 2: Propose a Solution
Logon Information: There are no virtual machines in this lab
Estimated Time: 30 minutes
Lab Scenario
• You are working as a system administrator for A. Datum Corporation. As part of your job, you need to understand how to use AD DS to secure the company's data and infrastructure. Management wants to ensure the protection of A. Datum's IT infrastructure by using the most secure method of authentication and authorization. Currently, A. Datum uses passwords to protect its accounts, but that has proven to be insecure in some cases.
• Management also requests that you prevent unauthorized personnel from being able to read Microsoft Office documents. Specifically, they want to make business-critical documents inaccessible if the documents leave the company in any way, such as in email or on a USB flash drive. It is critical that only authorized personnel can access these documents. Management would also like to consider digital signatures on documents.
• A. Datum recently partnered with Contoso, Ltd. Contoso needs access to A. Datum's web applications, but wants to ensure that its users can continue to use their current AD DS user accounts. The web team at A. Datum has explained that they can make the web applications claims-aware.
Lab Scenario (continued)
• A. Datum has expressed concern about developer efficiency. Developers currently use a development instance of AD DS and have noted that they often wait on IT; instead, they need the ability to manage their own directory services for development. In addition, developers need a technology that helps them separate identity logic from their current applications. Developers are also using iOS-based devices for testing and development, and they need the ability to access company resources securely from these devices.
• HR maintains its own database that contains much of the same information that exists in AD DS. However, some of the information in the HR database conflicts with the information in AD DS; the two should synchronize so that the information is consistent across both databases.
• Management requests that you determine the Windows Server roles and available AIP solutions that address the organization's current issues.
Lab Review • There are no review questions for this lab.
Module Review and Takeaways
• Review Questions
• Best Practice