1 / 46

Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory

Required Slide. SESSION CODE: SIA322. Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory. Cristian Mora Sr Product Manager Microsoft Corporation.

korbin
Télécharger la présentation

Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Required Slide SESSION CODE: SIA322 Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory Cristian Mora Sr Product Manager Microsoft Corporation Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory Rights Management Services

  2. Business Needs and IT Challenges Discover and classify information based on business importance Sensitive information stored in multiple locations Secure sensitive information while in use, in motion, and at rest Difficulty in discovering and securing information Enable simplified access to information from anywhere Multiple locations and devices Demonstrate compliance with information control policies Easy access to sensitive information on multiple devices BUSINESS Needs IT Needs AgilityandFlexibility Control

  3. Current SituationDiscovery, classification, and protection of sensitive information is expensive • PARTNER Limited to no access Sensitive information is sent via e-mail because partners do not have access to collaboration site Limited to no access • EMPLOYEES • (REMOTE) SSN# 0000 • EXTERNAL

  4. Business Ready SecurityHelp securely enable business by managing risk and empowering people Across on-premises & cloud Access Protection Identity Protect everywhere, access anywhere Integrate and extend security across the enterprise Management Highly Secure & Interoperable Platform Simplify the security experience, manage compliance from: to: Block Enable Cost Value Siloed Seamless

  5. Information Protection Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications PROTECT everywhere ACCESS anywhere INTEGRATE and EXTEND security SIMPLIFY security, MANAGE compliance • Protect critical data wherever It goes • Protect data whereverit resides • Secure endpoints to reduce risk • Extend confidential communication to partners • Built into the Windows platform and applications • Simplify deployment and ongoing management • Enable compliance with information policy

  6. Business Ready Security Solutions Secure Messaging Secure Collaboration Secure Endpoint Information Protection Identity and Access Management

  7. Information Protection SolutionEnterprise-wide classification, discovery, and protection • PARTNER Classification and protection built into platform • EMPLOYEES • (REMOTE) • EXTERNAL SSN# 0000

  8. Core Pre-requisites/Scenarios Cristian MoraSr Product ManagerMicrosoft Corporation Pre-requisites

  9. AD RMS Infrastructure Components Active Directory AD RMS Server SQL Server AD RMS Client AD RMS-enabled applications MOSS 2010/2007 Mobile Devices (Windows Mobile 6.x or higher) Exchange Server 2010 SP1 /2007 SP1

  10. AD RMS Applications Requirements (Summary)

  11. WRMS/AD RMS Capabilities Fully Supported Partially Supported Not Supported

  12. Scenario I – Data Protection in Use Cristian MoraSr Product ManagerMicrosoft Corporation Scenario

  13. Data Protection in Use • Encryption applied to data once AD RMS Protection applied • AES 128 • All information encrypted (body/attachments/documents) but • TO/CC/BCC, Metadata and AD RMS URL • Metadata can be encrypted with Registry Key (Requires Offices 2007 or higher) • AD RMS Server URL (digitally signed)

  14. Rights-Protected Document Overview Protect everywhere, access anywhere • Control access to content across the document lifecycle • Allow only authorized access to documents based on user or group rights • Secure transmission and storage of sensitive information within the document wherever it goes • Provide a seamless end-user experience for reading protected content through automated key acquisition Created when file is protected, encrypted with the AD RMS server’s public key Signed with the AD RMS server’s private key Publishing License Content Key Usage Rights Bob@fabrikam.com: Read, Print Lawyers@fabrikam.com: Read AD RMS Server Contents of the file (text, pictures, and so on) AD RMS Client Encrypted with content key End User

  15. Data Protection in use – Manual vs Policy Template

  16. Data in Use - Available AD RMS Permissions AD RMS - Rights

  17. Data in Use - Available AD RMS Permissions (cont.) AD RMS - Rights (Cont.)

  18. Data in Use - Available AD RMS Permissions (cont.) AD RMS – Expiration and Extended Policies

  19. Data in Use - Available AD RMS Permissions (cont.) AD RMS – Expiration, Extended Policies and Revocation

  20. AD RMS – Office IRM

  21. AD RMS – Windows Mobile 6.x WMDC http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4f68eb56-7825-43b2-ac89-2030ed98ed95 Active Sync http://www.microsoft.com/downloads/details.aspx?familyid=9E641C34-6F7F-404D-A04B-DC09F8141141&displaylang=en Microsoft Office Mobile 6.1: Upgrade for Microsoft Office 2007 file formats http://www.microsoft.com/downloads/details.aspx?familyid=4B106C1F-51E2-42F0-BA32-69BB7E9A3814&displaylang=en

  22. Scenario II – Data Protection at Rest Cristian MoraSr Product ManagerMicrosoft Corporation SCENARIO

  23. Data protection at Rest - Scenarios

  24. AD RMS – MOSS IRM

  25. AD RMS – FCI AD RMS Bulk Protection Tool - Download http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd AD RMS Bulk Protection Tool and FCI - Guidance http://www.microsoft.com/downloads/details.aspx?familyid=A1ABC2AF-8AF5-4B32-BF9F-63424A6409D9&displaylang=en

  26. File Classification Infrastructure and AD RMS Identify and protect sensitive documents on file servers Compliment manual AD RMS protection with automated server side IT policies for complete ownership of security infrastructure and prevention of inadvertent data leakage 2 3 4 5 1 c Mgmt Task: AD RMS Protect FCI Classify Full Time Employee can access “marketing.docx” c File Classification Infrastructure (FCI) classifies file as “sensitive” based on content including “Confidential” and “Internal only” Automated File Management Task invokes RMS protection to restrict access to “Full Time Employees” only User creates a file “marketing.docx”on Windows server 2008 R2 file server A malicious user getting access to the file through un intentional leak is not able to access file content Businesses can automatically AD RMS protect 1000’s of confidential files on their file servers

  27. AD RMS -RSA DLP • How Microsoft deploys AD RMS + RSA DLP http://technet.microsoft.com/en-us/library/bb897856.aspx

  28. Scenario III – Data in Motion Protection Cristian MoraSr Product ManagerMicrosoft Corporation SCENARIO

  29. AD RMS – Exchange 2010 SP1 Integration

  30. Data in Motion Protection • Pre-requisites • AD RMS admin gives the Exchange server access to certify against an AD RMS cluster. • AD RMS admin adds Exchange servers as AD RMS-super user/Federation E-mail Account. • Exchange admin enables IRM in Exchange (Set-IRMConfiguration -InternalLicensingEnabled $true).

  31. Data in Motion Protection (Cont.) • Configuration Steps • Pre-Licensing • Transport Pipeline Decryption (Value is Optional) • Search • OWA/Web Ready • Journal Report Decryption (Added Step: You need to manually create journal rules for this to trigger) • Transport Protection Rules (Added Step: You need to manually create transport rules for this to trigger) • EAS IRM • B2B RMS (Added Step: Federation Trust with Microsoft Federation Gateway must be created) • More Info: http://technet.microsoft.com/en-us/library/dd351212.aspx

  32. Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Related Content • Breakout Sessions (session codes and titles) • SIA311 - Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond • SIA313 - Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties • Interactive Sessions (session codes and titles) • SIA08-INT - Information Protection: Implementing Information Protection Using Active Directory Rights Management Services

  33. Business Ready Security Demo Environment Available for Download

  34. Business Ready Security Demo Environment 3.0b • End to end Customer ready environment • All Identity and Security Solutions/Technologies • Demo scripts/architecture overview documentation provided

  35. Business Ready Security Demo Environment - Scenarios

  36. Appendix

  37. AD RMS – Bulk Protection Tool Download http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd

  38. AD RMS - Bootstrapping Process • Bootstrapping • _wmcs/licensing/publish.asmx • _wmcs/certification/certification.asmx GIC/RAC CLC Cert-Machine DRM Folder

  39. Steps in the Publishing and Licensing Process Server Identity SLC AD RMS Certificates and Licenses (v1 and v2) Issuer AD RMS uses XrML certificates, not X.509 certificates Pub key Is Signature User Identity Is RAC CLC Encrypted by Issuer Issuer Encrypted by Is Pub key Pub key PL Prv key Prv key Issuer Signature Signature Content key • Certificate key pairs : RSA-1024 • Content key: AES-128 • SLC: Server Licensor Certificate • RAC: Rights Account Certificate • CLC: Client Licensor Certificate • SPC: Security Processor Certificate • PL: Publish License • UL: Use License Signature Machine Identity Encrypted by SPC Issuer Pub key Protected using both DPAPI and RSAVault (Obfuscation) Pri key Signature

  40. Required Slide Speakers, please list the Breakout Sessions, Interactive Sessions, Labs and Demo Stations that are related to your session. Related Content SIA08-INT Information Protection: Implementing Information Protection Using Active Directory Rights Management Services • SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS) • SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory • Red SIA-2 | Microsoft Forefront Information Protection Solution

  41. Track Resources Learn more about our solutions: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial

  42. Required Slide Resources Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn

  43. Required Slide Complete an evaluation on CommNet and enter to win!

  44. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registrationJoin us in Atlanta next year

  45. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  46. Required Slide

More Related