SIA322: Business Ready Security: Protecting Information ... - MSDN


Nov 14, 2013


Business Needs (agility and flexibility) vs. IT Needs (control)

- Discover and classify information based on business importance
- Secure sensitive information while in use, in motion, and at rest
- Enable simplified access to information from anywhere
- Demonstrate compliance with information control policies

- Multiple locations and devices
- Sensitive information stored in multiple locations
- Difficulty in discovering and securing information
- Easy access to sensitive information on multiple devices
- Limited to no access
- Sensitive information is sent via e-mail because partners do not have access to the collaboration site (for example, "SSN# 0000")
- Across on-premises & cloud


Help securely enable business by managing risk and empowering people

From Block to Enable
From Cost to Value
From Siloed to Seamless

Highly Secure & Interoperable Platform
Identity


Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications

PROTECT everywhere, ACCESS anywhere
- Protect critical data wherever it goes
- Protect data wherever it resides
- Secure endpoints to reduce risk
- Extend confidential communication to partners

INTEGRATE and EXTEND security
- Built into the Windows platform and applications

SIMPLIFY security, MANAGE compliance
- Simplify deployment and ongoing management
- Enable compliance with information policy

Business Ready Security solutions:
- Information Protection
- Secure Messaging
- Secure Endpoint
- Secure Collaboration
- Identity and Access Management

Classification and protection built into the platform:
- AD RMS Server
- Active Directory
- SQL Server
- MOSS 2010/2007
- Mobile devices (Windows Mobile 6.x or higher)
- AD RMS Client
- AD RMS-enabled applications
- Exchange Server 2010 SP1 / 2007 SP1

# | Application | IRM Details | Server-side Version | Client-side Version
1 | Office IRM | 2003 Pro; 2007 Pro+/Ent/Ultimate; 2010 Pro+ | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
2 | Bulk Protection Tool | Windows 7; Windows Server 2008 R2; Windows Vista; Windows XP; Outlook 2007 PST or later | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
3 | MOSS IRM | 2007/2010 | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
4 | FCI | W2008 R2 Ent/Datacenter | AD RMS W2008 | AD RMS Client v2 (integrated in the OS)
5 | Exchange | 2010/2010 SP1 | AD RMS W2008 or AD RMS W2008 R2 (see details in the Exchange slide) | AD RMS Client v2 (integrated in the OS)
6 | Windows Mobile | 6.x | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher

Capabilities by version (columns: WRMS v1.0 SP2 | W2008 AD RMS | W2008 R2 AD RMS; the per-version support marks of the original matrix are not recoverable from this text)
- Inclusion of AD RMS in Windows Server 2008 as a server role
- Administration through a Microsoft Management Console (MMC)
- Integration with Active Directory Federation Services (AD FS)
- Self-enrollment/self-renewal of AD RMS servers
- Ability to delegate responsibility by means of new AD RMS administrative roles
- AD RMS reporting capabilities
- Multiple languages support in templates
- PowerShell support
- Group expansion support for federation parties
- Third-party federation support for partner organization (FS-A)
- Simplified installation process (SQL virtual names support)
- Additional reporting information
- Bulk Protection Tool
- MOSS IRM
- FCI
- Exchange 2010 IRM
- Others: RSA DLP integration

Legend: Fully Supported / Partially Supported / Not Supported


- Control access to content across the document lifecycle
- Allow only authorized access to documents based on user or group rights
- Secure transmission and storage of sensitive information within the document wherever it goes
- Provide a seamless end-user experience for reading protected content through automated key acquisition

Publishing License (AD RMS Server, AD RMS Client, End User)

Publishing License:
- Signed with the AD RMS server's private key
- Created when the file is protected; carries the content key, encrypted with the AD RMS server's public key
- Usage rights, for example:
  Bob@fabrikam.com: Read, Print
  Lawyers@fabrikam.com: Read

Contents of the file (text, pictures, and so on): encrypted with the content key

End user: manual "Ad Hoc Policies" vs. "Centralized" Rights Policy Templates

Pros:
- Provide options to customers without requiring them to ask an admin to create a policy
- Complete list of permissions available
- Simple, one click: the user does not need to remember who can do what, only assign the right policy

Cons:
- Limited rights options available for protection
- User might assign more/less rights than needed to use the content
- User needs to remember policies and understand the tool
- Administrator has to maintain and distribute policies to the clients
AD RMS - Rights

Permission | Office IRM | Rights Policy Templates | XPS IRM | MOSS IRM | Windows Mobile 6.x
(the per-column support marks of the original matrices are not recoverable from this text)
Full Control
Export (Save As)
View (Read)
Extract (copy)
Allow Macros
Reply
View Rights
Save
Print
Edit
Forward
Reply All

AD RMS - Expiration and Extended Policies

Permission | Office IRM | Rights Policy Templates | XPS IRM | MOSS IRM | Windows Mobile 6
Content Never Expires
Content Expires On
Content License Expires (Days)
Use License for Content must be Renewed Every
Author is granted Full rights without expiration
RM-Protected Content can be viewed in trusted browsers

AD RMS - Expiration, Extended Policies and Revocation

Permission | Office IRM | Rights Policy Templates | XPS IRM | MOSS IRM | Windows Mobile 6
Requires a new use license each time content is consumed (connection is required)
Enforce Application-Specific Data
Requires Revocation
Sign
Does not allow users to upload documents that do not support IRM (MOSS)
Stop restricting permission to documents in this library on DATE (MOSS)

# | Office Version | Protection/Consumption | Consumption
1 | Office 2003 | Professional | Standard
2 | Office 2007 | Professional+, Ultimate, Enterprise | Other versions
3 | Office 2010 | Professional+ | Other versions


# | Windows Versions | Windows Vista and Higher | Legacy (XP)
1 | Windows Mobile 6.x | WMDC 6.1 or higher | ActiveSync 4.5 or higher

WMDC: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4f68eb56-7825-43b2-ac89-2030ed98ed95
ActiveSync: http://www.microsoft.com/downloads/details.aspx?familyid=9E641C34-6F7F-404D-A04B-DC09F8141141&displaylang=en
Microsoft Office Mobile 6.1: Upgrade for Microsoft Office 2007 file formats: http://www.microsoft.com/downloads/details.aspx?familyid=4B106C1F-51E2-42F0-BA32-69BB7E9A3814&displaylang=en


Where? | Scenario | Technologies Required
Server-side, MOSS PORTAL | Automatic content protection when downloaded | MOSS 2010/2007 IRM
Server-side, MOSS PORTAL | Automatic content protection after inspection | MOSS + RSA DLP
Server-side, FILE SERVER | Automatic content protection after inspection | Windows Server 2008 R2 FCI
Server-side, FILE SERVER | Automatic content protection after inspection | Windows Server + RSA DLP
Client-side, ENDPOINT | Automatic content protection after inspection | Windows Client + RSA DLP

# | MOSS Version | Document Protection
1 | MOSS 2007 Std/Ent | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx
2 | MOSS 2010 Std/Ent | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx

# | Windows Versions | Document Protection | Others
1 | Windows Server 2008 R2 Enterprise/Datacenter | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx | In order to apply protection to content, the Bulk Protection Tool is needed.

AD RMS Bulk Protection Tool - Download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd
AD RMS Bulk Protection Tool and FCI - Guidance: http://www.microsoft.com/downloads/details.aspx?familyid=A1ABC2AF-8AF5-4B32-BF9F-63424A6409D9&displaylang=en


FCI Classify: identify and protect sensitive documents on file servers

Complement manual AD RMS protection with automated server-side IT policies for complete ownership of the security infrastructure and prevention of inadvertent data leakage.

1. A user creates a file "marketing.docx" on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as "sensitive" based on content including "Confidential" and "Internal only".
3. An automated File Management Task (Mgmt Task: AD RMS Protect) invokes RMS protection to restrict access to "Full Time Employees" only.
4. A Full Time Employee can access "marketing.docx".
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content.

Businesses can automatically AD RMS-protect 1000's of confidential files on their file servers.

# | Windows Versions | RSA DLP Versions | Others
1 | Windows Server 2008 R2, Windows Server 2008 Enterprise/Datacenter/Standard AD RMS | 7.3 and higher | Requires changes in AD RMS ACLs: http://technet.microsoft.com/en-us/library/bb897856.aspx
# | Exchange IRM Feature | Exchange 2010/2010 Version | Minimum Exchange server role to be running on that version | Additional roles/IRM features that need to be running in Exchange 2010 (dependencies) | Minimum AD RMS version to be implemented
1 | Pre-Licensing | 2010 | Hub Transport | - | WS2008 SP2, WS2008 R2
2 | OWA IRM | 2010 | CAS, Mailbox | Pre-Licensing | WS2008 SP2, WS2008 R2
3 | OWA Search | 2010 | Hub Transport, Mailbox | Pre-Licensing | WS2008 SP2, WS2008 R2
4 | OWA WebReady Document Viewing | 2010 SP1 | CAS, Mailbox | Pre-Licensing | WS2008 SP2, WS2008 R2
5 | Transport Rules | 2010 | Hub Transport | - | WS2008 SP2, WS2008 R2
6 | Transport Pipeline Decryption | 2010 | Hub Transport | - | WS2008 SP2, WS2008 R2
7 | Journal Decryption | 2010 | Hub Transport | - | WS2008 SP2, WS2008 R2
8 | EAS IRM | 2010 SP1 | CAS, Mailbox | - | WS2008 SP2, WS2008 R2
9 | Business to Business IRM (Reach) | 2010 SP1 | CAS, Mailbox | - | WS2008 R2
10 | Cross Premise IRM | Exchange Online Only | Exchange Online Only | Exchange Online Only | Any version
11 | Transport Rule Segregation of roles | 2010 | CAS, Hub Transport | - | Any version that supports Exchange 2010

http://technet.microsoft.com/en-us/library/dd351212.aspx
SIA311 - Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond

SIA313 - Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties

SIA08-INT - Information Protection: Implementing Information Protection Using Active Directory Rights Management Services

Solution Scenarios

Secure Messaging
- Seamless, secure access through Unified Access Gateway (UAG)
- Automatically control confidential e-mail with built-in information protection
- Protect Exchange with multiple best-in-class anti-malware engines
- Outlook Web Access 2010 integration with AD RMS
- Outlook 2010 automatic protection

Secure Collaboration Solution
- Secure collaboration by using AD FS and AD RMS (for partner employees)
- Protecting your collaboration portal from malware infection
- Secure collaboration by using UAG (for internal employees)

Secure Endpoint Solution
- Advanced threat protection with Forefront TMG 2010
- Malware protection when not connecting to the company network
- Malware protection when using USB drives
- DirectAccess with Unified Access Gateway (UAG)

Information Protection Solution
- Protecting data-in-motion with Exchange 2010 and AD RMS
- Protecting data-at-rest with SharePoint 2007, AD FS and AD RMS
- Protecting data-at-rest with File Classification Infrastructure (FCI) and AD RMS

Identity and Access Management Solution
- Secure Remote Access
- Group management with FIM 2010 and Outlook
- Self-service password reset with FIM 2010
- Claims-based authentication with AD FS 2.0

# | Windows Versions | PST Integration Requirements | Document Protection
1 | Windows 7; Windows Server 2008 R2; Windows Vista; Windows XP | Outlook 2007 or later PST | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx

Download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd


AD RMS - Bootstrapping Process

Client side: DRM folder holding the GIC/RAC, the CLC and the machine certificate (SPC).
Service endpoints: _wmcs/certification/certification.asmx and _wmcs/licensing/publish.asmx

AD RMS Certificates and Licenses (v1 and v2)

AD RMS uses XrML certificates, not X.509 certificates.

- SLC: Server Licensor Certificate (server identity): issuer, public key, signature; the server holds the private key
- SPC: Security Processor Certificate (machine identity): issuer, public key, private key, signature; the private key is protected using both DPAPI and RSAVault (obfuscation)
- RAC: Rights Account Certificate (user identity): issuer, public key, signature; its private key is stored encrypted by the SPC key
- CLC: Client Licensor Certificate: issuer, public key, signature; its private key is stored encrypted by the RAC key
- PL: Publish License: issuer, signature, content key encrypted by the SLC public key
- UL: Use License

Certificate key pairs: RSA-1024
Content key: AES-128
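The envelope described on the Publishing License slide above and in the certificate summary just above (content under an AES-128 content key, that key wrapped for the server's public key, the usage rights signed with the server's private key, and a use license that re-wraps the key for one user's RAC) as an added example; this is not code from the deck or from Microsoft, and it is a model, not AD RMS's XrML format. Assumptions, all constructed: the JSON stand-in shapes PublishingLicense and UseLicense, AES-GCM as the AES-128 mode, RSA-OAEP for key wrapping, PKCS#1 v1.5/SHA-256 signatures, 2048-bit keys where the deck's era used RSA-1024, and the names adrms.fabrikam.com and mallory@contoso.com. Bob@fabrikam.com and Lawyers@fabrikam.com with their rights come from the slide.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed JSON stand-in for the XrML PL; Signature is left out of the JSON so the marshalled struct is the signed body.
type PublishingLicense struct {
	Issuer     string            `json:"issuer"`
	WrappedKey []byte            `json:"wrapped_key"` // AES-128 content key under the server (SLC) public key
	Rights     map[string]string `json:"rights"`      // principal -> rights, e.g. "Read, Print"
	Signature  []byte            `json:"-"`           // by the server's private key
}

// UseLicense carries the same content key re-wrapped for one consumer's RAC public key.
type UseLicense struct {
	Principal  string
	Rights     string
	WrappedKey []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func sign(key *rsa.PrivateKey, v any) []byte {
	h := sha256.Sum256(must(json.Marshal(v)))
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}

func verify(pub *rsa.PublicKey, v any, sig []byte) error {
	h := sha256.Sum256(must(json.Marshal(v)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Protect (publishing): seal the content under a fresh AES-128 key (AES-GCM here; the deck states only AES-128),
// wrap that key for the server, and sign the PL with the server's private key.
func Protect(server *rsa.PrivateKey, content []byte, rights map[string]string) (PublishingLicense, []byte) {
	key := make([]byte, 16)
	rand.Read(key)
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	pl := PublishingLicense{Issuer: "adrms.fabrikam.com", Rights: rights} // issuer name constructed
	pl.WrappedKey = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, key, nil))
	pl.Signature = sign(server, pl)
	return pl, gcm.Seal(nonce, nonce, content, nil) // nonce || ciphertext || tag
}

// IssueUseLicense (licensing): verify the PL, look the principal up in its rights, unwrap the content key
// with the server's private key and re-wrap it for the consumer's RAC public key. No entry means no UL.
func IssueUseLicense(server *rsa.PrivateKey, pl PublishingLicense, principal string, rac *rsa.PublicKey) (UseLicense, error) {
	if verify(&server.PublicKey, pl, pl.Signature) != nil {
		return UseLicense{}, errors.New("publishing license signature invalid")
	}
	rights, ok := pl.Rights[principal]
	if !ok {
		return UseLicense{}, fmt.Errorf("no rights granted to %s", principal)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.WrappedKey, nil)
	if err != nil {
		return UseLicense{}, err
	}
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, rac, key, nil))
	return UseLicense{Principal: principal, Rights: rights, WrappedKey: wrapped}, nil
}

// Consume (client): unwrap the content key with the RAC private key and decrypt; the returned rights
// string is what the application must enforce (View, Print, ...).
func Consume(ul UseLicense, rac *rsa.PrivateKey, ciphertext []byte) ([]byte, string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rac, ul.WrappedKey, nil)
	if err != nil {
		return nil, "", errors.New("content key not unwrappable with this RAC")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(ciphertext) < gcm.NonceSize() {
		return nil, "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
	return plain, ul.Rights, err
}

func main() {
	server := must(rsa.GenerateKey(rand.Reader, 2048)) // the deck's era used RSA-1024 certificate keys
	bobRAC := must(rsa.GenerateKey(rand.Reader, 2048))
	pl, ct := Protect(server, []byte("constructed marketing.docx body"), map[string]string{"Bob@fabrikam.com": "Read, Print", "Lawyers@fabrikam.com": "Read"})
	ul := must(IssueUseLicense(server, pl, "Bob@fabrikam.com", &bobRAC.PublicKey))
	plain, rights, err := Consume(ul, bobRAC, ct)
	fmt.Printf("Bob: %q rights=%q err=%v\n", plain, rights, err)
}
```

Two properties of the slide's design show up directly: a principal absent from the rights list never receives a use license, and because the rights travel inside the signed PL, editing them after publishing breaks the server's signature check rather than granting access. A client holding a different RAC private key cannot unwrap the content key from someone else's use license, and any change to the sealed content fails GCM authentication.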

Steps in the Publishing and Licensing Process

SIA08-INT | Information Protection: Implementing Information Protection Using Active Directory Rights Management Services
SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS)
SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-2 | Microsoft Forefront Information Protection Solution

Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial

www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech∙Ed 2011 and save $500, starting June 8 - June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year.