Business needs vs. IT needs

• Discover and classify information based on business importance
• Sensitive information stored in multiple locations
• Secure sensitive information while in use, in motion, and at rest
• Difficulty in discovering and securing information
• Enable simplified access to information from anywhere
• Multiple locations and devices
• Demonstrate compliance with information control policies
• Easy access to sensitive information on multiple devices

The business needs agility and flexibility; IT needs control.

Scenario: sensitive information is sent via e-mail because partners do not have access to the collaboration site, so partners have limited to no access. (Diagram: a document containing "SSN# 0000" sent to partners with limited to no access.)

Help securely enable business by managing risk and empowering people.
• Identity
• Highly secure and interoperable platform
• Across on-premises and cloud
• From: Block, Cost, Siloed. To: Enable, Value, Seamless.

Information protection

Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications.

PROTECT everywhere, ACCESS anywhere
• Protect critical data wherever it goes
• Protect data wherever it resides
• Secure endpoints to reduce risk

INTEGRATE and EXTEND security
• Extend confidential communication to partners
• Built into the Windows platform and applications

SIMPLIFY security, MANAGE compliance
• Simplify deployment and ongoing management
• Enable compliance with information policy

Solution areas: Secure Messaging, Secure Collaboration, Information Protection, Identity and Access Management, Secure Endpoint. Classification and protection are built into the platform.

Architecture components (diagram): Active Directory; SQL Server; AD RMS Server; AD RMS Client; AD RMS-enabled applications; MOSS 2010/2007; Exchange Server 2010 SP1 / 2007 SP1; mobile devices (Windows Mobile 6.x or higher); a document containing "SSN# 0000".

IRM details by application

# | Application | IRM details | Server-side version | Client-side version
1 | Office IRM | 2003 Pro; 2007 Pro+/Ent/Ultimate; 2010 Pro+ | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
2 | Bulk Protection Tool | Windows 7; Windows Server 2008 R2; Windows Vista; Windows XP; Outlook 2007 or later PST | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
3 | MOSS IRM | 2007/2010 | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher
4 | FCI | W2008 R2 Ent/Datacenter | AD RMS – W2008 | AD RMS Client v2 (integrated in the OS)
5 | Exchange | 2010/2010 SP1 | AD RMS – W2008 or AD RMS – W2008 R2 (see details in the Exchange slide) | AD RMS Client v2 (integrated in the OS)
6 | Windows Mobile | 6.x | WRMS v1.0 SP2 and higher | WRMS v1.0 SP2 and higher

Capabilities by AD RMS version

Compared across WRMS v1.0 SP2, W2008 AD RMS and W2008 R2 AD RMS (legend: fully supported / partially supported / not supported):
• Inclusion of AD RMS in Windows Server 2008 as a server role
• Administration through a Microsoft Management Console (MMC)
• Integration with Active Directory Federation Services (AD FS)
• Self-enrollment / self-renewal of AD RMS servers
• Ability to delegate responsibility by means of new AD RMS administrative roles
• AD RMS reporting capabilities
• Multiple language support in templates
• PowerShell support
• Group expansion support for federation parties
• Third-party federation support for partner organizations (FS-A)
• Simplified installation process (SQL virtual names support)
• Additional reporting information
• Bulk Protection Tool
• MOSS IRM
• FCI
• Exchange 2010 IRM
• Others – RSA DLP integration

AD RMS
• Control access to content across the document lifecycle
• Allow only authorized access to documents based on user or group rights
• Secure transmission and storage of sensitive information within the document wherever it goes
• Provide a seamless end-user experience for reading protected content through automated key acquisition

Anatomy of a protected file (diagram with AD RMS Server, AD RMS Client and End User):
• Publishing License: created when the file is protected and signed with the AD RMS server's private key. It carries the Content Key, encrypted with the AD RMS server's public key, and the Usage Rights, e.g. [email protected]: Read, Print; [email protected]: Read.
• Contents of the file (text, pictures, and so on), encrypted with the content key.

Manual "Ad Hoc" policies vs. "Centralized" Rights Policy Templates

Pros
• Provide options to customers without requiring them to ask an administrator to create a policy
• Complete list of permissions available
• Simple, one click: the user does not need to remember who can do what, but only assigns the right policy

Cons
• Limited rights options available for protection
• User might assign more or fewer rights than needed to use the content
• User needs to remember policies and understand the tool
• Administrator has to maintain and distribute policies to the clients

AD RMS – rights

Permissions in the rights matrix (columns: Office IRM, Rights Policy Templates, XPS IRM, MOSS IRM, Windows Mobile 6.x):
• Full Control
• Export (Save As)
• View (Read)
• Extract (copy)
• Allow Macros
• Reply
• View Rights
• Save
• Print
• Edit
• Forward
• Reply All

AD RMS – expiration and extended policies (same columns):
• Content never expires
• Content expires on
• Content license expires (days)
• Use license for content must be renewed every
• Author is granted full rights without expiration
• RM-protected content can be viewed in trusted browsers

AD RMS – expiration, extended policies and revocation (same columns):
• Requires a new use license each time content is consumed (connection is required)
• Enforce application-specific data
• Requires revocation
• Sign
• Does not allow users to upload documents that do not support IRM (MOSS)
• Stop restricting permission to documents in this library on DATE (MOSS)

Office versions

# | Office version | Protection/Consumption | Consumption
1 | Office 2003 | Professional | Standard
2 | Office 2007 | Professional+, Ultimate, Enterprise | Other versions
3 | Office 2010 | Professional+ | Other versions

Windows Mobile

# | Version | Windows Vista and higher | Legacy (XP)
1 | Windows Mobile 6.x | WMDC 6.1 or higher | ActiveSync 4.5 or higher

WMDC: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=4f68eb56-7825-43b2-ac892030ed98ed95
ActiveSync: http://www.microsoft.com/downloads/details.aspx?familyid=9E641C34-6F7F-404D-A04BDC09F8141141&displaylang=en
Microsoft Office Mobile 6.1: Upgrade for Microsoft Office 2007 file formats: http://www.microsoft.com/downloads/details.aspx?familyid=4B106C1F-51E2-42F0-BA3269BB7E9A3814&displaylang=en

Where?

Scenario | Technologies required
Server-side, MOSS portal: automatic content protection when downloaded | MOSS 2010/2007 IRM
Server-side, MOSS portal: automatic content protection after inspection | MOSS + RSA DLP
Server-side, file server: automatic content protection after inspection | Windows Server 2008 R2 FCI
Server-side, file server: automatic content protection after inspection | Windows Server + RSA DLP
Client-side, endpoint: automatic content protection after inspection | Windows Client + RSA DLP

MOSS document protection

# | MOSS version | Document protection
1 | MOSS 2007 Std/Ent | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx
2 | MOSS 2010 Std/Ent | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx

FCI document protection

# | Windows version | Document protection | Others
1 | Windows Server 2008 R2 Enterprise/Datacenter | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx | In order to apply protection to content, the Bulk Protection Tool is needed.

AD RMS Bulk Protection Tool – download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc6f160ab809cd
AD RMS Bulk Protection Tool and FCI – guidance: http://www.microsoft.com/downloads/details.aspx?familyid=A1ABC2AF-8AF5-4B32-BF9F63424A6409D9&displaylang=en

Identify and protect sensitive documents on file servers

Complement manual AD RMS protection with automated server-side IT policies for complete ownership of the security infrastructure and prevention of inadvertent data leakage. (Diagram: FCI Classify, then File Management Task: AD RMS Protect.)

1. A user creates a file "marketing.docx" on a Windows Server 2008 R2 file server.
2. File Classification Infrastructure (FCI) classifies the file as "sensitive" based on content including "Confidential" and "Internal only".
3. An automated File Management Task invokes RMS protection to restrict access to "Full Time Employees" only.
4. A Full Time Employee can access "marketing.docx".
5. A malicious user who obtains the file through an unintentional leak is not able to access the file content.

Businesses can automatically AD RMS-protect 1000's of confidential files on their file servers.

RSA DLP integration

# | Windows versions | RSA DLP versions | Others
1 | Windows Server 2008 R2, Windows Server 2008 Enterprise/Datacenter/Standard AD RMS | 7.3 and higher | Requires changes in AD RMS ACLs: http://technet.microsoft.com/en-us/library/bb897856.aspx

Exchange IRM features

# | Exchange IRM feature | Exchange 2010 / 2010 SP1 version | Minimum Exchange server role to be running on that version | Additional roles/IRM features that need to be running in Exchange 2010 (dependencies) | Minimum AD RMS version to be implemented
1 | Pre-Licensing | 2010 | Hub Transport | | WS2008 SP2 / WS2008 R2
2 | OWA IRM | 2010 | CAS, Mailbox | Pre-Licensing | WS2008 SP2 / WS2008 R2
3 | OWA Search | 2010 | Hub Transport, Mailbox | Pre-Licensing | WS2008 SP2 / WS2008 R2
4 | OWA WebReady Document Viewing | 2010 SP1 | CAS, Mailbox | Pre-Licensing | WS2008 SP2 / WS2008 R2
5 | Transport Rules | 2010 | Hub Transport | | WS2008 SP2 / WS2008 R2
6 | Transport Pipeline Decryption | 2010 | Hub Transport | | WS2008 SP2 / WS2008 R2
7 | Journal Decryption | 2010 | Hub Transport | | WS2008 SP2 / WS2008 R2
8 | EAS IRM | 2010 SP1 | CAS, Mailbox | | WS2008 SP2 / WS2008 R2
9 | Business to Business IRM (Reach) | 2010 SP1 | CAS, Mailbox | | WS2008 R2
10 | Cross Premise IRM | Exchange Online only | Exchange Online only | | Any version
11 | Transport Rule Segregation of roles | 2010 | CAS, Hub Transport | | Any version that supports Exchange 2010

Reference: http://technet.microsoft.com/en-us/library/dd351212.aspx

Related sessions:
SIA311 – Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond
SIA313 – Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
SIA08-INT – Information Protection: Implementing Information Protection Using Active Directory Rights Management Services 3.0b

Solution scenarios

Secure Messaging
• Seamless, secure access through Unified Access Gateway (UAG)
• Automatically control confidential e-mail with built-in information protection
• Protect Exchange with multiple best-in-class anti-malware engines
• Outlook Web Access 2010 integration with AD RMS
• Outlook 2010 automatic protection

Secure Collaboration Solution
• Secure collaboration by using AD FS and AD RMS (for partner employees)
• Protecting your collaboration portal from malware infection
• Secure collaboration by using UAG (for internal employees)

Secure Endpoint Solution
• Advanced threat protection with Forefront TMG 2010
• Malware protection when not connected to the company network
• Malware protection when using USB drives
• DirectAccess with Unified Access Gateway (UAG)

Information Protection Solution
• Protecting data in motion with Exchange 2010 and AD RMS
• Protecting data at rest with SharePoint 2007, AD FS and AD RMS
• Protecting data at rest with File Classification Infrastructure (FCI) and AD RMS

Identity and Access Management Solution
• Secure remote access
• Group management with FIM 2010 and Outlook
• Self-service password reset with FIM 2010
• Claims-based authentication with AD FS 2.0

PST integration

# | Windows versions | PST integration requirements | Document protection
1 | Windows 7; Windows Server 2008 R2; Windows Vista; Windows XP | Outlook 2007 or later PST | doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx

Download: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc6f160ab809cd

AD RMS – bootstrapping process

Steps in the publishing and licensing process (diagram labels: _wmcs/certification/certification.asmx, _wmcs/licensing/publish.asmx, Cert-Machine, GIC/RAC, CLC, DRM Folder).

AD RMS certificates and licenses (v1 and v2)

AD RMS uses XrML certificates, not X.509 certificates.
• Server identity: SLC – issuer, public key, signature
• User identity: RAC – issuer, public key, private key (encrypted by the SPC public key), signature; CLC – issuer, public key, private key (encrypted by the RAC public key), signature
• Machine identity: SPC – issuer, public key, private key, signature; protected using both DPAPI and RSAVault (obfuscation)
• PL – issuer, content key (encrypted by the server public key), signature
• Certificate key pairs: RSA-1024
• Content key: AES-128
• SLC: Server Licensor Certificate; RAC: Rights Account Certificate; CLC: Client Licensor Certificate; SPC: Security Processor Certificate; PL: Publish License; UL: Use License

Related content

SIA08-INT | Information Protection: Implementing Information Protection Using Active Directory Rights Management Services
SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS)
SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory Red
SIA-2 | Microsoft Forefront Information Protection Solution

Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.