Ilse Van Criekinge
Technology Advisor
Microsoft BeLux
Session Code: UNC306
Content
Introduction
MailTips
Transport Rules
Moderation
Information Rights Management
Ethical Wall
Search, Transport and Journal Report Decryption
Session Takeaways
The High Cost of Data Leakage
“Public-relations firm faces PR nightmare after unintentionally e-mailing journalists about one of its clients.”
“A Wyoming bank sent an e-mail containing sensitive customer data to the wrong mail account, and now wants mail provider to reveal the identity of the account holder who received the data.”
“Secret Service agent sends unencrypted e-mail revealing details of vice presidential tour.”
Information Protection and Control (IPC)
Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:
• MONITOR e-mail for specific content, recipients and other attributes
• CONTROL distribution with automated, granular policies
• PROTECT access to data wherever it travels using rights management
• PREVENT:
  • Violations of corporate policy and best practices
  • Non-compliance with government and industry regulations
  • Loss of intellectual property and proprietary information
  • High-profile leaks of private information and customer records
  • Damage to corporate brand image and reputation
Benefits of Automated Controls
Reduce User Error
• Majority of data loss incidents are accidental
• Users forget policies or apply incorrect policy
Enable More Consistent Policy
• Automation facilitates rapid policy changes across the organization
• Critical for internal/external governance and compliance
Improve Efficiency
• Offload complex data policies from users
• Enable centralized policy creation, execution and management
Benefits of Granular Controls
Controls from less restrictive to more restrictive:
• Alert: “Allow delivery but add a warning.”
• Modify: “Allow delivery but modify message.”
• Protect: “Allow delivery but prevent forwarding.”
• Classify: “Allow delivery but apply classification.”
• Append: “Allow delivery but add a disclaimer.”
• Redirect: “Block delivery and redirect.”
• Review: “Block delivery until reviewed.”
• Block: “Do not deliver.”
Apply the right level of control based on the sensitivity of the data
Maximize control and minimize unnecessary user disruptions
MailTips
Alert users about potential risks
Alert
MailTips - Architecture
Alert
Web service in Exchange 2010
Supported by:
• Outlook Web App
• Microsoft Outlook 2010
Triggered when:
• Add a recipient
• Add an attachment
• Reply or Reply to all
• Open a message, already addressed to recipients, from the Drafts folder
MailTips - Evaluation
Alert
(Evaluation flow diagram; the numbered steps are not recoverable from the slide text.)
MailTips - Offline Support
Alert
Offline Address Book structure expanded with:
• Message delivery restrictions
• Custom MailTips
• Maximum receive size
• Moderation enabled
• Distribution Group - Total member count
• Distribution Group - External member count
Not available offline:
• Invalid internal recipient
• Mailbox full
• Automatic replies
MailTips - Limits
Alert
• Individual mailbox MailTips are not evaluated when:
  • the message is sent to a distribution group (except the external recipients tip)
  • the message is sent to more than 200 recipients
• Custom MailTips limited to 250 characters
• Time out = 10 seconds
MailTips – Group Metrics
Alert
Used to support the MailTips:
• Large Audience
• External Recipients
Generated on same Mailbox server as OAB
Full Group Metrics data generation on Sunday
Associated files:
• GroupMetrics-<date>T<time>.bin
• GroupMetrics-<servername>.xml
• ChangedGroups.txt
MailTips – Organizational Settings
Set-OrganizationConfig
-MailTipsAllTipsEnabled
-MailTipsLargeAudienceThreshold
-MailTipsExternalRecipientsTipsEnabled
-MailTipsMailboxSourcedTipsEnabled
-MailTipsGroupMetricsEnabled
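Setting the organization-wide switches above and adding a custom MailTip from the Exchange Management Shell, as an added example that is not part of the session deck; the group name, threshold and MailTip text are assumptions chosen for illustration.

```powershell
# Added example (not from the deck): organization-wide MailTips settings
# (the parameters listed on the slide) plus a custom MailTip on a group.
Set-OrganizationConfig `
    -MailTipsAllTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 25 `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsMailboxSourcedTipsEnabled $true `
    -MailTipsGroupMetricsEnabled $true

# Custom MailTips are capped at 250 characters (see MailTips - Limits);
# fail early with a clear message instead of letting the cmdlet reject it.
function Set-GroupMailTip {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Text
    )
    if ($Text.Length -gt 250) {
        throw "MailTip for '$Group' is $($Text.Length) characters; the limit is 250."
    }
    Set-DistributionGroup -Identity $Group -MailTip $Text
}

# 'All Employees' is an assumed group name.
Set-GroupMailTip -Group 'All Employees' `
    -Text 'This list reaches every mailbox in the company. Check the recipients before sending confidential information.'

# Verify what was applied.
Get-OrganizationConfig | Format-List MailTips*
Get-DistributionGroup 'All Employees' | Format-List Name, MailTip
```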
Transport Rules
Easily enforce granular policies
If the message...
• Is from a member of the group ‘Executives’
• And is sent to recipients that are ‘Outside the organization’
• And contains the keyword ‘Merger’
Do the following...
• Redirect message to: [email protected]
Except if the message...
• Is sent to ‘[email protected]’
• Executed on the Hub Transport Server
• Structured like Inbox rules
• Apply to all messages sent inside and outside the organization
• Configured with simple GUI in Exchange Management Console
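The rule on the slide expressed in the Exchange Management Shell, as an added example that is not from the deck; it assumes Exchange 2010 SP1 or later New-TransportRule syntax, and the redirect and exception addresses (not legible in the transcript) are placeholders.

```powershell
# Added example (not from the deck): the slide's rule as a transport rule.
# 'Executives' is the group named on the slide; the two addresses are
# placeholders for the ones the slide used.
New-TransportRule -Name 'Executives - Merger - redirect for review' `
    -FromMemberOf 'Executives' `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords 'Merger' `
    -RedirectMessageTo 'legal-review@contoso.example' `
    -ExceptIfSentTo 'outside-counsel@partner.example' `
    -Comments 'Redirects external mail from executives that mentions the merger.'

# Rules run on every Hub Transport server in priority order; a lower
# Priority number is evaluated first when several rules match a message.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State -AutoSize

# Show the rule as transport will evaluate it: conditions, exceptions, actions.
Get-TransportRule 'Executives - Merger - redirect for review' |
    Format-List Name, Conditions, Exceptions, Actions
```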
Conditions
Fine tune rules with detailed criteria
• Specific Users: Detects mail between people, distribution lists
• Specific Content: Inspects subject, header and body for keywords, regular expressions
• Message Properties: Inspect message headers and properties or type
• Classifications: Scans for classifications such as Attorney-Client Privileged
• Attachments: Scans size, name and content (Office documents)
• Classifications: Can now also act on No Classifications
• Message Types: IRM protected, auto-replies, calendaring, voice mail
• Supervision Lists: Allows/Blocks based on listed recipients
• Management Properties: Identifies manager and applies policy
• User Properties: Scans for user attributes (such as department, country)
Actions
Apply the appropriate level of control
• Block: Blocks and deletes message and can send non-delivery report
• Classify: Applies classification such as attorney-client privilege
• Modify: Adds disclaimer to body or text to subject line
• Reroute: Adds additional recipients to Cc or Bcc line or re-directs
• Append: Applies disclaimer per each user’s specific attributes
• Review: Enables review and approval of e-mail before delivery
• Protect: Applies rights protection to messages, attachments
Dynamic Signatures
Append
• Automatically apply signatures per user attributes
• Option of basic text or HTML
• Signatures integrated with Active Directory attributes
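A dynamic signature as a disclaimer rule driven by Active Directory attributes, as an added example that is not from the deck; it assumes Exchange 2010 SP1 or later syntax, and the department name and HTML layout are assumptions.

```powershell
# Added example (not from the deck): append a per-sender HTML signature.
# Each %%Attribute%% token is replaced with that attribute of the sender's
# Active Directory user object when the rule fires.
$signature = @"
<br/><div style="font-family:Segoe UI,Arial;font-size:10pt">
<b>%%DisplayName%%</b><br/>
%%Title%%, %%Department%%<br/>
%%Company%% | %%PhoneNumber%% | %%Email%%
</div>
"@

# Scope: internal senders whose AD Department attribute is 'Sales' (assumed).
New-TransportRule -Name 'Dynamic signature - Sales' `
    -FromScope InOrganization `
    -SenderADAttributeContainsWords 'Department:Sales' `
    -ApplyHtmlDisclaimerText $signature `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments 'Appends an AD-driven signature to mail from the Sales department.'

# Wrap: if the body cannot be modified (for example a signed message), the
# original is attached to a new message that carries the signature, instead
# of being rejected (Reject) or sent through unsigned (Ignore).
Get-TransportRule 'Dynamic signature - Sales' |
    Format-List Name, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction
```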
Moderation
Review
Enable review and approval of e-mail before delivery
• Approve or Reject with option to send response
• Moderate based on sender, DL, content
• Moderator can be a specific user or sender’s manager
Moderated Transport Message Flow
(Message flow diagram; the numbered steps are not recoverable from the slide text.)
Moderated Transport
Review
• Relies on the Exchange 2010 Approval Framework
• Handles multiple moderated recipients
• Bypassing moderation:
  • Moderator bypasses
  • Owners of distribution groups and dynamic distribution groups do not bypass by default
• Previous versions of Exchange don’t support moderated recipients: designate an Exchange 2010 Hub Transport server as expansion server
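Configuring the three moderation scenarios above (fixed moderator, sender's manager, legacy expansion server) from the Exchange Management Shell, as an added example that is not from the deck; group, user and server names are assumptions.

```powershell
# Added example (not from the deck): moderated transport configuration.

# Moderate a distribution group with a named moderator. Group owners do NOT
# bypass by default, so anyone who should is listed explicitly.
Set-DistributionGroup -Identity 'Press Releases' `
    -ModerationEnabled $true `
    -ModeratedBy 'pr.manager@contoso.example' `
    -BypassModerationFromSendersOrMembers 'Communications Team' `
    -SendModerationNotifications Internal

# Moderate by content and route approval to the sender's manager (taken
# from the sender's Active Directory Manager attribute) instead of a fixed user.
New-TransportRule -Name 'Manager approval - contracts leaving the organization' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -AttachmentContainsWords 'Contract', 'Statement of Work' `
    -ModerateMessageByManager $true

# Hub Transport servers from earlier Exchange versions cannot apply
# moderation. Pin group expansion to an Exchange 2010 Hub so the moderated
# recipients are handled there.
Set-DistributionGroup -Identity 'Press Releases' -ExpansionServer 'HUB2010-01'

# Verify the group's moderation settings.
Get-DistributionGroup 'Press Releases' |
    Format-List ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers, ExpansionServer
```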
Information Rights Management
Protect
Granular protection that travels with the data
Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.
Persistent protection
• Protects your sensitive information no matter where it is sent
• Usage rights locked within the document itself
• Protects online and offline, inside and outside of the firewall
Granular control
• Users apply IRM protection directly within an e-mail
• Organizations can create custom usage policy templates such as "Confidential—Read Only"
• Limit file access to only authorized users
IRM – S/MIME Signing/Encryption

| Feature | RMS | S/MIME Signing | S/MIME Encryption |
|---|---|---|---|
| Verifies identity of publisher | No | Yes | No |
| Differentiates permissions by user | Yes | No | No |
| Prevents unauthorized viewing | Yes | No | Yes |
| Encrypts protected content | Yes | No | Yes |
| Offers content expiration | Yes | No | Yes |
| Controls content reading, forwarding, saving, modifying, or printing by user | Yes | No | No |
| Extends protection beyond initial publication location | Yes | Yes | Yes |
Transport Protection Rules
Automatically apply IRM
Protect
• Apply RMS policies automatically using Transport Rules
• Apply “Do Not Forward” or custom RMS templates
• IRM protection can be triggered based on sender, recipient, content and other conditions
• Office 2003, 2007, and 2010 attachments also protected
Outlook Protection Rules
Protect
Provide users more IRM protection options
• Adding recipient or distribution list can trigger IRM protection automatically before sending
• IRM protection can still be applied manually
• User can be granted option to turn off rule for non-sensitive e-mail
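Applying RMS templates automatically, first server-side with a transport protection rule and then client-side with an Outlook Protection Rule, as an added example that is not from the deck; it assumes Exchange 2010 SP1 or later syntax, and the group names and keyword are assumptions (only the 'Do Not Forward' template is a built-in).

```powershell
# Added example (not from the deck): automatic IRM protection.

# Templates are published by the AD RMS cluster; confirm a template is
# visible to Exchange before referencing it by name in a rule.
Get-RMSTemplate | Format-List Name, Description

# Transport protection rule: mail from the (assumed) Finance group whose
# subject or body mentions 'Payroll' is protected in transit with
# 'Do Not Forward'. Office 2003/2007/2010 attachments inherit the protection.
New-TransportRule -Name 'Protect payroll mail' `
    -FromMemberOf 'Finance' `
    -SubjectOrBodyContainsWords 'Payroll' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'

# Outlook Protection Rule: Outlook 2010 applies the template before the
# message leaves the client whenever the (assumed) group is a recipient.
# UserCanOverride lets the sender switch the rule off for non-sensitive mail.
New-OutlookProtectionRule -Name 'Protect mail to Executive Board' `
    -SentTo 'Executive Board' `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $true

# Review what is now enforced on the server and pushed to clients.
Get-TransportRule 'Protect payroll mail' | Format-List Name, ApplyRightsProtectionTemplate
Get-OutlookProtectionRule |
    Format-Table Name, SentTo, ApplyRightsProtectionTemplate, UserCanOverride -AutoSize
```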
IRM in Outlook Web App
Protect
Read and reply to protected messages
• Native support for IRM in OWA eliminates need for Internet Explorer Rights Management add-on
• Access to standard and custom RMS templates
• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
• Office documents also protected
Protected Voice Mail
Protect
Prevent forwarding of voice mail
• Integration with AD RMS and Exchange Unified Messaging
• Permissions designated by sender (by marking the message as private) or by administrative policy
Ethical Wall
Control
Zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information
Configurable using EMC or EMS
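An ethical wall built with the EMS, as an added example that is not from the deck; it assumes Exchange 2010 SP1 or later syntax, and the group names, rejection text and the Compliance exception are assumptions.

```powershell
# Added example (not from the deck): an ethical wall as a transport rule.
# BetweenMemberOf matches mail in either direction between the two groups,
# so a single rule implements the wall.
New-TransportRule -Name 'Ethical wall - Investment Banking / Equity Research' `
    -BetweenMemberOf1 'Investment Banking' `
    -BetweenMemberOf2 'Equity Research' `
    -RejectMessageReasonText 'Communication between Investment Banking and Equity Research is not permitted by company policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -ExceptIfFromMemberOf 'Compliance' `
    -Priority 0 `
    -Comments 'Rejects mail across the wall with an NDR; Compliance may cross it.'

# Priority 0 puts the wall ahead of disclaimer, redirect or Bcc rules, so no
# copy of a blocked message is delivered by a later rule.
Get-TransportRule 'Ethical wall - Investment Banking / Equity Research' |
    Format-List Priority, BetweenMemberOf1, BetweenMemberOf2, RejectMessageReasonText
```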
IRM Search
Protect
Index and search protected items
• Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and OWA
• Multi-mailbox search includes option to search IRM-protected items
Journal Report Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected messages and attachments to journal mailbox
• Requires super-user privileges, off by default
• Requires Premium Journaling
Transport Pipeline Decryption
Protect
• Enables Hub Transport agents to scan/modify:
  • messages IRM-protected by the user in OWA
  • messages IRM-protected by the user in Outlook 2010
  • messages IRM-protected automatically by Outlook Protection Rules in Outlook 2010
• Messages protected in transit using Transport Protection Rules do not need to be decrypted by the Decryption agent
Transport Pipeline Decryption
Protect
• Pipeline Decryption Agent:
  • uses Super-User privileges to decrypt
  • decrypts message and attachments protected with the same Publishing License
• Option to NDR messages that can’t be decrypted
• Low performance impact: message decrypted at the 1st Hub of each forest
• Agents are not prevented from copying decrypted content
Configuring IRM - Exchange
Protect
To enable:
• Transport Decryption
• Journal Report Decryption
• IRM in OWA
• IRM for Search
add the Federated Delivery Mailbox (system mailbox created by Exchange 2010 setup) to the SuperUsers group on the AD RMS cluster.
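The procedure above carried out in the Exchange Management Shell, as an added example that is not from the deck; the super users group name and the test sender are assumptions, and it assumes the AD RMS super users group is a mail-enabled universal security group (AD RMS requires it to have an e-mail address), which is why Add-DistributionGroupMember is used.

```powershell
# Added example (not from the deck): enable Exchange IRM features that need
# super-user access to protected content.

# 1. Locate the Federated Delivery Mailbox: an arbitration mailbox created by
#    Exchange 2010 setup whose name starts with 'FederatedEmail.'.
$fdm = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail*' }
if (-not $fdm) { throw 'Federated Delivery Mailbox not found.' }

# 2. Make it a member of the AD RMS super users group (assumed name) so the
#    Decryption, Journal Report Decryption, OWA and Search components can
#    obtain use licenses for any protected message.
Add-DistributionGroupMember -Identity 'ADRMS Super Users' -Member $fdm.Identity

# 3. Switch on the dependent features. TransportDecryptionSetting:
#    Mandatory = NDR messages the agent cannot decrypt (the slide's option),
#    Optional  = deliver them undecrypted, Disabled = no pipeline decryption.
Set-IRMConfiguration `
    -InternalLicensingEnabled $true `
    -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true `
    -ClientAccessServerEnabled $true `
    -SearchEnabled $true

# 4. Verify end to end: Test-IRMConfiguration acquires licenses from the
#    AD RMS cluster on behalf of the given (assumed) sender and reports failures.
Test-IRMConfiguration -Sender 'finance.user@contoso.example'
Get-IRMConfiguration | Format-List *Enabled, TransportDecryptionSetting
```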
IRM Decryption - Journaling
Session Takeaways
• Automatically monitor and control the distribution of sensitive information
• Ensure the right level of control is applied to the right messages
• Better protect access to data with persistent Information Rights Management
Related Content
• UNC316: Microsoft Exchange Server 2010 Management and Operations (Ilse Van Criekinge), 11/12/2009 * 17:00 - 18:15
• SIA05-IS: Secure Messaging Using Active Directory Rights Management Services (AD RMS) and Microsoft Exchange Server 2010 (Cristian Mora), 11/11/2009 * 13:30 - 14:45
• SIA304: Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive, 11/12/2009 * 17:00 - 18:15
• UNC16-HOL: Microsoft Exchange Server 2010 Compliance: Information Leakage Protection and Control
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.