TRANSCRIPT
Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond
Clinton Ho, Program Manager, Microsoft Corporation
SESSION CODE: SIA311
Agenda
Microsoft Business Ready Security
AD RMS Bulk Protection Tool
AD RMS & File Classification Infrastructure
AD RMS PowerShell
Exchange 2010 & AD RMS Integration Features
On the Horizon…
Business Ready Security
Help securely enable business by managing risk and empowering people, across on-premises and cloud
Integrate and extend security across the enterprise
Protect everywhere, access anywhere
Simplify the security experience, manage compliance
Highly Secure & Interoperable Platform; Identity
[Diagram: from Block, Cost, Siloed to Enable, Value, Seamless]
AD RMS Bulk Protection Tool Customer Scenarios
Bulk decryption
• E-discovery of content for litigation or audit purposes
Bulk encryption
• Safeguarding existing sensitive information
• Classifying and protecting sensitive information with File Classification Infrastructure (FCI)
AD RMS Bulk Protection Tool Feature Details
Simple command-line interface
Bulk decrypts Microsoft Office files and items within Outlook PSTs
Bulk encrypts Microsoft Office files to an RMS template
Extensible to support other file formats via Information Rights Management (IRM) protectors (e.g., support for Foxit PDF)
AD RMS Bulk Protection Tool Command Line Examples
• Bulk Decryption: RMSBulk.exe /decrypt \\Share\Folder\ /log RMSBulk.log
• Bulk Encryption: RMSBulk.exe /encrypt \\Share\Folder\file.doc ContosoConfidential.xml /log C:\Logs\RMSBulk.log
AD RMS Bulk Protection Tool
Available on Microsoft Download Center http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd
System Requirements: Windows XP, Windows Vista, Windows 7, Windows Server 2008 R2; Outlook 2007 or Outlook 2010 (required only for PST operations)
AD RMS Bulk Protection Tool
DEMO
AD RMS & File Classification Infrastructure
Identify and protect sensitive documents on file servers. Complement manual RMS protection with automated server-side IT policies for complete ownership of the security infrastructure and prevention of inadvertent data leakage.
[Diagram: FCI Classify, then Mgmt Task: RMS Protect]
1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as “sensitive” based on content, including “Confidential” and “Internal only”
3. An automated File Management Task invokes RMS protection to restrict access to “Full-Time Employees” only
4. A Full-Time Employee can access “marketing.docx”
5. A malicious user who obtains the file through an unintentional leak is not able to access the file content
Businesses can automatically RMS protect 1,000s of confidential files on their file servers
Better Together:AD RMS Bulk Protection Tool & File Classification Infrastructure
DEMO
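The following is an added example, not code from the session or from the AD RMS product team. It ties the two pieces above together: the RMSBulk.exe /encrypt syntax from the command line slide, and the FCI file management task that invokes RMS protection on files FCI has classified. The script is meant to be the custom command of such a task, which calls it once per selected file. Everything not on the slides is an assumption: the install path of RMSBulk.exe, the template XML path, the log paths, the FCI property name “Confidentiality” with value “High”, and the use of the FSRM COM object Fsrm.FsrmClassificationManager to re-read that property.

```powershell
# Added example (not from the session). Custom command for an FCI file management task:
# protect one classified file with the AD RMS Bulk Protection Tool and log the outcome.
# Assumptions: RMSBulk.exe at $RmsBulk, an exported template at $Template, the task passes
# the file path as [Source File Path], and the classification property/value names below.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [string] $RmsBulk  = 'C:\Program Files\RMS Bulk Protection Tool\RMSBulk.exe',  # assumed
    [string] $Template = 'C:\RmsTemplates\ContosoConfidential.xml',                # assumed
    [string] $Log      = 'C:\Logs\RMSBulk.log',           # log written by RMSBulk.exe itself
    [string] $TaskLog  = 'C:\Logs\ProtectClassified.log', # log written by this wrapper
    [string] $Property = 'Confidentiality',               # FCI property your rules set (assumed)
    [string] $Value    = 'High'                           # value that triggers protection (assumed)
)

# Only formats the shipped IRM protectors handle (see the IRM Protectors table in the appendix).
$protectable = 'doc','dot','xla','xls','xlt','pps','ppt',
               'docm','docx','dotm','dotx','xlam','xlsb','xlsm','xlsx','xltm','xltx',
               'xps','potm','potx','ppsx','ppsm','pptm','pptx','thmx'

function Write-TaskLog([string] $Message) {
    Add-Content -Path $TaskLog -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-TaskLog "SKIP missing file: $Path"; exit 0
}

$ext = [IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
if ($protectable -notcontains $ext) {
    Write-TaskLog "SKIP unsupported format ($ext): $Path"; exit 0
}

# Re-read the FCI classification through the FSRM COM API. The task condition already
# selected this file; checking again guards against a task whose scope was widened by mistake.
$fsrm = New-Object -ComObject Fsrm.FsrmClassificationManager
try {
    $prop = $fsrm.GetFileProperty($Path, $Property, 0)   # 0 = no special options
} catch {
    Write-TaskLog "SKIP no '$Property' property on: $Path"; exit 0
}
if ($prop.Value -ne $Value) {
    Write-TaskLog "SKIP $Property=$($prop.Value): $Path"; exit 0
}

# Bulk tool syntax from the session: RMSBulk.exe /encrypt <file> <template.xml> /log <log>
& $RmsBulk /encrypt $Path $Template /log $Log
if ($LASTEXITCODE -ne 0) {
    # Non-zero exit is treated as failure so the task history shows it (assumed convention).
    Write-TaskLog "FAIL RMSBulk exit code $LASTEXITCODE: $Path"
    exit $LASTEXITCODE
}
Write-TaskLog "OK protected with $([IO.Path]::GetFileName($Template)): $Path"
```

The wrapper keeps its own log separate from the one RMSBulk.exe writes, so a reviewer can distinguish files the task skipped (wrong format, classification changed between scan and run) from files the tool itself failed on. Skips exit 0 so the file management task does not flag them as errors.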
AD RMS PowerShell
Faster way to manage AD RMS deployments
AD RMS PowerShell scripts expose all the functionality of the AD RMS administrator’s interface
Users familiar with the GUI can see the same breakdown of functions in the PowerShell cmdlets
AD RMS PowerShell
Split into deployment and administration functionalities
Deployment
These cmdlets are available out of the box on Windows Server 2008 R2
AD RMS can be installed and configured with these scripts
Admin
These cmdlets are available after the AD RMS role is installed on Windows Server 2008 R2
Very convenient for repetitive tasks on the server:
Managing user lists
Managing exclusion policies
Creating licensing and usage reports
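As an added example of the repetitive admin tasks listed above (not code from the session or the product team), the script below takes a scheduled snapshot of an AD RMS cluster with the AdRmsAdmin module that the AD RMS role installs on Windows Server 2008 R2: it exports the rights policy templates, the application, user and lockbox exclusion policies, and the system health and user request reports for the last week. The cluster URL, the report folder, the retention window and the file naming are this script's own assumptions; only the provider paths and the -Path/-StartTime/-EndTime parameters of the report cmdlets are relied on.

```powershell
# Added example (not from the session): scheduled AD RMS admin snapshot via the AdRmsAdmin module.
# Assumptions: runs on a cluster node as an AD RMS administrator; $ClusterUrl, $ReportRoot
# and $Days are this script's choices, not values from the session.
param(
    [string] $ClusterUrl = 'http://localhost',
    [string] $ReportRoot = 'C:\RmsReports',
    [int]    $Days       = 7
)

Import-Module AdRmsAdmin
# The admin cmdlets operate on a provider drive; templates, policies and trusts are items under it.
New-PSDrive -PSProvider AdRmsAdmin -Name AdRmsAdmin -Root $ClusterUrl | Out-Null

$stamp = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $ReportRoot -Force | Out-Null

function Export-Snapshot($Objects, [string] $Name) {
    # CLIXML keeps every property the provider exposes, so later diffs between snapshots
    # show exactly which template or exclusion entry changed.
    $Objects | Export-Clixml -Path (Join-Path $ReportRoot "$Name-$stamp.xml")
}

# 1. Rights policy templates: what users, Exchange and FCI tasks can apply.
Export-Snapshot (Get-ChildItem AdRmsAdmin:\RightsPolicyTemplate) 'templates'

# 2. Exclusion policies: the entries that deny licenses to excluded users, out-of-date
#    applications and old lockbox versions. Application and User hold one item per entry;
#    Lockbox is a single item with the minimum version setting.
Export-Snapshot (Get-ChildItem AdRmsAdmin:\ExclusionPolicy\Application) 'exclusion-application'
Export-Snapshot (Get-ChildItem AdRmsAdmin:\ExclusionPolicy\User)        'exclusion-user'
Export-Snapshot (Get-Item      AdRmsAdmin:\ExclusionPolicy\Lockbox)     'exclusion-lockbox'

# 3. Licensing and usage reports for the last $Days days, as CSV for spreadsheet review.
$end   = Get-Date
$start = $end.AddDays(-$Days)
Get-RmsSystemHealthReport -Path AdRmsAdmin:\ -StartTime $start -EndTime $end |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportRoot "health-$stamp.csv")
Get-RmsUserRequestReport  -Path AdRmsAdmin:\ -StartTime $start -EndTime $end |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportRoot "requests-$stamp.csv")

Remove-PSDrive -Name AdRmsAdmin
```

The script only reads from the cluster, so it is safe to run from Task Scheduler; comparing two dated template or exclusion exports is a quick way to spot an unexpected change to a template's rights or to the exclusion list.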
Exchange 2010 and AD RMS Integration Overview
Automatic Content Based Privacy: Transport Protection Rule, Protected Voice Message, Outlook Protection Rule
Streamline End User Experience: RMS Integration in OWA
Enable IT Infrastructure: Transport Pipeline Decryption, Journal Report Decryption
Automatic Content Based Privacy
Eliminate reliance on the end user: enforcement tools are required, and content protection should be automated.
Transport Protection Rule
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages
Automatic Content-Based Privacy:
• Transport Rule action to apply an RMS template to an e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Do Not Forward policy available out of the box
Transport Protection Rule
DEMO
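The following is an added example, not code from the session or from the Exchange product team, showing the Transport Protection Rule above as Exchange Management Shell steps: enable internal licensing, list the templates Exchange can see, create one rule that applies a template on a subject/body match and one that applies Do Not Forward on an attachment match, then verify the IRM path for a test sender. The template name “Contoso Confidential”, the patterns and the sender address are constructed; the attachment predicate name should be confirmed against the service pack in use.

```powershell
# Added example (not from the session): Exchange 2010 Transport Protection Rules.
# Prerequisites assumed: the AD RMS cluster is registered in AD and the Exchange servers
# are trusted by it; the template 'Contoso Confidential' exists on the cluster.

# 1. Let Exchange acquire licenses from the on-premises AD RMS cluster.
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Templates visible to Exchange. 'Do Not Forward' is built in; the others come from AD RMS.
Get-RMSTemplate

# 3. Patterns that mark content as sensitive (constructed for this example). Regex entries
#    match subject and body; the attachment rule scans attachment content with the same list.
$pattern = 'Confidential', 'Internal only', '\bACCT-\d{8}\b'

New-TransportRule -Name 'Protect confidential mail' `
    -SubjectOrBodyMatchesPatterns $pattern `
    -ApplyRightsProtectionTemplate 'Contoso Confidential' `
    -Comments 'Applies the Contoso Confidential template on a content match'

New-TransportRule -Name 'Protect confidential attachments' `
    -AttachmentMatchesPatterns $pattern `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -Comments 'Do Not Forward when an attachment carries a confidentiality marker'

# 4. Verify licensing and template retrieval end to end before relying on the rules.
Test-IRMConfiguration -Sender 'user@contoso.com'
```

The rules act at the Hub Transport role, so they protect mail regardless of which client sent it; that is the point the slides make about removing the dependency on the end user. Test-IRMConfiguration is the check to run after any AD RMS or certificate change, since a failing licensing path turns a Mandatory transport decryption setting into rejected mail.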
Protect Voice Message
UM Administrator can allow incoming voice mail messages to be marked as “private”
Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying of content
Private voice mail supported by Unified Messaging in Outlook 2010 and OWA
Outlook Protection Rule
Small-scale rules engine delivered in an Outlook 2010 add-in
Rules:
• Can be applied to a sender’s department, a recipient, or a recipient’s scope (inside or outside of the organization)
• Retrieved by the add-in from CAS through EWS
• Optional or mandatory
• Applied offline or online
Streamline End User Experience
RMS Integration in OWA
Create or consume RMS-protected messages just like in Outlook
No client download or installation required
Supports IE, Firefox, Safari, Chrome
Conversation view, preview pane, and full-text search on RMS-protected messages
RMS Integration in OWA: CAS uses
• Super User privileges to decrypt
• End User License (EUL) to determine which rights to enforce
• A single RAC shared across all client access servers to give multiple machines a common RMS identity
Feature can be enabled or disabled at the mailbox policy level
Enable IT Infrastructure
Enable IT Infrastructure
RMS protection should not break IT infrastructure
Virus and spam filtering of RMS-protected messages enabled at Hub Transport
Enable e-discovery via Journal Report Decryption
Transport Pipeline Decryption
Enables Hub Transport agents to scan/modify RMS-protected messages
• Pipeline Decryption Agent uses Super User privileges to decrypt
• Decrypts message and attachments protected with the same Publishing License
• Encryption Agent re-encrypts messages with the original Publishing License
Journal Report Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected messages and attachments to the journal mailbox
• Requires super-user privileges; off by default
Journal Report Decryption
DEMO
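As an added example (not code from the session or the Exchange product team), the commands below switch on the three server-side decryption paths the last two sections describe and then verify them: transport pipeline decryption for Hub Transport agents, journal report decryption for e-discovery, and CAS decryption for OWA with search indexing. The choice of Mandatory, the policy name “Default” and the test sender are this example's assumptions; the prerequisite that the Exchange servers are members of the AD RMS super users group is taken from the slides and not configured here.

```powershell
# Added example (not from the session): enabling super-user based decryption in Exchange 2010.
# Assumes the Exchange servers already hold super-user rights on the AD RMS cluster.

# Transport pipeline decryption so anti-virus, anti-spam and transport rules see clear text.
# Mandatory rejects (NDRs) a message the agent cannot decrypt; Optional lets it through
# unscanned. Mandatory is the assumption here because the goal is that filtering never
# silently misses protected content.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# Journal report decryption: clear-text copies are attached to the journal report for
# e-discovery. Off by default, so it must be enabled explicitly.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true

# OWA: let CAS decrypt and encrypt on the user's behalf, and index protected content so
# full-text search works on it. IRM is then switched on per OWA mailbox policy.
Set-IRMConfiguration -ClientAccessServerEnabled $true -SearchEnabled $true
Set-OwaMailboxPolicy -Identity 'Default' -IRMEnabled $true

# Review the resulting configuration and exercise the licensing path for a test user.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, TransportDecryptionSetting,
    JournalReportDecryptionEnabled, ClientAccessServerEnabled, SearchEnabled
Test-IRMConfiguration -Sender 'user@contoso.com'
```

Each of these settings widens the set of servers that can read protected mail, so the super users group that grants them should be reviewed together with this configuration; a reconciliation of that group against the Exchange server list is the control that keeps the decryption paths from quietly extending to other accounts.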
On the Horizon…
Mac Office; Exchange 2010 SP1
Mac Office
• Ability to open RMS-protected messages and attachments
• Ability to apply RMS protection to documents and email
IRM in Exchange
Exchange 2010: Pre-licensing, Transport Protection Rule, Outlook Protection Rule, Journal Report Decryption, Transport Pipeline Decryption, IRM in OWA, Protected Voice Message
Exchange 2010 SP1: View Protected attachments in OWA, IRM in Exchange ActiveSync, Enhanced collaboration using Microsoft Federation Gateway, Cross Premises IRM support for Exchange Online
View Protected attachments in OWA
IRM in Exchange ActiveSync
• IRM in EAS policy can be configured on a per-user basis
• EAS transactions must be made over SSL
• All encryption/decryption operations are executed at CAS
1. On first sync, the client advertises IRM support by sending a value of 1 for the <RightsManagementSupport> tag.
2. EAS syncs the list of AD RMS templates to the device for local storage.
3. When a user selects a template to be applied to a new message, EAS passes the template GUID to CAS. Once synced to CAS, mail and supported attachments are protected appropriately.
4. Any IRM message is decrypted at CAS and then synced to the device. Template name, ID, description, and rights restrictions are also passed.
[Diagram: device, Client Access Server, Active Directory / AD RMS]
Enhanced Collaboration using Microsoft Federation Gateway
1. Author sends protected mail to a recipient at Trey Engineering
2. Exchange (Trey Engineering) receives the message and performs service discovery against Woodgrove Bank’s AD RMS server
3. Exchange (Trey Engineering) requests a token from the MFG
4. MFG validates the claims and returns the token to Exchange (Trey Engineering)
5. Exchange (Trey Engineering) creates a bootstrapping request, including the token, to the AD RMS server
6. AD RMS server validates the token and then returns a RAC for Exchange (Trey Engineering)
7. Exchange (Trey Engineering) then requests a token on behalf of the recipient from the MFG
8. Repeat steps 4-6 for a licensing request (UL)
9. The message is delivered and the recipient can consume the content via OWA
[Diagram: Woodgrove Bank (AD RMS), MFG, Trey Engineering (Exchange)]
Cross Premises IRM Support for Exchange Online
Exchange Online tenants get IRM capabilities
After setup, all RMS transactions in the datacenter are executed within the datacenter
Clients such as Outlook continue to call the web services on the on-premises AD RMS server
[Diagram: Woodgrove Bank premises (AD RMS) exports and imports the TPD into Exchange Online (Woodgrove Bank tenant)]
What we covered today
Microsoft Business Ready Security
AD RMS Bulk Protection Tool
AD RMS & File Classification Infrastructure
AD RMS PowerShell
Exchange 2010 & AD RMS Integration Features
On the Horizon...
Related Content
SIA313 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
SIA322 Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory
SIA08-INT Information Protection: Implementing Information Protection Using Active Directory Rights Management Services
SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS)
SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-2 | Microsoft Forefront Information Protection Solution
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
More Information
AD RMS TechNet TechCenter [http://technet.microsoft.com/en-us/dd448611.aspx]
AD RMS Documentation Road Map [http://technet.microsoft.com/en-us/library/dd772711(WS.10).aspx]
AD RMS Bulk Protection Tool Download [http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd#tm]
Blogs
AD RMS Product Team Blog [http://blogs.msdn.com/rms/]
Jason Tyler’s Blog [http://blogs.technet.com/rmssupp/] (Jason is a Senior Support Escalation Engineer for AD RMS)
More Information
Windows Server 2008 R2 FCI Web site [http://www.microsoft.com/fci]
Microsoft IT Deployment
AD RMS Deployment [http://technet.microsoft.com/en-us/library/ee156482.aspx]
FCI and AD RMS Bulk Protection Tool Deployment [http://vepcdn.microsoft.com/prod/images/64/Area/214/2676/9fd29bc1-bd16-42fe-a39e-f1d91d62aa60.pdf]
IRM Protectors
• IRM protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format
Name and Supported File Formats:
MsoIrmProtector: doc, dot, xla, xls, xlt, pps, ppt
OpcIrmProtector: docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx
JUNE 7-10, 2010 | NEW ORLEANS, LA