Exchange Server 2010 Information Protection and Control
Ilse Van Criekinge, Technology Advisor, Microsoft BeLux. Session Code: UNC306
Content
• Introduction
• MailTips
• Transport Rules
• Moderation
• Information Rights Management
• Ethical Wall
• Search, Transport and Journal Report Decryption
• Session Takeaways
The High Cost of Data Leakage
“HR executive accidentally e-mails lay-off plan to entire organization.”
“A Wyoming bank sent an e-mail containing sensitive customer data to the wrong mail account, and now wants mail provider to reveal the identity of the account holder who received the data.”
“Public-relations firm faces PR nightmare after unintentionally e-mailing journalists about one of its clients.”
“Secret Service agent sends unencrypted e-mail revealing details of vice presidential tour.”
Information Protection and Control (IPC)
Exchange Server 2010 helps prevent the unauthorized transmission of sensitive information with tools that can automatically:
• MONITOR e-mail for specific content, recipients and other attributes
• CONTROL distribution with automated, granular policies
• PROTECT access to data wherever it travels using rights management
• PREVENT
  • Violations of corporate policy and best practices
  • Non-compliance with government and industry regulations
  • Loss of intellectual property and proprietary information
  • High-profile leaks of private information and customer records
  • Damage to corporate brand image and reputation
Benefits of Automated Controls
Reduce User Error
• The majority of data loss incidents are accidental
• Users forget policies or apply the incorrect policy
Enable More Consistent Policy
• Automation facilitates rapid policy changes across the organization
• Critical for internal/external governance and compliance
Improve Efficiency
• Offload complex data policies from users
• Enable centralized policy creation, execution and management
(Scale of controls: less restrictive to more restrictive)
• Apply the right level of control based on the sensitivity of the data
• Maximize control and minimize unnecessary user disruptions
Benefits of Granular Controls
• Alert: “Allow delivery but add a warning.”
• Append: “Allow delivery but add a disclaimer.”
• Protect: “Allow delivery but prevent forwarding.”
• Redirect: “Block delivery and redirect.”
• Review: “Block delivery until reviewed.”
• Block: “Do not deliver.”
• Modify: “Allow delivery but modify message.”
• Classify: “Allow delivery but apply classification.”
MailTips: Alert users about potential risks
• Apply multiple alerts
• Create custom MailTips to prompt policy reminders
• Protect sensitive data from accidental distribution
Control category: Alert
MailTips - Architecture
Web service in Exchange 2010, supported by:
• Outlook Web App
• Microsoft Outlook 2010
Triggered when the user:
• Adds a recipient
• Adds an attachment
• Replies or replies to all
• Opens a message, already addressed to recipients, from the Drafts folder
Control category: Alert
MailTips - Offline Support
Offline Address Book structure expanded to carry:
• Message delivery restrictions
• Custom MailTips
• Maximum receive size
• Moderation enabled
• Distribution Group - Total member count
• Distribution Group - External member count
Not available offline:
• Invalid internal recipient
• Mailbox full
• Automatic replies
Control category: Alert
MailTips - Limits
Individual mailbox MailTips are not evaluated when:
• The message is sent to a distribution group (except the external recipient MailTip)
• The message is sent to more than 200 recipients
Custom MailTips are limited to 250 characters
Timeout = 10 seconds
Control category: Alert
MailTips – Group Metrics
Used to support the following MailTips:
• Large Audience
• External Recipients
Generated on the same Mailbox server as the OAB; full Group Metrics data generation runs on Sunday
Associated files:
• GroupMetrics-<date>T<time>.bin
• GroupMetrics-<servername>.xml
• ChangedGroups.txt
Control category: Alert
MailTips – Organizational Settings
Set-OrganizationConfig
    -MailTipsAllTipsEnabled
    -MailTipsLargeAudienceThreshold
    -MailTipsExternalRecipientsTipsEnabled
    -MailTipsMailboxSourcedTipsEnabled
    -MailTipsGroupMetricsEnabled
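The organizational settings above, applied from the Exchange Management Shell together with a custom MailTip on a distribution group, as an added example that is not part of the session deck. The group name "All Employees", the threshold value and the MailTip text are constructed for illustration; the cmdlets and parameters are the real Exchange 2010 ones.

```powershell
# Added example (not from the deck): enable MailTips organization-wide, set a
# custom MailTip on a group, and read the effective settings back.
# Assumption: run in the Exchange Management Shell of an Exchange 2010 org;
# the group "All Employees" and the text below are placeholders.

# Turn on MailTips and tune the large-audience warning (threshold is a recipient count).
Set-OrganizationConfig -MailTipsAllTipsEnabled $true `
    -MailTipsLargeAudienceThreshold 25 `
    -MailTipsExternalRecipientsTipsEnabled $true `
    -MailTipsMailboxSourcedTipsEnabled $true `
    -MailTipsGroupMetricsEnabled $true

# Custom MailTips are capped at 250 characters; check before applying so the
# policy reminder is not silently rejected.
$tip = "Reminder: this group reaches every employee. Check attachments for confidential content before sending."
if ($tip.Length -gt 250) {
    throw "Custom MailTip exceeds the 250-character limit ($($tip.Length) characters)."
}
Set-DistributionGroup -Identity "All Employees" -MailTip $tip

# Verify the effective configuration.
Get-OrganizationConfig | Format-List MailTips*
Get-DistributionGroup -Identity "All Employees" | Format-List Name, MailTip
```

The threshold and the group-metrics switch work together: the large-audience MailTip only fires once Group Metrics data has been generated, so after enabling it on a fresh org expect the tip to appear after the next generation run.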
Transport Rules
Conditions
Exceptions
Actions
If the message...
  is from a member of the group ‘Executives’
  and is sent to recipients that are ‘Outside the organization’
  and contains the keyword ‘Merger’
Do the following...
  redirect the message to: [email protected]
Except if the message...
  is sent to ‘[email protected]’
• Executed on the Hub Transport Server
• Structured like Inbox rules
• Apply to all messages sent inside and outside the organization
• Configured with simple GUI in Exchange Management Console
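The Executives/Merger rule from the slide, created with the Exchange Management Shell rather than the GUI, as an added example that is not part of the deck. The deck's redirect and exception addresses are not reproduced here, so both are placeholders; the group "Executives" is assumed to exist.

```powershell
# Added example (not from the deck): the Executives / Merger redirect rule.
# Assumptions: a distribution group named "Executives" exists; the two
# addresses are placeholders for the ones on the slide.
$complianceMailbox = "compliance@contoso.example"     # placeholder
$exemptRecipient   = "legal-counsel@contoso.example"  # placeholder

New-TransportRule -Name "Executives: Merger keyword to external recipients" `
    -Enabled $true `
    -FromMemberOf "Executives" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyContainsWords "Merger" `
    -RedirectMessageTo $complianceMailbox `
    -ExceptIfSentTo $exemptRecipient `
    -Comments "Redirects merger-related external mail from executives for review"

# Rules run on the Hub Transport server in ascending Priority order, so check
# where the new rule landed relative to more general rules.
Get-TransportRule "Executives: Merger keyword to external recipients" |
    Format-List Name, Priority, State, Conditions, Exceptions, Actions
```

Because the exception is evaluated on the whole recipient list, a message addressed to both an external party and the exempt recipient is still exempt; if that is not the intent, drop the exception and handle the exempt address with a separate, higher-priority rule.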
Easily enforce granular policies
Conditions: when the message contains…
• Specific Users: Detects mail between people, distribution lists
• Specific Content: Inspects subject, header and body for keywords, regular expressions
• Message Properties: Inspects message headers and properties or type
• Classifications: Scans for classifications such as Attorney-Client Privileged
• Attachments: Scans size, name and content (Office documents)
• Classifications: Can now also act on No Classifications
• Message Types: IRM protected, auto-replies, calendaring, voice mail
• Supervision Lists: Allows/Blocks based on listed recipients
• Management Properties: Identifies manager and applies policy
• User Properties: Scans for user attributes (such as department, country)
Fine tune rules with detailed criteria
Actions: …do the following…
• Block: Blocks and deletes message and can send non-delivery report
• Classify: Applies classification such as attorney-client privilege
• Modify: Adds disclaimer to body or text to subject line
• Reroute: Adds additional recipients to Cc or Bcc line or re-directs
• Append: Applies disclaimer per each user’s specific attributes
• Review: Enables review and approval of e-mail before delivery
• Protect: Applies rights protection to messages, attachments
Apply the appropriate level of control
Dynamic Signatures
• Signatures integrated with Active Directory attributes
• Option of basic text or HTML
• Automatically apply signatures per user attributes
Control category: Append
Moderation (Review)
• Moderate based on sender, DL, content
• Approve or Reject with option to send response
• Moderator can be a specific user or the sender’s manager
Enable review and approval of e-mail before delivery
Moderated Transport
• Relies on the Exchange 2010 Approval Framework
• Handles multiple moderated recipients
• Bypassing moderation: the moderator bypasses; owners of distribution groups and dynamic distribution groups do not bypass by default
• Previous versions of Exchange don’t support moderated recipients: designate an Exchange 2010 Hub Transport server as expansion server
Control category: Review
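The moderation behaviour described above (fixed moderator, owner bypass that is off by default, expansion server pinning for mixed organizations, and manager-based moderation as a transport-rule action) configured from the Exchange Management Shell, as an added example that is not from the deck. The group "Press Releases", the moderator address and the server name "HUB01" are placeholders.

```powershell
# Added example (not from the deck): moderated delivery for a distribution
# group plus a content-triggered moderation rule.
# Assumptions: group "Press Releases" exists; moderator address and Hub
# Transport server name are placeholders.
$moderator = "pr-manager@contoso.example"   # placeholder

# 1. Moderate everything sent to the group and tell senders when mail is
#    rejected. Group owners do NOT bypass moderation by default, so list
#    them explicitly if they should.
$group = Get-DistributionGroup -Identity "Press Releases"
$ownerDNs = @($group.ManagedBy | ForEach-Object { $_.DistinguishedName })
Set-DistributionGroup -Identity $group.Identity `
    -ModerationEnabled $true `
    -ModeratedBy $moderator `
    -SendModerationNotifications Always `
    -BypassModerationFromSendersOrMembers $ownerDNs

# 2. Earlier Exchange versions cannot expand a moderated recipient, so in a
#    mixed organization pin expansion to an Exchange 2010 Hub Transport server.
Set-DistributionGroup -Identity $group.Identity -ExpansionServer "HUB01"   # placeholder

# 3. Moderation as a transport-rule action: messages matching the keyword are
#    held for the sender's manager rather than a fixed moderator.
New-TransportRule -Name "Moderate price-list changes by manager" `
    -SubjectOrBodyContainsWords "price list" `
    -ModerateMessageByManager $true

# Confirm the group settings.
Get-DistributionGroup -Identity $group.Identity |
    Format-List ModerationEnabled, ModeratedBy, BypassModerationFromSendersOrMembers, ExpansionServer
```

Manager-based moderation depends on the Manager attribute being populated in Active Directory; a sender with no manager set leaves the message with nobody to approve it, so verify that attribute before relying on the rule.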
Information Rights Management (Protect)
Persistent protection
• Protects your sensitive information no matter where it is sent
• Usage rights locked within the document itself
• Protects online and offline, inside and outside of the firewall
Granular control
• Users apply IRM protection directly within an e-mail
• Organizations can create custom usage policy templates such as "Confidential—Read Only"
• Limit file access to only authorized users
Information Rights Management (IRM) provides persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail.
Granular protection that travels with the data
IRM – S/MIME Signing/Encryption
Feature                                                                | RMS | S/MIME Signing | S/MIME Encryption
Verifies identity of publisher                                         | No  | Yes            | No
Differentiates permissions by user                                     | Yes | No             | No
Prevents unauthorized viewing                                          | Yes | No             | Yes
Encrypts protected content                                             | Yes | No             | Yes
Offers content expiration                                              | Yes | No             | Yes
Controls content reading, forwarding, saving, modifying, or printing by user | Yes | No       | No
Extends protection beyond initial publication location                 | Yes | Yes            | Yes
Transport Protection Rules
• IRM protection can be triggered based on sender, recipient, content and other conditions
• Office 2003, 2007, and 2010 attachments also protected
• Apply RMS policies automatically using Transport Rules
• Apply “Do Not Forward” or custom RMS templates
Automatically apply IRM (Protect)
Outlook Protection Rules
Provide users more IRM protection options:
• IRM protection can still be applied manually
• User can be granted option to turn off rule for non-sensitive e-mail
• Adding recipient or distribution list can trigger IRM protection automatically before sending
Control category: Protect
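Both rule types above, created from the Exchange Management Shell, as an added example that is not from the deck: a Transport Protection Rule that applies the built-in "Do Not Forward" template on the Hub Transport server, and an Outlook Protection Rule that applies a custom template in Outlook 2010 before sending and lets the user override it. The AD RMS cluster is assumed to be configured for the organization already; the group "Finance Reviewers" and the custom template name are placeholders.

```powershell
# Added example (not from the deck): apply RMS protection by policy.
# Assumptions: AD RMS is already set up for the Exchange org; the group
# "Finance Reviewers" and the custom template name are placeholders.

# Templates available to both rule types are read from the AD RMS cluster.
Get-RMSTemplate | Format-Table Name, Description -AutoSize

# Transport Protection Rule: applied on the Hub Transport server after the
# message is sent, so Office 2003/2007/2010 attachments are protected too.
New-TransportRule -Name "Protect board material" `
    -SubjectOrBodyContainsWords "Board Pack" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Outlook Protection Rule: applied in Outlook 2010 before the message leaves
# the client, triggered when a listed recipient is added. UserCanOverride
# lets the user switch the rule off for non-sensitive mail.
# "Confidential - Read Only" is a placeholder for a custom template name.
New-OutlookProtectionRule -Name "Finance reviewers" `
    -SentTo "Finance Reviewers" `
    -ApplyRightsProtectionTemplate "Confidential - Read Only" `
    -UserCanOverride $true

# Review what is now enforced client-side versus in transport.
Get-OutlookProtectionRule | Format-List Name, SentTo, ApplyRightsProtectionTemplate, UserCanOverride
Get-TransportRule "Protect board material" | Format-List Name, ApplyRightsProtectionTemplate
```

The two rule types complement each other: the Outlook rule protects the message before it reaches the Hub Transport server, which also means transport agents only see its content if transport decryption is enabled, while the transport rule protects mail regardless of which client sent it.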
IRM in Outlook Web App
• Native support for IRM in OWA eliminates need for Internet Explorer Rights Management add-on
• Access to standard and custom RMS templates
• Read and reply to protected messages
• Cross-browser support enables Firefox and Safari users to create and consume IRM-protected messages
• Office documents also protected
Control category: Protect
Protected Voice Mail: Prevent forwarding of voice mail
• Integration with AD RMS and Exchange Unified Messaging
• Permissions designated by sender (by marking the message as private) or by administrative policy
Control category: Protect
Ethical Wall
Zone of non-communication between distinct departments of a business or organization to prevent conflicts of interest that might result in the inappropriate release of sensitive information
Configurable using EMC or EMS
Control category: Control
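An ethical wall expressed as a transport rule from the Exchange Management Shell (the EMS path mentioned above), as an added example that is not from the deck. The two department groups and the compliance group are placeholders; the cmdlet and parameters are the real Exchange 2010 ones.

```powershell
# Added example (not from the deck): block mail between two departments.
# Assumptions: groups "Investment Banking", "Equity Research" and
# "Compliance Officers" exist (placeholders).
New-TransportRule -Name "Ethical wall: Investment Banking / Equity Research" `
    -BetweenMemberOf1 "Investment Banking" `
    -BetweenMemberOf2 "Equity Research" `
    -ExceptIfFromMemberOf "Compliance Officers" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Delivery not allowed: communication between these departments is restricted by policy."

# BetweenMemberOf1/2 is bidirectional: mail in either direction is rejected,
# and the sender receives an NDR carrying the reason text above.

# Audit: list every rule that rejects based on group membership so walls can
# be reviewed alongside the group memberships that define them.
Get-TransportRule |
    Where-Object { $_.BetweenMemberOf1 -and $_.RejectMessageReasonText } |
    Format-Table Name, Priority, State, BetweenMemberOf1, BetweenMemberOf2 -AutoSize
```

Keep the exception narrow: an exception keyed on a recipient (for example, "except if sent to compliance") would let any sender cross the wall by adding that recipient, whereas an exception on the sender's group membership only relaxes the wall for the people it names.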
IRM Search
• Multi-mailbox search includes option to search IRM-protected items
• Conduct full-text search of IRM-protected mail and attachments in Outlook (online) and OWA
• Index and search protected items
Control category: Protect
Journal Report Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS protected messages and attachments to journal mailbox
• Requires super-user privileges, off by default
• Requires Premium Journaling
Control category: Archive/Journal
Transport Pipeline Decryption
Enables Hub Transport Agents to scan/modify:
• messages IRM-protected by the user in OWA
• messages IRM-protected by the user in Outlook 2010
• messages IRM-protected automatically by Outlook Protection Rules in Outlook 2010
Messages protected in-transit using Transport Protection Rules are not required to be decrypted by the Decryption agent
Control category: Protect
Transport Pipeline Decryption
• Pipeline Decryption Agent uses Super-User privileges to decrypt: it decrypts the message and the attachments protected with the same Publishing License
• Option to NDR messages that can’t be decrypted
• Low performance impact: the message is decrypted at the first Hub Transport server of each forest
• Agents are not prevented from copying decrypted content
Control category: Protect
Configuring IRM - Exchange
To enable:
• Transport Decryption
• Journal Report Decryption
• IRM in OWA
• IRM for Search
Add the Federated Delivery Mailbox (system mailbox created by Exchange 2010 setup) to the SuperUsers group on the AD RMS cluster
Control category: Protect
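The configuration steps above carried through end to end, as an added example that is not from the deck: locate the Federated Delivery Mailbox, grant it super-user rights on AD RMS, enable the four dependent features, and validate. The name of the AD RMS super users group and the test sender address are placeholders; the example assumes the group has already been designated as the super users group on the AD RMS cluster and that the Active Directory module for Windows PowerShell is available.

```powershell
# Added example (not from the deck): enable transport decryption, journal
# report decryption, IRM in OWA and IRM for search.
# Assumptions: the AD RMS super users group is named "ADRMS Super Users" and
# is already enabled on the cluster (placeholder name); the ActiveDirectory
# module is installed on the machine running this script.
Import-Module ActiveDirectory

# 1. Find the Federated Delivery Mailbox created by Exchange 2010 setup.
$fdm = Get-Mailbox -Arbitration | Where-Object { $_.Name -like "FederatedEmail*" }
if (-not $fdm) {
    throw "Federated Delivery Mailbox not found; verify Exchange 2010 setup completed."
}

# 2. Make it an AD RMS super user so Exchange can decrypt on behalf of users.
#    This account can now read any protected content in the org: restrict who
#    can administer it and audit the group's membership.
Add-ADGroupMember -Identity "ADRMS Super Users" -Members $fdm.SamAccountName

# 3. Turn on the dependent features. Mandatory transport decryption NDRs mail
#    that cannot be decrypted; Optional lets such mail through instead.
Set-IRMConfiguration -TransportDecryptionSetting Mandatory `
    -JournalReportDecryptionEnabled $true `
    -OWAEnabled $true `
    -SearchEnabled $true

# 4. Validate: Test-IRMConfiguration obtains certificates and licenses for the
#    sender and checks that prelicensing and super-user access work.
Test-IRMConfiguration -Sender "testuser@contoso.example"   # placeholder
Get-IRMConfiguration |
    Format-List TransportDecryptionSetting, JournalReportDecryptionEnabled, OWAEnabled, SearchEnabled
```

Group membership changes in AD RMS are cached, so a failing Test-IRMConfiguration immediately after step 2 does not necessarily mean the configuration is wrong; rerun the test after the super-user cache has refreshed.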
Session Takeaways
• Automatically monitor and control the distribution of sensitive information
• Better protect access to data with persistent Information Rights Management
• MailTips guide users with automatic alerts before sending
• Transport Rules automatically enforce granular policies
• Expanded Transport Rule conditions enable more specific policies
• New actions: Dynamic Signatures, Moderation, IRM Protection
• Apply by policy with Transport Protection Rules, Outlook Protection Rules
• Extend user access with IRM in OWA, Outlook, Windows Mobile
• Enable search, AV/AS scanning, filtering, journaling of protected mail
• Ensure the right level of control is applied to the right messages
Related Content
• UNC316 Microsoft Exchange Server 2010 Management and Operations (Ilse Van Criekinge, 11/12/2009, 17:00 - 18:15)
• SIA05-IS Secure Messaging Using Active Directory Rights Management Services (AD RMS) and Microsoft Exchange Server 2010 (Cristian Mora, 11/11/2009, 13:30 - 14:45)
• SIA304 Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive (11/12/2009, 17:00 - 18:15)
• UNC16-HOL Microsoft Exchange Server 2010 Compliance: Information Leakage Protection and Control
UNC Track Call to Action!
Learn More!
• Related Content at TechEd on “Related Content” slide: attend in-person or consume post-event at TechEd Online
• Check out learning/training resources at Microsoft TechNet: Exchange Server and Office Communications Server
• Check out Exchange Server 2010 at the Virtual Launch Experience (VLE) at thenewefficiency.com
Try It Out!
• Download the Exchange Server 2010 Trial
• Take a simple Web-based test drive of UC solutions through the 60-Day Virtual Experience
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
Unified Communications Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.