Windows Server 2008 R2 Active Directory Rights Management Services Deep Dive
Abhijat Kanade, Senior Program Manager, Microsoft Corporation
Session Code: SIA304
Agenda
• Information Leakage Problem
• AD RMS History
• What’s New in CY09
  • AD RMS Server Role in Windows Server 2008 R2
  • Exchange 2010 integration
  • AD RMS Bulk Protection Tool
  • RSA DLP 6.5+ integration
• Q&A
With Demos
Business Ready Security
Help securely enable business by managing risk and empowering people
• Highly Secure & Interoperable Platform
• Identity: protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance
[Diagram: from Block, Cost, Siloed to Enable, Value, Seamless]
The Information Workplace
[Diagram: information flows between the enterprise, an independent consultant, a partner organization, home, mobile devices and a USB drive]
Information Leakage Is Costly On Multiple Fronts
Companies face growing risks of data leaks
• Legal, Regulatory, and Financial impacts
  • Cost of digital leakage per year is measured in $Billions
  • Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
  • Non-compliance with regulations or loss of data can lead to significant legal fees
• Damage to Image and Credibility
  • Damage to public image and credibility with customers
  • Financial impact on company
  • Leaked e-mails or memos can be embarrassing
• Loss of Competitive Advantage
  • Disclosure of strategic plans or M&A info can lead to loss of revenue and market capitalization
  • Loss of research, analytical data, and other intellectual capital
Data must be protected, but must remain accessible
Location Based Solutions Protect Initial Access… But Do Not Protect Usage
[Diagram: a firewall perimeter and an access control list perimeter separate authorized users from unauthorized users; the information leakage arrow runs from authorized users to unauthorized users outside both perimeters, where neither control applies]
AD RMS Is A Content-Based Solution
Protects the Information Itself – No Matter How It Is Shared And Where It Goes
[Diagram: the policy travels with the content to every copy]
Active Directory Rights Management Services
Persistent protection = Encryption + Policy
• Access Permissions (Who)
• Use Right Permissions (What)

AD RMS Workflow: Publishing and Consumption
[Diagram: Author and Recipient, each holding a RAC and CLC; the AD RMS server, backed by AD DS and SQL, issues the UL against the PL attached to the mail]
Certificates and licenses: RAC = rights account certificate (identifies the user), CLC = client licensor certificate (lets the user publish offline), PL = publishing license (the policy bound to the content), UL = use license (the rights granted to one recipient)
1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient gets use license from RMS
6. Recipient can access content
* Each consecutive release on this slide includes features from the prior release

Windows Server 2003
• Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2)
• AD RMS Trust: TUD (trusted user domain), WLID (Windows Live ID)
• Client: out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
• Microsoft Solutions: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)

Windows Server 2008
• AD RMS server role (v2)
• AD RMS Trust: AD FS federation support
• Improved installation and mgmt; AD RMS template distribution (Vista SP1 and above); admin reports; different admin roles
• Client: AD RMS client integrated in Windows Vista and WS2008
• Microsoft Solutions: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (Doc libraries); Exchange 2007 SP1 (Prelicensing)

Windows Server 2008 R2
• AD RMS server role (v3)
• AD RMS Trust: publishing org (internal) group support for federated users
• Improved installation and mgmt through PowerShell; additional admin reports
• Client: AD RMS client integrated in Windows 7 and WS2008 R2
• Microsoft Solutions: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration

Partner Solutions
• PDF and other file formats & BlackBerry support – Gigatrust, Liquid Machines
• CAD file format – Dassault Systèmes
• Classification – Titus Labs
• Secure Content Mgmt – Workshare, OpenText
• RSA DLP
• PDF solution – Foxit
AD RMS Server Role in WS2008 R2: Customer Ask #1
Consistency
• Ensure identical deployments
• Automate common tasks
Flexibility
• For managing the server
• Local and remote access

AD RMS Server Role in WS2008 R2: Deployment and Administration
• PowerShell support for deployment and admin
  • Deployment cmdlets available out of the box
  • Admin cmdlets available after the AD RMS server role has been deployed
• Additional admin reports (system health)
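As an added example (not from the deck and not Microsoft’s sample script), the following Windows PowerShell session shows the two halves the slide describes: the ADRMS deployment provider staging and installing a single-server root cluster on Windows Server 2008 R2, then the ADRMSAdmin provider enabling the Super Users group on the running cluster. The host adrms01.contoso.com, the service account CONTOSO\svc-adrms and the group ADRMS-SuperUsers@contoso.com are placeholders, and the provider item and property names (ClusterDatabase, ClusterKey, ClusterURL, ServiceAccount, SCP, SuperUser, TrustPolicy and their properties) are written from memory of the R2 modules: confirm them with Get-ChildItem RC:\ -Recurse and Get-ItemProperty before running this on a real server.

```powershell
# Added example: scripted AD RMS root-cluster deployment plus Super Users
# enablement on Windows Server 2008 R2. Placeholder names and assumed
# provider paths are marked inline; review the staged items before installing.

Import-Module ADRMS

# --- Deployment: settings are staged in the ADRMSInstall drive, nothing is installed yet
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

# Lab only: Windows Internal Database. A production cluster should point
# ClusterDatabase at a dedicated SQL Server so it can be scaled out and backed up.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Cluster key: a centrally managed software key protected by a password.
# Whoever holds a configuration database backup plus this password can decrypt
# everything the cluster ever protected; a CSP/HSM-held key is the stronger choice.
$keyPwd = Read-Host -AsSecureString "Cluster key password"
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $keyPwd

# Service account: an ordinary domain user, never a Domain Admin.
$svc = Get-Credential "CONTOSO\svc-adrms"                                  # placeholder account
Set-ItemProperty -Path RC:\ServiceAccount -Name Credentials -Value $svc    # assumed property name

# Cluster URL: certification and licensing traffic carries RACs and ULs, so
# require SSL rather than the clear-HTTP default.
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value "Default Web Site"
Set-ItemProperty -Path RC:\ClusterURL -Name Secure -Value $true
Set-ItemProperty -Path RC:\ClusterURL -Name FullyQualifiedDomainName -Value "adrms01.contoso.com"
Set-ItemProperty -Path RC:\ClusterURL -Name Port -Value 443

# Publish the Service Connection Point so Windows 7 / Office clients discover the cluster.
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true                 # assumed property name

# Review every staged item, then perform the installation.
Get-ChildItem -Path RC:\ -Recurse | Format-List
Install-ADRMS -Path RC:\ -Force

# --- Administration: the AdRmsAdmin provider is only present once the role is installed
Import-Module ADRMSAdmin
New-PSDrive -PSProvider AdRmsAdmin -Name AdminRC -Root https://adrms01.contoso.com | Out-Null

# Super Users can decrypt anything the cluster has protected. Enable the group
# only while a decryption feature (Exchange journal/transport decryption, the
# Bulk Protection Tool) needs it, keep membership minimal and audit it.
Set-ItemProperty -Path AdminRC:\SuperUser -Name IsEnabled -Value $true      # assumed property name
Set-ItemProperty -Path AdminRC:\SuperUser -Name SuperUserGroup -Value "ADRMS-SuperUsers@contoso.com"

# Remote, repeatable inspection of the same cluster state the MMC shows.
Get-ChildItem -Path AdminRC:\RightsPolicyTemplate            # templates this cluster distributes
Get-ChildItem -Path AdminRC:\TrustPolicy\TrustedUserDomain   # whose RACs we honour (assumed path)
```

Because the same script can be replayed against every server in the cluster, the "identical deployments" ask is met by construction; the part worth keeping under change control is the Super Users block, since enabling it is the single most consequential switch on the cluster.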
Demo: AD RMS Administration
AD RMS Server Role in WS2008 R2: Customer Ask #2
Simplify collaboration
• Enable secure external collaboration
• Consistent end user experience when working with internal and external users
Control access
• Publishing organization maintains full control of content
• Groups defined by publishing organization

AD RMS Server Role in WS2008 R2: Secure External Collaboration
• WS2008 introduced federation support via AD FS – external users had to be individually identified when protecting information
• WS2008 R2 supports protecting to publishing org (internal) groups that include external users – no need to individually identify external users
External Collaboration via AD FS
[Diagram: Contoso (AD, RMS, AD FS resource partner FS-R, WebSSO agent) and Fabrikam (AD, AD FS account partner FS-A); Alice at Contoso, Bob at Fabrikam; RAC/CLC, PL and UL exchanged in the numbered order below]
1. Assume author is already bootstrapped
2. Alice sends protected mail to the projectX group at Contoso, of which Bob at Fabrikam is a member
3. Recipient contacts RMS Server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS Client is redirected to FS-R for home realm discovery
6. RMS Client is redirected to FS-A for authentication
7. RMS Client is redirected back to FS-R for authentication
8. RMS Client makes request to RMS Server for bootstrapping
9. RMS Server returns certificates (RAC and CLC) to recipient
10. RMS Client makes request to RMS Server for use license
11. RMS Server retrieves Bob’s group membership from (Contoso) AD and compares it to the PL
12. RMS Server returns use license to recipient
13. Recipient accesses protected content
Exchange 2010 RMS Integration: Themes
• Streamline end-user experience
• Enable automatic protection
• Integrate seamlessly with IT infrastructure

Exchange 2010 RMS Integration: Customer Ask #1
Seamless protection
• Ensure identical end user experience for unprotected and RMS-protected e-mails
OWA support
• View and reply to RMS-protected e-mails in OWA without an additional add-on

Exchange 2010 RMS Integration: Streamline End-user Experience
• Prelicensing support enables offline and mobile access to RMS-protected e-mails – introduced in Exchange 2007 SP1
• Consume and publish RMS-protected e-mails in OWA – Internet Explorer, Firefox, Safari
• Conduct full-text search on RMS-protected e-mails in OWA
Demo: RMS-Protected E-mails in OWA
Exchange 2010 RMS Integration: Streamline End-user Experience: RMS Integration In OWA: Details
• The Client Access Server (CAS) uses Super Users privileges to decrypt the message server-side; the browser never holds the content key
• The prelicensed use license (UL) is used to determine which rights to enforce in the OWA rendering
• Rights enforcement concerns in the browser (a web page can only discourage, not prevent, copying of rendered text) are mitigated by enabling the feature only for a specific set of users, at the OWA mailbox policy level
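The configuration behind this slide, as an added example that is not from the deck or from Microsoft’s documentation: the Exchange 2010 Management Shell commands that make OWA decrypt on the user’s behalf and the AD RMS prerequisite they depend on. Assumed: an AD RMS cluster already published through the SCP, a mail-enabled universal group ADRMS-SuperUsers that the AD RMS administrator has configured as the Super Users group, and the placeholder domain contoso.com, policy name IRM-in-OWA and user alice@contoso.com.

```powershell
# Added example: enabling IRM in OWA on Exchange 2010 and scoping it to a
# subset of mailboxes. Placeholder names are marked; the federated delivery
# mailbox name below is the fixed name Exchange 2010 creates.

# 1. The CAS decrypts with Super Users privileges, so Exchange's federated
#    delivery mailbox must be a member of the AD RMS Super Users group.
$fedMailbox = "FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@contoso.com"
Add-DistributionGroupMember -Identity "ADRMS-SuperUsers" -Member $fedMailbox

# 2. Licensing for internal users, IRM rendering on the CAS, and indexing of
#    protected mail so OWA full-text search works against the prelicensed UL.
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -ClientAccessServerEnabled $true `
                     -SearchEnabled $true

# 3. The slide's mitigation for browser-side enforcement: protected mail is
#    shown in OWA only for mailboxes assigned this OWA mailbox policy.
New-OwaMailboxPolicy -Name "IRM-in-OWA" | Out-Null
Set-OwaMailboxPolicy -Identity "IRM-in-OWA" -IRMEnabled $true
Get-Mailbox -Filter { Department -eq "Legal" } |            # placeholder population
    Set-CASMailbox -OwaMailboxPolicy "IRM-in-OWA"
# Everyone else keeps the default policy with IRM in the browser switched off;
# they still open protected mail in Outlook with the full client-side enforcement.
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $false

# 4. End-to-end check: template retrieval, prelicensing and licensing URLs are
#    exercised against the cluster, so a broken SCP or missing Super Users
#    membership shows up here rather than as a blank message in OWA.
Test-IRMConfiguration -Sender alice@contoso.com | Format-List
Get-RMSTemplate | Format-Table Name, Description -AutoSize
```

If Test-IRMConfiguration reports a prelicensing failure while templates list fine, the usual cause is the Super Users membership in step 1 (or the group not being mail-enabled), not the OWA policy.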
Exchange 2010 RMS Integration: Customer Ask #2
Enable automatic protection
• Based on content and context analysis

Exchange 2010 RMS Integration: Automatic Protection
• Automatically protect e-mails in transit via Exchange transport rules
• Automatically protect e-mails in Outlook 2010 (through an add-in)
• Automatically protect private voicemails through Exchange Unified Messaging (UM)

Exchange 2010 RMS Integration: Automatic Protection: Through Transport Rules
• Transport Rule action to apply an AD RMS template to the e-mail message
• Based on content and context analysis
  • Content analysis: keyword and RegEx scanning of e-mails and attachments
  • Context examples: From, To

Demo: Exchange Transport Rules Based Automatic RMS-Protection

Exchange 2010 RMS Integration: Automatic Protection: Through Transport Rules: Details
• The rules agent stamps an organization-scoped X-header (X-MS-Exchange-Organization-*, stripped at the organization boundary) on the e-mail with the RMS template GUID
• The encryption agent applies the RMS template to the e-mail and its attachments on the OnRouted transport agent event
• Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get automatically protected
• Extensible to other file formats through an IRM Protector implementation
Exchange 2010 RMS Integration: Automatic Protection: Through Outlook Protection Rules
• Outlook 2010 add-in (small-scale rules engine); protection is applied in the client before the mail leaves Outlook, which mitigates concerns about an Exchange admin or host accessing sensitive mail
• Rules are context only: sender’s department, recipient’s identity, recipient’s scope (internal/external)
• Rules are retrieved by the add-in from the CAS through the Exchange Web Services (EWS) API
• Ability to allow/disallow the user to override automatic protection

Demo: Outlook 2010 Add-In Protection Rules
Exchange 2010 RMS Integration: Automatic Protection: Through Unified Messaging
• UM admin can allow incoming voicemails to be marked as “private”
• Private voicemails can be protected using the “Do Not Forward” RMS template, preventing forwarding and copying of voicemail content
• Private voicemails supported in OWA and Outlook 2010
• Uses the Encryption/Decryption XSO API to RMS-protect
• RMS-protected based on the sender marking the voicemail as ‘private’ or through administrative policy

Demo: Exchange Unified Messaging Protected Voicemails
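One added example covering the three automatic-protection paths above (transport rules, Outlook protection rules and Unified Messaging), configured from the Exchange 2010 Management Shell; this is not code from the deck or from Microsoft. Assumed: an AD RMS template named "Contoso Confidential" is published to Exchange ("Do Not Forward" always exists), and contoso.com, the department Finance and the UM mailbox policy "Contoso UM Policy" are placeholders.

```powershell
# Added example: the three automatic-protection mechanisms, with a guard that
# fails loudly if Exchange cannot see the template (otherwise a rule referring
# to it would simply never protect anything).

$confidential = Get-RMSTemplate | Where-Object { $_.Name -eq "Contoso Confidential" }
if (-not $confidential) {
    throw "Template not visible to Exchange; run Test-IRMConfiguration and check the SCP / licensing URL"
}

# (a) Transport rules: protected in transit on the Hub Transport server.
#     Predicates inside one rule are ANDed, so body and attachment scanning
#     are split into two rules that share the content regex (US SSN shape)
#     and the context predicate (recipient outside the organization).
$ssnPattern = '\b\d{3}-\d{2}-\d{4}\b'
New-TransportRule -Name "Protect SSN in body leaving the org" `
    -SubjectOrBodyMatchesPatterns @($ssnPattern) `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate $confidential `
    -Comments "Rules agent stamps the template GUID; encryption agent protects on OnRouted"
New-TransportRule -Name "Protect SSN in attachments leaving the org" `
    -AttachmentMatchesPatterns @($ssnPattern) `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate $confidential

# (b) Outlook protection rule: protected inside Outlook 2010 before sending, so
#     the Hub Transport server and its admins never see clear text. Context
#     only (no content scan); Outlook fetches the rule over EWS.
New-OutlookProtectionRule -Name "Finance internal mail" `
    -FromDepartment "Finance" `
    -SentToScope InternalOnly `
    -ApplyRightsProtectionTemplate $confidential `
    -UserCanOverride $false      # $true would let the sender strip the protection

# (c) Unified Messaging: voice mails marked private by the caller, or all of
#     them under policy, get Do Not Forward. Values: Private | All | None.
Set-UMMailboxPolicy -Identity "Contoso UM Policy" `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true `
    -ProtectedVoiceMailText "This voice mail is protected and can only be played by its recipient."

# What will actually fire, in one place, for the change record.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, SentToScope, ApplyRightsProtectionTemplate -AutoSize
Get-OutlookProtectionRule |
    Format-Table Name, FromDepartment, SentToScope, UserCanOverride -AutoSize
Get-UMMailboxPolicy -Identity "Contoso UM Policy" |
    Format-List ProtectAuthenticatedVoiceMail, ProtectUnauthenticatedVoiceMail, RequireProtectedPlayOnPhone
```

The transport rules only see attachments whose format the IRM protector understands (Office 2003 and later, XPS), so a sensitive scan or protection of other formats needs the additional protector the slide mentions; the Outlook rule has no such limit because the client protects the whole message as sent.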
Exchange 2010 RMS Integration: Customer Ask #3
Enable e-discovery
• Support in-the-clear archival of RMS-protected e-mails
Allow scanning of protected e-mails
• Ability to scan RMS-protected e-mails in transport
• Ability to modify RMS-protected e-mails in transport

Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration
• Enables e-discovery via journal decryption
• Enables anti-malware and other scenarios (such as adding a disclaimer) at hub transport via transport decryption and re-encryption

Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Journal Decryption
Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected e-mails and attachments to the journal report delivered to the journal (archive) mailbox
• Requires Super Users privileges
• Feature is off by default
Demo: Exchange Journal Decryption
Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Transport Pipeline Decryption
Pipeline Decryption Agent
• Enables Hub Transport agents to scan/modify RMS-protected e-mails
• Uses Super Users privileges to decrypt the e-mail and its attachments
• The Encryption Agent re-encrypts the message once the other agents have run
• Option to NDR messages that cannot be decrypted (otherwise they pass through unscanned)
• All AD RMS integration agents are implemented as internal agents
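The journal decryption and transport pipeline decryption settings from the two slides above, as an added example (not from the deck, not Microsoft’s script). Assumed: the Exchange federated delivery mailbox is already a member of the AD RMS Super Users group, and journal@contoso.com, the mailbox alias journal and alice@contoso.com are placeholders.

```powershell
# Added example: switching on journal report decryption and transport
# decryption on Exchange 2010, with the checks and hardening that should
# accompany two features that produce clear text from protected mail.

# Prerequisite check: exercises licensing, prelicensing and journal
# decryption against the cluster before anything is enabled.
Test-IRMConfiguration -Sender alice@contoso.com | Format-List

# Journal report decryption is off by default. Once on, every journal report
# for a protected message carries a clear-text copy of body and attachments.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
New-JournalRule -Name "Journal all mail" -Scope Global `
    -JournalEmailAddress journal@contoso.com -Enabled $true

# The journal mailbox is now the richest clear-text store in the organization.
# Keep it out of the GAL and off every client protocol e-discovery does not use;
# grant access to the discovery team explicitly rather than leaving it to defaults.
Set-Mailbox -Identity journal -HiddenFromAddressListsEnabled $true
Set-CASMailbox -Identity journal -OWAEnabled $false -ActiveSyncEnabled $false `
    -PopEnabled $false -ImapEnabled $false

# Transport decryption lets anti-malware and other Hub Transport agents see
# clear text; the encryption agent re-protects the message afterwards.
#   Mandatory = NDR anything that cannot be decrypted (the slide's NDR option)
#   Optional  = deliver undecryptable messages without scanning them
#   Disabled  = agents only ever see ciphertext
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# A rule that only works because of pipeline decryption: the disclaimer is
# appended inside the protected body and the message is re-encrypted.
New-TransportRule -Name "External disclaimer" -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText "<p>Contoso confidential. Do not redistribute.</p>" `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Record the resulting state for the change ticket.
Get-IRMConfiguration |
    Format-List InternalLicensingEnabled, JournalReportDecryptionEnabled, TransportDecryptionSetting
```

Mandatory is the safer value when the pipeline contains a malware scanner, since Optional turns "could not decrypt" into "delivered unscanned"; the cost is that mail protected by a cluster Exchange has no Super Users rights on (for example a partner’s) is rejected.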
Demo: Exchange Transport Decryption and Re-Encryption
Exchange 2010 RMS Integration
Streamline end-user experience
• Consume and publish RMS-protected e-mails in OWA
• Search RMS-protected e-mails in OWA
Enable automatic protection
• Through Transport rules
• Through Outlook protection rules
• Through Unified Messaging (voicemails)
Integrate seamlessly with IT infrastructure
• In-the-clear archival of RMS-protected e-mails
• Ability to scan and modify RMS-protected e-mails in transport
Exchange RMS integration features require the AD RMS Server Role in WS2008 R2, or in WS2008 SP2 with the KB973247 hotfix
AD RMS Bulk Protection Tool: Customer Ask
Bulk decryption tool
• Recover RMS-protected documents
• Help in e-discovery efforts

AD RMS Bulk Protection Tool: Details
• Command line tool
• Bulk decryption: e-discovery of content for litigation/audit purposes (the account running the tool must be a member of the AD RMS Super Users group to decrypt content it was not granted rights to)
• Bulk encryption: safeguard existing sensitive information
• Can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server
• Supported file formats: Office 2003 and above (Word, Excel, PowerPoint), XPS; extensible to other file formats via an IRM protector implementation
• Bulk decryption also available for items within Outlook PSTs (requires Outlook 2007)
• Supported on XP/WS2003 and above; requires RMS Client v1 SP2 and .NET Framework 2.0 on XP and WS2003
AD RMS Bulk Protection Tool With WS2008 R2 FCI
[Diagram: file server running FCI Classify (steps 1–2) and a management task "AD RMS Protect" (step 3); a full-time employee opens the file (step 4); a malicious user holding a leaked copy is blocked (step 5)]
1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. An Automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to Full-Time Employees only)
4. A Full-Time Employee can access “marketing.docx”
5. A malicious user who obtains the file through an unintentional leak is not able to access the file content

Demo: AD RMS Bulk Protection Tool with WS2008 R2 FCI
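Step 3 above runs unattended, so the practitioner’s question is how to tell afterwards which files the task actually protected. The following is an added example, not from the deck or the Bulk Protection Tool: a PowerShell function that classifies Office 2007+ files on a share by container signature. An unprotected .docx/.xlsx/.pptx is a ZIP container (bytes 50 4B 03 04); once RMS-protected it is rewritten as an OLE compound file (D0 CF 11 E0 A1 B1 1A E1) carrying an EncryptedPackage stream. The share path \\fs01\marketing is a placeholder. Two caveats: legacy .doc/.xls/.ppt are OLE either way and are excluded, and a password-encrypted OOXML file also becomes OLE, so "Protected" here means "encrypted container", which is what a leak check needs but not proof of which AD RMS template was applied.

```powershell
# Added example: report which Office 2007+ files on a share are RMS/encrypted
# containers versus still-plain ZIP containers, after an FCI file management
# task has handed them to the AD RMS Bulk Protection Tool.
# Written for PowerShell 2.0 (Windows Server 2008 R2), hence no -File switch.

function Get-RmsProtectionState {
    param([Parameter(Mandatory=$true)][string]$Path)

    $oleSig = 'D0-CF-11-E0-A1-B1-1A-E1'   # OLE compound file header (protected OOXML)
    $zipSig = '50-4B-03-04'               # local file header of a plain OOXML ZIP

    Get-ChildItem -Path $Path -Recurse -Include *.docx,*.xlsx,*.pptx |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $head   = New-Object byte[] 8
            $stream = [System.IO.File]::OpenRead($_.FullName)
            try     { $read = $stream.Read($head, 0, 8) }
            finally { $stream.Close() }

            # Default covers zero-length, truncated and foreign containers.
            $state = 'Unknown'
            if ($read -ge 8 -and [BitConverter]::ToString($head, 0, 8) -eq $oleSig) {
                $state = 'Protected'
            } elseif ($read -ge 4 -and [BitConverter]::ToString($head, 0, 4) -eq $zipSig) {
                $state = 'Unprotected'
            }

            New-Object PSObject -Property @{
                File      = $_.FullName
                State     = $state
                LastWrite = $_.LastWriteTime
            }
        }
}

# Anything not Protected after the task ran is either newer than the last FCI
# pass or something the protector could not handle; both deserve a look.
Get-RmsProtectionState -Path '\\fs01\marketing' |       # placeholder share
    Where-Object { $_.State -ne 'Protected' } |
    Sort-Object LastWrite -Descending |
    Format-Table State, LastWrite, File -AutoSize
```

Run it on a schedule offset from the FCI classification schedule and alert on a growing Unprotected count; a file that stays Unprotected across several runs usually means the classification rule did not match it, not that the tool failed.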
Partner Solution: RSA DLP: Automatic Protection For Datacenters and Endpoints
• Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter
• Requirements: RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products); AD RMS Server Role in WS2008 and above

Partner Solution: RSA DLP: How The Integration Works
1. AD RMS admin creates AD RMS templates for data protection (e.g. an “Intellectual Property (IP)” template)
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS (IP Policy: find ‘IP’ documents, apply the ‘IP’ AD RMS template)
3. RSA DLP discovers and classifies sensitive files on endpoints (laptops/desktops), file shares and SharePoint, and applies AD RMS protection based on policy
4. Users request files; AD RMS provides identity-based access

Rights granted by the ‘IP’ template
Department              Rights
R&D Department          View, Edit, Print
Marketing Department    View
Others                  No Access
More Information
• AD RMS TechNet TechCenter [Link] and Documentation Roadmap [Link]
• Exchange 2010 and AD RMS Integration [Link]
• AD RMS Bulk Protection Tool Download [Link]
• WS2008 R2 FCI Website [Link]
• RSA DLP Website [Link]
MSIT Deployment
• AD RMS Deployment [Link]
• FCI and AD RMS Bulk Protection Tool Deployment [Link]
• RSA DLP and AD RMS Deployment [Link]
Blogs
• AD RMS Product Team Blog [Link]
• Jason Tyler Blog [Link] (Jason is a Senior Support Escalation Engineer for AD RMS)
Q&A
Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.