Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond Clinton Ho Program Manager Microsoft Corporation SESSION CODE: SIA311


Page 1: Clinton Ho Program Manager Microsoft Corporation SESSION CODE: SIA311

Information Protection: Active Directory Rights Management Services in the Windows Server 2008 R2 Wave and Beyond

Clinton Ho, Program Manager, Microsoft Corporation

SESSION CODE: SIA311

Page 2

Agenda

Microsoft Business Ready Security

AD RMS Bulk Protection Tool

AD RMS & File Classification Infrastructure

AD RMS PowerShell

Exchange 2010 & AD RMS Integration Features

On the Horizon…


Page 4

Business Ready Security: Help securely enable business by managing risk and empowering people

Across on-premises & cloud

From: Block, Cost, Siloed
To: Enable, Value, Seamless

Integrate and extend security across the enterprise

Simplify the security experience, manage compliance

Protect everywhere, access anywhere

Highly Secure & Interoperable Platform: Identity


Page 6

AD RMS Bulk Protection Tool Customer Scenarios

Bulk decryption
• E-discovery of content for litigation or audit purposes

Bulk encryption
• Safeguarding existing sensitive information
• Classifying and protecting sensitive information with File Classification Infrastructure (FCI)

Page 7

AD RMS Bulk Protection Tool Feature Details

Simple command-line interface

Bulk decrypts Microsoft Office files and items within Outlook PSTs

Bulk encrypts Microsoft Office files to an RMS template

Extensible to support other file formats via Information Rights Management (IRM) protectors (e.g., support for Foxit PDF)

Page 8

AD RMS Bulk Protection Tool Command Line Examples

• Bulk Decryption
RMSBulk.exe /decrypt \\Share\Folder\ /log RMSBulk.log

• Bulk Encryption
RMSBulk.exe /encrypt \\Share\Folder\file.doc ContosoConfidential.xml /log C:\Logs\RMSBulk.log
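The command lines above protect one file or folder at a time. As an added example (not part of the deck and not Microsoft's own tooling), the PowerShell below wraps RMSBulk.exe to apply one template across a share and reports which files were actually protected, skipping formats that no IRM protector on the appendix slide covers. It assumes RMSBulk.exe is on PATH, that the template XML was exported from the AD RMS cluster, and that a non-zero exit code means the file was not protected.

```powershell
# Added example, not from the deck: a PowerShell 2.0-compatible wrapper around RMSBulk.exe
# that applies one RMS template to every file under a share that an IRM protector can handle.
# Assumptions (not from the deck): RMSBulk.exe is on PATH, the template XML was exported
# from the AD RMS cluster, and a non-zero exit code means the file was not protected.

# Extensions the MsoIrmProtector and OpcIrmProtector handle (appendix slide "IRM Protectors")
$ProtectableExtensions = @(
    '.doc', '.dot', '.xla', '.xls', '.xlt', '.pps', '.ppt',
    '.docm', '.docx', '.dotm', '.dotx', '.xlam', '.xlsb', '.xlsm', '.xlsx', '.xltm', '.xltx',
    '.xps', '.potm', '.potx', '.ppsx', '.ppsm', '.pptm', '.pptx', '.thmx'
)

function Protect-FolderWithRms {
    param(
        [Parameter(Mandatory = $true)] [string] $Folder,       # e.g. \\Share\Folder
        [Parameter(Mandatory = $true)] [string] $TemplateXml,  # e.g. ContosoConfidential.xml
        [string] $LogFile = 'C:\Logs\RMSBulk.log'
    )
    $report = @()
    # -File is PowerShell 3.0+, so filter containers out explicitly to stay 2.0-compatible
    $files = Get-ChildItem -Path $Folder -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $ext = $file.Extension.ToLower()
        if ($ProtectableExtensions -notcontains $ext) {
            # Leave the file alone: no built-in IRM protector exists for this format, so it
            # would need a third-party protector (the deck mentions Foxit PDF) to be protected.
            $report += New-Object PSObject -Property @{
                File = $file.FullName; Status = 'Skipped: no IRM protector' }
            continue
        }
        # Same command shape as the deck's bulk encryption example:
        # RMSBulk.exe /encrypt <file> <template.xml> /log <logfile>
        & RMSBulk.exe /encrypt $file.FullName $TemplateXml /log $LogFile | Out-Null
        if ($LASTEXITCODE -eq 0) { $status = 'Protected' }
        else { $status = "Failed: exit code $LASTEXITCODE" }
        $report += New-Object PSObject -Property @{ File = $file.FullName; Status = $status }
    }
    return $report
}

# Review the report (and RMSBulk.log) before treating the share as protected: files that
# failed or were skipped are still readable by anyone with NTFS access to the share.
Protect-FolderWithRms -Folder '\\Share\Folder' -TemplateXml 'ContosoConfidential.xml' |
    Select-Object File, Status | Format-Table -AutoSize
```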

Page 9

AD RMS Bulk Protection Tool

Available on Microsoft Download Center http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd

System Requirements
Windows XP, Windows Vista, Windows 7
Windows Server 2008 R2
Outlook 2007, Outlook 2010 (required only for PST operations)

Page 10

AD RMS Bulk Protection Tool

DEMO


Page 12

AD RMS & File Classification Infrastructure

Identify and protect sensitive documents on file servers. Complement manual RMS protection with automated server-side IT policies for complete ownership of security infrastructure and prevention of inadvertent data leakage.

1. User creates a file “marketing.docx” on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as “sensitive” based on content, including “Confidential” and “Internal only” (FCI Classify)
3. Automated File Management Task invokes RMS protection to restrict access to “Full-Time Employees” only (Mgmt Task: RMS Protect)
4. Full-Time Employee can access “marketing.docx”
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content

Businesses can automatically RMS protect 1,000s of confidential files on their file servers

Page 13

Better Together: AD RMS Bulk Protection Tool & File Classification Infrastructure

DEMO


Page 15

AD RMS PowerShell

Faster way to manage ADRMS deployments

AD RMS PowerShell scripts expose all the functionality of AD RMS administrator’s interface

Users familiar with the GUI can see the same breakdown of functions in the PowerShell cmdlets

Page 16

ADRMS PowerShell

Split into deployment and administration functionalities

Deployment

These cmdlets are available out of the box on Windows Server 2008 R2

ADRMS can be installed and configured with these scripts

Admin

These cmdlets are available after the AD RMS role is installed on Windows Server 2008 R2

Very convenient for repetitive tasks on the server

Managing user lists

Managing exclusion policies

Creating licensing and usage reports


Page 18

Exchange 2010 and AD RMS Integration Overview

Automatic Content Based Privacy
• Transport Protection Rule
• Protected Voice Message
• Outlook Protection Rule

Streamline End User Experience
• RMS Integration in OWA

Enable IT Infrastructure
• Transport Pipeline Decryption
• Journal Report Decryption

Page 19

Automatic Content Based Privacy


Page 20

Automatic Content Based Privacy
Eliminate reliance on the end user

Enforcement tools are required. Content protection should be automated.

Page 21

Transport Protection Rule

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages

Automatic Content-Based Privacy:
• Transport Rule action to apply an RMS template to an e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Do Not Forward policy available out of the box

Page 22

Transport Protection Rule

DEMO

Page 23

Protect Voice Message

UM Administrator can allow incoming voice mail messages to be marked as “private”

Private voice mail is protected using “Do Not Forward”, preventing forwarding or copying of content

Private Voice mail supported by Unified Messaging in Outlook 2010 and OWA

Page 24

Protect Voice Message

Page 25

Outlook Protection Rule

Small-scale rules engine delivered in an Outlook 2010 add-in

Rules
• Can be applied to a sender’s department, a recipient, or a recipient’s scope (inside or outside of the organization)
• Retrieved by the add-in from CAS through EWS
• Optional or mandatory
• Applied offline or online

Page 26

Streamline End User Experience


Page 27

RMS Integration in OWA

Create or consume RMS protected messages just like in Outlook
No client download or installation required
Supports IE, Firefox, Safari, Chrome
Conversation view
Preview pane
Full-text search on RMS protected messages

Page 28

RMS Integration in OWA

CAS uses
• Super User privileges to decrypt
• End User License (EUL) to determine which rights to enforce

Single RAC shared across all client access servers to give multiple machines a common RMS identity
Feature can be enabled or disabled at mailbox policy level

Page 29

Enable IT Infrastructure


Page 30

Enable IT Infrastructure
RMS protection should not break IT infrastructure

Virus and spam filtering of RMS protected messages enabled at Hub Transport

Enable e-discovery via Journal Report Decryption

Page 31

Transport Pipeline Decryption
Enables Hub Transport Agents to scan/modify RMS protected messages

Pipeline Decryption Agent uses Super User privileges to decrypt

Decrypts message and attachments protected with the same Publishing License

Encryption Agent re-encrypts messages with the original Publishing License

Page 32

Journal Report Decryption

Journal Report Decryption Agent
• Attaches clear-text copies of RMS protected messages and attachments to the journal mailbox
• Requires super-user privileges, off by default

Archive/Journal
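The Transport Protection Rule, Outlook Protection Rule, RMS Integration in OWA, Protected Voice Message, Transport Pipeline Decryption and Journal Report Decryption slides above each describe a switch that lives in the Exchange Management Shell. As an added example (not from the deck or from Microsoft), the script below turns them on in one place; the template name 'Contoso Confidential', the rule names, the department 'Finance', the OWA mailbox policy 'Default' and the UM policy 'Default Policy' are assumed values.

```powershell
# Added example, not from the deck: Exchange 2010 Management Shell commands that enable the
# IRM features described in this section. Assumed names (not from the deck): the AD RMS
# template 'Contoso Confidential', the rule names, the department 'Finance', the OWA
# mailbox policy 'Default' and the UM mailbox policy 'Default Policy'.
# Prerequisite handled outside this script: the Exchange federated delivery mailbox must be
# a member of the AD RMS super users group before pipeline or journal decryption can work.

# 1. Organization-wide IRM settings (Set-IRMConfiguration is the single switchboard):
#    - InternalLicensingEnabled: Exchange may request licenses from the on-premises AD RMS
#    - TransportDecryptionSetting Optional: messages that cannot be decrypted still flow
#      (Mandatory would reject them with an NDR; Disabled turns pipeline decryption off)
#    - JournalReportDecryptionEnabled: clear-text copies go to the journal mailbox (off by default)
#    - ClientAccessServerEnabled / SearchEnabled: IRM and full-text search of protected mail in OWA
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -TransportDecryptionSetting Optional `
                     -JournalReportDecryptionEnabled $true `
                     -ClientAccessServerEnabled $true `
                     -SearchEnabled $true

# 2. Transport Protection Rules: apply a template at the Hub Transport, so protection does
#    not depend on the sender. A regex condition on attachments is new in Exchange 2010.
New-TransportRule -Name 'Protect card numbers in attachments' `
    -AttachmentMatchesPatterns '\d{4}-\d{4}-\d{4}-\d{4}' `
    -ApplyRightsProtectionTemplate 'Do Not Forward'      # shipped out of the box
New-TransportRule -Name 'Protect marked confidential mail' `
    -SubjectOrBodyContainsWords 'Contoso Confidential' `
    -ApplyRightsProtectionTemplate 'Contoso Confidential'

# 3. Outlook Protection Rule: fetched by the Outlook 2010 add-in over EWS and applied at send
#    time; here mandatory (UserCanOverride $false) for Finance mail that stays internal.
New-OutlookProtectionRule -Name 'Finance internal only' `
    -FromDepartment 'Finance' `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -UserCanOverride $false

# 4. OWA: the feature is switched per mailbox policy, so it can be piloted on one policy first.
Set-OwaMailboxPolicy -Identity 'Default' -IRMEnabled $true

# 5. Protected voice mail: private voice messages are protected with Do Not Forward.
Set-UMMailboxPolicy -Identity 'Default Policy' `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private

# 6. Verify the chain (RAC/EUL acquisition, templates, decryption) for a test sender.
Test-IRMConfiguration -Sender 'user@contoso.com'
```

Run Test-IRMConfiguration after each change: a failing pipeline or journal decryption is silent otherwise, and the hub simply delivers what it could not inspect when the setting is Optional.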

Page 33

Journal Report Decryption

DEMO


Page 35

On the Horizon…

Mac Office
Exchange 2010 SP1

Page 36

Mac Office

Ability to open RMS-protected messages and attachments
Ability to apply RMS protection to documents and email

Page 37

IRM in Exchange

Pre-licensing

Transport Protection Rule
Outlook Protection Rule
Journal Report Decryption
Transport Pipeline Decryption
IRM in OWA
Protected Voice Message

View Protected attachments in OWA
IRM in Exchange ActiveSync
Enhanced collaboration using Microsoft Federation Gateway
Cross Premises IRM support for Exchange Online

Page 38

View Protected attachments in OWA

Page 39

IRM in Exchange ActiveSync

• IRM in EAS policy can be configured on a per-user basis
• EAS transactions must be made over SSL
• All encryption/decryption operations are executed at CAS

Components: EAS client, Client Access Server, Active Directory / AD RMS

1. On first sync, the client advertises IRM support by sending a value of 1 for the <RightsManagementSupport> tag.
2. EAS syncs the list of AD RMS templates to the device for local storage.
3. When a user selects a template to be applied to a new message, EAS passes the template GUID to CAS. Once synced to CAS, mail and supported attachments are protected appropriately.
4. Any IRM message is decrypted at CAS and then synced to the device. Template name, ID, description, and rights restrictions are also passed.

Page 40

Enhanced Collaboration using Microsoft Federation Gateway

Parties: Woodgrove Bank (AD RMS), Trey Engineering (Exchange), Microsoft Federation Gateway (MFG)

1. Author sends protected mail to recipient at Trey Engineering
2. Exchange (Trey Engineering) receives the message and performs service discovery against Woodgrove Bank’s AD RMS Server
3. Exchange (Trey Engineering) requests a token from the MFG
4. MFG validates the claims and returns the token to Exchange (Trey Engineering)
5. Exchange (Trey Engineering) creates a bootstrapping request including the token to the AD RMS server
6. AD RMS Server validates the token and then returns a RAC for Exchange (Trey Engineering)
7. Exchange (Trey Engineering) then requests a token on behalf of the recipient from the MFG
8. Repeat steps 4-6 for a licensing request
9. The message is delivered and the recipient can consume the content via OWA

Page 41

Cross Premises IRM Support for Exchange Online

Exchange Online tenants get IRM capabilities

After setup, all RMS transactions in the Datacenter are executed within the Datacenter

Clients such as Outlook continue to call the web services on the on-premises AD RMS server

Diagram: Woodgrove Bank Premises (AD RMS), Import TPD, Exchange Online (Woodgrove Bank Tenant)

Page 42

What we covered today

Microsoft Business Ready Security

AD RMS Bulk Protection Tool

AD RMS & File Classification Infrastructure

AD RMS PowerShell

Exchange 2010 & AD RMS Integration Features

On the Horizon...

Page 43

Related Content

SIA313 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
SIA322 Business Ready Security: Protecting Information with Microsoft Forefront and Windows Server 2008 R2 Active Directory
SIA08-INT Information Protection: Implementing Information Protection Using Active Directory Rights Management Services
SIA03-HOL | Information Protection using Active Directory Rights Management Services (AD RMS)
SIA07-HOL | Information Protection Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-2 | Microsoft Forefront Information Protection Solution

Page 44

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 45

Appendix

Page 46

More Information

AD RMS TechNet TechCenter [http://technet.microsoft.com/en-us/dd448611.aspx]
AD RMS Documentation Road Map [http://technet.microsoft.com/en-us/library/dd772711(WS.10).aspx]
AD RMS Bulk Protection Tool Download [http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd#tm]

Blogs

AD RMS Product Team Blog [http://blogs.msdn.com/rms/]
Jason Tyler’s Blog [http://blogs.technet.com/rmssupp/] (Jason is a Senior Support Escalation Engineer for AD RMS)

Page 47

More Information

Windows Server 2008 R2 FCI Web site [http://www.microsoft.com/fci]

Microsoft IT Deployment

AD RMS Deployment [http://technet.microsoft.com/en-us/library/ee156482.aspx]
FCI and AD RMS Bulk Protection Tool Deployment [http://vepcdn.microsoft.com/prod/images/64/Area/214/2676/9fd29bc1-bd16-42fe-a39e-f1d91d62aa60.pdf]

Page 48

IRM Protectors

• IRM protectors control the conversion of documents to their encrypted, rights-managed format and the decryption of documents from their rights-managed format back to their original format

Name             Supported File Formats
MsoIrmProtector  doc, dot, xla, xls, xlt, pps, ppt
OpcIrmProtector  docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx

Page 49

JUNE 7-10, 2010 | NEW ORLEANS, LA