featured engagements - meetupfiles.meetup.com/18381594/azure information protection.pdf ·...


Post on 28-May-2020


Page 1: Featured Engagements - Meetupfiles.meetup.com/18381594/Azure Information Protection.pdf · 2016-12-08 · AIP Service Discovery •Establish TCP/IP Session with Azure RMS service
Page 2

Featured Engagements

Page 3

Agenda

• AIP Service
• Classification
• Protection
• Key Management
  • Azure Key Vault
• Tracking & Monitoring
• On Premises
  • Azure RMS Connector
• AIP Integration
  • B2B
  • B2C
• End User Workflows
  • AIP Bar
  • Office Suite
  • Sharing App
• Other IPC

Page 4

Azure Information Protection (AIP)

• Topics
  • Overview
  • Requirements
  • Licensing Plans
  • Azure IP Service
  • Service Discovery & AuthN
  • Client Software

Page 5

Overview

• Key Drivers
  • Cyber attacks expose private company information to the public (e.g. Sony Pictures).
  • Compliance requirements.
  • Growth in cloud and mobile.
  • Data leaks (intentional/accidental).

• What about Existing Solutions?
  • Scalability and collaboration challenges (e.g. partners, consumers).
  • Identifying sensitive data can be/is difficult.
  • Some are complicated and hard to manage (e.g. S/MIME encryption).
  • Platform incompatibilities (e.g. mobile device email).
  • Policies can be very restrictive or limiting.
  • RMS: the Do Not Forward permission does not work well externally.
  • You may be asked to resend email unencrypted.

Page 6

Requirements

• Identity and Service Providers

• Clients and Applications

• Subscription and Licensing

Page 7

Identity and Service Providers

• Azure Active Directory or Active Directory (AD)
  • Identity providers.
• Azure AD Connect
  • Synchronization service.
• Azure Information Protection
  • Classification service.
• Azure Rights Management
  • Protection service.
• Azure RMS Connector
  • Relay service.

Page 8

Clients and Applications

• Client OS
  • Windows 10 (x86, x64).
  • Windows 8/8.1 (x86, x64).
  • Windows 7 Service Pack 1 (x86, x64).
  • Mac OS, iOS and Android.
• Applications
  • Office Professional Plus 2016.
  • Office Professional Plus 2013 with Service Pack 1.
  • Office Professional Plus 2010.

Page 9

Licensing Plans

Page 10

Licensing Plans (cont.)

Page 11

Licensing Plans (cont.)

Page 12

Azure Information Protection (AIP)

• What’s AIP?
  • New Azure multi-tenant cloud-hosted service.
  • Ability to classify and label documents.
  • Ability to track and revoke documents as needed.

• Service Request URL
  • https://api.informationprotection.azure.com/

• Milestones
  • General Availability (GA): October 4th, 2016.
  • Public Preview: July 12th, 2016.
  • Service Announcement: June 22nd, 2016.
  • Microsoft acquisition of Secure Islands: November 9th, 2015.

Page 13

Why AIP?

• Also see
  • https://support.office.com/en-us/article/Plan-for-Office-365-security-and-information-protection-capabilities-3d4ac4a1-3920-4ff9-918f-011f3ce60408?ui=en-US&rs=en-US&ad=US

Page 14

AIP (cont.)

• Installation
  • Log on to Azure as Global Administrator.
  • Search for and click Azure Information Protection.

Page 15

AIP (cont.)

• Installation (cont.)
  • Click Create.

Page 16

AIP (cont.)

• Configuration
  • Configure and publish the organization Policy.
  • The default policy may be all you need; if so, no additional configuration is needed.

Page 17

AIP Service Discovery

• Establish TCP/IP Session with Azure RMS service
  • TCP/IP 3-way handshake with *-a-rms.<region>.cloudapp.net on TCP port 443, where <region> is one of ncu, eus, etc.
• TLS Handshake: Client Hello service message request
  • Azure Rights Management discovery service at https://discovery.aadrm.com.
• TLS Handshake: Server Hello hostname message response
  • With the value of id-at-commonName set to ssl.<region>.aadrm.com, where <region> is one of na, eu, etc.

Page 18

AIP Service Authentication

• Authenticate to Azure Information Protection service
  • Connect to the company’s Azure tenant at https://<yourTenant>/_wmcs/licensing, where <yourTenant> is represented as <GUID>.api.informationprotection.azure.com (classification and labeling) or <GUID>.rms.<region>.aadrm.com (protection), and <region> is the region.

Page 19

AIP Service Authentication (cont.)

• Prompt User for Authentication
  • TLS Handshake: Client Hello service message request
    • Azure login service at https://login.microsoftonline.com.
  • TLS Handshake: Server Hello hostname message response
    • With the value of id-at-commonName set to stam2.login.microsoftonline.com.
• SSO Redirection to On Premise STS
  • TLS Handshake: Client Hello service message request
    • Company’s on premise STS at https://sts.company.com.
  • TLS Handshake: Server Hello hostname message response
    • With the value of id-at-commonName set to sts.company.com.

Page 20

AIP Service Authentication (Workflow)

• Must authenticate to the Azure IP service on the company’s Azure tenant.
• May be redirected to the company federation server.
• Must obtain license/policy (Policy.msip).
• Must authenticate to the Azure Rights Management service if protection is requested.
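The discovery and authentication flow on the preceding slides can be checked against passive TLS metadata rather than only observed in a packet capture. As an added example (not from the deck), the Python below classifies constructed Zeek-style ssl.log records by SNI, falling back to the certificate CN, using the hostname shapes the slides list, and reports per client which AIP stages were seen plus any RMS licensing traffic to a tenant GUID other than your own. The tenant GUIDs, client IPs and the sts.company.com federation hostname are constructed/assumed values.

```python
import csv
import io
import re
from collections import defaultdict

# Hostname shapes from the deck's service discovery and authentication slides.
# <region> is a short code such as na/eu (aadrm.com) or ncu/eus (cloudapp.net).
GUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
PATTERNS = [
    ("rms-discovery", re.compile(r"^discovery\.aadrm\.com$")),
    ("rms-frontend", re.compile(r"^ssl\.(?P<region>[a-z]+)\.aadrm\.com$")),
    ("rms-licensing", re.compile(rf"^(?P<tenant>{GUID})\.rms\.(?P<region>[a-z]+)\.aadrm\.com$")),
    ("rms-backend", re.compile(r"^[a-z0-9-]+-a-rms\.(?P<region>[a-z]+)\.cloudapp\.net$")),
    ("aip-classification", re.compile(rf"^(?:(?P<tenant>{GUID})\.)?api\.informationprotection\.azure\.com$")),
    ("aad-login", re.compile(r"^(?:[a-z0-9]+\.)?login\.microsoftonline\.com$")),
]

# Constructed Zeek-style ssl.log excerpt (not real traffic); "-" is Zeek's unset field.
SAMPLE_SSL_LOG = "\n".join("\t".join(row) for row in [
    ("ts", "id.orig_h", "id.resp_h", "id.resp_p", "server_name", "subject"),
    ("1.0", "10.0.0.5", "192.0.2.10", "443", "discovery.aadrm.com", "CN=discovery.aadrm.com"),
    ("2.0", "10.0.0.5", "192.0.2.11", "443", "login.microsoftonline.com", "CN=stam2.login.microsoftonline.com"),
    ("3.0", "10.0.0.5", "192.0.2.12", "443", "sts.company.com", "CN=sts.company.com"),
    ("4.0", "10.0.0.5", "192.0.2.13", "443", "api.informationprotection.azure.com", "CN=api.informationprotection.azure.com"),
    ("5.0", "10.0.0.5", "192.0.2.14", "443", "11111111-2222-3333-4444-555555555555.rms.na.aadrm.com", "CN=ssl.na.aadrm.com"),
    ("6.0", "10.0.0.7", "192.0.2.15", "443", "-", "CN=ssl.eu.aadrm.com"),
    ("7.0", "10.0.0.7", "192.0.2.16", "443", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.rms.eu.aadrm.com", "CN=ssl.eu.aadrm.com"),
    ("8.0", "10.0.0.9", "192.0.2.17", "443", "www.example.com", "CN=www.example.com"),
])


def parse_ssl_log(text):
    """Parse a header-bearing, tab-separated ssl.log excerpt into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def classify_host(hostname):
    """Map a hostname to the AIP/RMS stage it belongs to, or None if it is not AIP."""
    hostname = hostname.strip().lower()
    for stage, pattern in PATTERNS:
        m = pattern.match(hostname)
        if m:
            info = {"stage": stage, "host": hostname}
            info.update({k: v for k, v in m.groupdict().items() if v})
            return info
    return None


def cert_cn(subject):
    """Pull the CN out of a Zeek subject string such as 'CN=ssl.na.aadrm.com,O=...'."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return m.group(1) if m else ""


def classify_record(rec, sts_hosts=()):
    """Classify one TLS connection: SNI first, then the server certificate CN.
    sts_hosts lists the organisation's own federation (STS) hostnames."""
    for name in (rec.get("server_name", ""), cert_cn(rec.get("subject", ""))):
        if not name or name == "-":
            continue
        if name.lower() in sts_hosts:
            return {"stage": "onprem-sts", "host": name.lower()}
        info = classify_host(name)
        if info:
            return info
    return None


def summarize(records, own_tenant, sts_hosts=()):
    """Per client: AIP stages seen, RMS regions, and RMS tenant GUIDs other than our own.
    The GUID in <guid>.rms.<region>.aadrm.com is the organisation id, so licensing
    traffic to another GUID means content is being protected under a foreign tenant."""
    own_tenant = own_tenant.lower()
    sts_hosts = {h.lower() for h in sts_hosts}
    out = defaultdict(lambda: {"stages": set(), "regions": set(), "foreign_tenants": []})
    for rec in records:
        info = classify_record(rec, sts_hosts)
        if not info:
            continue
        entry = out[rec["id.orig_h"]]
        entry["stages"].add(info["stage"])
        if "region" in info:
            entry["regions"].add(info["region"])
        tenant = info.get("tenant")
        if tenant and tenant != own_tenant and tenant not in entry["foreign_tenants"]:
            entry["foreign_tenants"].append(tenant)
    return dict(out)


if __name__ == "__main__":
    summary = summarize(parse_ssl_log(SAMPLE_SSL_LOG),
                        "11111111-2222-3333-4444-555555555555", {"sts.company.com"})
    for client, entry in sorted(summary.items()):
        print(client, sorted(entry["stages"]), sorted(entry["regions"]), entry["foreign_tenants"])
```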

Page 21

Client Software

• Software Installer
  • Download at https://www.microsoft.com/en-us/download/details.aspx?id=53018.
• Client
  • Install Azure Information Protection client v1.2.4.0.

Page 22

Client Software

• Policy File

Page 23

Page 24

Classification

• Topics
  • Labels
  • Classification Methods
  • Tooltips
  • Rules & Conditions
  • Azure IP Client

Page 25

Classification: Methods

• Manual Classification
  • Performed by users at content creation/modification time.
  • Assumes the user is more familiar with the content.
• Automatic Classification
  • Enforced through rules and conditions defined by administrators.
• Recommended Classification
  • Users are offered recommendations on how to best handle a type of content.

Page 26

Classification: Methods (cont.)

• Manual Classification
  • User-driven task which involves:
    • Tagging documents and emails with visual markers/indicators.
    • Protection can later be added based on the classification label.
    • Classification information is persisted to the document’s metadata.
      • Allows it to safely travel outside company premises.
• Automatic Classification
  • Makes bulk classification easier.
  • Targets large document repositories (e.g. FCI).
• Recommended Classification
  • Combination of manual and automatic.
  • Recommendations based on content detection rules and conditions.

Page 27

Classification: Label

• Classification Type/Marker
  • Used to identify a type of document or email during classification.
  • Persisted in header, footer or watermark.
  • Can give a better meaning to the data being handled.
    • Confidential vs. High Business Impact (HBI).

Page 28

Classification: Label

• Classification Type/Marker (cont.)
  • By default, the user must provide justification when lowering the classification of a file/document.
    • For example, from Confidential to General.

Page 29

Classification: Label

• Classification Type/Marker (cont.)
  • Lowering a classification label is audited.
    • Event ID 1000 is logged in the Application log on the client’s machine.
  • Log Analytics can be used to centrally manage events.
    • The OMS service is capable of ingesting logs from a variety of formats.

OMS – Operations Management Suite

Page 30

Classification: Label (cont.)

• Default Labels

Page 31

Classification: Label (cont.)

• Custom Labels

Page 32

Classification: Custom Label (cont.)

• Adding a custom label
  • Click the Add a new label link (see the Default Labels slide above).
  • Configure Rules and Conditions for applying the label (see previous slide).
    • Name: Evaluation
    • Tooltip: This information can be used by members of the product evaluation team
    • Color: Yellow
    • RMS template: Azure RMS: Revalida - Confidential
    • Visual marking: Off, Off, Off
    • Condition: Product Evaluation
  • Click Save.
  • Publish label.

Page 33

Classification: Custom Label (cont.)

• Adding a custom label (cont.)

Page 34

Classification: Custom Label (cont.)

• AIP Policy Enforcement
  • Configure the Evaluation label as the default classification.

Page 35

Classification: Sub-Label

• Sub-Labels
  • Right-click the Evaluation label to add a sub-label to it.
  • Click Add a sub-label.
  • Fill in the rules and conditions for the new sub-label.

Page 36

Classification: Sub-Label (cont.)

• Sub-Labels (cont.)
  • Expand the Evaluation label to reveal its sub-labels.
  • The Collaboration sub-label now appears.

Page 37

Classification: Tooltip

• Visual Indicator
  • Used to offer recommendations to users on how best to label a particular type of data (e.g. SSN, DL, CC, etc.).

Page 38

Classification: Rules and Conditions

• One or more administrator-defined label settings
  • Used to identify a type of data.
  • Can be combined with tooltips to offer recommendations to users on how a type of data should be classified.

• How to configure a Condition?
  • Click the Add new condition link, choose the condition type, and select the matching criteria (see next slide).
  • Choose how the label is applied.
  • Add tooltip and notes.
  • Click Save.

Page 39

Classification: Rules and Conditions (cont.)

Page 40

Page 41

File and Document Protection

• Fundamentals
  • Service Architecture
  • Azure Rights Management Service
  • Protection Methods
  • Rights Policy Templates
  • Permissions

Page 42

Azure Rights Management service

• What is It?
  • Azure multi-tenant cloud-hosted service.
  • Ability to collaborate securely with partners and consumers.
  • Ability to enforce protection policies when appropriate.
  • Provides comprehensive protection across users, devices, and applications.
    • Enterprise Mobility + Security (EMS) suite.

• Service Request URL
  • https://<guid>.rms.<region>.aadrm.com/ where
    • <guid> is a unique organization id.
    • <region> represents the region.

Page 43

Azure RMS Service

• Configure Azure RMS
  • From the Azure Classic Portal, go to All Items.
  • Click Active Directory to list your identity tenants.

Page 44

Azure RMS Service

• Configure Azure RMS
  • From the Active Directory tile, select the tenant you want to manage (i.e. Revalida in this case).
  • Click Rights Management.

Page 45

Azure RMS Service

• Configure Azure RMS
  • From the Rights Management menu, click Activate to activate the service.

Page 46

Azure RMS Service

• Configure Azure RMS
  • Click Yes at the prompt.

Page 47

Azure RMS Service

• Configure Azure RMS
  • The Rights Management service status switches from Inactive to Active.

Page 48

Azure RMS Service

• Configure Azure RMS
  • The Office 365 Admin Center also shows the service status as activated.
  • It also offers the option to Deactivate the service.

Page 49

Protection: Service Architecture (cont.)

• Protect any file type: delight with Office docs, PDF, Text, and Images.
• Important applications and services are enlightened.
• CSOs and Services can ‘reason over data’: delegated access to data with bring-your-own-key.
• Protect in place, and in flight: data is protected all the time.
• Share with anyone: B2B sharing is most important, with B2C on the rise.
• Meet the varied organizational needs: protection enforced in the cloud or on-premises, with data in both places.

Page 50

Protection: Methods

• Manual Protection
  • A conscious user choice which involves:
    • Applying an RMS template to protect documents and emails.
    • The user must decide when to apply protection to documents and emails.
      • The choice is made easier through visual tooltips.
    • Protection information is persisted to the document’s metadata.
      • Allows it to safely travel outside company premises while still protected.
• Automatic Protection
  • Administrators define rules and conditions
    • Targeting specific types of content (e.g. SSN, CC, DL, etc.).
  • Wired tasks automatically trigger protection
    • When a condition is met (e.g. RMS-encrypt a document if it is found to contain SSNs).

Page 51

Rights Policy Templates

• Default Templates (2)
  • Company – Confidential.
  • Company – Confidential View Only.
  • Can be archived, but not deleted.
  • Can be copied, but not modified.
• Custom Templates
  • Allow for more granular control over use rights, expiration, and offline access.
• Departmental Templates
  • Custom template with a specified scope.

Page 52

Rights Management Applications

• Client Mode
  • Clients with the RMS Client installed.
  • Mobile devices with the RMS Sharing application installed.
• Server Mode
  • Workloads such as Exchange, SharePoint, File Classification Infrastructure (FCI).

Page 53

Permissions

• Usage Rights and Restrictions

• Bulk Encrypt File/Folder
  • Super User.
• Decrypt File/Folder
  • Super User.
  • Owner or Extract rights.

Page 54

Page 55

Tracking and Monitoring

• Topics
  • Tracking Portal
  • Logging & Reporting

Page 56

Tracking Portal

• Portal
  • URL: https://track.azurerms.com.
  • Purpose: Track and revoke documents you’ve shared with others.

Page 57

Tracking Portal (cont.)

• Portal (cont.)
  • View your shared documents.
  • Export to CSV.

Page 58

Tracking Portal (cont.)

• Portal (cont.)
  • Click Revoke access to revoke documents you’ve shared with others.

Page 59

Logging and Reporting

• Event Logs
  • Tracks label changes in the Application log.
• Usage Logs
  • Tracks and logs all key usage and key management operations.
  • Log data is stored in Azure blob storage.
  • Can be managed using PowerShell
    • Use the Get-AadrmUserLog cmdlet to save the log.
    • Use the Disable-AadrmUsageLogFeature cmdlet to disable logging.
    • Use the Enable-AadrmUsageLogFeature cmdlet to resume logging.
    • Use the Get-AadrmUsageLogFeature cmdlet to query the logging state of the service.

Page 60

Logging and Reporting (cont.)

• Saving a Log Example

Page 61

Logging and Reporting (cont.)

• Saving a Log Example (cont.)
  • View of the output file from the previous PowerShell command.

Page 62

Logging and Reporting (cont.)

• Log Table
  • Row definitions

Page 63

Page 64

Key Management

• Topics
  • Azure Key Vault
  • Tenant Keys

Page 65

Azure Key Management

• Azure Key Vault
  • Azure cloud-hosted cryptographic key management service.
  • Allows customers to safeguard, with a high degree of assurance, the following:
    • Their most valuable key asset (e.g. ‘root key’).
    • Secrets (e.g. passwords).
    • Software-protected asymmetric keys.
    • Symmetric keys used in bulk encryption operations.
• Security Assurances
  • Asymmetric keys stored in tamperproof hardware security modules (HSMs).
  • Use of Thales nShield HSMs validated to FIPS 140-2 Level 2.
  • All crypto operations using HSM-protected keys occur inside the HSM.

Page 66

Azure Key Vault (cont.)

• How Does It Work
  • Key Vault
    • Responsible for performing the requested key operation on behalf of the application.
    • Performs all crypto operations (with HSM-protected or software-protected keys).
  • Vault
    • Collection of cryptographic keys managed by one or more individuals in an organization.
  • Keys
    • Set of bits or cryptographic asset for securing a service/role (e.g. Azure RMS, SQL Server TDE, etc.).
    • 2048-bit, symmetric RSA key.
    • Can be HSM- or software-protected.

NOTE #1: You can import or generate keys in hardware security modules (HSM).
NOTE #2: You must have the Azure Key Vault Premium service to support HSM-protected keys.

Page 67

Azure Key Vault (cont.)

• How Does It Work (cont.)
  • Secrets
    • Small data blobs, typically less than 25 bytes in size, which are protected by a key.
  • Usage Logs
    • Tracks and logs all key usage and key management activity.
    • Logs are stored in Azure storage blobs, but can be saved locally using PowerShell.
  • Application Support
    • Applications can make use of Azure Key Vault by making the appropriate Web Service calls.
    • Only Azure Active Directory registered applications can benefit.

Page 68

Tenant Keys

• Microsoft Managed Keys
  • Microsoft safeguards and manages your tenant encryption keys.
• Bring Your Own Key (BYOK)
  • You own and control your tenant encryption keys.
• Hold Your Own Key (HYOK)
  • You own and control your tenant encryption keys.
  • Encryption keys stay local; they are never transferred to Azure.
  • Like AD RMS (refer to the next few slides).

Page 69

Tenant Keys (cont.)

• BYOK On Boarding
  • Create your tenant key in your on premise Thales HSM.
  • Securely transfer the key to Microsoft-managed HSMs in the Azure Key Vault region of choice.
  • Authorize the AIP service to use the key
    • Use the Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet.
  • Configure AIP to use the key as your organization’s tenant key
    • Use the Use-AadrmKeyVaultKey PowerShell cmdlet.
  • Track and monitor key usage
    • With Azure Key Vault and/or Azure Information Protection logging.

Page 70

AD-RMS

• Architecture (diagram)
  • Identity Store (Active Directory): Domain Controllers
  • AD RMS servers: ADRMS01 (172.30.12.10), ADRMS02 (172.30.12.11), ADRMS03 (172.30.12.12)
  • SQL Server Cluster
  • Internal Firewall and External Firewall (Firewall Device)
  • Internal VIP – 172.30.12.1 (adrms.contoso.com)
  • External VIP – Public IP
  • Internal User and External User

Page 71

AD-RMS (cont.)

• Management Console

Page 72

Tenant Keys (cont.)

• Migrating from AD RMS
  • Export from AD RMS
    • Export the Trusted Publishing Domains (TPDs) configuration to an .xml file.
    • Use the Export-RmsTPD PowerShell cmdlet.
  • Import to Azure Information Protection
    • Use the Import-AadrmTpd PowerShell cmdlet.
  • Microsoft-managed Key
    • If password key protection was used.
  • Bring Your Own Key (BYOK)
    • All other AD-RMS key options.

Page 73

Page 74

On Premise Integration

• Topics
  • Architecture
  • Azure RMS Connector
  • Installation & Configuration
  • Configure Servers to use RMS Connector
  • Diagnostics

Page 75

Azure RMS Connector

• Enables on premise hybrid solutions
  • With Azure Information Protection.
• How Does It Work
  1. The Information Worker (IW) sends a request for license/policy to an endpoint
    • The IW needs information to publish/consume a file or content.
    • The IW is unaware of the RMS Connector or the Azure RMS service.
    • The IW’s machine sends the request to the server running a particular workload (e.g. Exchange).
  2. The server running the workload sends requests to the RMS Connector
    • Must be authorized in Active Directory.
    • Must be configured to communicate with the RMS Connector over HTTP/HTTPS.

Page 76

Azure RMS Connector (cont.)

• Configure servers to use RMS Connector
  • Run the following PowerShell command from an elevated command prompt:

PS C:\> .\GenConnectorConfig.ps1 -ConnectorUri https://<rmsconnector_fqdn> -<flag>

  where <rmsconnector_fqdn> is the connector URL and <flag> is one of the following parameters:
    • SetExchange2010 or SetExchange2013
    • SetSharePoint2010 or SetSharePoint2013
    • SetFCI2012

• Authorize server workloads to access the RMS Connector
  • Use the RMS Connector Administrator tool to add each workload instance by type.
  • Use either a group or a service account as the workload identity.

Page 77

Azure RMS Connector (cont.)

• Server Configuration

• For SharePoint 2016/2013

• Determine your organization's MicrosoftRMSUrl

• Use the Get-AadrmConfiguration PowerShell cmdlet.

• Registry #1

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\LicensingRedirection

Type: Reg_SZ

Value: https://MicrosoftRMSURL/_wmcs/licensing

Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:

• http://ConnectorFQDN/_wmcs/licensing

• https://ConnectorFQDN/_wmcs/licensing

Page 78

Azure RMS Connector (cont.)

• How Does It Work (cont.)

• Server Configuration (SharePoint 2016 or 2013)

• Registry #2

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterpriseCertification

Type: Reg_SZ

Value: Default

Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:

• http://ConnectorFQDN/_wmcs/certification

• https://ConnectorFQDN/_wmcs/certification

Page 79

Azure RMS Connector (cont.)

• How Does It Work (cont.)

• Server Configuration (SharePoint 2016 or 2013)

• Registry #3

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation\EnterprisePublishing

Type: Reg_SZ

Value: Default

Data: One of the following, depending on whether you are using HTTP or HTTPS from your SharePoint server to the RMS connector:

• http://ConnectorFQDN/_wmcs/licensing

• https://ConnectorFQDN/_wmcs/licensing
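The three registry entries above (Registry #1 to #3), written by one PowerShell function and then read back, as an added example that is not part of the deck: the function and parameter names are ours, the script assumes an elevated prompt on the SharePoint server, and MicrosoftRmsUrl is the host you take from Get-AadrmConfiguration (shown as a placeholder in the usage call).

```powershell
# Added example, not from the deck: sets the three MSIPC ServiceLocation entries
# (Registry #1 to #3) so a SharePoint 2013/2016 server talks to the RMS connector.
# Assumptions: elevated PowerShell on the SharePoint server; function and parameter
# names are ours; $MicrosoftRmsUrl is the tenant RMS host from Get-AadrmConfiguration.
function Set-RmsConnectorServiceLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ConnectorFqdn,    # load-balanced connector name
        [Parameter(Mandatory)][string]$MicrosoftRmsUrl,  # tenant RMS host (no scheme, no path)
        [ValidateSet('http', 'https')][string]$Scheme = 'https'  # deck recommends HTTPS
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
    # One entry per slide: subkey, value name (REG_SZ), data.
    $entries = @(
        @{ Key = 'LicensingRedirection';    Name = "https://$MicrosoftRmsUrl/_wmcs/licensing"
           Data = "${Scheme}://$ConnectorFqdn/_wmcs/licensing" }
        @{ Key = 'EnterpriseCertification'; Name = 'Default'
           Data = "${Scheme}://$ConnectorFqdn/_wmcs/certification" }
        @{ Key = 'EnterprisePublishing';    Name = 'Default'
           Data = "${Scheme}://$ConnectorFqdn/_wmcs/licensing" }
    )
    foreach ($e in $entries) {
        $path = Join-Path $base $e.Key
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$path [$($e.Name)]", "set to $($e.Data)")) {
            New-ItemProperty -Path $path -Name $e.Name -Value $e.Data `
                -PropertyType String -Force | Out-Null
        }
    }
}

# Read-back check: every subkey present and nothing left pointing at plain HTTP.
function Test-RmsConnectorServiceLocation {
    param([Parameter(Mandatory)][string]$ConnectorFqdn)
    $base = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
    $ok = $true
    foreach ($key in 'LicensingRedirection', 'EnterpriseCertification', 'EnterprisePublishing') {
        $props = Get-ItemProperty -Path (Join-Path $base $key) -ErrorAction SilentlyContinue
        if (-not $props) { Write-Warning "$key is missing"; $ok = $false; continue }
        # Only inspect values that point at the connector (skips PSPath and friends).
        $props.PSObject.Properties |
            Where-Object { "$($_.Value)" -like "*$ConnectorFqdn/_wmcs/*" } |
            ForEach-Object {
                if ("$($_.Value)" -like 'http://*') {
                    Write-Warning "$key\$($_.Name) uses HTTP: $($_.Value)"; $ok = $false
                }
            }
    }
    return $ok
}

# Usage with placeholder values (use -WhatIf first to preview the writes):
# Set-RmsConnectorServiceLocation -ConnectorFqdn 'rmsconnector.contoso.com' -MicrosoftRmsUrl '<MicrosoftRMSUrl>' -WhatIf
# Test-RmsConnectorServiceLocation -ConnectorFqdn 'rmsconnector.contoso.com'
```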

Page 80

Azure RMS Connector (cont.)

• How Does It Work (cont.)

3. RMS Connector relays the request to the Azure Information Protection service.

• Must allow egress communication with the service on TCP port 443.

4. Azure Information Protection service sends the response to the RMS Connector.

• Must allow ingress communication with the connector on TCP port 443.

5. RMS Connector relays the response to the endpoint.

6. Endpoint sends the response to the Information Worker.

• IW is allowed/denied access to the file or content based on the policy response.

• On Premise Workloads

• Exchange 2010, 2013 SP1.

• SharePoint 2013.

• Windows Server FCI (File Classification Infrastructure).

Page 81

Azure RMS Connector (cont.)

• Architecture (stack)

RMS Relay Tier

· RMSCon #1 · RMSCon #2 · RMS Connector clients

TCP 443 to *.aadrm.com (Rights Management)

TCP 443 to *.cloudapp.net (rmsoprod*-b-rms*.cloudapp.net) (Rights Management)

TCP 443 to api.informationprotection.azure.com (Azure IP)

Identity Tier

· Active Directory · DNS · User identities · Service identities

Information Tier

· Exchange IRM · SharePoint IRM · FCI IRM

Page 82

Azure RMS Connector (cont.)

• Architecture (publisher/consumer)

• With AIP client software installed.

• Can classify (and optionally protect/consume) information.

Page 83

Azure RMS Connector (cont.)

• Architecture (relay service)

• Works with HTTP, but HTTPS is recommended.

• Load-balanced cluster (min. of 2 nodes recommended).

Page 84

Azure RMS Connector Installation

• Requirements

• Installer

• Download at https://www.microsoft.com/en-us/download/details.aspx?id=40839.

• Azure Identity and Access (one of three options)

• Office 365 Global Administrator.

• RMS Tenant Global Administrator.

• Azure RMS Connector Administrator.

• Active Directory Identity and Access

• RMS connector servers must be domain joined.

• Authorized servers need a service account or must be members of a domain group.

Page 85

Azure RMS Connector (cont.)

• Installer Details

• There are 3 files to download:

• RMSConnectorSetup.exe

Connector setup tool.

• RMSConnectorAdminToolSetup_x86.exe

Used to install the RMS connector Admin console on 32-bit clients.

• GenConnectorConfig.ps1

PowerShell script used to configure authorized servers to use the RMS connector.

• Run either locally on the authorized server or using a Group Policy.

Page 86

Azure RMS Connector (cont.)

• Configuration

• Firewall Filters (allow incoming and outgoing traffic)

• To *.aip.informationprotection.azure.com on TCP port 443.

• To *.cloudapp.net on TCP port 443.

• To *.aadrm.com on TCP port 443.

• Configuring Servers to use RMS Connector (see next slide).

• Enabling IRM on Server Workloads

• Exchange 2010

• Client access servers and hub transport servers.

• Exchange 2013

• Client access servers and mailbox servers.

• SharePoint 2013

• SharePoint frontend servers.

• SharePoint Central Administration server.

• File Classification Infrastructure (FCI)

• Servers with the File Server Resource Manager (FSRM) role installed.

Page 87

Azure RMS Connector (cont.)

• RMS Connector Administrator Tool

• Click Add to authorize a server workload instance.

Page 88

Azure RMS Connector (cont.)

• RMS Connector Administrator Tool

• Enter either a group or a service account for each workload instance.

Page 89

RMS Connector Troubleshooting

• Tools

• Event Viewer, Log Analytics.

• IIS Logs.

• RMS Analyzer Tool.

• https://www.microsoft.com/en-us/download/details.aspx?id=46437.

• MSIPC Client Side Tracing

• DebugView

• http://go.microsoft.com/fwlink/?LinkID=309277.

• Errors

• Access/Policy errors.

• Permission errors.

• Configuration errors.

Diagnostics

Page 90

Tools

• RMS Analyzer

Diagnostics

Page 91

Access Errors

• Example # 1

• Resolution

• Make sure the user account is synchronized to Azure.

• Make sure the user has been assigned an RMS license.

Diagnostics

Page 92

Configuration Errors

• Example # 1

• Resolution

• Make sure the firewall is configured to allow incoming and outgoing traffic to *.aadrm.com and *.cloudapp.net.

Diagnostics

Page 93

Permissions Errors

• Example # 1

• Microsoft Word

• Resolution

• Make sure the user's email address has been granted the appropriate usage right on the document.

Diagnostics

Page 94

RMS Connector Troubleshooting (cont.)

• Logging

• Connector logs are written to the Windows Application Event Log.

• Filter: Source = Microsoft RMS Connector.

• Event Types: Informational | Warning | Error

• Event ID: 1004 | The list of authorized accounts has been updated.

• Event ID: 1002 | Access to the Microsoft RMS connector has been allowed for an authorized server.

• Event ID: 2001 | Access to the Microsoft RMS connector from a non-authorized server.

• Event ID: 3000 | Microsoft RMS connector general error.

• Debug Tracing

• Modify the web.config file for the default IIS site so that it reads as follows:

• <trace enabled="true" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true"/>
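A defender-side check built on the event IDs listed above, as an added example that is not part of the deck: it reads the connector's Application-log events and labels the ones worth acting on. It assumes it runs on a connector node, that the Get-WinEvent provider name equals the event source "Microsoft RMS Connector" named on the slide, and the lookback window and Action wording are our own choices.

```powershell
# Added example, not from the deck: triage of RMS connector events from the
# Application log using the event IDs on the slide. Assumptions: run on a
# connector node; provider name = the "Microsoft RMS Connector" event source;
# the lookback window and the Action labels are our own choices.
function Get-RmsConnectorAlerts {
    param([int]$Hours = 24)
    # Event IDs from the slide and what each one means operationally.
    $meaning = @{
        1004 = 'Authorized account list updated'          # change-control check
        1002 = 'Access allowed for an authorized server'
        2001 = 'Access attempt from a NON-authorized server'
        3000 = 'Connector general error'
    }
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft RMS Connector'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent errors when no events match the filter.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $desc = if ($meaning.ContainsKey($ev.Id)) { $meaning[$ev.Id] } else { 'Unlisted event' }
        $action = switch ($ev.Id) {
            2001    { 'Investigate: server missing from the connector ACL, or ACL out of date' }
            3000    { 'Investigate: check IIS logs and firewall to *.aadrm.com / *.cloudapp.net' }
            1004    { 'Review: confirm the ACL change was an approved admin action' }
            default { 'None' }
        }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Level   = $ev.LevelDisplayName
            Meaning = $desc
            Action  = $action
            Message = $ev.Message
        }
    }
}

# Quick summary: counts per event ID, so a burst of 2001s in the window stands out.
Get-RmsConnectorAlerts -Hours 24 | Group-Object Id | Select-Object Name, Count
```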

Diagnostics

Page 95

Enable IRM on Servers

• Enable SharePoint IRM

• Select Use this RMS server.

• Enter the RMS Connector URL.

• i.e. https://rmsconnector.contoso.com/

• Click Ok.

Page 96

Administration Tools

• Azure AD Classic Portal

• Office 365 Admin Center

• PowerShell module for Azure AD Rights Management (AADRM)

• PowerShell module for RMS Protection

Page 97

Page 98

End User Workflows

• Topics

Office Integration

Secure Collaboration

Inside & Outside

Page 99

Office

• Information Protection Bar

• Classification labels and RMS Templates enabled by default.

Page 100

Office (cont.)

• Information Protection Bar (cont.)

• Ability to Hide/Show Bar.

• Ability to Track usage.

Page 101

RMS Sharing App: Windows 10 Mobile

Page 102

RMS Sharing App: Windows 10 Mobile (cont.)

• RMS Templates

• Choose a template.

Page 103

RMS Sharing App: Windows 10 Mobile (cont.)

Page 104

RMS Sharing App: Windows 10 Mobile (cont.)

Page 105

RMS Sharing App: Windows 10 Mobile (cont.)

• Clicking on http://aka.ms/RMS takes you to the RMS portal.

Page 106

RMS Sharing App: Windows 10 Mobile (cont.)

• Sign Up page

Page 107

RMS Sharing App: Windows 10 Mobile (cont.)

• Sign Up page

Page 108

RMS Sharing App: Windows 10 Mobile (cont.)

• Sign In page

Page 109

RMS Sharing App: Windows 10 Mobile (cont.)

• Sign In page (cont.)

Page 110

RMS Sharing App: Windows 10 Mobile (cont.)

• You then download and install the Sharing App.

Page 111

RMS Sharing App: Windows 10

• Windows Explorer

• Right-click the file.

• Click Protect with RMS, then choose one of:

• Protect in-place.

• Share Protected.

• Track Usage.

Page 112

Page 113

Other IPC (Information Protection and Control)

• Works well w/

• Office 365 DLP for Exchange Online, Outlook and Outlook on the web.

• Office 365 DLP for SharePoint Online and OneDrive for Business.

• Microsoft Cloud App Security (CAS)

• Enterprise-grade security for cloud apps.

• Part of Microsoft Cloud Security Stack.

• Azure Rights Management

• Azure RMS templates.

• Active Directory RMS templates.

Page 114

Other IPC (Information Protection and Control)

• In Testing

• Office 365 B2C

• Allows sending protected emails and attachments to consumers.

• Uses social identity providers (i.e. Google, Yahoo, etc.) or one-time passwords.

• Azure Active Directory B2B

• Has been successfully tested, but not yet GA.

• Not Supported

• Azure Active Directory B2C.

Page 115

Survey!!

http://aka.ms/sdsurvey