
Abhijat Kanade, Senior Program Manager, Microsoft Corporation. Session Code: SIA304


Windows Server 2008 R2: Active Directory Rights Management Services Deep Dive



Agenda

Information Leakage ProblemAD RMS HistoryWhat’s New in CY09

AD RMS Server Role in Windows Server 2008 R2Exchange 2010 integrationAD RMS Bulk Protection ToolRSA DLP 6.5+ integration

Q&A

With Demos


Business Ready Security: Help securely enable business by managing risk and empowering people

• Highly Secure & Interoperable Platform
• Identity: Protect everywhere, access anywhere
• Integrate and extend security across the enterprise
• Simplify the security experience, manage compliance

[Diagram: from Block, Cost, Siloed to Enable, Value, Seamless]


The Information Workplace


[Diagram: information flows to an Independent Consultant, a Partner Organization, Home, Mobile Devices and a USB Drive]

Companies face growing risks of data leaks


Information Leakage Is Costly On Multiple Fronts

Legal, Regulatory, and Financial impacts
• Cost of digital leakage per year is measured in $Billions
• Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
• Non-compliance with regulations or loss of data can lead to significant legal fees

Damage to Image and Credibility
• Damage to public image and credibility with customers
• Financial impact on company
• Leaked e-mails or memos can be embarrassing

Loss of Competitive Advantage
• Disclosure of strategic plans or M&A info can lead to loss of revenue and market capitalization
• Loss of research, analytical data, and other intellectual capital

Data must be protected, but must remain accessible


Location Based Solutions Protect Initial Access

[Diagram: authorized users inside a Firewall Perimeter and an Access Control List Perimeter]


Location Based Solutions Protect Initial Access… But Do Not Protect Usage

[Diagram: authorized and unauthorized users on both sides of the Firewall Perimeter and the Access Control List Perimeter; information leakage crosses both perimeters]


AD RMS Is A Content-Based Solution: Protects the Information Itself – No Matter How It Is Shared And Where It Goes

[Diagram: the policy travels with each copy of the content]


Active Directory Rights Management Services

Persistent Encryption + Policy
• Access Permissions (Who)
• Use Right Permissions (What)


AD RMS Workflow: Publishing and Consumption

1. Assume author and recipient are already bootstrapped with a RAC and CLC
2. Author creates mail
3. Author protects mail using RAC and CLC
4. Author sends mail to recipient
5. Recipient gets use license from RMS
6. Recipient can access content

[Diagram: Author and Recipient, each holding a RAC and CLC; AD RMS server backed by AD DS and SQL; the publishing license (PL) travels with the mail and the use license (UL) is issued to the recipient at step 5]


AD RMS History

Windows Server 2003
• Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2)
• AD RMS Trust: TUD, WLID
• Client: Out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
• Microsoft Solutions: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)

Windows Server 2008
• AD RMS server role (v2)
• AD RMS Trust: AD FS federation support
• Improved installation and mgmt; AD RMS template distribution (Vista SP1 and above); Admin reports; Different admin roles
• Client: AD RMS client integrated in Windows Vista and WS2008
• Microsoft Solutions: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (Doc libraries); Exchange 2007 SP1 (Prelicensing)

Windows Server 2008 R2
• AD RMS server role (v3)
• AD RMS Trust: Publishing org (internal) group support for federated users
• Improved installation and mgmt through PowerShell; Additional admin reports
• Client: AD RMS client integrated in Windows 7 and WS2008 R2
• Microsoft Solutions: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration

Partner Solutions
• PDF and other file formats & Blackberry support – Gigatrust, Liquid Machines; CAD file format – Dassault Systems; Classification – Titus Labs; Secure Content Mgmt – Workshare
• RSA DLP; PDF solution – Foxit; Secure Content Mgmt – OpenText

* Each consecutive release on this slide includes features from the prior release


AD RMS Server Role in WS2008 R2: Customer Ask #1, Deployment and Administration

Consistency
• Ensure identical deployments
• Automate common tasks

Flexibility
• For managing the server
• Local and remote access


AD RMS Server Role in WS2008 R2: Deployment and Administration

• PowerShell support for deployment and admin
  • Deployment cmdlets available out-of-the-box
  • Admin cmdlets available after the AD RMS server role has been deployed
• Additional admin reports (system health)


AD RMS Administration (demo)


AD RMS Server Role in WS2008 R2: Customer Ask #2

Simplify collaboration
• Enable secure external collaboration
• Consistent end user experience when working with internal and external users

Control access
• Publishing organization maintains full control of content
• Groups defined by publishing organization


AD RMS Server Role in WS2008 R2: Secure External Collaboration

• WS2008 introduced federation support via AD FS – need to individually identify external users when protecting information
• WS2008 R2 supports protecting to publishing org (internal) groups that include external users – no need to individually identify external users


External Collaboration via ADFS

1. Assume author is already bootstrapped
2. Alice sends protected mail to [email protected], of which Bob at Fabrikam is a member
3. Recipient contacts RMS Server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS Client is redirected to FS-R for home realm discovery
6. RMS Client is redirected to FS-A for authentication
7. RMS Client is redirected back to FS-R for authentication
8. RMS Client makes request to RMS Server for bootstrapping
9. RMS Server returns certificates to recipient
10. RMS Client makes request to RMS Server for use license
11. RMS Server retrieves Bob's group membership from AD and compares to PL
12. RMS Server returns use license to recipient
13. Recipient accesses protected content

[Diagram: Contoso (AD, RMS, ADFS FS-R, WebSSO agent, Alice, the projectX group) and Fabrikam (AD, ADFS FS-A, Bob); RAC, CLC, PL and UL exchanged along the numbered steps]


Exchange 2010 RMS Integration: Themes

• Streamline end-user experience
• Enable automatic protection
• Integrate seamlessly with IT infrastructure


Exchange 2010 RMS Integration: Customer Ask #1

Seamless protection
• Ensure identical end user experience for unprotected and RMS-protected e-mails

OWA support
• View and reply to RMS-protected e-mails in OWA without an additional add-on


Exchange 2010 RMS Integration: Streamline End-user Experience

• Prelicensing support enables offline and mobile access to RMS-protected e-mails – introduced in Exchange 2007 SP1
• Consume and publish RMS-protected e-mails in OWA – Internet Explorer, Firefox, Safari
• Conduct full-text search on RMS-protected e-mails in OWA


RMS-Protected E-mails in OWA (demo)


Exchange 2010 RMS Integration: Streamline End-user Experience: RMS Integration In OWA: Details

• Client Access Server (CAS) uses Superuser privileges to decrypt
• Prelicensed use license (UL) used to determine rights to enforce
• Rights enforcement concerns in the browser mitigated by enabling the feature for a specific set of users (at mailbox policy level)


Exchange 2010 RMS Integration: Customer Ask #2

Enable automatic protection
• Based on content and context analysis


Exchange 2010 RMS Integration: Automatic Protection

• Automatically protect e-mails in transit via Exchange transport rules
• Automatically protect e-mails in Outlook 2010 (through an add-in)
• Automatically protect private voicemails through Exchange Unified Messaging (UM)


Exchange 2010 RMS Integration: Automatic Protection: Through Transport Rules

• Transport Rule action to apply AD RMS template to e-mail message
• Based on content and context analysis
  • Content analysis: Keywords and RegEx scanning of e-mails and attachments
  • Context examples: From, To


Exchange Transport Rules Based Automatic RMS-Protection (demo)


Exchange 2010 RMS Integration: Automatic Protection: Through Transport Rules: Details

• Rules agent stamps an x-org header in the e-mail with the RMS template GUID
• Encryption agent applies the RMS template to the e-mail and its attachments on the OnRouted Transport Agent event
• Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get automatically protected
• Extensible to other file formats through the IRM Protector implementation


Exchange 2010 RMS Integration: Automatic Protection: Through Outlook Protection Rules

• Outlook 2010 add-in (small-scale rules engine)
• Mitigates concerns of Exchange admin or host accessing sensitive mail
• Rules
  • Context only: Sender's department, recipient's identity, recipient's scope (internal/external)
  • Retrieved by add-in from CAS through Exchange Web Services (EWS) API
• Ability to allow/disallow user to override automatic protection


Outlook 2010 Add-In Protection Rules (demo)


Exchange 2010 RMS Integration: Automatic Protection: Through Unified Messaging

• UM admin can allow incoming voicemails to be marked as "private"
• Private voicemails can be protected using the "Do Not Forward" RMS template, preventing forwarding and copying of voicemail content
• Private voicemails supported in OWA and Outlook 2010
• Uses the Encryption/Decryption XSO API to RMS-protect


Exchange Unified Messaging Protected Voicemails (demo)


• RMS-protected based on sender marking voicemail as ‘private’ or through administrative policy


Exchange 2010 RMS Integration: Customer Ask #3

Enable e-discovery
• Support in-the-clear archival of RMS-protected e-mails

Allow scanning of protected e-mails
• Ability to scan RMS-protected e-mails in transport
• Ability to modify RMS-protected e-mails in transport


Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration

• Enables e-discovery via journal decryption
• Enables anti-malware and other scenarios (such as adding a disclaimer) at hub transport via transport decryption and re-encryption


Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Journal Decryption

Journal Report Decryption Agent
• Attaches clear-text copies of RMS-protected e-mails and attachments to journal mailbox
• Requires superuser privileges
• Feature is off by default

[Diagram: Archive/Journal mailbox receiving the decrypted copies]


Exchange Journal Decryption (demo)


Exchange 2010 RMS Integration: Seamless IT Infrastructure Integration: Transport Pipeline Decryption

Pipeline Decryption Agent
• Enables Hub Transport Agents to scan/modify RMS-protected e-mails
• Uses superuser privileges to decrypt e-mails
• Decrypts e-mail and attachments
• Encryption Agent re-encrypts messages
• Option to NDR messages that cannot be decrypted
• All AD RMS integration agents are implemented as internal agents


Exchange Transport Decryption and Re-Encryption (demo)


Exchange 2010 RMS Integration

Streamline end-user experience
• Consume and publish RMS-protected e-mails in OWA
• Search RMS-protected e-mails in OWA

Enable automatic protection
• Through Transport rules
• Through Outlook protection rules
• Through Unified messaging (voicemails)

Integrate seamlessly with IT infrastructure
• In-the-clear archival of RMS-protected e-mails
• Ability to scan and modify RMS-protected e-mails in transport

Exchange RMS integration features require AD RMS Server Role in WS2008 R2 or WS2008 SP2 + KB973247 hotfix
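As an added example (not from the deck), the Exchange 2010 Management Shell commands that enable the integration features summarized above: a transport rule combining content and context analysis, an Outlook protection rule, and journal plus transport pipeline decryption, followed by a configuration check. The rule names, the regular expression, the department value and the sender address are illustrative assumptions; the commands assume the AD RMS cluster is already registered with Exchange and that the "Do Not Forward" template is published.

```powershell
# Added example, not the deck's own code. Assumes the AD RMS cluster is
# registered with Exchange 2010 and the "Do Not Forward" template exists.
# Rule names, the pattern, the department and the sender are illustrative.

# Automatic protection through a transport rule: content analysis (RegEx on
# subject/body) plus context (sender and recipient scope). At hub transport the
# rules agent stamps the template and the encryption agent protects the message
# and its Office/XPS attachments in transit.
New-TransportRule -Name "Protect internal mail containing account numbers" `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -SubjectOrBodyMatchesPatterns '\bACCT-\d{6}\b' `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Automatic protection through an Outlook protection rule: context-only
# conditions (sender's department, recipient scope) that the Outlook 2010
# add-in applies before the message leaves the client, so Exchange never
# handles it in the clear. UserCanOverride $false removes the user's option
# to switch the protection off.
New-OutlookProtectionRule -Name "Finance to internal recipients" `
    -FromDepartment "Finance" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# IT infrastructure integration: journal report decryption (off by default)
# for e-discovery, and transport pipeline decryption so hub transport agents
# can scan and modify protected mail before the encryption agent re-encrypts
# it. Mandatory NDRs messages that cannot be decrypted instead of delivering
# them unscanned. Both agents need AD RMS superuser privileges, which are
# granted on the AD RMS cluster, not by these commands.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true `
                     -TransportDecryptionSetting Mandatory

# Check: review the resulting settings, then verify end to end that the
# server can obtain licenses from the cluster for a sender (placeholder
# address; substitute a real mailbox in the organization).
Get-IRMConfiguration | Format-List *Decryption*, InternalLicensingEnabled
Test-IRMConfiguration -Sender sender@contoso.example
```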


AD RMS Bulk Protection Tool: Customer Ask

Bulk decryption tool
• Recover RMS-protected documents
• Help in e-discovery efforts


AD RMS Bulk Protection Tool: Details

• Command line tool
• Bulk decryption: E-Discovery of content for litigation/audit purposes
• Bulk encryption: Safeguard existing sensitive information
• Can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server


AD RMS Bulk Protection Tool: Details

• Supported file formats
  • Office 2003 and above (Word, Excel, PowerPoint)
  • XPS
  • Extensible to other file formats via IRM protector implementation
• Bulk decryption also available for items within Outlook PSTs (requires Outlook 2007)
• Supported on XP/WS2003 and above
• Requires RMS Client v1 SP2 and .NET Framework 2.0 on XP and WS2003


AD RMS Bulk Protection Tool With WS2008 R2 FCI

1. User creates a file "marketing.docx" on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. Automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to Full-Time Employees only)
4. Full-Time Employee can access "marketing.docx"
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content

[Diagram: file server running "FCI Classify" (step 2) and "Mgmt Task: AD RMS Protect" (step 3)]


AD RMS Bulk Protection Tool with WS2008 R2 FCI (demo)


Partner Solution: RSA DLP: Automatic Protection For Datacenters and Endpoints

• Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter
• Requirements
  • RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products)
  • AD RMS Server Role in WS2008 and above


Partner Solution: RSA DLP: How The Integration Works

1. AD RMS admin creates AD RMS templates for data protection
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS
3. RSA DLP discovers and classifies sensitive files, and applies AD RMS protection based on policy
4. Users request files. AD RMS provides identity-based access

[Diagram: Microsoft AD RMS and RSA DLP covering endpoints (laptops/desktops), file shares and SharePoint; the IP Policy is "Find 'IP' documents, apply 'IP' AD RMS template"]

Intellectual Property (IP) template rights:
  R&D Department: View, Edit, Print
  Marketing Department: View
  Others: No Access



More Information

• AD RMS TechNet TechCenter [Link] and Documentation Roadmap [Link]
• Exchange 2010 and AD RMS Integration [Link]
• AD RMS Bulk Protection Tool Download [Link]
• WS2008 R2 FCI Website [Link]
• RSA DLP Website [Link]
• MSIT Deployment
  • AD RMS Deployment [Link]
  • FCI and AD RMS Bulk Protection Tool Deployment [Link]
  • RSA DLP and AD RMS Deployment [Link]
• Blogs
  • AD RMS Product Team Blog [Link]
  • Jason Tyler Blog [Link] (Jason is a Senior Support Escalation Engineer for AD RMS)


Q&A


Resources

• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources



© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.