Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about...
-
Upload
patricia-marsh -
Category
Documents
-
view
214 -
download
0
Transcript of Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about...
virtual techdaysINDIA │ 18-20 august 2010
Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties
Venkatesh Swaminathan│ Solution Specialist, Microsoft
• Overview of Active Directory Rights Management Services (AD RMS)
• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation
Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
virtual techdaysINDIA │ 18-20 august 2010
S E S S I O N A G E N D A
PROTECT everywhere ACCESS anywhere
SIMPLIFY security,MANAGE compliance
Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized
use of confidential information
INTEGRATE and EXTEND security
Secure Collaboration
• Secure, seamless access
• Protect sensitive information in documents
• Best-in-class anti-malware
• Enterprise-wide visibility
• Easier partner management
• Deep Microsoft SharePoint and Office integration
• Standards-based interoperability across organizations and cloud
Session Objectives
• Overview of Active Directory Rights Management Services (AD RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
AD Rights Management Services
Persistent Protection +Encryption Policy: • Access Permissions
• Use Right Permissions
Provides identity-based protection for sensitive dataControls access to information across the information lifecycleAllows only authorized access based on trusted identitySecures transmission and storage of sensitive information wherever it goes – policies embedded into the content; documents encrypted Embeds digital usage policies (print, view, edit, expiration etc. ) in to the content to help prevent misuse after delivery
How does RMS work?
Information Author The Recipient
RMS Server
SQL Server Active Directory
2 3
4
5
2. Author defines a set of usage rights and rules for their file; Application creates a “publishing license” and encrypts the file
3. Author distributes file
4. Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a “use license”
5. Application renders file and enforces rights
1. Author receives a client licensor certificate the first time they rights-protect information
1
Active Directory Rights Management Services• AD RMS is a server role in Windows Server 2008 and 2008 R2• The AD RMS client supports Windows XP- Windows 7• Microsoft IRM enabled applications include:
• Office 2003- 2010• Exchange Server 2007 & 2010• SharePoint 2007 & 2010
– Sharing protected content is disabled by default• ADRMS requires additional configuration to share content
outside of the protection domain• Provides control to the IT administrator to determine
sharing relationships
Session Objectives • Overview of Active Directory Rights Management Services (AD RMS)• AD RMS concepts and deployment within the Enterprise• Enable secure collaboration using AD RMS
– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation
Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
Basic AD RMS Deployment
Corporate Network
RMS Cluster
RAC CLC
RAC CLC UL
1
2
3
4
5
6
7
PL
The Internet
Session Objectives • Overview of Active Directory Rights Management Services (AD
RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
Enable sharing of IRM Protected Content
• Allow users to securely collaborate– Enable users to share sensitive information in a seamless manner.– Sharing securely should not interfere with collaboration.
• Enterprises can retain control of their data– Enterprises can create policies determining who has access to content– Enterprises can manage partnerships between organizations
• AD RMS supports several mechanisms to enable sharing of IRM protected Content– www.safeguardingyourinfo.com– Trusted User Domains– Integration with Active Directory Federation Services– Integration with the Microsoft Federation Gateway
Session Objectives • Overview of Active Directory Rights Management Services (AD RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
Session Objectives • Overview of Active Directory Rights Management Services (AD RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
AD RMS Trusted User Domains• AD RMS Trusted User Domains (TUD)
– An AD RMS domain refers to the scope of an AD RMS certification cluster: the Active Directory forest
– Not to be confused with an Active Directory domain– Allow Trust to be established between AD RMS domains. This is
completely independent from AD forest or domain trust• Scenario:
– Enables sharing of AD RMS protected content within enterprises that have with multiple forests where users accounts are located.
• AD RMS Trusted User Domains are recommended for sharing content within the Enterprise
AD RMS Trusted User Domains• Two entities (forests within a company) have their own AD
RMS installation• By default, AD RMS will not license content to users from
other AD RMS installations• TUD enables users from one AD RMS domain to acquire a
license from a server in another domain– An AD RMS licensing server will issue a use license
to a RAC issued by another trusted AD RMS cluster.• RAC validation can occur after importing a trusted Server
Licensor Certificate• Authentication to the licensing service must be addressed
AD RMS Trusted User DomainsAD RMSForest B
John in Forest A sends RM content to Monica in Forest B
Monica in Forest B sends PL and RAC with request for UL from Forest B
AD RMS Forest A
How AD RMS Trusted User Domains WorkAD RMS
Forest B 1) Export TUD from Forest 2
2) Import TUD from Forest 2
3) John in Forest A sends RM content to Monica in Forest B
5) Server uses imported SLC to verify Monica’s RAC and returns UL
4) Monica in Forest B sends PL and RAC with request for UL
AD RMS Forest A
Session Objectives • Overview of Active Directory Rights Management Services (AD RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
AD RMS Integration with Active Directory Federation Services (ADFS)
• AD RMS native scope is the AD forest– Can be extended to other forests via directory federation
• ADFS is a standards-based directory federation system– Natively supported by AD RMS
• Scenarios:– Extending AD RMS usage to External Parties• No AD RMS is required in the external party• AD and AD FS required
• AD RMS/ADFS is recommended for sharing IRM content outside of the Enterprise when using Office clients(Outlook, Excel, Word etc…) and SharePoint
New AD RMS Features in Windows Server 2008 R2
• Group Expansion – Allows organizations to collaborate with groups of people
instead of identifying external users individually– Groups are defined in the publishing organization’s
directory– ADRMS will access the local Active Directory to look up
the group membership• 3rd Party Federation Support– Enables AD RMS to work with non-ADFS Security Token
Services– Uses Forms Based Authentication
1. Assume author is already bootstrapped2. Author sends protected mail to recipient at
Fabrikam3. Recipient contacts RMS server to get
bootstrapped4. WebSSO agent intercepts request5. RMS client is redirected to FS-R for home
realm discovery6. RMS client is redirected to FS-A for
authentication7. RMS client is redirected back to FS-R for
authentication8. RMS client makes request to RMS server for
bootstrapping9. WebSSO agent intercepts request, checks
authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates to recipient
11. RMS server returns use license to recipient
12. Recipient accesses protected content
Contoso FabrikamAD
RMS
AD
FS-AFS-R
1
RAC CLC
PL
2
WebSSO
4
3
56
78
9
RAC CLC
10
UL
11
12
AD RMS Integration with AD FSScenario
AD RMS Integration with AD FSTips for enabling AD FS integration with AD RMS– Both organizations must have ADFS installed and
deployed– Grant Security Audit Privileges to the AD RMS
Service Account– Add an Extranet URL – Ensure SSL has been enabled for the AD RMS cluster– Install the ADFS Sub-role for AD RMS
• Provide the uri to the ADFS server during this step– Enable the feature via the ADRMS MMC Console\– Remember Home Realm discovery registry key must
be deployed to clients.
Session Objectives • Overview of Active Directory Rights Management Services (AD
RMS)• AD RMS within an Enterprise environment• Enable secure collaboration using AD RMS
– www.safeguardingyourinfo.com– AD RMS Trusted User Domains– AD RMS Integration with Active Directory Federation Services – ADRMS Integration with the Microsoft Federation Gateway
• Questions
AD RMS Integration with the Microsoft Federation Gateway
• Microsoft Federation Gateway (MFG)– Identity service that runs in the cloud (over the Internet and beyond your
corporate network domain)– Allow users from one federated organization to be trusted by another federated
organization.• Scenarios:
– Extends AD RMS usage to External Parties for Exchange 2010 Sp1 IRM features• No AD RMS is required in the external party• Enables IRM in OWA, Transport Decryption, Journal Decryption for B2B
Scenarios
• Requires AD RMS Windows Server 2008 R2 Sp1
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam may also have their own RMS deployment
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Contoso enrolls their RMS cluster with MFG
1
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam federates their Exchange 2010 server with MFG
2
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Jane sends message to Marcus. Message gets automatically protected
3 Jane could have protected the message at OWA/OLK
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam makes a SAML token request to MFG for their federated identity
5
T
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam makes a Certify call to Contoso
6 Fabrikam will cache the RAC to use in future requests
RAC
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam makes a SAML token request to MFG for their federated identity
8
T
All proxy addresses of the federated Identity are included in the Token
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Fabrikam makes a Use License call to Contoso, presenting the RAC and MFG token
9
The Use License call is batched and a single MFG token is presented for all recipients
UL
AD RMS Integration with MFG
Contoso Fabrikam
MFG
Jane
Marcus
Exchange 2010
Marcus views the RMS message in OWA, and can reply to Jane
The Use License will be used to decrypt the message for OWA, Transport Decryption, Journal Report Decryption
AD RMS Integration with MFG• Tips for enabling MFG integration within RMS– Install Windows Server 2008 R2 Sp1 on all AD RMS
front end machines –Remember to back-up the database prior to
upgrade– Add MFG support via the AD RMS MMC console
–Creates new IIS virtual directories and updates configuration of AD RMS
– Register the AD RMS cluster with the MFG–Requires RMS to be deployed with SSL– SSL Certificate use to authenticate with the MFG
– Enable the Feature