Virtual TechDays INDIA │ 18-20 August 2010

Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS) Protected Content to External Parties

Venkatesh Swaminathan │ Solution Specialist, Microsoft

Transcript of the session slides.

Session Agenda

• Overview of Active Directory Rights Management Services (AD RMS)
• AD RMS within an Enterprise environment
• Enable secure collaboration using AD RMS
  – www.safeguardingyourinfo.com
  – AD RMS Trusted User Domains
  – AD RMS Integration with Active Directory Federation Services
  – AD RMS Integration with the Microsoft Federation Gateway
• Questions

Secure Collaboration

PROTECT everywhere, ACCESS anywhere
SIMPLIFY security, MANAGE compliance
INTEGRATE and EXTEND security

Enable more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information.

• Secure, seamless access
• Protect sensitive information in documents
• Best-in-class anti-malware
• Enterprise-wide visibility
• Easier partner management
• Deep Microsoft SharePoint and Office integration
• Standards-based interoperability across organizations and cloud


AD Rights Management Services

Persistent Protection: Encryption + Policy
• Access Permissions
• Use Right Permissions

• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on trusted identity
• Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content and documents are encrypted
• Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

How does RMS work?

[Diagram: Information Author, the Recipient, the RMS Server, SQL Server and Active Directory, with the numbered steps below]

1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license"
5. Application renders the file and enforces the rights

Active Directory Rights Management Services

• AD RMS is a server role in Windows Server 2008 and 2008 R2
• The AD RMS client supports Windows XP through Windows 7
• Microsoft IRM-enabled applications include:
  – Office 2003 to 2010
  – Exchange Server 2007 & 2010
  – SharePoint 2007 & 2010
• Sharing protected content is disabled by default
  – AD RMS requires additional configuration to share content outside of the protection domain
  – Provides control to the IT administrator to determine sharing relationships


Basic AD RMS Deployment

[Diagram: an RMS Cluster on the Corporate Network, with the Internet outside; the labels RAC, CLC, UL and PL mark the certificates and licenses exchanged in seven numbered steps shown on the slide only]


Sharing Sensitive Content – The Default Today

Enable sharing of IRM Protected Content

• Allow users to securely collaborate
  – Enable users to share sensitive information in a seamless manner
  – Sharing securely should not interfere with collaboration
• Enterprises can retain control of their data
  – Enterprises can create policies determining who has access to content
  – Enterprises can manage partnerships between organizations
• AD RMS supports several mechanisms to enable sharing of IRM protected content
  – www.safeguardingyourinfo.com
  – Trusted User Domains
  – Integration with Active Directory Federation Services
  – Integration with the Microsoft Federation Gateway


AD RMS Trusted User Domains

• AD RMS Trusted User Domains (TUD)
  – An AD RMS domain refers to the scope of an AD RMS certification cluster: the Active Directory forest
  – Not to be confused with an Active Directory domain
  – Allow trust to be established between AD RMS domains. This is completely independent from AD forest or domain trust
• Scenario:
  – Enables sharing of AD RMS protected content within enterprises that have multiple forests in which user accounts are located
• AD RMS Trusted User Domains are recommended for sharing content within the Enterprise

AD RMS Trusted User Domains

• Two entities (forests within a company) have their own AD RMS installation
• By default, AD RMS will not license content to users from other AD RMS installations
• TUD enables users from one AD RMS domain to acquire a license from a server in another domain
  – An AD RMS licensing server will issue a use license to a RAC issued by another trusted AD RMS cluster
• RAC validation can occur after importing a trusted Server Licensor Certificate
• Authentication to the licensing service must be addressed

AD RMS Trusted User Domains

[Diagram: AD RMS in Forest A and AD RMS in Forest B]
• John in Forest A sends RM content to Monica in Forest B
• Monica in Forest B sends the PL and RAC with a request for a UL from Forest B

How AD RMS Trusted User Domains Work

[Diagram: AD RMS in Forest A and AD RMS in Forest B]
1) Export TUD from Forest 2
2) Import TUD from Forest 2
3) John in Forest A sends RM content to Monica in Forest B
4) Monica in Forest B sends PL and RAC with request for UL
5) Server uses imported SLC to verify Monica's RAC and returns UL
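As an added toy model (not Microsoft code and not the MS-RMS wire protocol) of the five steps in "How does RMS work?" and of the TUD exchange just shown: each cluster's Server Licensor Certificate (SLC) signs the RACs it issues, the publishing license carries the rights list and the content key wrapped to the issuing cluster, and the licensing server issues a use license only after it finds the requester's issuer among its trusted SLCs and the RAC verifies against that SLC. The textbook RSA on well-known small primes, the XOR content cipher, the forest and user names and the content key are all constructed for illustration, and the PL signature check is omitted.

```python
"""Toy model of the AD RMS licence flow (RAC, PL, UL) and a Trusted User Domain
(TUD) trust decision. Added example: not Microsoft code, not the MS-RMS protocol.
Certificates are signed dicts, the 'RSA' is textbook, every value is constructed."""
import hashlib
import json
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def _digest(body: dict, n: int) -> int:
    raw = json.dumps(body, sort_keys=True).encode()
    return int(hashlib.sha256(raw).hexdigest(), 16) % n

def _keypair(p: int, q: int):
    """Textbook RSA from two known primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

@dataclass
class Cert:
    body: dict  # certificate or licence fields
    sig: int    # toy RSA signature over the JSON-serialised body

def sign(priv, body: dict) -> Cert:
    d, n = priv
    return Cert(body, pow(_digest(body, n), d, n))

def verify(pub, cert: Cert) -> bool:
    e, n = pub
    return pow(cert.sig, e, n) == _digest(cert.body, n)

def _xor_stream(key: int, data: bytes) -> bytes:
    # Stand-in for the symmetric content cipher keyed by the content key.
    ks = hashlib.sha256(str(key).encode()).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

class RmsCluster:
    """One AD RMS cluster; its 'AD RMS domain' is the forest it serves."""
    def __init__(self, forest: str, p: int, q: int):
        self.forest = forest
        self.slc_pub, self._slc_priv = _keypair(p, q)  # Server Licensor Certificate
        # forest -> trusted SLC public key. Only the cluster's own SLC is
        # trusted until a TUD is imported, so foreign RACs are refused.
        self.trusted = {forest: self.slc_pub}

    def export_tud(self) -> dict:
        return {"forest": self.forest, "slc_pub": list(self.slc_pub)}

    def import_tud(self, tud: dict) -> None:
        self.trusted[tud["forest"]] = tuple(tud["slc_pub"])

    def certify(self, user: str, p: int, q: int):
        """Bootstrap (step 1): issue a RAC binding the user's key to this cluster."""
        pub, priv = _keypair(p, q)
        body = {"kind": "RAC", "user": user, "issuer": self.forest, "pub": list(pub)}
        return sign(self._slc_priv, body), priv

    def issue_use_license(self, pl: Cert, rac: Cert):
        """Step 4: validate the requester; return (UL or None, reason)."""
        if pl.body["issuer"] != self.forest:
            return None, "PL was issued by another cluster"
        slc_pub = self.trusted.get(rac.body["issuer"])
        if slc_pub is None:
            return None, f"no TUD for AD RMS domain {rac.body['issuer']!r}"
        if not verify(slc_pub, rac):
            return None, "RAC does not verify against the trusted SLC"
        rights = pl.body["rights"].get(rac.body["user"])
        if not rights:
            return None, "user is not named in the publishing license"
        d, n = self._slc_priv
        content_key = pow(pl.body["enc_key"], d, n)  # unwrap with the SLC key
        e_u, n_u = rac.body["pub"]                   # re-wrap to the RAC key
        body = {"kind": "UL", "user": rac.body["user"], "rights": rights,
                "enc_key": pow(content_key, e_u, n_u)}
        return sign(self._slc_priv, body), "ok"

def publish(cluster, author_rac, author_priv, content: bytes, rights: dict, key: int):
    """Step 2: PL = rights + content key wrapped to the cluster's SLC, signed by
    the author (the CLC is modelled by the author's RAC key here)."""
    e_s, n_s = cluster.slc_pub
    body = {"kind": "PL", "issuer": cluster.forest, "author": author_rac.body["user"],
            "rights": rights, "enc_key": pow(key, e_s, n_s)}
    return sign(author_priv, body), _xor_stream(key, content)

def render(ul: Cert, user_priv, ciphertext: bytes):
    """Step 5 on the client: unwrap the key with the RAC key and decrypt."""
    d, n = user_priv
    return _xor_stream(pow(ul.body["enc_key"], d, n), ciphertext), ul.body["rights"]

def demo_tud():
    """John (Forest A) protects content for Monica (Forest B); all values constructed."""
    forest_a = RmsCluster("forest-a", 1000000007, 1000000009)
    forest_b = RmsCluster("forest-b", 998244353, 999999937)
    john_rac, john_priv = forest_a.certify("john@forest-a", 2147483647, 4294967291)
    monica_rac, monica_priv = forest_b.certify("monica@forest-b", 524287, 131071)
    pl, blob = publish(forest_a, john_rac, john_priv, b"Q3 forecast",
                       {"monica@forest-b": ["view"]}, 123456789)
    _, before = forest_a.issue_use_license(pl, monica_rac)  # refused: no TUD yet
    forest_a.import_tud(forest_b.export_tud())              # TUD steps 1-2
    ul, after = forest_a.issue_use_license(pl, monica_rac)  # TUD steps 4-5
    text, rights = render(ul, monica_priv, blob)
    return before, after, text, rights
```

Running `demo_tud()` shows the two outcomes the slides describe: Monica's first use-license request to Forest A is refused because her RAC's issuer is not a trusted AD RMS domain, and the identical request succeeds once Forest A has imported Forest B's exported SLC. That import is the entire trust decision, which is why who may perform it, and the removal of trusts that are no longer needed, is the administrative control point for cross-forest sharing.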


AD RMS Integration with Active Directory Federation Services (ADFS)

• AD RMS native scope is the AD forest
  – Can be extended to other forests via directory federation
• ADFS is a standards-based directory federation system
  – Natively supported by AD RMS
• Scenarios:
  – Extending AD RMS usage to External Parties
    • No AD RMS is required in the external party
    • AD and AD FS required
• AD RMS/ADFS is recommended for sharing IRM content outside of the Enterprise when using Office clients (Outlook, Excel, Word etc.) and SharePoint

New AD RMS Features in Windows Server 2008 R2

• Group Expansion
  – Allows organizations to collaborate with groups of people instead of identifying external users individually
  – Groups are defined in the publishing organization's directory
  – AD RMS will access the local Active Directory to look up the group membership
• 3rd Party Federation Support
  – Enables AD RMS to work with non-ADFS Security Token Services
  – Uses Forms Based Authentication

AD RMS Integration with AD FS – Scenario

[Diagram: Contoso (AD, RMS, WebSSO agent, FS-R) and Fabrikam (AD, FS-A); the RAC, CLC, PL and UL are exchanged in the numbered steps below]

1. Assume the author is already bootstrapped
2. Author sends protected mail to the recipient at Fabrikam
3. Recipient contacts the RMS server to get bootstrapped
4. WebSSO agent intercepts the request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes a request to the RMS server for bootstrapping
9. WebSSO agent intercepts the request, checks authentication, and sends the request to the RMS server
10. RMS server returns bootstrapping certificates to the recipient
11. RMS server returns the use license to the recipient
12. Recipient accesses the protected content

AD RMS Integration with AD FS

Tips for enabling AD FS integration with AD RMS
– Both organizations must have ADFS installed and deployed
– Grant Security Audit Privileges to the AD RMS Service Account
– Add an Extranet URL
– Ensure SSL has been enabled for the AD RMS cluster
– Install the ADFS sub-role for AD RMS
  • Provide the URI of the ADFS server during this step
– Enable the feature via the AD RMS MMC console
– Remember that the Home Realm Discovery registry key must be deployed to clients


AD RMS Integration with the Microsoft Federation Gateway

• Microsoft Federation Gateway (MFG)
  – Identity service that runs in the cloud (over the Internet and beyond your corporate network domain)
  – Allows users from one federated organization to be trusted by another federated organization
• Scenarios:
  – Extends AD RMS usage to External Parties for Exchange 2010 SP1 IRM features
    • No AD RMS is required in the external party
    • Enables IRM in OWA, Transport Decryption and Journal Decryption for B2B scenarios
• Requires AD RMS on Windows Server 2008 R2 SP1

AD RMS Integration with MFG

[Diagram: Jane at Contoso (AD RMS) and Marcus at Fabrikam (Exchange 2010), with the MFG between them; Fabrikam may also have their own RMS deployment. Step numbers are as shown on the slides.]

1. Contoso enrolls their RMS cluster with MFG
2. Fabrikam federates their Exchange 2010 server with MFG
3. Jane sends a message to Marcus; the message gets automatically protected (Jane could also have protected the message at OWA/OLK)
5. Fabrikam makes a SAML token request to MFG for their federated identity
6. Fabrikam makes a Certify call to Contoso and receives a RAC; Fabrikam will cache the RAC to use in future requests
8. Fabrikam makes a SAML token request to MFG for their federated identity; all proxy addresses of the federated identity are included in the token
9. Fabrikam makes a Use License call to Contoso, presenting the RAC and the MFG token; the Use License call is batched and a single MFG token is presented for all recipients

Marcus views the RMS message in OWA, and can reply to Jane. The Use License is used to decrypt the message for OWA, Transport Decryption and Journal Report Decryption.

AD RMS Integration with MFG

• Tips for enabling MFG integration within RMS
  – Install Windows Server 2008 R2 SP1 on all AD RMS front-end machines
    • Remember to back up the database prior to the upgrade
  – Add MFG support via the AD RMS MMC console
    • Creates new IIS virtual directories and updates the configuration of AD RMS
  – Register the AD RMS cluster with the MFG
    • Requires RMS to be deployed with SSL
    • The SSL certificate is used to authenticate with the MFG
  – Enable the feature

Questions?