Using Active Directory Rights Management Services and Microsoft Exchange to Protect Sensitive E-mail Communication
Amit Fulay, Senior Lead Program Manager, Microsoft
Session SIA 324
Opening slides: "US military secrets were found in USB sticks on sale outside US airbase" (BBC, http://news.bbc.co.uk/2/hi/technology/4946512.stm), the sticks selling for $40; two figures, 85% and 28%, cited from an IDC 2009 Report.
Session Objectives
Email as the primary leak vector
Understand AD RMS
Understand Exchange 2010 – RMS Integration Features
Understand how to deploy them together
Demos
Business Ready Security: help securely enable business by managing risk and empowering people
• Integrate and extend security across the enterprise
• Protect everywhere, access anywhere
• Simplify the security experience, manage compliance
Built on a highly secure and interoperable platform, with identity as the common foundation. The shift: from Block to Enable, from Cost to Value, from Siloed to Seamless.
Email Information Leakage is Broadly Reaching
• Financial Services: Equity Research, M&A (GLB, NASD 2711)
• Healthcare & Life Services: Research, Clinical Trials (HIPAA)
• Manufacturing & High Technology: Collaborative Design, Data Protection in Outsourcing
• Government: RFP Process, Classified Information (National Security)
• Horizontal Scenarios: Sensitive e-mails, Executive communications, Financial data, Price lists, HR Information, Legal information; Corporate Governance: Sarbanes Oxley (US)

Email Information Leakage is Costly On Multiple Fronts
• Legal, Regulatory and Financial impacts: cost of digital leakage per year is measured in $Billions; increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386; non-compliance with regulations or loss of data can lead to significant legal fees, fines, and more
• Damage to Image and Credibility: damage to public image and credibility with customers; financial impact on company; leaked e-mails or memos can be embarrassing
• Loss of Competitive Advantage: disclosure of strategic plans or M&A info can lead to loss of revenue and market capitalization; loss of research, analytical data, and other intellectual capital
Traditional Solutions Protect Initial Access … but not ongoing usage
Access control lists and firewalls form a perimeter: authorized users get in, unauthorized users are kept out. Nothing in that model follows the information itself, so once an authorized user holds a copy it can leak to unauthorized users outside the perimeter unchecked.
What is Rights Management Services? Better safeguard sensitive information
• Protect against unauthorized viewing, editing, copying, printing, or forwarding of information; limit file access to only authorized users; audit trail tracks usage of protected files
• Persistent protection: protects your sensitive information no matter where it goes; uses technology to enforce organizational policies; authors define how recipients can use their information
• Flexible and customizable technology: RMS integrates with familiar applications and is easy to use; users assign "Full Control" rights to a trusted group; ISVs build custom solutions via SDKs
System Architecture
• RMS Client (built into Windows Vista and Windows 7): application, Client API, Security Processor (lockbox), OS platform; talks to the server over HTTP/SOAP
• RMS Server (WS08 / 08 R2 server role): HTTP/SOAP web services on WS2008, backed by AD and SQL
• RMS Administration: MMC 3.0 host with the Admin MMC snap-in, plus an admin scripting API
Information Workflow: Publishing and consumption
1. Assume author and recipient are already bootstrapped with a RAC (Rights Account Certificate) and CLC (Client Licensor Certificate)
2. Author creates mail
3. Author protects mail using RAC and CLC, producing a Publishing License (PL)
4. Author sends mail to recipient
5. Recipient gets a use license (UL) from RMS (RMS server, AD, SQL)
6. Recipient can access content
RMS System Workflow
1. Deployment: RMS Client; SPC (Security Processor Certificate, the machine certificate)
2. User certification: to server: SPC, authentication; to client: RAC, CLC
3. Publishing information: generate symmetric key; protect information; create PL
4. Licensing: to server: RAC, PL; to client: UL
5. Information consumption: authorize UL; decrypt information
What's on the user's PC?
• RMS Client "Lock Box": machine private key (obfuscated). Per-machine keys guarantee that content cannot be exploited by just moving content or certificates to another machine.
• Machine Certificate: machine public key; necessary in order to acquire a RAC (Rights Account Certificate)
• Rights Account Certificate: user public key; user private key (encrypted by machine public key); credentials to consume rights-protected content
• Client Licensor Certificate: server public key; credentials to publish rights-protected content offline
• RMS-enabled applications on top of the client
Example: Rights-Protected Doc
• File content (text, pictures, metadata, etc.): encrypted with the content key
• PL (Publish License): created when the content (file) is protected; holds the rights info (with e-mail addresses) and the content key (random AES-128), encrypted with the server public key
• UL (Use License): only added to the file after the server licenses a user to open it; holds the content key and the rights (for a particular user), encrypted with the user public key
NOTE: Outlook E-mail EULs are stored in the local user profile directory
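The key wrapping described above is what makes the protection "persistent": the content key travels with the file, but only the RMS server can unwrap it from the PL, and it re-wraps it for one user's public key in the UL. The following PowerShell simulation is an added example, not code from the deck or from AD RMS; it uses .NET RSA (OAEP) and AES-128 classes to stand in for the CLC/RAC key pairs, and the party names, rights strings and the way the IV is carried are assumptions made for illustration.

```powershell
# Added example, not from the deck: a stand-alone simulation of the key wrapping
# behind a Publish License (PL) and a Use License (UL), using .NET crypto classes.
# Party names, rights strings and the use of RSA-OAEP for wrapping are assumptions.

function New-RsaKeyPair {
    # RSA key pair standing in for the server key (in the CLC) or a user key (in the RAC)
    New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Get-PublicOnly([System.Security.Cryptography.RSACryptoServiceProvider]$Key) {
    # What other parties hold: the public half only
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($Key.ExportParameters($false))
    return $pub
}

function Protect-Content([byte[]]$Plaintext, [hashtable]$Rights, $ServerPublicKey) {
    # Author side: random AES-128 content key; content encrypted with it;
    # rights list plus the content key wrapped with the RMS server public key = the PL
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return @{
        Ciphertext = $cipher
        IV         = $aes.IV            # assumed: carried in clear next to the ciphertext
        PL         = @{
            Rights     = $Rights
            WrappedKey = $ServerPublicKey.Encrypt($aes.Key, $true)   # RSA-OAEP
        }
    }
}

function Grant-UseLicense($ServerKey, $PL, [string]$User, $UserPublicKey) {
    # Server side: only the server private key can unwrap the content key; the rights
    # named in the PL are checked before the key is re-wrapped for this user's public key
    if (-not $PL.Rights.ContainsKey($User)) {
        throw "No rights granted to $User in the publish license"
    }
    $contentKey = $ServerKey.Decrypt($PL.WrappedKey, $true)
    return @{
        User       = $User
        Rights     = $PL.Rights[$User]
        WrappedKey = $UserPublicKey.Encrypt($contentKey, $true)
    }
}

function Unprotect-Content($Doc, $UL, $UserKey) {
    # Recipient side: unwrap with the user private key, then decrypt the body
    $contentKey = $UserKey.Decrypt($UL.WrappedKey, $true)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $contentKey
    $aes.IV  = $Doc.IV
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($Doc.Ciphertext, 0, $Doc.Ciphertext.Length)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- walk-through with constructed parties -----------------------------------
$server  = New-RsaKeyPair     # RMS server key pair
$alice   = New-RsaKeyPair     # user key pairs (normally held inside each RAC)
$mallory = New-RsaKeyPair

$rights = @{ 'alice@contoso.com' = 'VIEW,EDIT' }   # constructed rights list
$body   = [System.Text.Encoding]::UTF8.GetBytes('Q3 acquisition target list')
$doc    = Protect-Content $body $rights (Get-PublicOnly $server)

# Alice is named in the PL: the server issues a UL bound to her public key
$ulAlice = Grant-UseLicense $server $doc.PL 'alice@contoso.com' (Get-PublicOnly $alice)
Unprotect-Content $doc $ulAlice $alice

# Mallory is not named, so no UL. Alice's UL is useless to her as well, because the
# content key inside it is wrapped for Alice's private key, not Mallory's.
try { Grant-UseLicense $server $doc.PL 'mallory@fabrikam.com' (Get-PublicOnly $mallory) }
catch { "Server refused: $_" }
try { Unprotect-Content $doc $ulAlice $mallory }
catch { "Wrong key: $($_.Exception.GetType().Name)" }
```

Two things the simulation makes visible that the slide only states: the author never needs the server online to publish (it only needs the server public key from the CLC), and possession of the encrypted file plus someone else's UL yields nothing, which is the property the "Lock Box" and per-machine keys protect on the real client.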
External Collaboration options
• Trusted User Domains
• Special AD Accounts
• Trust Windows Live ID (hosted service)
• Identity Federation
External Collaboration via AD FS: Scenario
Fabrikam is a supplier to Contoso. They have set up a federated trust relationship using AD FS (access to SharePoint libraries, Intranet sites, etc.). Contoso deploys RMS. Contoso is able to protect content it shares with Fabrikam, and the Contoso RMS server issues use licenses to Fabrikam employees.

Flow for new content (FS-R is the resource-side federation server at Contoso, FS-A the account-side federation server at Fabrikam; the RMS server sits behind a WebSSO agent):
1. Assume author is already bootstrapped (RAC, CLC)
2. Author sends protected mail (with its PL) to recipient at Fabrikam
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. WebSSO agent intercepts request, checks authentication, and sends request to RMS server
10. RMS server returns bootstrapping certificates (RAC, CLC) to recipient
11. RMS server returns use license (UL) to recipient
12. Recipient accesses protected content
Vista/WS2008 Investments
• Easy deployment
• External collaboration (through AD FS federation)
• Policy distribution (Vista SP1 + WS2008)
• Native 64-bit client
• XPS integration

Win 7/WS2008 R2 Investments
• External collaboration: support extended to include 3rd-party identity providers; internal group support (i.e., groups on the federation side that include external users)
• Deployment through PowerShell
• Administration through PowerShell; new reports
Exchange 2010 Investments
Optimize for Software + Services
• Streamline Communications: Manage Inbox Overload; Enhance Unified Messaging; Anywhere Access and Collaboration
• Increase Operational Flexibility: Deployment Flexibility; High Availability; Simplified Administration
• Deliver Greater Visibility & Control: Protect Communications; Compliance and Archiving; Reporting and Alerts
RMS Integration Overview
• Automatic Content Based Privacy: Transport Rules; Protected Unified Messaging; Outlook Protection Rules
• Streamline End User Experience: IRM in OWA; Search IRM mails in OWA
• Enable IT Infrastructure: Journal Decryption; Transport Pipeline Decryption
Automatic Content-Based Privacy: Eliminate reliance on the end user
Enforcement tools are required; content protection should be automated.
• Protect messages in transit via a Transport Rules action
• Protect messages by default at the Outlook client
• Private voice messages automatically protected by Unified Messaging (UM)
• Delegate policy determination to the Compliance Officer role via RBAC
Transport Rule Protection
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages.
• Transport Rule action to apply an RMS template to an e-mail message
• Transport Rules support regex scanning of attachments in Exchange 2010
• Internet Confidential and Do Not Forward policies available out of the box
How it works:
• The Rules Agent stamps an X-Org header on the message with the value set to the RMS template GUID
• The Encryption Agent applies RMS protection to the message and attachments on the OnRouted transport agent event
• Office 2003, 2007, 14 (Office 2010) and XPS documents are supported as attachments
• All encryption/decryption API is located in the XSO layer
Transport Rule Protection: flow between Exchange 2010 (Enterprise) and AD RMS, via Active Directory
1) Service lookup (Service Connection Point in Active Directory)
2) Bootstrap (RAC, CLC)
3) Acquire template information
4) Publish
5) Encrypt
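What the transport-rule action looks like from the Exchange Management Shell, as an added example that is not part of the deck: the group address, the deal-code pattern and the rule names are constructed, and "Do Not Forward" is the out-of-box template named above. Conditions inside one rule are ANDed, so the body and attachment patterns are separate rules.

```powershell
# Added example, not from the deck. Group, pattern and rule names are constructed;
# "Do Not Forward" is the built-in AD RMS template referenced in the session.

# Templates the Exchange organization can see (built-in plus those published by AD RMS)
Get-RMSTemplate | Format-Table Name, Type

# Protect everything the M&A group sends inside the organization
New-TransportRule -Name "Protect M&A traffic" `
    -FromMemberOf "MA-Team@contoso.com" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Content-based: a deal-code pattern in subject or body ...
New-TransportRule -Name "Protect deal codes" `
    -SubjectOrBodyMatchesPatterns "DEAL-\d{6}" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# ... and the same pattern inside supported attachments (the regex attachment
# scanning that Exchange 2010 adds)
New-TransportRule -Name "Protect deal codes in attachments" `
    -AttachmentMatchesPatterns "DEAL-\d{6}" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Confirm the rules and the template they bind to
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate
```

The rule only stamps the template; the actual protection happens later in the Encryption Agent, so a rule that fires on a message whose attachment type is unsupported leaves that attachment unprotected. Checking a test message end to end (the Test-IRMConfiguration cmdlet in the deployment section) is the way to confirm the agents behind the rule are working.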
RMS Integration in UM
• The UM administrator can allow incoming voice mail messages to be marked as "private"
• Private voice mail is protected using "Do Not Forward", preventing forwarding or copying of the content
• Uses the encryption/decryption XSO API to rights-protect the message
• Private voice mail is supported by Unified Messaging in Outlook 14 (Outlook 2010) and OWA
Outlook Protection Rules
• Small-scale rules engine delivered in an Outlook 2010 add-in
• Protection is applied in the client before the message leaves it, so the host/administrator of the mail system cannot read the sensitive mail
• Predicates: sender's department, recipient's identity, recipient's scope
• Rules are retrieved by the add-in from the CAS through EWS
• Rules can be optional or mandatory, and are applied offline and online
Example flow:
Step 1: User creates a new message in Outlook
Step 2: User adds the R&D distribution list to the To line
Step 3: Outlook detects a sensitive DL and automatically protects the message as confidential
Step 4: The administrator can define the policy as required (mandatory), disabling the Permission button
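The four steps above, expressed as the server-side rule definitions the Outlook add-in would fetch over EWS. This is an added example, not from the deck; the distribution list address, department name and rule names are constructed.

```powershell
# Added example, not from the deck. Addresses, department and rule names are constructed.

# The R&D scenario: recipient-based, mandatory (Step 4: user cannot remove protection,
# so the Permission button is disabled for these messages)
New-OutlookProtectionRule -Name "Protect mail to R&D" `
    -SentTo "RnD-Team@contoso.com" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# A department-based rule that is only a default: Legal staff get protection applied
# automatically on internal mail but may switch it off per message
New-OutlookProtectionRule -Name "Legal internal default" `
    -FromDepartment "Legal" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $true

# Rules are evaluated in priority order; review what clients will download
Get-OutlookProtectionRule | Format-Table Name, Priority, UserCanOverride, SentToScope
```

Because these rules run inside Outlook 2010, a client that is not Outlook 2010 (OWA, older Outlook, a mobile device) does not apply them; a transport rule with the same predicate is the server-side backstop when the requirement is "must never leave unprotected" rather than "must not be readable by the hoster".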
Streamline End User Experience: Prevent RMS protection from getting in the IW's way
• Prelicensing enables offline and mobile access to RMS-protected messages
• Create and compose RMS-protected messages in Outlook and OWA
• Conduct full-text search on RMS-protected messages in OWA

RMS Integration in OWA
• Create/consume RMS-protected messages natively, just like Outlook
• No client download or installation required
• Supports Firefox, Safari, Macintosh and Windows
• Conversation view, preview pane
• Full-text search on RMS-protected messages
How it works:
• The CAS uses super-user privileges to decrypt; the End User License (EUL) determines which rights to enforce
• A single EUL is shared across all CAS servers to give multiple machines a common RMS identity
• Rights are enforced by the OWA rendering in the browser, not by a lockbox on the client; where that weaker enforcement is a concern, the feature can be disabled at the mailbox policy level
Enable IT Infrastructure: RMS protection should not break IT infrastructure
• Simplified Exchange-RMS integration via installation scripts and a health check task
• Enable e-discovery via Journal Report Decryption
• Virus and spam filtering of RMS-protected messages enabled at the Hub Transport

Journal Report Decryption
Journal Report Decryption Agent:
• Attaches clear-text copies of RMS-protected messages and attachments to the journal report (the journal mailbox therefore holds clear text, and access to it must be controlled accordingly)
• Requires super-user privileges; off by default
• Stamps an X-Org header to prevent future decrypt attempts

Transport Pipeline Decryption
Enables Hub Transport agents to scan/modify RMS-protected messages.
Pipeline Decryption Agent:
• Uses super-user privileges to decrypt
• Decrypts message and attachments protected with the same Publishing License
• The Encryption Agent re-encrypts messages, forks and NDRs with the original PL
• Option to NDR messages that can't be decrypted
• Low performance impact: the message is decrypted at the first Hub of each forest
• A message property records whether the clear-text message was produced by pipeline decryption
• Agents are not prevented from copying decrypted content, so only trusted agents belong on a Hub that decrypts
RMS Integration Agents
All RMS integration agents are implemented as transport agents on the Hub Transport role, by event:
• OnEndOfData: Pipeline Decryption Agent (decrypt RMS message received from SMTP)
• OnSubmitted: Pipeline RMS Decryption Agent (decrypt AD RMS message from the pipeline)
• OnRouted: Transport Rules Agent, Journal Report Decryption Agent, Encryption Agent, PreLicense Agent, Journal Agent
Deployment
Pre-requisites
• Exchange 2010 on Windows Server 2008 R2
• Configure the AD RMS server role on WS08 R2
• MBX and CAS servers must have Exchange 2010

Exchange Configuration
• Exchange Server must be part of the RMS "Super Users" group
• Enable the corresponding transport agents. For example, to enable the Transport Rules agent, use the Exchange Management Shell:
    Set-IRMConfiguration -EncryptionEnabled $true

RMS Configuration
1. Register a Service Connection Point in AD
2. Add permissions for Exchange to access AD RMS
3. Set up an RMS Super User Group

Demo: Transport Rules, IRM in OWA, Journal Decryption
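The enablement and verification steps for the features covered in this session (transport rule protection, IRM in OWA and OWA search, journal report decryption, pipeline decryption), put together as one Exchange 2010 Management Shell pass. This is an added example, not from the deck; the policy name and the test sender are constructed. The deck shows a pre-release -EncryptionEnabled switch; in the released Exchange 2010 cmdlet the switch that enables internal IRM features is -InternalLicensingEnabled, which is what is used here. The AD RMS-side steps (SCP registration, granting the Exchange servers access to the AD RMS server certification service, creating the super users group) are done on the AD RMS cluster and are not repeated.

```powershell
# Added example, not from the deck. Policy name and test mailbox are constructed.

# 1. Confirm Exchange located the AD RMS cluster through the Service Connection Point
Get-IRMConfiguration | Format-List ServiceLocation, PublishingLocation, LicensingLocation

# 2. Enable the features. TransportDecryptionSetting: Mandatory = NDR what cannot be
#    decrypted, Optional = let undecryptable mail through, Disabled = no pipeline decryption.
Set-IRMConfiguration -InternalLicensingEnabled $true `
                     -ClientAccessServerEnabled $true `
                     -SearchEnabled $true `
                     -JournalReportDecryptionEnabled $true `
                     -TransportDecryptionSetting Mandatory

# 3. OWA IRM is controlled per mailbox policy; turn it off here for user populations
#    where browser-side rights enforcement is not acceptable
Set-OwaMailboxPolicy -Identity "Default" -IRMEnabled $true

# 4. Exercise the whole path (bootstrap, template retrieval, publish, use license,
#    decrypt) as a real mailbox would; failures here usually mean the super users
#    group or the AD RMS permissions for the Exchange servers are not in place
Test-IRMConfiguration -Sender "alice@contoso.com"

# 5. Confirm the RMS-related transport agents are present and enabled on this Hub
Get-TransportAgent | Where-Object { $_.Identity -match 'RMS|Rule|Journal|Prelicens' } |
    Format-Table Identity, Enabled, Priority
```

Run step 4 again after any AD RMS cluster change (new template, re-keyed cluster, changed super users group): Exchange caches the bootstrap certificates, and the test is the quickest way to find out that a Hub or CAS can no longer obtain a use license.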
Key Takeaway
Exchange 2010 and AD RMS can help your organization safeguard sensitive email communication

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification and Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.