
Windows Server 2008 R2
Active Directory Rights Management Services Deep Dive

Abhijat Kanade
Senior Program Manager
Microsoft Corporation
Session Code: SIA304

Agenda
Information Leakage Problem
AD RMS History
What's New in CY09 (with demos)
  AD RMS Server Role in Windows Server 2008 R2
  Exchange 2010 integration
  AD RMS Bulk Protection Tool
  RSA DLP 6.5+ integration
Q&A

Business Ready Security
Help securely enable business by managing risk and empowering people

[Figure: Protection, Access, Identity and Management built on a Highly Secure & Interoperable Platform]
Protect everywhere, access anywhere
Integrate and extend security across the enterprise
Simplify the security experience, manage compliance

From: Block, Cost, Siloed
To: Enable, Value, Seamless

The Information Workplace
[Figure: information flows out of the enterprise to Home, USB Drive, Independent Consultant, Mobile Devices and Partner Organization]
Companies face growing risks of information leakage

Information Leakage Is Costly On Multiple Fronts
Legal, Regulatory, and Financial impacts
  Cost of digital leakage per year is measured in $Billions
  Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
  Non-compliance with regulations or loss of data can lead to significant legal fees
Damage to Image and Credibility
  Damage to public image and credibility with customers
  Financial impact on company
  Leaked e-mails or memos can be embarrassing
Loss of Competitive Advantage
  Disclosure of strategic plans or M&A info can potentially lead to loss of revenue and market capitalization
  Loss of research, analytical data, and other intellectual capital

Data must be protected, but must remain

Location Based Solutions
Protect Initial Access But Do Not Protect Usage

[Figure: a Firewall Perimeter and an Access Control List Perimeter admit Authorized Users and keep Unauthorized Users out; once an authorized user holds the data it can be passed outside both perimeters to Unauthorized Users (Information Leakage).]

AD RMS Is A Content-Based Solution
Protects the Information Itself No Matter How It Is Shared And Where It Goes

[Figure: the policy travels with the content wherever it goes]
Active Directory Rights Management Services
  Persistent Encryption
  Policy
    Access Permissions (Who)
    Use Right Permissions (What)

AD RMS Workflow: Publishing and Consumption

[Figure: Author and Recipient, each holding a RAC and CLC, with the AD RMS server, its SQL database and AD DS; the mail carries a PL and the recipient obtains a UL.]
1. Assume author and recipient are already bootstrapped with a RAC (rights account certificate) and CLC (client licensor certificate)
2. Author creates mail
3. Author protects mail using RAC and CLC (a publishing license, PL, is bound to the mail)
4. Author sends mail to recipient
5. Recipient gets use license (UL) from RMS
6. Recipient can access content

AD RMS History*

Windows Server 2003
  Out-of-band installer for RMS Server (v1, v1 SP1, v1 SP2)
  AD RMS Trust: TUD, WLID
  Client: out-of-band installer for RMS Client (v1, v1 SP1, v1 SP2) on Windows XP and WS2003
  Microsoft Solutions: Office 2003 (Outlook, Word, Excel, PowerPoint); Internet Explorer Add-On (RMA)

Windows Server 2008
  AD RMS server role (v2)
  AD RMS Trust: AD FS federation support
  Improved installation and mgmt
  AD RMS template distribution (Vista SP1 and above)
  Admin reports
  Different admin roles
  Client: AD RMS client integrated in Windows Vista and WS2008
  Microsoft Solutions: Windows Mobile 6 integration; Office 2007 (+InfoPath); XPS Viewer; SharePoint 2007 (Doc libraries); Exchange 2007 SP1 (Prelicensing)

Windows Server 2008 R2
  AD RMS server role (v3)
  AD RMS Trust: publishing org (internal) group support for federated users
  Improved installation and mgmt through PowerShell
  Additional admin reports
  Client: AD RMS client integrated in Windows 7 and WS2008 R2
  Microsoft Solutions: Exchange 2010; AD RMS Bulk Protection Tool; WS2008 R2 FCI integration

Partner Solutions
  PDF and other file formats & Blackberry support: Gigatrust, Liquid Machines
  CAD file format: Dassault Systèmes
  Classification: Titus Labs
  Secure Content Mgmt: Workshare, OpenText
  RSA DLP
  PDF solution: Foxit

* Each consecutive release on this slide includes features from the prior release

AD RMS Server Role in WS2008 R2
Customer Ask #1: Deployment and Administration
  Consistency: ensure identical deployments; automate common tasks
  Flexibility: local and remote access for managing the server

AD RMS Server Role in WS2008 R2
PowerShell for Deployment and Administration
  Deployment cmdlets available out-of-the-box
  Admin cmdlets available after the AD RMS server role has been deployed
  Additional admin reports (system health)
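Added example (not from the deck): the deployment-then-administration sequence the slide describes, using the ADRMS deployment provider and the ADRMSAdmin provider that ship with the WS2008 R2 role. The cluster URL, service account, super users group and licensor certificate name are assumptions, and the drive paths and property names follow the WS2008 R2 provider documentation; confirm them with Get-ChildItem RC:\ and Get-ChildItem AdRmsAdmin:\ on the target server before running this unattended.

```powershell
# Added example, not from the deck. Run in an elevated PowerShell on the future
# AD RMS root cluster node. Assumed names: adrms.contoso.com, CONTOSO\svc-adrms,
# adrmssuperusers@contoso.com, "Contoso AD RMS".

# --- Deployment: the ADRMS module is usable before the role is installed ---
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

# Configuration database. Windows Internal Database is acceptable for a lab;
# a production cluster should point RC:\ClusterDatabase at a SQL Server instead.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Service account: a dedicated, low-privilege domain account, prompted rather than hard-coded
$svc = Get-Credential "CONTOSO\svc-adrms"
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svc

# Cluster key protected by a password and stored in the configuration database.
# Escrow this password: without it the server licensor certificate, and therefore
# every document the cluster has protected, cannot be recovered or re-homed.
$clusterKey = Read-Host -AsSecureString -Prompt "Cluster key password"
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKey

# Cluster URL: HTTPS (a certificate must already be bound to the web site), and a
# DNS alias rather than the machine name, because the URL is baked into every
# publishing license the cluster issues and cannot be changed later.
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value "Default Web Site"
Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://adrms.contoso.com:443"
Set-ItemProperty -Path RC:\SLC -Name SLCName -Value "Contoso AD RMS"
Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true   # service connection point in AD DS

Install-ADRMS -Path RC:\ -Force

# --- Administration: the ADRMSAdmin module exists only after the role is installed ---
Import-Module ADRMSAdmin
New-PSDrive -PSProvider ADRMSAdmin -Name AdRmsAdmin -Root https://adrms.contoso.com | Out-Null

# Super users group: disabled by default. Members can obtain a use license for ANY
# content this cluster issued. Exchange journal/transport decryption and the bulk
# decryption tool need it, so enable it for one dedicated group and audit its membership.
Set-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true
Set-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value "adrmssuperusers@contoso.com"

# Quick consistency check: the templates clients will see, and the super user setting as stored
Get-ChildItem AdRmsAdmin:\RightsPolicyTemplate | Format-Table DisplayName, Description -AutoSize
Get-ItemProperty -Path AdRmsAdmin:\SecurityPolicy\SuperUser
```

The super users section is the security-relevant part of this script: keep the group empty except for the service identities that the Exchange and bulk-decryption scenarios later in the deck require, and treat any change to it as a privileged operation.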

demo

AD RMS Administration

AD RMS Server Role in WS2008 R2
Customer Ask #2: Secure External Collaboration via AD FS
  Control access: publishing organization maintains full control of content; groups defined by publishing organization
  Simplify collaboration: enable secure external collaboration; consistent end user experience when working with internal and external users

AD RMS Server Role in WS2008 R2
Secure External Collaboration via AD FS
  WS2008 introduced federation support: need to individually identify external users when protecting information
  WS2008 R2 supports protecting to publishing org (internal) groups that include external users: no need to individually identify external users
External Collaboration via ADFS

[Figure: Contoso (AD, RMS server, ADFS resource federation server FS-R fronted by the WebSSO agent, Alice, group projectX) and Fabrikam (AD, ADFS account federation server FS-A, Bob); RAC/CLC, PL and UL flows numbered as below.]
1. Assume author is already bootstrapped
2. Alice sends protected mail to projectX@contoso.com, of which Bob at Fabrikam is a member
3. Recipient contacts RMS server to get bootstrapped
4. WebSSO agent intercepts request
5. RMS client is redirected to FS-R for home realm discovery
6. RMS client is redirected to FS-A for authentication
7. RMS client is redirected back to FS-R for authentication
8. RMS client makes request to RMS server for bootstrapping
9. RMS server returns certificates (RAC and CLC) to recipient
10. RMS client makes request to RMS server for use license
11. RMS server retrieves Bob's group membership from AD and compares to PL
12. RMS server returns use license (UL) to Bob

Exchange 2010 RMS Integration: Themes
  Streamline end-user experience
  Enable automatic protection
  Integrate seamlessly with IT infrastructure

Exchange 2010 RMS Integration
Customer Ask #1: Streamline end-user experience
  Seamless protection: ensure identical end user experience for unprotected and RMS-protected e-mails
  OWA support: view and reply to RMS-protected e-mails in OWA without an additional add-on

Exchange 2010 RMS Integration
Streamline End-user Experience
  Prelicensing support (introduced in Exchange 2007 SP1) enables offline and mobile access to RMS-protected e-mails
  Consume and publish RMS-protected e-mails in OWA (Internet Explorer, Firefox, Safari)
  Conduct full-text search on RMS-protected e-mails in OWA

demo

RMS-Protected E-mails in OWA

Exchange 2010 RMS Integration
Streamline End-user Experience: RMS Integration in OWA, Details
  Client Access Server (CAS) uses superuser privileges to decrypt
  Prelicensed use license (UL) used to determine rights to enforce
  Rights enforcement concerns in the browser mitigated by enabling the feature for a specific set of users (at mailbox policy level)

Exchange 2010 RMS Integration
Customer Ask #2: Enable automatic protection
  Based on content and context analysis

Exchange 2010 RMS Integration
Automatic Protection
  Automatically protect e-mails in transit via Exchange transport rules
  Automatically protect e-mails in Outlook 2010 (through an add-in)
  Automatically protect private voicemails through Exchange Unified Messaging (UM)

Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules
  Transport rule action to apply an AD RMS template to the e-mail message
  Based on content and context analysis
    Content analysis: keywords and RegEx scanning of e-mails and attachments
    Context examples: From, To
demo
Exchange Transport Rules Based Automatic RMS-Protection

Exchange 2010 RMS Integration
Automatic Protection: Through Transport Rules, Details
  Rules agent stamps an x-org header in the e-mail with the RMS template GUID
  Encryption agent applies the RMS template to the e-mail and its attachments on the OnRoutedMessage transport agent event
  Office 2003 and above file formats (Word, Excel, PowerPoint) and XPS attachments also get automatically protected
  Extensible to other file formats through IRM protector implementation

Exchange 2010 RMS Integration
Automatic Protection: Through Outlook Protection Rules
  Outlook 2010 add-in rules engine (small-scale)
  Protection is applied in the client before the message reaches the server, which mitigates concerns of the Exchange admin or host accessing sensitive mail
  Rules are context only: sender's department, recipient's identity, recipient's scope (internal/external)
  Rules retrieved by the add-in from the CAS through the Exchange Web Services (EWS) API

demo
Outlook 2010 Add-In Protection Rules

Exchange 2010 RMS Integration
Automatic Protection: Through Unified Messaging
  UM admin can allow incoming voicemails to be marked as private
  Private voicemails can be protected using the Do Not Forward RMS template, preventing forwarding and copying of voicemail content
  Private voicemails supported in OWA and Outlook 2010
  Uses the Encryption/Decryption XSO API to

demo
Exchange Unified Messaging Protected Voicemails
RMS-protected based on sender marking voicemail as private or through administrative policy
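Added example (not from the deck): the three automatic-protection paths above, configured from the Exchange 2010 Management Shell the way an admin would script them. The template names, the department attribute value, the addresses, the regular expression and the UM mailbox policy name are assumptions; the cmdlets and parameters are the Exchange 2010 ones (New-TransportRule with -ApplyRightsProtectionTemplate, New-OutlookProtectionRule, Set-UMMailboxPolicy).

```powershell
# Added example, not from the deck. Exchange 2010 Management Shell.
# Assumed names: template "Contoso Confidential", department "Human Resources",
# group finance@contoso.com, UM mailbox policy "Contoso Dial Plan Default Policy".

# A rule may only reference a template that Exchange can read from the AD RMS
# cluster, so check first (Get-RMSTemplate needs InternalLicensingEnabled).
$templateName = "Contoso Confidential"
if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $templateName })) {
    throw "AD RMS template '$templateName' is not visible to Exchange; check Get-IRMConfiguration"
}

# 1. Transport rule (content + context). The rules agent stamps the template GUID
#    in an x-org header; the encryption agent then protects the body and supported
#    attachments. Predicates on one rule are ANDed, so body and attachment
#    matching get separate rules to obtain OR semantics.
$ssnPattern = '\b\d{3}-\d{2}-\d{4}\b'   # constructed example pattern (US SSN shape)
New-TransportRule -Name "Finance: protect PII in body" `
    -FromMemberOf "finance@contoso.com" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $ssnPattern `
    -ApplyRightsProtectionTemplate $templateName
New-TransportRule -Name "Finance: protect PII in attachments" `
    -FromMemberOf "finance@contoso.com" `
    -SentToScope NotInOrganization `
    -AttachmentMatchesPatterns $ssnPattern `
    -ApplyRightsProtectionTemplate $templateName

# 2. Outlook protection rule (context only). Evaluated by the Outlook 2010 add-in,
#    which fetches the rule set from the CAS over EWS; the message is therefore
#    already protected when it reaches the Hub Transport server.
New-OutlookProtectionRule -Name "HR mail stays internal" `
    -FromDepartment "Human Resources" `
    -SentToScope InOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -UserCanOverride $false

# 3. Unified Messaging. Voicemails marked private (Private) or every voicemail (All)
#    are wrapped in Do Not Forward; RequireProtectedPlayOnPhone forces playback
#    through Play on Phone instead of a local media player.
Set-UMMailboxPolicy -Identity "Contoso Dial Plan Default Policy" `
    -ProtectAuthenticatedVoiceMail Private `
    -ProtectUnauthenticatedVoiceMail Private `
    -RequireProtectedPlayOnPhone $true `
    -ProtectedVoiceMailText "This voicemail is protected and cannot be forwarded."

# What is now in force
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority -AutoSize
Get-OutlookProtectionRule |
    Format-Table Name, FromDepartment, SentToScope, ApplyRightsProtectionTemplate -AutoSize
```

The transport rules only protect what the hub can see: a sender who has already applied a template in Outlook, or a protected attachment, is re-wrapped only if transport decryption (covered later in the deck) is enabled, so test both the clear-text and the pre-protected case when rolling these out.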

Exchange 2010 RMS Integration
Customer Ask #3: Integrate seamlessly with IT infrastructure
  Enable e-discovery: support in-the-clear archival of RMS-protected e-mails
  Allow scanning of protected e-mails: ability to scan RMS-protected e-mails in transport; ability to modify RMS-protected e-mails in transport

Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration
  Enables e-discovery via journal report decryption
  Enables anti-malware and other scenarios (such as adding a disclaimer) at hub transport via transport decryption and re-encryption

Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Journal Report Decryption
  Journal Report Decryption Agent attaches clear-text copies of RMS-protected e-mails and attachments to the journal report delivered to the archive/journal mailbox
  Requires superuser privileges
  Feature is off by default

demo

Exchange Journal Decryption

Exchange 2010 RMS Integration
Seamless IT Infrastructure Integration: Transport Pipeline Decryption
  Enables Hub Transport agents to scan/modify RMS-protected e-mails
  Pipeline Decryption Agent uses superuser privileges to decrypt e-mail and attachments
  Encryption Agent re-encrypts messages
  Option to NDR messages that cannot be decrypted
  All AD RMS integration agents are

demo
Exchange Transport Decryption and Re-Encryption

Exchange 2010 RMS Integration: Summary
Exchange RMS integration features require the AD RMS Server Role in WS2008 R2, or WS2008 SP2 + KB973247
  Streamline end-user experience: consume and publish RMS-protected e-mails in OWA; search RMS-protected e-mails in OWA
  Enable automatic protection: through transport rules; through Outlook protection rules; through Unified Messaging (voicemails)
  Integrate seamlessly with IT infrastructure: in-the-clear archival of RMS-protected e-mails; ability to scan and modify RMS-protected e-mails in transport
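Added example (not from the deck): enabling the server-side pieces summarized above (OWA/CAS consumption, search, journal report decryption, transport decryption) with Set-IRMConfiguration in the Exchange 2010 Management Shell, scoped so that only a pilot set of mailboxes gets OWA IRM as the deck's OWA slide recommends. The addresses, the OWA mailbox policy name and the journal recipient are assumptions; the AD RMS-side prerequisites in the header comment are the documented ones and are performed by the AD RMS administrator, not by this script.

```powershell
# Added example, not from the deck. Exchange 2010 Management Shell.
# Assumed names: alice@contoso.com, OWA mailbox policy "IRM pilot",
# journal@contoso.com, finance@contoso.com.
#
# Done on the AD RMS side first (documented prerequisites, not shown here):
#  - the Exchange federated delivery mailbox is a member of the AD RMS super users
#    group; the CAS, journal report decryption and transport decryption all
#    decrypt with that identity
#  - the Exchange Servers group has Read & Execute on the cluster's ServerCertification.asmx

# Master switch for Exchange-to-AD RMS licensing inside the organization
Set-IRMConfiguration -InternalLicensingEnabled $true

# Customer ask #1: OWA consumption/publishing and full-text search of protected mail.
# The org-wide switch goes on; exposure is then scoped per OWA mailbox policy, which
# is the deck's mitigation for rights enforcement happening inside a browser.
Set-IRMConfiguration -ClientAccessServerEnabled $true -SearchEnabled $true
New-OwaMailboxPolicy -Name "IRM pilot"
Set-OwaMailboxPolicy -Identity "IRM pilot" -IRMEnabled $true
Set-CASMailbox -Identity alice@contoso.com -OwaMailboxPolicy "IRM pilot"

# Customer ask #3, e-discovery: journal report decryption is off by default. Once on,
# the journaling mailbox holds clear-text copies of protected mail and attachments,
# so it becomes the most sensitive mailbox in the organization: restrict and audit it.
Set-IRMConfiguration -JournalReportDecryptionEnabled $true
New-JournalRule -Name "Journal Finance" `
    -JournalEmailAddress journal@contoso.com `
    -Recipient finance@contoso.com `
    -Scope Global `
    -Enabled $true

# Customer ask #3, transport: decrypt in the hub transport pipeline so anti-malware
# and disclaimer agents see content; the encryption agent re-protects before delivery.
#   Optional  -> a message that cannot be decrypted is delivered protected and unscanned
#   Mandatory -> a message that cannot be decrypted is NDR'd (the deck's "option to NDR")
Set-IRMConfiguration -TransportDecryptionSetting Mandatory

# Verify: configuration as stored, then an end-to-end licensing test for one sender
Get-IRMConfiguration
Test-IRMConfiguration -Sender alice@contoso.com
```

Mandatory is the safer default for a mail flow that must be scanned, because Optional silently lets unscannable protected messages through; the cost is that mail protected by a cluster your super user cannot license for (for example a partner's cluster without a trust) will bounce.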

AD RMS Bulk Protection Tool
Customer Ask: Bulk decryption tool
  Recover RMS-protected documents
  Help in e-discovery efforts

AD RMS Bulk Protection Tool: Details
  Command line tool
  Bulk decryption: e-discovery of content for litigation/audit purposes
  Bulk encryption: safeguard existing sensitive information; can be integrated with WS2008 R2 File Classification Infrastructure (FCI) to classify and automatically RMS-protect files on the file server

AD RMS Bulk Protection Tool: Details
  Supported file formats: Office 2003 and above (Word, Excel, PowerPoint); XPS; extensible to other file formats via IRM protector implementation
  Bulk decryption also available for items within Outlook PSTs (requires Outlook 2007)
  Supported on XP/WS2003 and above
  Requires RMS Client v1 SP2 and .NET

AD RMS Bulk Protection Tool with WS2008 R2 FCI

[Figure: a WS2008 R2 file server running FCI Classify and a File Management Task "AD RMS Protect"; steps numbered 1 to 5 as below.]
1. User creates a file marketing.docx on a Windows Server 2008 R2 file server
2. File Classification Infrastructure (FCI) classifies the file as sensitive based on content analysis (keyword/RegEx) and/or folder location (e.g., Business Impact = High)
3. Automated File Management Task invokes the AD RMS Bulk Protection Tool to automatically RMS-protect the file (restrict access to Full-Time Employees only)
4. A Full Time Employee can access marketing.docx
5. A malicious user getting access to the file through an unintentional leak is not able to access the file content

demo
AD RMS Bulk Protection Tool with WS2008 R2 FCI

Partner Solution: RSA DLP
Automatic Protection For Datacenters and Endpoints
  Integrated solution to discover and automatically RMS-protect sensitive data on endpoints and in the datacenter
  Requirements
    RSA DLP 6.5 and above (RSA DLP Datacenter and RSA DLP Endpoint Discover products)
    AD RMS Server Role in WS2008 and above

Partner Solution: RSA DLP
How The Integration Works
1. AD RMS admin creates AD RMS templates for data protection (in the figure, an Intellectual Property (IP) template: R&D department View, Edit, Print; Marketing department View; Others No Access)
2. RSA DLP admin selects/creates policies to find sensitive data and protect it using AD RMS (IP policy: find IP documents, apply the IP AD RMS template)
3. RSA DLP discovers and classifies sensitive files on endpoints (laptops/desktops), file shares and SharePoint, and applies AD RMS protection based on policy
4. Users request files; AD RMS provides identity-based access


More Information
AD RMS TechNet TechCenter [Link] and Documentation
Roadmap [Link]
Exchange 2010 and AD RMS Integration [Link]
AD RMS Bulk Protection Tool Download [Link]
WS2008 R2 FCI Website [Link]
RSA DLP Website [Link]
MSIT Deployment
AD RMS Deployment [Link]
FCI and AD RMS Bulk Protection Tool Deployment [Link]
RSA DLP and AD RMS Deployment [Link]

Blogs
AD RMS Product Team Blog [Link]
Jason Tyler Blog [Link]
(Jason is a Senior Support Escalation Engineer for AD RMS)

Q&A

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S.
and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
