Presentation is loading. Please wait.

Presentation is loading. Please wait.

What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk.

Published byRandolph Goodwin Modified over 8 years ago

Similar presentations

Presentation on theme: "What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk."— Presentation transcript:

1

2

3

4

5 What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk

6 ClassificationAccess controlAuditing Rights Management Services protection Dynamic Access Control 6 Identifies data Classifies files automatically and manually Controls access to files Provides central access policies for an organization-wide safety net Audits access to files Provides central audit policies for compliance reporting and forensic analysis Applies RMS encryption Reduces information leaks

7 ClassificationAccess controlAuditing Rights Management Services protection Files inherit classification tags from parent folder File owners tag files manually Files are tagged automatically Files are tagged by applications Central access policies are based on classification Access conditions for user claims, device claims, and file tags are based on expressions Assistance is available for denial of access Central audit policies can be applied across multiple file servers Audits for user claims, device claims, and file tags are based on expressions Audits can be staged to simulate policy changes in a real environment Automatic Rights Management Services (RMS) protection is available for Microsoft Office documents Protection is in near-real– time when a file is tagged RMS protection extends to files not created in Microsoft Office Dynamic Access Control 7

8

9 Identify and classify information 9 Create or modify file Determine classification Save classification In-box content classifier Third-party classification plug-in Location Manual Contextual Application

10 Resource claims build on users and groups 10 User redmond\jsmith / S-1-5-21-12345-12345-12345 Groups MktgFTE / S-1-5-21-23456-23456-23456-23456-23456 RemoteAccess / S-1-5-21-34567-34567-34567-34567 High-PII / S-1-5-21-45678-45678-45678-45678 Viewed using “whoami /claims” from the command line Derived from property values and issued as part of the token received at logon Consumed during authorization events Claims “Department” Dept_4329617375String“Mktg” “Country” Country_54927768String“US”

11 User claims User.Department = Finance User.Clearance = High Access policy For access to financial information that has high business impact, a user must be a finance department employee with a high security clearance, and must use a managed device registered with the finance department. Device claims Device.Department = Finance Device.Managed = True Resource properties Resource.Department = Finance Resource.Impact = High Active Directory Domain Services Expression-based access rules 11 File server

12

13 Active Directory Domain Services Characteristics Composed of central access rules Applied to file servers through Group Policy objects Supplement (i.e. do not replace) native file and folder access control lists from New Technology File System (NTFS) Central access policies 13 Corporate file servers Personally identifiable information policy Finance policy User folders Finance folders Organizational policies High business impact Personally identifiable information High business impact policy Finance department policies High business impact Personally identifiable information Finance

14 Active Directory Domain Services Create claim definitions Create file property definitions Create central access policy Group Policy Send central access policies to file servers File Server Apply access policy to the shared folder Identify information User’s computer User tries to access information Central access policy workflow 14 Active Directory Domain Services User File server Allow or deny Claim definitions Audit policy File property definitions

15 Organization-wide authorization Departmental authorization Specific data management Need-to-know Getting started with access policies 15

16 Access-denied assistance 16 On a computer running the Windows 8 operating system, Windows retrieves access information from the File Server Resource Manager and displays a message with access remediation options. If remediation options include a link for requesting access, the user can request access to the file. Alternatively, users can request access help through email. After the user satisfies access requirements, the user’s claims are updated and the user can access the file. File server 1 2 3 User Active Directory Domain Services

17

18 Security auditing 18 18 Active Directory Domain Services Create claim types Create resource properties Group Policy Create global audit policy File Server Select and apply resource properties to the shared folders User’s computer User tries to access information Active Directory Domain Services User File server Allow or deny Claim definitions Audit policy File property definitions

19 Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business Audit all vendors when they try to access documents related to projects that they are not working on Audit policy examples 19 Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project.

20

21 Claim definitions, file property definitions, and access policies are established in Active Directory Domain Controller. A user creates a file with the word “confidential” in the text and saves it. The classification engine classifies the file as high-impact according to rules configured. On the file server, a rule automatically applies RMS protection to any file classified as high-impact. The RMS template and encryption are applied to the file on the file server and the file is encrypted. Classification-based encryption process 21 1 2 3 File server RMS server Classification engine 4 User Active Directory Domain Services

22

23

24 ClassificationAccess controlAuditing Rights Management Services protection Dynamic Access Control: Benefits 24 Identifies data Classifies files automatically and manually Controls access to files Provides central access policies for an organization-wide safety net Audits access to files Provides central audit policies for compliance reporting and forensic analysis Applies RMS encryption Reduces information leaks

25

26 Easily resolve end-user permission issues Centrally manage access control from Active Directory Pre-stage and simulate the effect of changes to access policy Automatically identify and classify data based on content Central access policies File access audit Integration with Active Directory Rights Management Services File Classification Infrastructure Policy-driven access to data with Dynamic Access Control 26

Download ppt "What is the problem we are trying to solve? Users want to work anywhere on any device IT needs to retain control and manage risk."

Similar presentations

The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC.

AD for Windows 2012 Deeper Dive - Dynamic Access Control and Domain Controller Cloning JONATHAN CORE – DOMAIN CONTROLLER CLONING KEITH BREWER – DYNAMIC.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;

? ? AreaPropertiesValues Information Privacy Personally Identifiable InformationHigh; Moderate; Low; Public; Not PII Protected Health InformationHigh;
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware decision.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.

? ? 63K confirmed security incidents for 2013 w/ 1,367 confirmed data breaches. Over 40% targeted at server assets. 73% of enterprise IT hardware.
Understanding Active Directory

Understanding Active Directory
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
Upgrading the Platform - How to Get There!

Upgrading the Platform - How to Get There!

Similar presentations

Ads by Google