Overview of Access and Information Protection


1 Overview of Access and Information Protection
Module 1: Overview of Access and Information Protection
Presentation: 60 minutes
Lab: 30 minutes

After completing this module, students will be able to:
- Describe Access and Information Protection (AIP) solutions in business.
- Describe Access and Information Protection solutions in the Windows Server 2012 operating system.
- Describe Microsoft Forefront Identity Manager (FIM) 2010.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_01.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, not all of the features of the slides might display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that each one covers. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it will also help guide your lecture to ensure that you cover the concepts that the labs cover.

2 Module Overview (10969A)
- Overview of FIM 2010 R2

Instructor notes: This is an introductory module. Its main purpose is to introduce students to the concepts of identity management and the related technologies and products. Try to teach this module as a discussion and a refresher.

3 Lesson 1: Introduction to Access and Information Protection Solutions in Business
- Discussion: How Do You Manage Identities in Your Organization?

Instructor notes: Although most of this information should be familiar to students, it is important to set the stage for the role of Active Directory Domain Services (AD DS) and to clarify the terminology, components, and processes associated with AIP.

4 What Is Identity?
Identity: a set of data that uniquely describes a person or an object (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities.
- Identities are saved in an identity store known as a directory database
- In AD DS, identities are called security principals
- In AD DS, identities are represented uniquely by the SID
- Identities are used mainly to access resources

Instructor notes: Define identity. Before you do that, ask students to tell you their definition of identity. After you define identity, discuss identity stores with a focus on AD DS. However, make sure that you mention other examples of identity stores, such as Active Directory Lightweight Directory Services (AD LDS), Novell directory store, Oracle eDirectory, etc.

5 What Is Authentication?
Authentication is the process that verifies a user's identity through credentials. At least two components are required.
Two types of authentication:
- Local (interactive) logon: authentication for logon to the local computer
- Remote (network) logon: authentication for access to resources on another computer
Stand-alone authentication: users are authorized by the local SAM
Joining the computer to the domain

Instructor notes: Define the authentication process. Use some real-life examples to support and discuss the different types of authentication, such as local and remote. Also, discuss authentication on a local computer and describe what it means to join the domain.

6 What Is Authorization?
Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource.
Three components are required for authorization:
- Resource
- Access request
- Security token
Windows Server 2012 also introduces DAC as a new form of authorization.

Instructor notes: Define authorization. Discuss how the process works, using a shared folder as an example. Briefly mention Dynamic Access Control (DAC), but do not go into details.

7 Overview of AD DS and Access and Information Protection
An AIP infrastructure should:
- Store information about users, groups, computers and other identities
- Authenticate an identity (Kerberos authentication used in an Active Directory domain provides SSO, so users authenticate only once)
- Control access
- Provide an audit trail

Instructor notes: Discuss the main concepts of Access and Information Protection management.

8 The Business Case for Access and Information Protection Control
AIP offers the following solutions:
- Reduce the information access workload
- Increase operational security
- Enable secure cross-organization collaboration
- Protect intellectual property

Instructor notes: This topic should address the challenges that students likely will face in their environments. Try to involve students at the beginning of the topic to understand some of the challenges around AIP. For example:
- Are students spending a lot of time troubleshooting access issues?
- Are students finding it difficult to collaborate with partners because they do not have an AIP solution in place?
- How are students sending confidential information to others in their company (or to partners)?
- How much confidential data is stored in user mailboxes?

9 AIP Management Solutions
Features of AIP management solutions include:
- Maintaining multiple identity stores in an organization
- Determining the current and authoritative identity information
- Provisioning and deprovisioning user accounts
- Authenticating and authorizing users
- Securing shared information
- Securing collaboration between partners and vendors
- Securing access to and distribution of sensitive data

Instructor notes: This is an important topic. You should identify the main benefits of having an AIP management solution. Explain these main points and prepare to discuss them right after this topic.

10 Discussion: How Do You Manage Identities in Your Organization?
- What AIP technologies are you currently running in your organization?
- What business enhancements do your AIP technologies provide?
- What risks does your business currently face that AIP could help to mitigate?
- How can AIP solutions simplify IT operations?
- How do AIP solutions change how people access enterprise resources?

Instructor notes:
Question: What AIP technologies are you currently running in your organization?
Answer: It starts with the receptionist, who serves as an AIP component to identify visitors, determine access requirements, and grant access.
Question: What business enhancements do your AIP technologies provide?
Answer: Possible enhancements include tighter security, the ability to meet compliance requirements, and a reduction in operational overhead by simplifying the management of multiple authentication repositories.
Question: What risks does your business currently face that AIP could help to mitigate?
Answer: Possible risks include the inability to identify who has access to what, inefficient employee termination processes, and authentication repositories with mismatched information.
Question: How can AIP solutions simplify IT operations?
Answer: AIP solutions simplify IT operations by centralizing access management and providing flexible technologies to manage various systems.
(More notes on the next slide)

11 Discussion: How Do You Manage Identities in Your Organization? (continued)
Question: How do AIP solutions change how people access enterprise resources?
Answer: AIP solutions can provide people with an SSO experience, which allows them to access resources in the same way from multiple devices.

12 Lesson 2: Overview of AIP Solutions in Windows Server 2012
- Overview of Workplace Join

13 Identity Management in Windows Server 2012
Windows Server 2012 provides several roles and functionalities for AIP management:
- AD CS
- AD RMS
- AD FS
- AD LDS
- DAC
- Workplace Join (Windows Server 2012 R2)
Server roles work together to provide full AIP functionality.

14 Overview of AD CS
- AD CS provides services for creating, managing, and distributing digital certificates
- Digital certificates are distributed to users and computers and are used to secure communications
- Certificates can be issued in various ways

Instructor notes: Introduce Active Directory Certificate Services (AD CS).

15 Overview of AD RMS
Major functional uses of AD RMS include the following:
- Provides business-level encryption of information
- Enables information protection while in use
- Allows for simple mapping of business classifications
- Provides offline use without requiring network access by users for particular amounts of time
- Provides full auditing of access to documents and enables business users to make changes to usage rights

Instructor notes: Discuss the key points related to Information Rights Management. Ask students how they protect information within their current environment. Likely, they will answer access control lists and permissions, and if they do, ask them what would happen if an employee emails a confidential document to someone outside of the company. Provide examples of the protection provided by Active Directory Rights Management Services (AD RMS). For example, an employee wants to send an email to the entire company with highlights of the quarterly results but does not want that information to be forwarded, copied, or printed. AD RMS works with rights management-enabled applications such as Microsoft Office and Windows Internet Explorer, and it includes a set of core application programming interfaces (APIs) that developers can use to write code for their own rights management-enabled applications or to add rights management functionality to existing applications. Mention that students can use AD RMS with Active Directory Federation Services (AD FS). AD RMS relies on a Secure Sockets Layer (SSL) certificate, which can help students associate some of the roles together. More details on tying roles together are discussed later in this course.

16 Overview of AD FS
AD FS can be summarized as follows:
- AD FS is an identity access solution
- AD FS provides browser-based SSO
- AD FS can interact with other SAML 2.0 and WS-* providers
AD FS enhancements in Windows Server include:
- DAC integration
- Improved installation experience
- Enhanced Windows PowerShell cmdlets
- Workplace Join
- Multifactor authentication
- Multifactor access control

Instructor notes: Discuss the key points related to federated identity and the benefits of using it as outlined in the student workbook. Ask students to provide examples of where they can use AD FS within their environments. Point out that in a business-to-business scenario, both organizations stay autonomous in the management of their respective users and resources. Mention that AD FS is more tightly integrated with Microsoft Office SharePoint Services (web single sign-on (SSO) authentication) and also with the AD RMS component of Windows Server 2012 (content access management between partners), as mentioned in the student workbook. At the end, briefly discuss the new features in Windows Server 2012 and Windows Server 2012 R2.

17 Overview of AD LDS
AD LDS:
- Provides directory service for applications
- Allows data synchronization with AD DS
- Allows storage of application data
- Can run on Windows-based desktop operating systems

Instructor notes: Ask students to provide examples of instances where they can use AD LDS within their environments. Their answers might include web portal applications, customer relationship management systems, Human Resources (HR) databases, or the Microsoft Exchange Server Edge Transport server role. Mention that if an organization has AD DS and multiple instances of AD LDS, then FIM might help maintain and consolidate the directories; this is introduced in the next lesson. Explain to students that AD LDS is basically a simplified version of AD DS that supports many of the features of AD DS, such as multimaster replication, application directory partitions, Lightweight Directory Access Protocol over SSL access, and the Active Directory Service Interfaces API. Also, explain that it does not store Windows security principals such as domain user and computer accounts, domains, global catalogs, or Group Policy. That is, AD LDS gives you all the benefits of having a directory but none of the features for managing resources on a network.

18 Overview of Windows Azure Active Directory
Windows Azure AD is a cloud-based service that provides identity management and access control capabilities for other cloud-based applications.
Windows Azure AD functionalities:
- Access control for applications
- Integration with on-premises AD DS
- SSO for cloud-based applications
- Enabling social connections in the enterprise

Instructor notes: Define Windows Azure Active Directory (AD) and its main features and benefits. Do not spend much time on this technology, as another module will cover it in more detail.

19 Overview of DAC
- DAC is a new security mechanism for resource access control in Windows Server 2012
- DAC uses claims and properties together with expressions to control access
DAC provides:
- Data classification
- Access control to files
- Auditing of file access
- Optional Rights Management Services protection integration

Instructor notes: Briefly introduce DAC. This technology will be discussed in more detail later, so do not go into detail here. It is important that you describe the way DAC enhances access management.
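The authorization slide above names three inputs (resource, access request, security token) and the DAC slide adds claims, resource properties and expressions. As an added example that is not part of the 10969A course materials, the following Python model walks a DACL the way Windows does and evaluates one DAC-style conditional ACE; the well-known Everyone SID is real, while the other SIDs, the file name, the group names and the claim values are constructed.

```python
from dataclasses import dataclass, field

READ, WRITE, DELETE = 0x1, 0x2, 0x4   # small subset of the Windows access mask
EVERYONE = "S-1-1-0"                  # well-known SID for the Everyone group

@dataclass
class Token:
    """Security token: who is asking (user SID, group SIDs, DAC user claims)."""
    sid: str
    groups: frozenset
    claims: dict = field(default_factory=dict)

    def principals(self):
        return {self.sid} | set(self.groups)

@dataclass
class Ace:
    """One DACL entry; `condition` is an optional DAC expression over (token, resource)."""
    kind: str                 # "allow" or "deny"
    trustee: str              # SID this ACE applies to
    mask: int                 # rights this ACE allows or denies
    condition: object = None  # callable(token, resource) -> bool, or None

@dataclass
class Resource:
    """The resource: its DACL plus DAC resource properties (e.g. Department)."""
    name: str
    dacl: list
    properties: dict = field(default_factory=dict)

def claim_any_of_property(claim, prop):
    """Builds the DAC expression '@USER.<claim> Any_of @RESOURCE.<prop>'."""
    def expr(token, resource):
        return token.claims.get(claim) in resource.properties.get(prop, ())
    return expr

def access_check(token, resource, requested):
    """Windows-style DACL walk; returns (granted, reason). A matching deny ACE ends
    the check, allow ACEs accumulate rights until every requested right is granted."""
    remaining = requested
    for ace in resource.dacl:
        if ace.trustee not in token.principals():
            continue  # ACE is for another principal
        if ace.condition is not None and not ace.condition(token, resource):
            continue  # conditional ACE whose claim expression did not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "every requested right allowed"
    return False, "no ACE grants the remaining rights"

# Constructed sample data; the S-1-5-21-... SIDs are made up, not from a real domain
FINANCE_GROUP = "S-1-5-21-1000-2000-3000-1104"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1105"

QUARTERLY_RESULTS = Resource(
    name="Q3-results.docx",
    properties={"Department": {"Finance"}},  # DAC resource property
    dacl=[
        Ace("deny", CONTRACTORS, WRITE | DELETE),  # deny ACEs precede allow ACEs
        Ace("allow", EVERYONE, READ, condition=claim_any_of_property("Department", "Department")),
        Ace("allow", FINANCE_GROUP, READ | WRITE),
    ],
)

alice = Token("S-1-5-21-1000-2000-3000-1200", frozenset({EVERYONE, FINANCE_GROUP}), {"Department": "Finance"})
bob = Token("S-1-5-21-1000-2000-3000-1201", frozenset({EVERYONE}), {"Department": "Sales"})
carol = Token("S-1-5-21-1000-2000-3000-1202", frozenset({EVERYONE, FINANCE_GROUP, CONTRACTORS}), {"Department": "Finance"})

if __name__ == "__main__":
    for who, want in ((alice, READ), (bob, READ), (alice, WRITE), (carol, WRITE)):
        print(who.sid, hex(want), access_check(who, QUARTERLY_RESULTS, want))
```

Bob is refused read access even though Everyone is allowed, because the conditional ACE requires his Department claim to match the resource property; Carol is refused write access by the deny ACE before her Finance group membership is ever consulted.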

20 Overview of Workplace Join
- Workplace Join enhances the BYOD concept
- Users can operate their private devices in your AD DS
- Users can use their workplace-joined devices to access company resources with an SSO experience
- DRS uses Windows Server 2012 R2 for this technology
- Workplace Join is supported only on Windows Server 2012 R2, Windows 8.1, and iOS-based devices

Instructor notes: Describe the Workplace Join technology. Be sure to explain the main difference between domain-joined and workplace-joined devices. Emphasize that this is specific to Windows Server 2012 R2, Windows 8.1, and iOS-based devices.

21 Lesson 3: Overview of FIM 2010 R2
- Discussion: Business Scenarios for FIM Usage

Instructor notes: Most students probably will not have much knowledge about FIM. Make sure that you do not go into too much technical detail, as that is not the purpose of this lesson. Try to focus more on explaining the main functionalities, and define some good business examples where using FIM is appropriate.

22 What Is FIM?
- Certificate and smart card management
- Password management
- Automated provisioning
- Directory synchronization
- Metadirectory services and user (de)provisioning

Instructor notes: Define FIM and discuss the main FIM components and functionalities.

23 FIM Directory Synchronization
[Diagram of the identity synchronization flow. Labels: Connected Data Source, Employee, Person, HR Management Agent, AD Management Agent, FIM Management Agent, Connector Space, Metaverse, User, FIM Service]

Instructor notes: This topic focuses on one of the main FIM functionalities, identity synchronization. Define and explain the main components that are involved in that process.

24 Managing Identities with FIM
User Provisioning and User Management:
- SharePoint-based portal
- Automated, codeless user provisioning and deprovisioning
- Self-service management
Group Management:
- Rich group management capabilities
- Offline group membership approvals
- Manual, manager-based, and criteria-based group membership

Instructor notes: Discuss some of the past difficulties associated with automated user provisioning, particularly the custom code and development requirements that many administrators were not comfortable with. Now, codeless provisioning can simplify a typical corporate process. A common scenario is the hiring process for a new employee: HR creates the new employee in the HR database, FIM synchronizes the HR database with AD DS, and the new employee is provisioned in AD DS.
Ask students how much time they spend on the following user management tasks:
- Resetting user passwords
- Unlocking user accounts
- Updating user information in AD DS, such as phone numbers, office locations, and so on
Group management in FIM focuses on self-service. Ask students how much time and effort IT puts into the following group management tasks:
- Adding members
- Removing members
- Creating new groups
- Verifying membership information (for example, is John in Group123?)
Ask students if they use dynamic distribution groups. Have students envision how things might improve if the majority of group management were offloaded to users by using a self-service portal and the FIM Outlook add-in feature. Remember, this is about providing employees with tools to be more efficient, while enabling administrators to work on more interesting tasks and projects.

25 Managing Certificates and Smart Cards with FIM
FIM CM provides full management for certificates and smart cards, and lets you manage tasks such as:
- Enrollment
- Renewal
- Unblocking
- Disabling
- Suspending
- Updating

Instructor notes: Discuss the capabilities of the FIM CM components. Emphasize that FIM CM does not have public key infrastructure (PKI) functionality within itself, but serves as an extension to the existing PKI and provides the ability to manage certificates and smart cards with workflows and role-based access control.

26 Discussion: Business Scenarios for FIM Usage
- Do you use any identity management solution?
- Do you have the need for identity management?
- In which scenarios are common identities not appropriate?
- What are some real-world examples of using identity management?

Instructor notes: Discuss with students some of the most common business scenarios for identity management. Use the questions from the slide to open the discussion, but also allow students to ask their own questions. Provide some real-life examples of identity management. For example, you can use a scenario where HR is using a third-party application to manage employees. That application can connect to AD DS to provision user data by using FIM. After a user is provisioned in AD DS from FIM, another workflow can begin for a smart card. When some of the user data changes (for example, a last name change), HR employees make the change in the HR application, and the change synchronizes to AD DS again by using FIM.
Question: Do you use any identity management solution?
Answer: Answers may vary.
Question: Do you have the need for identity management? In which scenarios are common identities not appropriate?
Answer: If you have applications or systems where you specifically want to have separate identities from your main directory.
Question: What are some real-world examples of using identity management?
Answer: A real-world example would be a heterogeneous system with Microsoft and non-Microsoft directory services implemented, where you want to centralize user provisioning and deprovisioning in such a way that when a user is created in AD DS, it is automatically provisioned into the other systems.

27 Lab: Choosing an Appropriate Access and Information Protection Management Solution
Exercise 1: Analyze the Lab Scenario and Identify Business Requirements
You must analyze the requirements from A. Datum's management listed in the lab scenario.
Exercise 2: Propose a Solution
After you have analyzed and identified the business requirements, you have to propose the appropriate products and technologies that can address A. Datum's issues and requirements.
Logon Information: There are no virtual machines in this lab.
Estimated Time: 30 minutes

Instructor notes: This is a paper/discussion-based lab. Give students some time to read and analyze the scenario, and then start a discussion.

28 Lab Scenario
You are working as a system administrator for A. Datum Corporation. As part of your job, you need to understand how to use AD DS to secure the company's data and infrastructure. Management wants to ensure the protection of A. Datum's IT infrastructure by using the most secure method of authentication and authorization. Currently, A. Datum uses passwords to protect its accounts, but that has proven to be insecure in some cases. Management also requests that you prevent unauthorized personnel from being able to read Microsoft Office documents. Specifically, they want to make business-critical documents inaccessible if the documents leave the company in any way, such as in email or on a USB flash drive. It is critical that only authorized personnel can access these documents. Also, management would like to consider digital signatures on documents. A. Datum recently has partnered with Contoso, Ltd. Contoso needs access to A. Datum's web applications, but wants to ensure that its users can continue to use their current AD DS user accounts. The web team at A. Datum has explained that they can make the web applications claims-aware.

29 Lab Scenario (continued)
A. Datum has expressed concern for developer efficiency. Developers currently use a development instance of AD DS and have noted that they are often waiting for IT; instead, they need the ability to manage their own directory services for development. In addition, developers need a technology to help them separate identity logic from their current applications. Developers also are using iOS-based devices for testing and development, and they need the ability to access company resources securely from these devices. HR maintains its own database that contains much of the same information that exists in AD DS. However, some of the information in the HR database conflicts with the information in the AD DS database; the two should synchronize so that the information is consistent across both databases. Management requests that you determine the Windows Server roles and available AIP solutions to address the organization's current issues.

30 Lab Review
There are no review questions for this lab.

31 Module Review and Takeaways
Review Questions
Question: What are the five server roles that support AIP solutions?
Answer: These roles include AD DS, AD CS, AD FS, AD RMS and AD LDS.
Question: What technology can help you to simplify and automate user provisioning?
Answer: FIM components.
Question: What server role and technology are required to implement and manage smart cards?
Answer: You need to have AD CS and FIM 2010 R2.
Best Practice:
- Clearly define your business requirements.
- Identify which roles and solutions will best meet business needs.
- Thoroughly test the proposed solution before implementing any AIP solutions.

