Microsoft ® Official Course Module 1 Overview of Access and Information Protection

Upload: erika-jefferson, posted 11-Jan-2016

Page 1: Microsoft ® Official Course Module 1 Overview of Access and Information Protection

Microsoft® Official Course

Module 1: Overview of Access and Information Protection

Page 2

Module Overview

• Introduction to Access and Information Protection Solutions in Business
• Overview of AIP Solutions in Windows Server 2012
• Overview of FIM 2010 R2

Page 3

Lesson 1: Introduction to Access and Information Protection Solutions in Business

• What Is Identity?
• What Is Authentication?
• What Is Authorization?
• Overview of AD DS and Access and Information Protection
• The Business Case for Access and Information Protection Control
• AIP Management Solutions
• Discussion: How Do You Manage Identities in Your Organization?

Page 4

What Is Identity?

Identity. A set of data that uniquely describes a person or an object (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities:

• Identities are saved in an identity store known as a directory database
• In AD DS, identities are called security principals
• In AD DS, each identity is represented uniquely by its SID (security identifier)
• Identities are used mainly to access resources

Page 5

What Is Authentication?

Authentication is the process that verifies a user's identity through:

• Credentials. At least two components are required (for example, a user name and a password)
• Two types of authentication:
  • Local (interactive) logon: authentication for logon to the local computer
  • Remote (network) logon: authentication for access to resources on another computer
• Stand-alone authentication: users are validated against the local SAM database
• Joining the computer to the domain

Page 6

What Is Authorization?

Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource

Three components are required for authorization:
• Resource
• Access request
• Security token

Windows Server 2012 also introduces DAC (Dynamic Access Control) as a new form of authorization

Page 7

Overview of AD DS and Access and Information Protection

An AIP infrastructure should:
• Store information about users, groups, computers, and other identities
• Authenticate an identity; Kerberos authentication used in an Active Directory domain provides SSO, so users authenticate only once
• Control access
• Provide an audit trail

Page 8

The Business Case for Access and Information Protection Control

AIP offers the following solutions:
• Reduce the information access workload
• Increase operational security
• Enable secure cross-organization collaboration
• Protect intellectual property

Page 9

AIP Management Solutions

Features of AIP management solutions include:
• Maintaining multiple identity stores in an organization
• Determining the current and authoritative identity information
• Provisioning and deprovisioning user accounts
• Authenticating and authorizing users
• Securing shared information
• Securing collaboration between partners and vendors
• Securing access to and distribution of sensitive data

Page 10

Discussion: How Do You Manage Identities in Your Organization?

• What AIP technologies are you currently running in your organization?
• What business enhancements do your AIP technologies provide?
• What risks does your business currently face that AIP could help to mitigate?
• How can AIP solutions simplify IT operations?
• How do AIP solutions change how people access enterprise resources?

Page 11

Lesson 2: Overview of AIP Solutions in Windows Server 2012

• Identity Management in Windows Server 2012
• Overview of AD CS
• Overview of AD RMS
• Overview of AD FS
• Overview of AD LDS
• Overview of Windows Azure Active Directory
• Overview of DAC
• Overview of Workplace Join

Page 12

Identity Management in Windows Server 2012

Windows Server 2012 provides several roles and functionalities for AIP management:

• AD CS

• AD RMS

• AD FS

• AD LDS

• DAC

• Workplace Join

• Windows Server 2012 R2

Server roles work together to provide full AIP functionality

Page 13

Overview of AD CS

• AD CS provides services for creating, managing, and distributing digital certificates
• Digital certificates are distributed to users and computers and are used to secure communications
• Certificates can be issued in various ways

Page 14

Overview of AD RMS

Major functional uses of AD RMS include the following:

• Provides business-level encryption of information
• Enables information protection while the information is in use
• Allows for simple mapping of business classifications
• Provides offline use, without requiring network access by users, for a defined period of time
• Provides full auditing of access to documents and enables business users to make changes to usage rights

Page 15

Overview of AD FS

AD FS can be summarized as follows:
• AD FS is an identity access solution
• AD FS provides browser-based SSO
• AD FS can interact with other SAML 2.0 and WS-* providers

AD FS enhancements in Windows Server 2012 include:
• DAC integration
• Improved installation experience
• Enhanced Windows PowerShell cmdlets
• Workplace Join
• Multifactor authentication
• Multifactor access control
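To make concrete what "identity access solution", "browser-based SSO" and a claims-aware application mean in practice, here is an added example; it is not code from the course module or from AD FS itself. An identity provider standing in for AD FS authenticates the user once against its directory and issues a signed token carrying claims; a relying-party web application trusts that issuer and authorizes from the claims without ever handling the user's password. Real AD FS tokens are SAML or JWT documents signed with the STS's X.509 key and carried through the browser; the HMAC shared secret, the sts.adatum.example issuer URL, the urn:adatum:* audiences, the user records and the group names are constructed assumptions so the script runs stand-alone.

```python
"""Added example (not course or AD FS code): minimal claims-based SSO between an
identity provider (IdP, standing in for AD FS) and a claims-aware relying party
(RP). Real AD FS signs SAML/JWT tokens with an X.509 key; HMAC-SHA256 over a
shared secret is a constructed stand-in. All names, URLs, secrets and users are
constructed sample values."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """Stands in for AD FS in front of AD DS; `directory` is a constructed user store."""

    def __init__(self, issuer: str, signing_key: bytes, directory: dict):
        self.issuer, self.key, self.directory = issuer, signing_key, directory

    def authenticate(self, username: str, password: str):
        user = self.directory.get(username)
        if user is None:
            return None
        return user if hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"]) else None

    def issue_token(self, username: str, password: str, audience: str, lifetime: int = 300) -> str:
        """Authenticate once, then mint a claims token scoped to one relying party."""
        user = self.authenticate(username, password)
        if user is None:
            raise PermissionError("authentication failed")
        now = int(time.time())
        payload = {"iss": self.issuer, "aud": audience, "sub": username,
                   "iat": now, "exp": now + lifetime,
                   "claims": {"email": user["email"], "groups": user["groups"]}}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + _sign(self.key, body)


class RelyingParty:
    """Claims-aware web app: trusts exactly one issuer and authorizes on the claims it asserts."""

    def __init__(self, audience: str, trusted_issuer: str, issuer_key: bytes):
        self.audience, self.issuer, self.key = audience, trusted_issuer, issuer_key

    def check(self, token: str, now: Optional[int] = None) -> str:
        """Return 'ok' or the reason the token is rejected. The signature is verified
        before the payload is parsed, so nothing unauthenticated is interpreted."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(self.key, body).encode()):
            return "bad signature"
        payload = json.loads(_unb64(body))
        if payload.get("iss") != self.issuer:
            return "untrusted issuer"          # the federation trust relationship
        if payload.get("aud") != self.audience:
            return "token issued for another application"
        if (now if now is not None else int(time.time())) >= payload["exp"]:
            return "token expired"
        return "ok"

    def can_access(self, token: str, required_group: str, now: Optional[int] = None) -> bool:
        """Authorize from claims only; the app never sees the user's password."""
        if self.check(token, now) != "ok":
            return False
        payload = json.loads(_unb64(token.partition(".")[0]))
        return required_group in payload["claims"]["groups"]


# ---- constructed sample deployment: A. Datum's STS and two claims-aware apps ----
IDP_KEY = b"constructed-signing-secret-not-for-real-use"
ALICE_SALT = b"constructed-salt"
DIRECTORY = {
    "alice": {"email": "alice@adatum.example", "groups": ["Finance", "Domain Users"],
              "salt": ALICE_SALT, "pw_hash": _password_hash("correct horse", ALICE_SALT)},
}
STS = "https://sts.adatum.example/adfs"
ADATUM_IDP = IdentityProvider(STS, IDP_KEY, DIRECTORY)
EXPENSE_APP = RelyingParty("urn:adatum:expenses", STS, IDP_KEY)
PAYROLL_APP = RelyingParty("urn:adatum:payroll", STS, IDP_KEY)

if __name__ == "__main__":
    token = ADATUM_IDP.issue_token("alice", "correct horse", "urn:adatum:expenses")
    print("expenses app, Finance group:", EXPENSE_APP.can_access(token, "Finance"))
    print("payroll app, same token:", PAYROLL_APP.check(token))
    print("tampered token:", EXPENSE_APP.check("x" + token))
```

The same STS signs tokens for every relying party, so the audience check is what stops a token minted for the expense application from being replayed against payroll; the issuer check is the federation trust itself, and the short expiry bounds how long a captured token is useful. Those three checks, not the signature alone, are what makes an application "claims aware" rather than merely "token accepting".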

Page 16

Overview of AD LDS

AD LDS:
• Provides a directory service for applications
• Allows data synchronization with AD DS
• Allows storage of application data
• Can run on a Windows-based desktop operating system

Page 17

Overview of Windows Azure Active Directory

Windows Azure AD is a cloud-based service that provides identity management and access control capabilities for other cloud-based applications

Windows Azure AD functionalities:
• Access control for applications
• Integration with on-premises AD DS
• SSO for cloud-based applications
• Social connections in the enterprise

Page 18

Overview of DAC

• DAC is a new security mechanism for resource access control in Windows Server 2012
• DAC uses claims and properties together with expressions to control access
• DAC provides:
  • Data classification
  • Access control to files
  • Auditing of file access
  • Optional Rights Management Services protection integration
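An added example, not code from the course module, that puts the three components from the authorization slide (resource, access request, security token) and this slide's claims-plus-properties expressions into a single access check. The SIDs, group names, file path, claims and resource properties are constructed, and the check is a simplification of the Windows algorithm: ACEs are walked in DACL order, a matching deny ACE stops the request, and a conditional ACE is skipped unless its expression over the caller's claims and the resource's properties holds.

```python
"""Added example (not course code): a simplified Windows-style access check with
DAC conditional ACEs. SIDs, claims, file path and properties are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# Access rights as a bitmask, in the spirit of a Windows access mask.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class Token:
    """Security token: who the caller is (user SID + group SIDs) plus DAC user claims."""
    user_sid: str
    group_sids: FrozenSet[str]
    claims: Dict[str, str] = field(default_factory=dict)

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


@dataclass
class Ace:
    """Access control entry. `condition`, when set, is the DAC expression over
    (user claims, resource properties); the ACE applies only when it is true."""
    sid: str
    mask: int
    allow: bool
    condition: Optional[Callable[[dict, dict], bool]] = None


@dataclass
class Resource:
    """The resource: its DACL plus DAC resource properties (classification etc.)."""
    name: str
    acl: List[Ace]
    properties: Dict[str, str] = field(default_factory=dict)


def access_check(resource: Resource, token: Token, requested: int) -> bool:
    """Decide one access request: True only if every requested right is granted.

    Walk the DACL in order, subtract rights granted by matching allow ACEs, and
    deny as soon as a matching deny ACE covers a right not yet granted. An empty
    DACL therefore denies everything, as it does in Windows."""
    remaining = requested
    for ace in resource.acl:
        if ace.sid not in token.sids():
            continue                      # ACE names a different principal
        if ace.condition is not None and not ace.condition(token.claims, resource.properties):
            continue                      # conditional ACE does not apply to this caller/resource
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
        elif remaining & ace.mask:
            return False
    return remaining == 0


# ---- constructed sample principals and DAC expressions ------------------------
SID_EVERYONE = "S-1-1-0"                     # well-known Everyone SID
SID_FINANCE = "S-1-5-21-1000-500"            # constructed group SID
SID_CONTRACTORS = "S-1-5-21-1000-600"        # constructed group SID


def same_department(claims: dict, props: dict) -> bool:
    """DAC-style expression: User.Department Equals Resource.Department."""
    return claims.get("department") == props.get("department")


def clearance_for_classification(claims: dict, props: dict) -> bool:
    """Resources classified HBI (high business impact) require the 'high' clearance claim."""
    return props.get("classification") != "HBI" or claims.get("clearance") == "high"


BUDGET = Resource(
    name=r"\\fs01\finance\budget.xlsx",
    properties={"department": "Finance", "classification": "HBI"},
    acl=[
        Ace(SID_CONTRACTORS, READ | WRITE | DELETE, allow=False),      # explicit deny, ordered first
        Ace(SID_FINANCE, READ | WRITE, allow=True, condition=same_department),
        Ace(SID_EVERYONE, READ, allow=True, condition=clearance_for_classification),
    ],
)

ALICE = Token("S-1-5-21-1000-1", frozenset({SID_FINANCE, SID_EVERYONE}),
              {"department": "Finance", "clearance": "high"})
BOB = Token("S-1-5-21-1000-2", frozenset({SID_FINANCE, SID_CONTRACTORS, SID_EVERYONE}),
            {"department": "Finance", "clearance": "high"})
CAROL = Token("S-1-5-21-1000-3", frozenset({SID_EVERYONE}), {"department": "Legal", "clearance": "low"})
DAVE = Token("S-1-5-21-1000-4", frozenset({SID_EVERYONE}), {"department": "Legal", "clearance": "high"})


def decisions() -> Dict[str, bool]:
    """Resource BUDGET meets a requested mask (access request) and a caller's token."""
    return {
        "alice read+write": access_check(BUDGET, ALICE, READ | WRITE),  # Finance, same department
        "bob read": access_check(BUDGET, BOB, READ),                    # contractor deny beats Finance allow
        "carol read": access_check(BUDGET, CAROL, READ),                # HBI file, low clearance claim
        "dave read": access_check(BUDGET, DAVE, READ),                  # HBI file, high clearance claim
        "dave write": access_check(BUDGET, DAVE, WRITE),                # no ACE grants Everyone write
        "alice delete": access_check(BUDGET, ALICE, DELETE),            # no ACE grants delete at all
    }


if __name__ == "__main__":
    for request, granted in decisions().items():
        print(f"{request:18} -> {'granted' if granted else 'denied'}")
```

The "bob read" case shows why deny ACEs are placed first and why the token, not a single group, is what the check consults; the "carol read" and "dave read" cases show a DAC condition turning an ordinary Everyone:Read ACE into classification-aware access without touching any group membership, which is the "claims and properties together with expressions" point of the slide.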

Page 19

Overview of Workplace Join

• Workplace Join enhances the BYOD (bring your own device) concept
• Users can use their personal devices with your AD DS
• Users can use their workplace-joined devices to access company resources with an SSO experience
• The Device Registration Service (DRS) on Windows Server 2012 R2 provides this technology
• Workplace Join is supported only on Windows Server 2012 R2, Windows 8.1, and iOS-based devices

Page 20

Lesson 3: Overview of FIM 2010 R2

• What Is FIM?
• FIM Directory Synchronization
• Managing Identities with FIM
• Managing Certificates and Smart Cards with FIM
• Discussion: Business Scenarios for FIM Usage

Page 21

What Is FIM?

• Certificate and smart card management
• Password management
• Automated provisioning
• Directory synchronization
• Metadirectory services and user (de)provisioning

Page 22

FIM Directory Synchronization

[Diagram: FIM directory synchronization. Labels shown: Metaverse; Connected Data Source (Employee User); Connector Space (person); FIM Service; HR Management Agent; AD Management Agent; FIM Management Agent. Each connected data source is read by its management agent into a connector space, and connector-space objects are joined into the metaverse.]
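An added example, not code from the course module or from FIM itself, that models the parts of the diagram above in a few functions: two connected data sources (an HR database and AD DS) are imported by their management agents into connector spaces, connector-space objects are joined on a shared attribute into one metaverse entry, and attribute flow precedence decides which source wins when values conflict. That conflict is the HR-versus-AD DS situation described in the lab scenario later in the module. The records, attribute names, the employeeID join attribute and the precedence table are all constructed assumptions.

```python
"""Added example (not course or FIM code): a toy metadirectory with connector
spaces, a metaverse, attribute precedence and export/provisioning. All records,
attribute names and precedence rules are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Tuple

JOIN_ATTRIBUTE = "employeeID"

# Attribute flow precedence: per metaverse attribute, sources in order of
# authority. HR owns name and department; AD DS owns logon name and mail.
PRECEDENCE = {
    "displayName": ["HR", "AD"],
    "department": ["HR", "AD"],
    "sAMAccountName": ["AD"],
    "mail": ["AD", "HR"],
}


def import_to_connector_space(records: List[dict], attribute_map: Dict[str, str]) -> Dict[str, dict]:
    """Management agent import: copy a source's records into its connector space,
    renaming source attributes to metaverse names and keying on the join attribute."""
    cs = {}
    for rec in records:
        obj = {mv_attr: rec[src_attr] for src_attr, mv_attr in attribute_map.items() if src_attr in rec}
        cs[obj[JOIN_ATTRIBUTE]] = obj
    return cs


def synchronize(connector_spaces: Dict[str, Dict[str, dict]]) -> Tuple[dict, list]:
    """Join connector-space objects into the metaverse and apply precedence.
    Returns (metaverse, conflicts); each conflict records the attribute, the winning
    source and every source's value so an operator can see what was overridden."""
    metaverse = defaultdict(dict)
    conflicts = []
    all_ids = set().union(*(cs.keys() for cs in connector_spaces.values()))
    for emp_id in sorted(all_ids):
        entry = metaverse[emp_id]
        entry[JOIN_ATTRIBUTE] = emp_id
        for attr, sources in PRECEDENCE.items():
            values = {src: connector_spaces[src][emp_id][attr]
                      for src in sources
                      if emp_id in connector_spaces.get(src, {}) and attr in connector_spaces[src][emp_id]}
            if not values:
                continue                                   # no source knows this attribute
            winner = next(src for src in sources if src in values)
            entry[attr] = values[winner]
            if len(set(values.values())) > 1:
                conflicts.append((emp_id, attr, winner, values))
    return dict(metaverse), conflicts


def export_pending(metaverse: dict, connector_space: Dict[str, dict], exported_attrs: List[str]) -> Dict[str, dict]:
    """Export side of a management agent: metaverse values that must flow to a
    source because its copy differs (update) or the object is absent there (provision)."""
    pending = {}
    for emp_id, entry in metaverse.items():
        wanted = {a: entry[a] for a in exported_attrs if a in entry}
        current = connector_space.get(emp_id)
        if current is None:
            pending[emp_id] = {"action": "provision", "attrs": wanted}
            continue
        changes = {a: v for a, v in wanted.items() if current.get(a) != v}
        if changes:
            pending[emp_id] = {"action": "update", "attrs": changes}
    return pending


# ---- constructed sample data: the HR database and AD DS disagree ---------------
HR_RECORDS = [
    {"emp_id": "1001", "full_name": "Alice Smith", "dept": "Finance"},
    {"emp_id": "1002", "full_name": "Bob Jones", "dept": "Legal"},
    {"emp_id": "1003", "full_name": "Carol Lee", "dept": "HR"},        # hired, not yet in AD DS
]
AD_RECORDS = [
    {"employeeID": "1001", "displayName": "Alice Smith", "department": "Sales",   # stale department
     "sAMAccountName": "asmith", "mail": "asmith@adatum.example"},
    {"employeeID": "1002", "displayName": "Robert Jones", "department": "Legal",  # name differs from HR
     "sAMAccountName": "rjones", "mail": "rjones@adatum.example"},
]
HR_MAP = {"emp_id": "employeeID", "full_name": "displayName", "dept": "department"}
AD_MAP = {a: a for a in ("employeeID", "displayName", "department", "sAMAccountName", "mail")}


def run_sync():
    """One sync cycle: import both sources, build the metaverse, compute what AD DS needs."""
    spaces = {"HR": import_to_connector_space(HR_RECORDS, HR_MAP),
              "AD": import_to_connector_space(AD_RECORDS, AD_MAP)}
    metaverse, conflicts = synchronize(spaces)
    ad_exports = export_pending(metaverse, spaces["AD"], ["displayName", "department"])
    return metaverse, conflicts, ad_exports


if __name__ == "__main__":
    mv, conf, exp = run_sync()
    for emp_id, attr, winner, values in conf:
        print(f"{emp_id}.{attr}: {winner} wins over {values}")
    for emp_id, change in exp.items():
        print(f"AD DS {change['action']} {emp_id}: {change['attrs']}")
```

The precedence table is the security-relevant design decision: it says which system is authoritative for which attribute, so a change in a non-authoritative source (here, AD DS drifting to "Sales") is corrected rather than propagated, and the conflict list gives the operator an audit record of every override. Provisioning of the new HR hire into AD DS falls out of the same export pass.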

Page 23

Managing Identities with FIM

• User Provisioning
• User Management
  • SharePoint-based portal
  • Automated, codeless user provisioning and deprovisioning
  • Self-service management
• Group Management
  • Rich group management capabilities
  • Offline group membership approvals
  • Manual, manager-based, and criteria-based group membership

Page 24

Managing Certificates and Smart Cards with FIM

FIM CM provides full management for certificates and smart cards, and FIM CM lets you manage tasks such as:
• Enrollment
• Renewal
• Unblocking
• Disabling
• Suspending
• Updating

Page 25

Discussion: Business Scenarios for FIM Usage

• Do you use any identity management solution?
• Do you have the need for identity management?
• In which scenarios are common identities not appropriate?
• What are some real-world examples of using identity management?

Page 26

Lab: Choosing an Appropriate Access and Information Protection Management Solution

• Exercise 1: Analyze the Lab Scenario and Identify Business Requirements
• Exercise 2: Propose a Solution

Logon Information:

There are no virtual machines in this lab

Estimated Time: 30 minutes

Page 27

Lab Scenario

You are working as a system administrator for A. Datum Corporation. As part of your job, you need to understand how to use AD DS to secure the company's data and infrastructure. Management wants to ensure the protection of A. Datum's IT infrastructure by using the most secure method of authentication and authorization. Currently, A. Datum uses passwords to protect its accounts, but that has proven to be insecure in some cases.

Management also requests that you prevent unauthorized personnel from being able to read Microsoft Office documents. Specifically, they want to make business-critical documents inaccessible if the documents leave the company in any way, such as in email, or on a USB flash drive. It is critical that only authorized personnel can access these documents. Also, management would like to consider digital signatures on documents.

A. Datum recently has partnered with Contoso, Ltd. Contoso needs access to A. Datum’s web applications, but wants to ensure that users can continue to use their current AD DS user accounts. The web team at A. Datum has explained that they can make web applications claims aware.

Page 28

Lab Scenario (continued)

A. Datum has expressed concern for developer efficiency. Developers currently use a development instance of AD DS and have noted that they are often waiting for IT; instead, they need the ability to manage their own directory services for development. In addition, developers need a technology to help them separate identity logic from their current applications. Developers also are using iOS-based devices for testing and development, and they need to have the ability to access company resources securely from these devices.

HR maintains its own database that contains much of the same information that exists in AD DS.

However, some of the information in the HR database conflicts with the information in the AD DS database; it should synchronize so that the information is consistent throughout each database.

Management requests that you determine the Windows Server roles and available AIP solutions to address the organization’s current issues.

Page 29

Lab Review

•There are no review questions for this lab.

Page 30

Module Review and Takeaways

• Review Questions
• Best Practice