Jay Ferron, CEHi, CWSP, CISM, CISSP, CVEi, MCITP, MCT, MVP, NSA IAM
Jay@ferron.com
Blog.mir.net
Tools to use
- How do we make our job easier?
- What tools are there at low or no cost?
- What do you use today?
- What issues do you need to solve?
This is a discussion of how we can help each other and share ideas.
Tools to test the network
GFI LanGuard
- Network auditing: analyze your network centrally
- Vulnerability assessment: discover security threats early
- Patch management: fix vulnerabilities before an attack
Nessus
The versatile Nessus vulnerability scanner provides patch, configuration, and compliance auditing; mobile, malware, and botnet discovery; sensitive data identification; and many other features.
CSET 5.0
The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) by cybersecurity experts and with assistance from the National Institute of Standards and Technology (NIST). This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
InfraGard (https://www.infragard.org/)
InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.
What Is IRM?
Major functional uses of IRM:
- Provides business-level encryption of information
- Enables information protection while in use
- Allows for simple mapping of business classifications
- Provides offline use without users needing network access for particular amounts of time
- Provides full auditing of access to documents and of changes that business users make to usage rights
[Diagram: AD RMS publishing and consuming flow (steps 1-9) between the Information Author, the AD RMS Cluster, AD DS, the Database Server and the Information Recipient]
AD RMS Deployment Scenarios
AD RMS deployment scenarios:
- AD RMS in a single forest
- AD RMS licensing-only cluster in a single forest
- AD RMS in multiple forests
- AD RMS in an extranet
- AD RMS with AD FS
AD RMS Components
[Diagram: AD RMS cluster types, a root cluster and a licensing-only cluster, each with IIS, AD RMS clients, AD DS, and SQL Server holding configuration data and logging]
Options for Configuring AD RMS Clusters
The two types of clusters in Windows Server 2012:
- Root-certification cluster
- Licensing-only cluster
Root-certification cluster:
- The first server that you install always becomes the root certification cluster
- It handles all certification and licensing requests for the domain
Simple cluster: the simplest form of a cluster is one AD RMS server
Complex cluster: you can configure multiple servers as a cluster behind a single, shared URL
You can create licensing-only clusters in addition to the root-certification cluster
Guidelines for Designing AD RMS Clusters
When designing AD RMS clusters, follow these guidelines:
- Use a single-server cluster
- Add servers in a cluster behind a single URL
- Use a root-certification cluster, with additional AD RMS servers added
- Create a licensing-only cluster
Configuring High Availability for AD RMS Services
High availability for AD RMS services:
- Use a DNS CNAME for the RMS services URI
- Configure NLB for two or more AD RMS servers
- Ensure the AD RMS database is configured for high availability: Microsoft SQL Server failover clustering, log shipping, database mirroring, AlwaysOn
- Consider sizing carefully
Planning AD RMS Management
AD RMS administrative roles:
- AD RMS Enterprise Administrators
- AD RMS Template Administrators
- AD RMS Auditor
Implementing an AD RMS Backup and Recovery Strategy
AD RMS backup and recovery:
- Identify the AD RMS components that you should back up
- Make a backup strategy for each component
- Choose a restore scenario (database or full AD RMS)
- Consider the ServiceConnectionPoint object
- Test your backup and restore strategies
Decommissioning and Removing AD RMS
Decommissioning and removing AD RMS:
- Decommission AD RMS before you remove the AD RMS role from a server
- Remember that a decommissioned server can decrypt all protected content
- Plan the length of the decommissioning period
- Keep in mind that you cannot return a decommissioned server to its previous state
- Ensure that you have a current AD RMS backup
Planning the AD RMS Super Users Group
Super Users group planning:
- The AD RMS Super Users group is a special group that has full control over all content that AD RMS manages
- You can use the Super Users group to recover data
- By default, the Super Users group is not enabled
- If you enable the group, specify a universal group to be the AD RMS Super Users group
- An Exchange server can belong to the Super Users group
- Members of the Super Users group have full owner rights in all use licenses
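The Super Users planning points above, as an added PowerShell example that is not from the deck: it checks that the chosen group is universal, records its membership (since members can open every protected document), enables the group only for the recovery window, and disables it again. It assumes the AdRmsAdmin provider's SecurityPolicy\SuperUser item and assumed names: cluster URL rms.contoso.com and group RMSSuperUsers with mail address RMSSuperUsers@contoso.com.

```powershell
# Added example (not from the deck). Assumed names: https://rms.contoso.com (AD RMS cluster),
# RMSSuperUsers (universal security group with a mail address).
Import-Module AdRmsAdmin
Import-Module ActiveDirectory
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://rms.contoso.com' | Out-Null

# The deck requires a universal group; refuse anything else before touching the cluster.
$group = Get-ADGroup -Identity 'RMSSuperUsers' -Properties mail
if ($group.GroupScope -ne 'Universal' -or -not $group.mail) {
    throw 'Super Users group must be a mail-enabled universal group'
}

# Members gain full owner rights on every use license, so keep a record of who they are
# at the moment the capability is switched on (for the audit trail).
Get-ADGroupMember -Identity $group -Recursive |
    Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path "$env:TEMP\superusers-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

# Bind the group and enable Super Users only for the recovery task.
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name SuperUserGroup -Value $group.mail
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $true

# (recover the content here)

# Return to the default state: the group is disabled, as the deck notes it is out of the box.
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $false
Get-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' | Format-List IsEnabled, SuperUserGroup
```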
Planning for AD RMS Client Applications
AD RMS can integrate with:
- Exchange Server 2007 and newer
- Office SharePoint Server 2007 and newer
Integration between Exchange Server and AD RMS provides:
- Protection with transport rules
- Journal report decryption
- IRM search
- IRM in Outlook Web Application
Integration between SharePoint and AD RMS:
- Helps protect documents on a SharePoint site
- Provides strong cryptography for AD RMS
Options for Enabling Application Access for AD RMS Clients
Options for enabling application access:
- Supported AD RMS-enabled Office applications
- XPS: XML Paper Specification
- Office Viewers, XPS Viewers and the Rights Management Add-on
- Liquid Motion adds RMS to other applications
Integrating AD RMS with Windows Live ID
Recipients of IRM documents can use Windows Live ID to read AD RMS protected content:
- You need to establish a trust policy between AD RMS and Windows Live ID
- The user must have a Windows Live ID account
- Anonymous access to the AD RMS IIS licensing service is required
- This service is not guaranteed to be permanent
- The recipient can only consume content, not protect it
Integrating AD RMS with AD FS
- Deploy and install AD FS properly in both organizations
- Add and configure AD RMS as a claims-aware application
- Grant Security Audit privileges to the AD RMS service account
- Add an extranet URL
- Install and enable the IFS role service for AD RMS
- Assign the home realm to AD FS-R computers via registry changes
What Is DAC?
DAC is new in Windows Server 2012 and provides organizations with:
- Data identity
- Access control
- Auditing of access
- Rights Management protection
DAC:
- Classifies files automatically and manually
- Provides central access policies for an organization-wide safety net
- Provides central audit policies for compliance reporting and forensic analysis
- Reduces information leaks
Overview of the Dynamic Access Control Configuration Process
Dynamic Access Control configuration process (mapping a business request to a central access policy):
- Understand and translate the business intent
- Express the access policy in Windows Server 2012 constructs
- Determine the user groups, resource properties and claim types
- Create file shares on file servers
- Determine the servers where this policy should be applied
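The configuration process above carried through for one constructed business rule ("only Finance staff may read files classified as Finance"), as an added PowerShell example that is not from the deck. It uses the ActiveDirectory module's DAC cmdlets and assumes the names Department (claim type), Department_MS (the resource property ID that Windows derives from the display name), and the rule and policy names shown.

```powershell
# Added example (not from the deck). Constructed names: claim type 'Department',
# resource property 'Department' (ID Department_MS), rule and policy names below.
Import-Module ActiveDirectory

# Step 1: a user claim sourced from the AD 'department' attribute, with suggested values.
$values = @(
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department'),
    New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HR', 'HR', 'HR department')
)
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -SuggestedValues $values

# Step 2: a resource property for classifying files, sharing the same value list as the claim.
# Adding it to the global list is what lets file servers download and apply it.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Department'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# Step 3: the central access rule. It targets resources classified Finance and grants
# full access to authenticated users only when their Department claim equals the
# resource's Department property; owners and administrators keep full access.
New-ADCentralAccessRule -Name 'Finance Documents Rule' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;FA;;;AU;(@USER.Department == @RESOURCE.Department_MS))'

# Step 4: the central access policy that carries the rule. Apply it to the chosen file
# servers through Group Policy, then select it on each share's Advanced Security settings.
New-ADCentralAccessPolicy -Name 'Finance Documents Policy'
Add-ADCentralAccessPolicyMember -Identity 'Finance Documents Policy' -Members 'Finance Documents Rule'

# Review what was created before deploying it.
Get-ADCentralAccessPolicy -Identity 'Finance Documents Policy' | Format-List Name, Members
```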
Integrating AD RMS and DAC
- DAC applies encryption by using AD RMS
- DAC protects documents even if they are inadvertently saved, sent, or processed incorrectly
- DAC extends AD RMS to the file server
How AD RMS Integrates with DAC
[Diagram: numbered flow (1-4) between the AD DS domain controller, the user, the file server with its classification engine, and the AD RMS cluster]
Blog.mir.net
Free Training
- FREE Training Camp: Microsoft Virtualization for VMware Professionals
- Microsoft Deployment Toolkit 2013: free on-demand Jump Start training
- System Center 2012 R2: free on-demand Jump Start training Se
- Free migration to Windows 7 course on MVA
- Server 2012 R2
Questions
Contact me for a copy of this deck: Jay@ferron.com