
Microsoft Official Course

Module 1: Overview of Access and Information Protection

Module Overview

• Introduction to Access and Information Protection Solutions in Business
• Overview of AIP Solutions in Windows Server 2012
• Overview of FIM 2010 R2

Lesson 1: Introduction to Access and Information Protection Solutions in Business

• What Is Identity?
• What Is Authentication?
• What Is Authorization?
• Overview of AD DS and Access and Information Protection
• The Business Case for Access and Information Protection Control
• AIP Management Solutions
• Discussion: How Do You Manage Identities in Your Organization?

What Is Identity?

Identity: a set of data that uniquely describes a person or an object (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities:
• Identities are saved in an identity store known as a directory database
• In AD DS, identities are called security principals
• In AD DS, identities are represented uniquely by the SID
• Identities are used mainly to access resources

What Is Authentication?

Authentication is the process that verifies a user's identity through:
• Credentials: at least two components are required
• Two types of authentication:
  • Local (interactive) logon: authentication for logon to the local computer
  • Remote (network) logon: authentication for access to resources on another computer
• Stand-alone authentication: users are authorized by the local SAM
• Joining the computer to the domain

What Is Authorization?

Authorization is the process that determines whether to grant or deny a user a requested level of access to a resource.
Three components are required for authorization:
• Resource
• Access request
• Security token
Windows Server 2012 also introduces DAC as a new form of authorization.

Overview of AD DS and Access and Information Protection

An AIP infrastructure should:
• Store information about users, groups, computers, and other identities
• Authenticate an identity: Kerberos authentication used in an Active Directory domain provides SSO, so users authenticate only once
• Control access
• Provide an audit trail

The Business Case for Access and Information Protection Control

AIP offers the following solutions:
• Reduce the information access workload
• Increase operational security
• Enable secure cross-organization collaboration
• Protect intellectual property

AIP Management Solutions

Features of AIP management solutions include:
• Maintaining multiple identity stores in an organization
• Determining the current and authoritative identity information
• Provisioning and deprovisioning user accounts
• Authenticating and authorizing users
• Securing shared information
• Securing collaboration between partners and vendors
• Securing access to and distribution of sensitive data

Discussion: How Do You Manage Identities in Your Organization?

• What AIP technologies are you currently running in your organization?
• What business enhancements do your AIP technologies provide?
• What risks does your business currently face that AIP could help to mitigate?
• How can AIP solutions simplify IT operations?
• How do AIP solutions change how people access enterprise resources?

Lesson 2: Overview of AIP Solutions in Windows Server 2012

• Identity Management in Windows Server 2012
• Overview of AD CS
• Overview of AD RMS
• Overview of AD FS
• Overview of AD LDS
• Overview of Windows Azure Active Directory
• Overview of DAC
• Overview of Workplace Join

Identity Management in Windows Server 2012

Windows Server 2012 provides several roles and functionalities for AIP management:
• AD CS
• AD RMS
• AD FS
• AD LDS
• DAC
• Workplace Join
• Windows Server 2012 R2

Server roles work together to provide full AIP functionality.

Overview of AD CS

• AD CS provides services for creating, managing, and distributing digital certificates
• Digital certificates are distributed to users and computers and are used to secure communications
• Certificates can be issued in various ways

Overview of AD RMS

Major functional uses of AD RMS include the following:
• Provides business-level encryption of information
• Enables information protection while in use
• Allows for simple mapping of business classifications
• Provides offline use without requiring network access by users for particular amounts of time
• Provides full auditing of access to documents and enables business users to make changes to usage rights

Overview of AD FS

AD FS can be summarized as follows:
• AD FS is an identity access solution
• AD FS provides browser-based SSO
• AD FS can interact with other SAML 2.0 and WS-* providers
AD FS enhancements in Windows Server 2012 include:
• DAC integration
• Improved installation experience
• Enhanced Windows PowerShell cmdlets
• Workplace Join
• Multifactor authentication
• Multifactor access control

Overview of AD LDS

AD LDS:
• Provides a directory service for applications
• Allows data synchronization with AD DS
• Allows storage of application data
• Can run on a Windows-based desktop operating system

Overview of Windows Azure Active Directory

Windows Azure AD is a cloud-based service that provides identity management and access control capabilities for other cloud-based applications.
Windows Azure AD functionalities:
• Access control for applications
• Integration with on-premises AD DS
• SSO for cloud-based applications
• Enabling social connections in the enterprise

Overview of DAC

• DAC is a new security mechanism for resource access control in Windows Server 2012
• DAC uses claims and properties together with expressions to control access
• DAC provides:
  • Data classification
  • Access control to files
  • Auditing of file access
  • Optional Rights Management Services protection integration

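As an added illustration that is not part of the course material, the following Python model shows how DAC evaluates an access request: user claims, device claims and resource properties are fed into conditional expressions, NTFS permissions are checked first, and every central access rule whose resource condition matches can only narrow the result. The rule names, claim names, and values are constructed for the example; this is a model of the evaluation order, not the Windows implementation.

```python
# Added example: a minimal model of DAC evaluation, not Windows code.
# NTFS allows first, then each applicable central access rule is ANDed
# with the result. All rules, claims and values are constructed.
READ, WRITE, DELETE = 1, 2, 4

class CentralAccessRule:
    def __init__(self, name, resource_condition, permissions):
        # resource_condition(resource) -> bool: does the rule target this file?
        # permissions: list of (condition(user, device, resource), access_mask)
        self.name = name
        self.resource_condition = resource_condition
        self.permissions = permissions

    def applies_to(self, resource):
        return self.resource_condition(resource)

    def allowed_mask(self, user, device, resource):
        # Union of every conditional permission entry whose expression is true
        mask = 0
        for condition, access in self.permissions:
            if condition(user, device, resource):
                mask |= access
        return mask

def effective_access(ntfs_mask, policy, user, device, resource):
    """Start from the NTFS DACL; every applicable rule is ANDed with it."""
    mask = ntfs_mask
    for rule in policy:
        if rule.applies_to(resource):
            mask &= rule.allowed_mask(user, device, resource)
    return mask

# Constructed rules: the first mirrors a "@USER.Department ==
# @RESOURCE.Department" expression, the second requires a managed device.
FINANCE_RULE = CentralAccessRule(
    "Finance documents",
    lambda r: r.get("Department") == "Finance",
    [(lambda u, d, r: u.get("Department") == r.get("Department"), READ | WRITE),
     (lambda u, d, r: "Finance Admins" in u.get("Groups", ()), DELETE)],
)
HIGH_IMPACT_RULE = CentralAccessRule(
    "High impact data",
    lambda r: r.get("Impact") == "High",
    [(lambda u, d, r: d.get("Managed") is True, READ | WRITE | DELETE)],
)
POLICY = [FINANCE_RULE, HIGH_IMPACT_RULE]

def check(user, device, resource, ntfs_mask=READ | WRITE | DELETE):
    """Effective access mask for one request against the constructed policy."""
    return effective_access(ntfs_mask, POLICY, user, device, resource)
```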
Overview of Workplace Join

• Workplace Join enhances the BYOD concept
• Users can operate their private devices in your AD DS
• Users can use their workplace-joined devices to access company resources with SSO experiences
• DRS uses Windows Server 2012 R2 for this technology
• Workplace Join is supported only on Windows Server 2012 R2, Windows 8.1, and iOS-based devices

Lesson 3: Overview of FIM 2010 R2

• What Is FIM?
• FIM Directory Synchronization
• Managing Identities with FIM
• Managing Certificates and Smart Cards with FIM
• Discussion: Business Scenarios for FIM Usage
What Is FIM?

FIM capabilities:
• Metadirectory services and user (de)provisioning
• Certificate and smart card management
• Password management
• Directory synchronization
• Automated provisioning

FIM Directory Synchronization

[Diagram: an HR Management Agent connects the HR connected data source (Employee connector space) to the Metaverse (person object); an AD Management Agent connects the Metaverse to the AD connected data source (User connector space); the FIM Management Agent links the Metaverse to the FIM Service.]

Managing Identities with FIM

• User Provisioning
• User Management
  • SharePoint-based portal
  • Automated, codeless user provisioning and deprovisioning
  • Self-service management
• Group Management
  • Rich group management capabilities
  • Offline group membership approvals
  • Manual, manager-based, and criteria-based group membership

Managing Certificates and Smart Cards with FIM

FIM CM provides full management for certificates and smart cards, and FIM CM lets you manage tasks such as:
• Enrollment
• Renewal
• Unblocking
• Disabling
• Suspending
• Updating

Discussion: Business Scenarios for FIM Usage

• Do you use any identity management solution?
• Do you have the need for identity management?
• In which scenarios are common identities not appropriate?
• What are some real-world examples of using identity management?

Lab: Choosing an Appropriate Access and Information Protection Management Solution

• Exercise 1: Analyze the Lab Scenario and Identify Business Requirements
• Exercise 2: Propose a Solution

Logon Information:
There are no virtual machines in this lab.

Estimated Time: 30 minutes

Lab Scenario

You are working as a system administrator for A. Datum Corporation. As part of your job, you need to understand how to use AD DS to secure the company's data and infrastructure. Management wants to ensure the protection of A. Datum's IT infrastructure by using the most secure method of authentication and authorization. Currently, A. Datum uses passwords to protect its accounts, but that has proven to be insecure in some cases.

Management also requests that you prevent unauthorized personnel from being able to read Microsoft Office documents. Specifically, they want to make business-critical documents inaccessible if the documents leave the company in any way, such as in email or on a USB flash drive. It is critical that only authorized personnel can access these documents. Also, management would like to consider digital signatures on documents.

A. Datum recently has partnered with Contoso, Ltd. Contoso needs access to A. Datum's web applications, but wants to ensure that users can continue to use their current AD DS user accounts. The web team at A. Datum has explained that they can make web applications claims aware.

Lab Scenario (continued)

A. Datum has expressed concern for developer efficiency. Developers currently utilize a development instance of AD DS and have noted that they are often waiting for IT but instead need the ability to manage their own directory services for development. In addition, developers need a technology to help them separate identity logic from their current applications. Developers also are using iOS-based devices for testing and development, and they need to have the ability to access company resources securely from these devices.

HR maintains its own database that contains much of the same information that exists in AD DS. However, some of the information in the HR database conflicts with the information in the AD DS database; it should synchronize so that the information is consistent throughout each database.

Management requests that you determine the Windows Server roles and available AIP solutions to address the organization's current issues.

Lab Review

• There are no review questions for this lab.


Module Review and Takeaways

• Review Questions
• Best Practice
