Windows Server 2012 R2 JumpStart: What’s New in Windows Server 2012 R2 Preview
Module 7: Access & Information Protection with Windows Server 2012 R2
Rick Claus, Microsoft Sr. Technical Evangelist
Adam Hall, Technical Product Manager
Jump Start Target Agenda
Day 1
Introducing Windows Server 2012 R2
Server Virtualization in Windows Server 2012 R2
Cloud Optimized Networking in Windows Server 2012 R2
Storage in Windows Server 2012 R2
Day 2
Server Management & Automation with Windows Server 2012 R2
VDI with Windows Server 2012 R2
Access & Information Protection with Windows Server 2012 R2
Web Application & Platform with Windows Server 2012 R2
Access & Information Protection with Windows Server 2012 R2
DOWNLOAD Windows Server 2012 R2 Preview: aka.ms/ws2012r2
DOWNLOAD System Center 2012 R2 Preview: aka.ms/sc2012r2
Hands-On Labs: http://www.microsoftvirtualacademy.com
Talk with our Experts in the Chat tool. #WS2012R2JS
System Center 2012 R2 Jumpstart, July 15th: http://aka.ms/SCR2JS
Today’s challenges
Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
Apps: Deploying and managing applications across platforms is difficult.
Data: Users need to be productive while maintaining compliance and reducing risk.
Users: Users expect to be able to work in any location and have access to all their work resources.
People-centric IT
Empower users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
Unify your environment: Deliver unified application and device management on-premises and in the cloud.
Protect your data: Help protect corporate information and manage risk.
[Diagram: Users, Devices, Apps and Data, with Management, Access and Protection as the three pillars]
Access & Information Protection
Protect your data: Centralize corporate information for compliance and data protection. Policy-based access control to applications and data.
Unify your environment: Common identity to access resources on-premises and in the cloud.
Empower users: Simplified registration and enrollment for BYO devices. Automatically connect to internal resources when needed. Access to company resources consistent across devices.
Empower users
Challenges:
Users want to use the device of their choice and have access to both their personal and work-related applications, data and resources.
Users want an easy way to access their corporate applications from anywhere.
IT wants to empower users to work this way but also needs to control access to sensitive information and remain in compliance with regulatory policies.
Solutions:
Users can register their devices, which makes them known to IT; IT can then use device authentication as part of providing access to corporate resources.
Users can enroll their devices, which provides them with the Company Portal for consistent access to applications and data and for managing their devices.
IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using and their location.
Enabling IT to empower users
Users can work from anywhere on their device with access to their corporate resources.
Users can register devices for single sign-on and access to corporate data with Workplace Join.
Users can enroll devices for access to the Company Portal for easy access to corporate applications.
IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity.
IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
IT can publish Desktop Virtualization (VDI) for access to centralized resources.
[Diagram: Remote Access, Web Application Proxy and RD Gateway in front of Web Apps, Files, LOB Apps, Session host and VDI]
Registering and Enrolling Devices
IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud.
[Diagram: Web Application Proxy and ADFS between the devices and Active Directory]
Publish access to resources with the Web Application Proxy
Users can access corporate applications and data wherever they are.
IT can use the Web Application Proxy to authenticate users and devices with multi-factor authentication.
Use conditional access for granular control over how and where the application can be accessed.
Active Directory provides the central repository of user identity as well as the device registration information.
Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps.
[Diagram: Devices reach Apps & Data through the Web Application Proxy, which fronts ADFS and Active Directory. Published application types: reverse-proxy pass-through (e.g. NTLM- and Basic-based apps), RESTful OAuth apps, Office Forms Based Access, and claims & Kerberos web apps (AD integrated)]
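As an added example (not code from the deck or from Microsoft), here is how the publishing described above is set up on a Windows Server 2012 R2 server using the WebApplicationProxy module: one claims-aware application published with ADFS pre-authentication and one legacy NTLM/Basic application published as a plain reverse proxy. The hostnames, URLs, relying-party name and certificate subjects (adfs.contoso.com, expenses.contoso.com, a *.contoso.com wildcard certificate) are assumed placeholders.

```powershell
# Added example (not from the original deck). Run on the Windows Server 2012 R2
# server that will become the Web Application Proxy; it must reach the internal
# ADFS farm over HTTPS. All hostnames, URLs, names and certificates below are
# assumed placeholders for a fictitious contoso.com environment.

# 1. Install the role service (it lives under Remote Access).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. Pick the certificate presented to external clients for the federation
#    service name. It must already be in LocalMachine\My and its subject or
#    SAN must cover adfs.contoso.com.
$fsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*adfs.contoso.com*' } |
    Select-Object -First 1
if (-not $fsCert) { throw 'No certificate for adfs.contoso.com in LocalMachine\My' }

# 3. Establish the trust with the ADFS farm. The credential must be a local
#    administrator on the ADFS servers; it is used only to set up the trust.
$trustCred = Get-Credential -Message 'ADFS local administrator for the proxy trust'
Install-WebApplicationProxy `
    -FederationServiceName            'adfs.contoso.com' `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint            $fsCert.Thumbprint

# Wildcard certificate used for the published external URLs (assumed to exist).
$appCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=*.contoso.com' } |
    Select-Object -First 1
if (-not $appCert) { throw 'No *.contoso.com certificate in LocalMachine\My' }

# 4a. Publish a claims-aware web app with ADFS pre-authentication. Only
#     requests that satisfy the relying party's issuance authorization rules
#     on ADFS (user, device, location, MFA) ever reach the backend; the proxy
#     never forwards an unauthenticated request to it.
Add-WebApplicationProxyApplication `
    -Name                          'Expenses (claims)' `
    -ExternalPreauthentication     ADFS `
    -ADFSRelyingPartyName          'Expenses' `
    -ExternalUrl                   'https://expenses.contoso.com/' `
    -BackendServerUrl              'https://expenses.contoso.com/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

# 4b. Publish a legacy NTLM/Basic app as a plain reverse proxy (pass-through).
#     No pre-authentication happens at the proxy, so the backend carries the
#     whole authentication burden and is exposed to anonymous Internet traffic;
#     use 4a wherever the application can consume claims or Kerberos.
Add-WebApplicationProxyApplication `
    -Name                          'Legacy intranet app (pass-through)' `
    -ExternalPreauthentication     PassThrough `
    -ExternalUrl                   'https://legacy.contoso.com/' `
    -BackendServerUrl              'https://legacy.contoso.com/' `
    -ExternalCertificateThumbprint $appCert.Thumbprint

# 5. Verify what is published and how each application is pre-authenticated.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Format-Table -AutoSize
```

The check in step 5 is the one to run after every change: any application listed with `PassThrough` is reachable from the Internet without ADFS ever seeing the request, so that list is effectively the inventory of backends that must defend themselves.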
Make corporate data available to users with Work Folders
Users can sync their work data to their devices. Users can register their devices to be able to sync data when IT enforces conditional access.
IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy.
IT can configure a File Server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
IT can selectively wipe the corporate data from Windows 8.1 clients.
Active Directory discoverability provides users with their Work Folders location.
[Diagram: Devices sync with File Services through a reverse proxy or the Web Application Proxy; domain-joined devices sync directly; Active Directory holds the access policy]
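As an added example (not code from the deck), here is the file-server side of what the slide describes, using the SyncShare and ActiveDirectory modules on Windows Server 2012 R2: a per-user sync share that enforces encryption and a device lock, and the Active Directory attribute that lets clients discover their server. The server name sync.contoso.com, the path D:\WorkFolders, the group WorkFoldersUsers and the user alice are assumed placeholders.

```powershell
# Added example (not from the original deck). Run on a Windows Server 2012 R2
# file server that will host Work Folders. Domain, paths, group and URL names
# are assumed placeholders for a fictitious contoso.com environment.

# 1. Install the Work Folders role service (File and Storage Services).
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# 2. Create the sync share. One sub-folder per user is created under -Path,
#    named after the user's alias (-UserFolderName 'user' instead of
#    'user@domain'). Only members of the named security group may use it.
#    The two Require* settings are the device-side controls: the local copy is
#    encrypted with EFS under a key tied to the enterprise ID (which is what
#    makes a selective wipe possible later), and a password-protected screen
#    lock is enforced on the device before any data is synced to it.
New-SyncShare -Name 'WorkFolders' `
              -Path 'D:\WorkFolders' `
              -User 'CONTOSO\WorkFoldersUsers' `
              -UserFolderName 'user' `
              -RequireEncryption $true `
              -RequirePasswordAutoLock $true `
              -Description 'Per-user work data synced to registered devices'

# 3. Work Folders speaks HTTPS only: bind a certificate for the public name to
#    port 443 in IIS on this server (done separately), and front that URL with
#    the Web Application Proxy for Internet clients if device registration
#    should be enforced.

# 4. Automatic discovery: the Windows 8.1 client reads the user's
#    msDS-SyncServerUrl attribute (falling back to https://workfolders.<domain>).
#    Set it for every user in the group so nobody has to type a server name.
Import-Module ActiveDirectory
$url = 'https://sync.contoso.com'
Get-ADGroupMember -Identity 'WorkFoldersUsers' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -Replace @{ 'msDS-SyncServerUrl' = $url }
    }

# 5. Check the share settings and the sync state of one user. Get-SyncUserStatus
#    reports the last successful sync and any device that is not complying with
#    the encryption / lock requirements set above.
Get-SyncShare | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
Get-SyncUserStatus -SyncShare 'WorkFolders' -User 'CONTOSO\alice' | Format-List
```

The two `Require*` settings are the part worth auditing: without them the server still syncs, but the copy on a lost BYO laptop is plain NTFS data behind whatever lock (or no lock) the user chose.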
Effective working with Remote Access
VPN: Cannot originate an admin connection from the intranet to the client.
DirectAccess: Connection to the intranet is always active; admin connections can be originated from the intranet.
With DirectAccess, a user’s PC is automatically connected whenever an Internet connection is present.
Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.
An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
[Diagram: remote clients through the firewall to Web Apps, Session host, LOB Apps, Files and VDI]
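As an added example (not code from the deck), here is what the "automatic VPN connection" above looks like when configured on a Windows 8.1 client with the VpnClient module: a machine-certificate IKEv2 profile that comes up without a prompt, triggered either by launching an application or by a DNS lookup in the corporate suffix, and suppressed when the machine is already on the intranet. The server name vpn.contoso.com, the suffix corp.contoso.com, the resolver address and the application path are assumed placeholders.

```powershell
# Added example (not from the original deck). Run in an elevated PowerShell on
# a Windows 8.1 client. Server name, DNS suffix, resolver address and
# application path are assumed placeholders for a fictitious contoso.com.

# 1. Create the VPN profile. IKEv2 with machine-certificate authentication lets
#    the tunnel come up without prompting the user, which an application-
#    triggered connection needs; the client must already hold a machine
#    certificate the VPN server trusts. Split tunneling is required for the
#    triggers below, so only corporate destinations go through the tunnel.
Add-VpnConnection -Name 'Contoso VPN' `
                  -ServerAddress 'vpn.contoso.com' `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential `
                  -Force

# 2. Application trigger: launching this LOB client starts the tunnel.
Add-VpnConnectionTriggerApplication -ConnectionName 'Contoso VPN' `
    -ApplicationID 'C:\Program Files\Contoso\Expenses\Expenses.exe'

# 3. DNS trigger: any name lookup in corp.contoso.com also starts the tunnel,
#    and those names are resolved only through the corporate resolver.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName 'Contoso VPN' `
    -DnsSuffix 'corp.contoso.com' -DnsIPAddress '10.0.0.53'

# 4. Trusted-network detection: when the client already has the connection-
#    specific DNS suffix corp.contoso.com (it is on the intranet), the triggers
#    are suppressed so the VPN is not started needlessly.
Set-VpnConnectionTriggerTrustedNetwork -ConnectionName 'Contoso VPN' `
    -DnsSuffix 'corp.contoso.com'

# 5. Review the result.
Get-VpnConnection -Name 'Contoso VPN' |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName 'Contoso VPN'
```

This is the client-side half of the contrast the slide draws: the tunnel is still on demand (unlike DirectAccess), but the demand comes from the application or the name lookup rather than from the user clicking Connect.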
Unify your environment
Challenges:
Providing users with a common identity when they are accessing resources that are located both on-premises in the corporate environment and in cloud-based platforms.
Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
Solutions:
Users have a single sign-on experience when accessing all resources regardless of location.
Users and IT can leverage their common identity for access to external resources through federation.
IT can consistently manage identities across on-premises and cloud-based identity domains.
Expanded domain join capabilities
Not Joined: User-provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.
Workplace Joined: Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information.
Domain Joined: Domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.
[Diagram: capabilities by join state: browser session single sign-on, seamless 2-factor auth for web apps, enterprise apps single sign-on, desktop single sign-on]
Active Directory for the cloud
Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.
Developers can integrate applications for single sign-on across on-premises and cloud-based applications.
Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises.
Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center for centralized management.
Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure.
[Diagram: Active Directory serving Files, LOB Apps and Web Apps]
Managing cloud identities
IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and Windows Azure Active Directory.
Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and 3rd party applications.
Users are more productive by having a single sign-on to all their resources.
IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.
Developers can build applications that leverage the common identity model.
DirSync keeps user attributes in sync across directories.
[Diagram: on-premises Active Directory with DirSync and ADFS connecting to Windows Azure Active Directory; Web Apps, LOB Apps and Files on-premises]
Increasing the value in Active Directory Federation Services
Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication.
Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration & network location.
Organizations can federate with partners and other organizations for seamless access to shared resources.
Organizations can connect to SaaS applications running in Windows Azure, Office 365 and 3rd party providers.
Enhancements to ADFS include simplified deployment and management.
[Diagram: Web Application Proxy (includes ADFS Proxy) in front of ADFS and Active Directory; published applications: RESTful OAuth apps, Office Forms Based Access, claims & Kerberos web apps; federation through the firewall to resources in other businesses or identity realms]
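As an added example (not code from the deck), here is the ADFS side of device registration and per-application conditional access, covering both the Workplace Join slide earlier (the device object and certificate created at registration) and the per-application conditions listed here. It uses the ADFS, DnsServer and ActiveDirectory modules on Windows Server 2012 R2. The domain contoso.com, the gMSA adfsgmsa$, the relying party 'Expenses' and the quota values are assumed placeholders; the claim-type URIs are the ones ADFS 2012 R2 issues.

```powershell
# Added example (not from the original deck). Run on a Windows Server 2012 R2
# ADFS server as an enterprise administrator. Names (contoso.com, the gMSA,
# the relying party 'Expenses') and the quota values are assumed placeholders.

# 1. Prepare Active Directory for the Device Registration Service (DRS): this
#    creates the device container and gives the ADFS service account the right
#    to write msDS-Device objects into it. RegistrationQuota caps how many
#    devices one user may register; devices idle longer than the inactivity
#    period (days) are cleaned up.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfsgmsa$' `
    -RegistrationQuota 10 -MaximumRegistrationInactivityPeriod 90

# 2. Turn DRS on in ADFS. From here on a Workplace Join creates the device
#    object in AD and installs the device certificate on the client.
Enable-AdfsDeviceRegistration

# 3. Clients find DRS through a well-known name in every UPN suffix:
#    enterpriseregistration.<suffix> must resolve to the federation service.
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' `
    -Name 'enterpriseregistration' -HostNameAlias 'adfs.contoso.com'

# 4. Per-application conditional access in ADFS claim-rule language.
#    Issuance authorization: permit only requests that carry the
#    isregistereduser device claim, i.e. the user authenticated together with
#    a registered device's certificate. Everything else is denied before a
#    token is ever issued.
$authzRules = @'
@RuleName = "Permit only registered devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

#    Additional authentication: ADFS sets insidecorporatenetwork=false for
#    requests that arrived through the Web Application Proxy, so this rule
#    demands multi-factor authentication for Internet access only. The MFA
#    provider itself (e.g. Windows Azure Active Authentication) must be
#    enabled separately as an additional authentication method.
$mfaRules = @'
@RuleName = "MFA from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

Set-AdfsRelyingPartyTrust -TargetName 'Expenses' `
    -IssuanceAuthorizationRules    $authzRules `
    -AdditionalAuthenticationRules $mfaRules

# 5. Audit what is registered. Device objects live under CN=RegisteredDevices
#    at the domain root; msDS-RegisteredOwner holds the owning user's SID in
#    binary form, which is translated back to an account name here.
Import-Module ActiveDirectory
$root = (Get-ADDomain).DistinguishedName
Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
    -SearchBase "CN=RegisteredDevices,$root" `
    -Properties displayName, 'msDS-DeviceOSType', 'msDS-IsEnabled', 'msDS-RegisteredOwner' |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$_.'msDS-RegisteredOwner', 0)
        [pscustomobject]@{
            Device  = $_.displayName
            OS      = $_.'msDS-DeviceOSType'
            Enabled = $_.'msDS-IsEnabled'
            Owner   = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
    } | Format-Table -AutoSize
```

The two rule sets are independent knobs per relying party: the issuance authorization rule decides who gets a token at all (here, only registered devices), and the additional authentication rule decides when the first factor is not enough (here, whenever the request did not come from inside the corporate network).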
Corporate identity management
Allow users to manage their identity with an easy-to-use portal, tightly integrated with Office.
Self-service group and distribution list management, including dynamic membership calculation in these groups and distribution lists, based on the user’s attributes.
Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs.
Sync users’ identity across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP.
Manage the complete life cycle of certificates and smart cards through integration with Active Directory.
User provisioning, de-provisioning, and role updates.
Built-in workflow for identity management.
Automatically synchronize all user information to different directories across the enterprise.
Automate the process of on-boarding new users.
Real-time de-provisioning from all systems to prevent unauthorized access and information leakage.
[Diagram: FIM workflow between Active Directory, LDAP directories and Certificate Management]
Protect your data
Challenges:
As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
A significant amount of corporate data can only be found locally on user devices.
IT needs to be able to secure, classify and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
Solutions:
Users can work on the device of their choice and be able to access all their resources regardless of location or device.
IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
IT can centrally audit and report on information access.
Policy based access to corporate information
IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.
IT can audit user access to information based on central audit policies.
Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
[Diagram: Devices reach Centralized Data (Web Apps, LOB Apps, Session host, VDI, Desktop Virtualization) through RD Gateway, and Distributed Data (Files) under an Access Policy]
Protecting information with multi-factor authentication
1. A user attempts to log in or perform an action that is subject to MFA.
2. When the user authenticates, the application or service performs an MFA call.
3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app.
4. The response is returned to the app, which then allows the user to proceed.
5. IT can configure the type and frequency of the MFA that the user must respond to.
[Diagram: user, ADFS and the application’s own authentication store (e.g. Active Directory, RADIUS, LDAP, SQL, custom apps) exchanging the MFA challenge and response]
Protect data with Dynamic Access Control
Centrally manage access control and audit policies from Windows Server Active Directory.
Automatically identify and classify data based on content. Classification applies as files are created or modified.
Integration with Active Directory Rights Management Services provides automated encryption of documents.
Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
File classification, access policies and automated Rights Management work against client-distributed data through Work Folders.
[Diagram: File Services and Active Directory]
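As an added example (not code from the deck), here is the Dynamic Access Control chain the slide summarises, end to end: a user claim sourced from an AD attribute, a matching resource property, a central access rule whose conditional ACE compares the two, the policy that carries the rule, the GPO setting that makes the KDC issue claims, and the FSRM classification rule that tags files by content on the file server. It uses the ActiveDirectory, GroupPolicy and FileServerResourceManager modules on Windows Server 2012 R2. The Department claim, the Finance value, the rule and policy names, the GPO names, D:\Finance and the content string are assumed placeholders.

```powershell
# Added example (not from the original deck). Run as a domain administrator in
# a forest with Windows Server 2012 (or later) domain controllers; claims need
# them. Department/Finance, rule and policy names, GPO names, D:\Finance and
# the content string are assumed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. User claim: the KDC puts the user's 'department' attribute into the
#    Kerberos ticket as a claim called Department.
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -Enabled $true

# 2. Matching resource property: a classification tag a file can carry. The
#    property ID defaults to <DisplayName>_MS, hence Department_MS below.
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-Text'
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department'

# 3. Central access rule: targets files tagged Department=Finance and, via the
#    conditional ACE (XA;;...;(condition)), grants full access only to
#    principals whose Department claim equals the file's tag. Owner and local
#    Administrators keep full access so the rule cannot lock everyone out.
New-ADCentralAccessRule -Name 'Finance documents' `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;FA;;;S-1-1-0;(@USER.Department == @RESOURCE.Department_MS))'

New-ADCentralAccessPolicy -Name 'Department policy'
Add-ADCentralAccessPolicyMember -Identity 'Department policy' -Members 'Finance documents'

# 4. Domain controllers must issue claims and file servers must request them.
#    Both are the "support for claims, compound authentication and Kerberos
#    armoring" policy; the first is the KDC setting, the second the Kerberos
#    client setting (the GPO 'File Servers' is assumed to exist).
Set-GPRegistryValue -Name 'Default Domain Controllers Policy' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1
Set-GPRegistryValue -Name 'File Servers' `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1

# 5. On the file server: pull the AD resource properties into FSRM, then add a
#    content-based rule so any document containing the marker string is tagged
#    Department=Finance as it is created or modified (Overwrite means a later
#    run corrects an earlier wrong tag instead of keeping it).
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name 'Tag finance content' `
    -Property 'Department_MS' -PropertyValue 'Finance' `
    -Namespace @('D:\Finance') `
    -ClassificationMechanism 'Content Classifier' `
    -ContentString @('Contoso Confidential - Finance') `
    -ReevaluateProperty Overwrite
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification          # shows the status of the classification run

# 6. Central audit: object-access auditing must be on for the file server to
#    write the access decisions (Security log event 4663); the central audit
#    policy GPO (Global Object Access Auditing) then scopes them by claim.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 7. Apply 'Department policy' to D:\Finance through the GPO path
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    File System > Central Access Policy, or on the folder's Advanced Security
#    settings (Central Policy tab). Until a folder is scoped to the policy, the
#    rule above is defined but not enforced anywhere.
```

The order matters: if step 4 is skipped, the file server never receives a Department claim, the conditional ACE evaluates to false for everyone except the owner and administrators, and the failure looks like a permissions bug rather than a missing KDC setting.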
Recapping: Access & Information Protection
Protect your data: Centralize corporate information for compliance and data protection. Policy-based access control to applications and data.
Unify your environment: Common identity to access resources on-premises and in the cloud.
Empower users: Simplified registration and enrollment for BYO devices. Automatically connect to internal resources when needed. Access to company resources consistent across devices.