Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 6: Configuring AD RMS
• Overview of AD RMS
• Installing and Configuring AD RMS Server Components
• Administering AD RMS
• Implementing AD RMS Trust Policies
Lesson 1: Overview of AD RMS
• How Access Management Is Enforced by Using AD RMS
• Usage Scenarios of AD RMS
• Comparing Technologies Used to Protect Information
• Identifying AD RMS Components
• AD RMS Certificates and Licenses
• Overview of AD RMS Workflow
• How Files Are Protected by Using AD RMS
How Access Management Is Enforced by Using AD RMS
AD RMS enforces access management by:
• Establishing trusted participants within the AD RMS system
• Assigning persistent usage rights and conditions on how a trusted participant can use protected information
• Encrypting information and allowing access only to users who have the required components and rights to open and view the information
Types of information that can be protected include:
• Sensitive documents such as plans, proposals, and reports
• E-mail messages
• Content stored in AD RMS-aware intranet services
Usage Scenarios for AD RMS
Usage Scenario | Application | Features
Secure Confidential Files | Microsoft® Office: Word®, Excel®, PowerPoint® | Set rights (View, Change, Print); set validity period; Do-Not-Forward/Print
E-Mail Message | Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack 1 (SP1) | Help protect sensitive e-mail messages from being sent to the Internet; help protect confidential e-mail messages from being taken outside the company; help protect Rights Management Services (RMS) prelicensing agent
Help Safeguard Intranet Content | Microsoft® Office SharePoint® Services | Help safeguard intranet content by restricting access to View, Change, and Print
Identity Federation Support | All RMS-enabled applications; Active Directory® Federation Services (AD FS) | Help safeguard data across AD FS trusts
Comparing Technologies Used to Protect Information
Technologies compared: AD RMS; Secure/Multipurpose Internet Mail Extensions (S/MIME) signing; S/MIME encryption; access control lists (ACLs); Encrypting File System (EFS)
Features compared:
• Attests to the identity of the publisher
• Differentiates permissions by user
• Prevents unauthorized viewing
• Encrypts protected content
• Offers content expiration
• Controls content reading, modifying, or printing by user *
• Extends protection beyond initial publication *
* With some limitations
Identifying AD RMS Components
• AD RMS clients
• AD RMS root cluster, hosted on a Web server (IIS)
• Active Directory® Domain Services (AD DS)
• SQL Server™ hosting the configuration data and logging databases
• AD RMS licensing-only cluster, with its own SQL Server™
AD RMS Certificates and Licenses
• Server Licensor Certificate (SLC): created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster
• Machine Certificate: identifies a trusted computer and contains the unique public key for that machine; issued per user, per computer
• Rights Account Certificate (RAC): names a trusted user identity by using the e-mail address or SID of the user; issued per user
• Client Licensor Certificate: names a trusted user who is authorized to publish RMS-protected information without requiring connectivity to an RMS server; issued per user on a computer
• Publishing License (PL): sets the policy for acquiring a use license for rights-protected information
• Use License (UL): grants an authorized user with a valid RAC the right to consume rights-protected information according to the policy established in the publishing license
Overview of AD RMS Workflow
[Diagram not reproduced: a nine-step workflow in which the Information Author publishes content and the Information Recipient consumes it through the AD RMS cluster, which relies on Active Directory® and the database server.]
How Files Are Protected by Using AD RMS
Publishing License (created when the file is protected):
• Content key, encrypted with the public key of the server
• Rights information with e-mail addresses, encrypted with the public key of the server
Use License (added to the file after the server licenses a user to open it):
• Rights information with e-mail addresses, encrypted with the public key of the user
• Content key, encrypted with the public key of the user
File content (text, pictures, and media): encrypted with a 128-bit AES symmetric encryption key (the content key)
Note: E-mail URLs are stored in the local RMS license cache, not in e-mail messages directly.
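The publishing-license and use-license layering above, modelled in Go as an added example (not code from the course or from AD RMS itself): the content key is a random 128-bit AES key, the PL wraps it to the cluster's public key, and the UL re-wraps it to the user's RAC public key, so a file plus its PL is useless without the cluster, and a UL is useless without the matching user key. RSA-OAEP, AES-GCM and the stand-in key pairs are assumptions; real AD RMS licenses are signed XrML documents with many more fields.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Rand is exported so callers can generate stand-in SLC/RAC keys without importing rand.
var Rand = rand.Reader
// Protected models the slide's file: AES-128 content plus a publishing license (PL)
// holding the content key wrapped to the cluster's public key and the rights information.
type Protected struct {
	Nonce, Ciphertext, PLWrappedKey []byte
	Rights                          string
}

// gcm gives AES-128-GCM; GCM is an assumption, the slide says only "128-bit AES".
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// Protect (author): a fresh content key seals the content (rights text bound as AAD)
// and is itself sealed to the server, so only the cluster can open the PL.
func Protect(content []byte, rights string, server *rsa.PublicKey) (*Protected, error) {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), Rand, server, key, nil)
	return &Protected{nonce, gcm(key).Seal(nil, nonce, content, []byte(rights)), wrapped, rights}, err
}

// IssueUseLicense (server): unwrap the key from the PL, re-wrap it to the user's RAC key (the UL).
func IssueUseLicense(p *Protected, server *rsa.PrivateKey, user *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, server, p.PLWrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), Rand, user, key, nil)
}

// Consume (recipient): only the RAC private key opens the UL; only that key opens the content.
func Consume(p *Protected, ul []byte, user *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, user, ul, nil)
	if err != nil {
		return nil, err
	}
	return gcm(key).Open(nil, p.Nonce, p.Ciphertext, []byte(p.Rights))
}
```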
Lesson 2: Installing and Configuring AD RMS Server Components
• AD RMS Deployment Scenarios
• Preinstallation Considerations
• AD RMS System Requirements
• How to Install the First Server of an AD RMS Cluster
• What Is a Service Connection Point?
• Implementing an AD RMS Client
• Configuring Client Service Discovery
AD RMS Deployment Scenarios
• Deploying AD RMS in a single forest
• Deploying an AD RMS licensing-only cluster
• Deploying AD RMS in a multi-forest environment
• Deploying AD RMS in an extranet
• Deploying AD RMS with AD FS
Preinstallation Considerations
Consider the following points before deploying AD RMS:
• Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
• Determine whether to use an external database or the internal database provided by Windows Server® 2008.
• Create a specific AD RMS service account with standard user permissions.
• Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent if the service connection point is to be registered during installation.
• Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
• Obtain a Secure Sockets Layer (SSL) certificate from a trusted certification authority if secure communication to and from the AD RMS cluster is required.
AD RMS System Requirements
Hardware Requirements
Required: one Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space
Recommended: two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space
Software Requirements
Software | Requirement
Operating System | Windows Server® 2008
File System | NTFS file system is recommended
Messaging | Message Queuing
Web Services | Internet Information Services (IIS); ASP.NET must be enabled
Active Directory® or AD DS | AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows® 2000 Server with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory®.
Database Server | Microsoft® SQL Server™ 2005 or equivalent, and stored procedures
Demonstration: How to Install the First Server of an AD RMS Cluster
• To use DNS to configure a CNAME for the AD RMS cluster
• To use Server Manager to install the AD RMS server role
What Is a Service Connection Point?
A service connection point (SCP):
• Provides automatic discovery of the AD RMS cluster URL
• Exists only once per Active Directory® forest
• Is registered or removed by using the AD RMS management console
• Is viewed and modified by using ADSI Edit
In ADSI Edit, the SCP is located under Configuration [SEC-DC.Adatum.com] > CN=Configuration,DC=Adatum,DC=com > CN=Services > CN=Rights Management Services > CN=SCP
Implementing an AD RMS Client
The AD RMS client creates and manages the machine
certificate and lockbox.
The AD RMS client works with AD RMS-compatible
applications such as the 2007 Office System.
The AD RMS client is integrated with the Windows Vista®
and Windows Server® 2008 operating systems.
The AD RMS client is downloaded from the Microsoft®
Download center for earlier versions of Windows®.
The AD RMS client is deployed manually or automatically by using Active Directory® Group Policy.
Configuring Client Service Discovery
AD RMS clients discover the AD RMS cluster by using the following methods:
• AD DS service connection point
• AD RMS client registry override under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation:
  Activation (syntax: http(s)://<cluster>/_wmcs/certification)
  EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/certification)
Lesson 3: Administering AD RMS
• AD RMS Administration Tasks
• What Is a Rights Policy Template?
• How To Create a Rights Policy Template
• Providing Rights Policy Templates for Offline Use
• What Are Exclusion Policies?
AD RMS Administration Tasks
Administering AD RMS covers the following:
• Rights policy templates
• Exclusion policies
• Trust policies
What Is a Rights Policy Template?
A rights policy template:
• Specifies the users or groups who must have rights to work with content protected with the template
• Includes rights such as Full Control, View, Edit, Save, Print, Forward, and Reply
• Is stored in the configuration database, or in a shared folder on the network for offline publishing
• Is selected by the author during document creation to apply rights to the content
• Is configured as a distributed or an archived template
Demonstration: How To Create a Rights Policy Template
• To configure a distributed rights policy template
• To manage archived rights policy templates
Providing Rights Policy Templates for Offline Use
1. Create a shared folder on the server to be used to store the exported rights policy templates.
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.
Example: For Office 2007
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath
Type: REG_EXPAND_SZ
Recommended value: %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>
What Are Exclusion Policies?
Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses associated with excluded principals are still valid.
Administrators can exclude the following principals:
• User IDs
• Applications
• Lockbox versions
• Windows® versions
Lesson 4: Implementing AD RMS Trust Policies
• Methods of Defining Trust Policies
• Overview of Trusted User Domain Interaction
• Overview of Trusted Publishing Domain Interaction
• How To Configure Trust Policies
• Deploying AD RMS with AD FS
Methods of Defining Trust Policies
Trust policies enable an AD RMS cluster to process licensing requests for content that is rights-protected by another AD RMS cluster.
Trust policies can be defined for the following:
• Trusted user domains
• Trusted publishing domains
• Windows Live™ ID
• Federated trust
Overview of Trusted User Domain Interaction
Participants: Contoso and Northwind Traders
1. Contoso sends its Server Licensor Certificate (SLC) to Northwind Traders.
2. Northwind Traders imports the SLC.
3. Alice@nwtraders.msft sends RM content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL from Northwind Traders.
5. The Northwind Traders server uses the imported SLC to verify Bob's Rights Account Certificate (RAC) and returns the UL.
Overview of Trusted Publishing Domain Interaction
Participants: Contoso and Northwind Traders
1. Northwind Traders exports its private key and SLC.
2. Contoso imports the private key and SLC.
3. Alice@nwtraders.msft sends RM content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL from Northwind Traders.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.
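The trusted user domain check from the two interactions above (Northwind Traders verifying Bob's RAC with the imported Contoso SLC), modelled in Go as an added example that is not course or product code: a RAC is the user's identity and public key signed by the issuing cluster's SLC, and a licensing cluster honours the UL request only if it has imported that SLC as a TUD. Mapping a RAC to its TUD by e-mail domain, RSA-PSS signatures and the stand-in keys are assumptions; a trusted publishing domain differs in that the partner's private key is imported, so the importing cluster can decrypt the PL itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// Rand lets callers generate stand-in SLC and user keys without importing rand.
var Rand = rand.Reader
// RAC models a rights account certificate: e-mail and user public key (modulus), signed by the issuing SLC.
type RAC struct {
	Email string
	UserN []byte
	Sig   []byte
}

// Cluster models an AD RMS cluster: its own SLC key plus imported partner SLCs (TUDs) keyed by e-mail domain.
type Cluster struct {
	SLC  *rsa.PrivateKey
	TUDs map[string]*rsa.PublicKey
}

// racDigest binds the identity to the key so neither can be swapped after signing.
func racDigest(email string, userN []byte) []byte {
	h := sha256.Sum256(append([]byte(email+"\x00"), userN...))
	return h[:]
}

// IssueRAC (home cluster): sign the user's identity and public key with the SLC.
func (c *Cluster) IssueRAC(email string, user *rsa.PublicKey) (*RAC, error) {
	n := user.N.Bytes()
	sig, err := rsa.SignPSS(Rand, c.SLC, crypto.SHA256, racDigest(email, n), nil)
	return &RAC{email, n, sig}, err
}

// ImportTUD: the partner exports its SLC (public part only); this cluster imports it.
func (c *Cluster) ImportTUD(domain string, slc *rsa.PublicKey) { c.TUDs[domain] = slc }

// VerifyRAC (licensing cluster): honour a UL request only if the RAC's e-mail domain maps to
// an imported TUD and the RAC signature verifies under that partner SLC.
func (c *Cluster) VerifyRAC(r *RAC) error {
	domain := r.Email[strings.LastIndex(r.Email, "@")+1:]
	slc, ok := c.TUDs[domain]
	if !ok {
		return errors.New("no trusted user domain for " + domain)
	}
	return rsa.VerifyPSS(slc, crypto.SHA256, racDigest(r.Email, r.UserN), r.Sig, nil)
}
```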
Demonstration: How To Configure Trust Policies
• To export a trusted user domain certificate
• To import a trusted user domain certificate
• To configure trusted publishing domains
Deploying AD RMS with AD FS
1. Assign an SSL certificate to the Web site that hosts the AD RMS cluster.
2. Install and configure AD RMS.
3. Grant the AD RMS service account permissions to generate security audits.
4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.
5. Configure the AD RMS extranet cluster URL.
6. Install the AD RMS Identity Federation role service.
[Diagram: the supplier is the AD FS account partner; the manufacturer, which hosts AD RMS, is the AD FS resource partner.]
Lab 6: Configuring AD RMS
• Exercise 1: Installing the AD RMS Server Role
• Exercise 2: Managing AD RMS rights policy templates
• Exercise 3: Configuring Trust Policies
• Exercise 4: Testing AD RMS functionality
Logon information
Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1
User name: Administrator
Domain: woodgrovebank
Password: Pa$$w0rd
Estimated time: 60 minutes