Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 6: Configuring AD RMS
• Overview of AD RMS
• Installing and Configuring AD RMS Server Components
• Administering AD RMS
• Implementing AD RMS Trust Policies

Lesson 1: Overview of AD RMS
• How Access Management Is Enforced by Using AD RMS
• Usage Scenarios of AD RMS
• Comparing Technologies Used to Protect Information
• Identifying AD RMS Components
• AD RMS Certificates and Licenses
• Overview of AD RMS Workflow
• How Files Are Protected by Using AD RMS

How Access Management Is Enforced by Using AD RMS
AD RMS enforces access management by:
• Establishing trusted participants within the AD RMS system
• Assigning persistent usage rights and conditions on how a trusted participant can use protected information
• Encrypting information and allowing access only to users who have the required components and rights to open and view the information
Types of information that can be protected include:
• Sensitive documents such as plans, proposals, and reports
• E-mail messages
• Content stored in AD RMS-aware intranet services

Usage Scenarios for AD RMS
Usage Scenario | Application | Features
Secure Confidential Files | Microsoft® Office: Word®, Excel®, PowerPoint® | Set rights (View, Change, Print); set validity period
Do-Not-Forward/Print E-Mail Message | Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack 1 (SP1) | Help protect sensitive e-mail messages from being sent to the Internet; help protect confidential e-mail messages from being taken outside the company; Rights Management Services (RMS) prelicensing agent
Help Safeguard Intranet Content | Microsoft® Office SharePoint® Services | Help safeguard intranet content by restricting access to View, Change, and Print
Identity Federation Support | All RMS-enabled applications; Active Directory® Federation Services (AD FS) | Help safeguard data across AD FS trusts

Comparing Technologies Used to Protect Information
Technologies compared: AD RMS, Secure/Multipurpose Internet Mail Extensions (S/MIME) signing, S/MIME encryption, access control lists (ACLs), and Encrypting File System (EFS). Features compared:
• Attests to the identity of the publisher
• Differentiates permissions by user
• Prevents unauthorized viewing
• Encrypts protected content
• Offers content expiration
• Controls content reading, modifying, or printing by user *
• Extends protection beyond initial publication *
* With some limitations
[Comparison matrix of these features across the five technologies]

Identifying AD RMS Components
[Diagram: an AD RMS root cluster (Web Server (IIS)) connected to Active Directory® Domain Services (AD DS) and to SQL Server™ (configuration and data logging databases); an AD RMS licensing-only cluster with its own SQL Server™; AD RMS clients connecting to both clusters]

AD RMS Certificates and Licenses
• Server Licensor Certificate (SLC): created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster
• Machine Certificate: identifies a trusted computer and contains the unique public key for that machine; issued per user per computer
• Rights Account Certificate (RAC): names a trusted user identity by using the e-mail address or SID of the user; issued per user
• Client Licensor Certificate (CLC): names a trusted user who is authorized to publish RMS-protected information without requiring connectivity to an RMS server; issued per user on a computer
• Publishing License (PL): sets the policy for acquiring a use license for rights-protected information
• Use License (UL): grants an authorized user with a valid RAC the rights to consume rights-protected information, based on the policy established in the publishing license

Overview of AD RMS Workflow
[Diagram: database server, AD RMS cluster, and Active Directory®, with the publishing steps on the information author's side and the consuming steps on the information recipient's side, numbered 1 through 9]

How Files Are Protected by Using AD RMS
• Publishing License: created when the file is protected. Holds the content key and the rights information with e-mail addresses, both encrypted with the public key of the server.
• Content key: a 128-bit AES symmetric encryption key used to encrypt the content.
• Content: the content of the file, such as text, pictures, and media, encrypted with the 128-bit AES content key.
• Use License: added to the file after the server licenses a user to open it. Holds the rights information with e-mail addresses and the content key, both encrypted with the public key of the user.
Note: E-mail use licenses (ULs) are stored in the local RMS license cache, not in e-mail messages directly.

Lesson 2: Installing and Configuring AD RMS Server Components
• AD RMS Deployment Scenarios
• Preinstallation Considerations
• AD RMS System Requirements
• How to Install the First Server of an AD RMS Cluster
• What Is a Service Connection Point?
• Implementing an AD RMS Client
• Configuring Client Service Discovery

AD RMS Deployment Scenarios
• Deploying AD RMS in a single forest
• Deploying an AD RMS licensing-only cluster
• Deploying AD RMS in a multi-forest environment
• Deploying AD RMS in an extranet
• Deploying AD RMS with AD FS

Preinstallation Considerations
Consider the following points before deploying AD RMS:
• Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
• Determine whether to use an external database or the internal database provided by Windows Server® 2008.
• Create a specific AD RMS service account with standard user permissions.
• Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent if the service connection point is to be registered during installation.
• Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
• Obtain a Secure Sockets Layer (SSL) certificate from a trusted certification authority if secure communication to and from the AD RMS cluster is required.

AD RMS System Requirements
Hardware Requirements
Required: one Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space
Recommended: two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space
Software Requirements
Operating System | Windows Server® 2008
File System | NTFS file system is recommended
Messaging | Message Queuing
Web Services | Internet Information Services (IIS); ASP.NET must be enabled
Active Directory® or AD DS | AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows Server® 2000 with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory®.
Database Server | Microsoft® SQL Server™ 2005 or equivalent, and stored procedures

Demonstration: How to Install the First Server of an AD RMS Cluster
• To use DNS to configure a CNAME for the AD RMS cluster
• To use Server Manager to install the AD RMS server role

What Is a Service Connection Point?
A service connection point (SCP):
• Provides automatic discovery of the AD RMS cluster URL
• Exists only once per Active Directory® forest
• Is registered or removed with the AD RMS management console
• Is viewed and modified with ADSI Edit
In ADSI Edit the AD RMS SCP is found in the Configuration partition at CN=SCP,CN=Rights Management Services,CN=Services,CN=Configuration,DC=Adatum,DC=com (example forest Adatum.com, viewed on SEC-DC.Adatum.com).

Implementing an AD RMS Client
• The AD RMS client creates and manages the machine certificate and the lockbox.
• The AD RMS client works with AD RMS-compatible applications such as the 2007 Office System.
• The AD RMS client is integrated with the Windows Vista® and Windows Server® 2008 operating systems.
• For earlier versions of Windows®, the AD RMS client is downloaded from the Microsoft® Download Center.
• The AD RMS client is deployed manually or by automation with Active Directory® Group Policy.

Configuring Client Service Discovery
AD RMS clients discover the AD RMS cluster by using the following methods:
• AD DS service connection point
• AD RMS client registry override under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation:
  Activation (syntax: http(s)://<cluster>/_wmcs/certification)
  EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/certification)

Lesson 3: Administering AD RMS
• AD RMS Administration Tasks
• What Is a Rights Policy Template?
• How To Create a Rights Policy Template
• Providing Rights Policy Templates for Offline Use
• What Are Exclusion Policies?

AD RMS Administration Tasks
• Rights policy templates
• Exclusion policies
• Trust policies

What Is a Rights Policy Template?
A rights policy template:
• Specifies the users or groups who have rights to work with content protected with the template
• Grants rights that include Full Control, View, Edit, Save, Print, Forward, and Reply
• Can use Online Certificate Status Protocol (OCSP) validation and HTTP revocation checking
• Is stored in the configuration database or in a shared folder on the network for offline publishing
• Is configured as a distributed or an archived template
• Is selected by the author during document creation to apply rights to the content

Demonstration: How To Create a Rights Policy Template
• To configure a distributed rights policy template
• To manage archived rights policy templates

Providing Rights Policy Templates for Offline Use
1. Create a shared folder on the server to store the exported rights policy templates.
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.
Example for Office 2007:
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM
  Value: AdminTemplatePath
  Type: REG_EXPAND_SZ
  Recommended value: %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>

What Are Exclusion Policies?
Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses associated with excluded principals are still valid. Administrators can exclude the following principals:
• User IDs
• Applications
• Lockbox versions
• Windows® versions

Lesson 4: Implementing AD RMS Trust Policies
• Methods of Defining Trust Policies
• Overview of Trusted User Domain Interaction
• Overview of Trusted Publishing Domain Interaction
• How To Configure Trust Policies
• Deploying AD RMS with AD FS

Methods of Defining Trust Policies
Trust policies help an AD RMS cluster process licensing requests for content that is rights-protected by another AD RMS cluster. Trust policies can be defined for the following:
• Trusted user domains
• Trusted publishing domains
• Windows Live™ ID
• Federated trust

Overview of Trusted User Domain Interaction (Contoso and Northwind Traders)
1. Contoso sends its Server Licensor Certificate (SLC) to Northwind Traders.
2. Northwind Traders imports the Contoso SLC.
3. Alice@nwtraders.msft sends RM-protected content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL to Northwind Traders.
5. The Northwind Traders server uses the imported SLC to verify Bob's Rights Account Certificate (RAC) and returns the UL.

Overview of Trusted Publishing Domain Interaction (Contoso and Northwind Traders)
1. Northwind Traders exports its private key and SLC.
2. Contoso imports the Northwind Traders private key and SLC.
3. Alice@nwtraders.msft sends RM-protected content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL for the content from Northwind Traders.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.

Demonstration: How To Configure Trust Policies
• To export a trusted user domain certificate
• To import a trusted user domain certificate
• To configure trusted publishing domains

Deploying AD RMS with AD FS
[Diagram: a supplier acting as the AD FS account partner and a manufacturer acting as the AD FS resource partner that hosts AD RMS]
1. Assign an SSL certificate to the Web site that hosts the AD RMS cluster.
2. Install and configure AD RMS.
3. Grant the AD RMS service account permissions to generate security audits.
4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.
5. Configure the AD RMS extranet cluster URL.
6. Install the AD RMS Identity Federation Support role service.

Lab 6: Configuring AD RMS
• Exercise 1: Installing the AD RMS Server Role
• Exercise 2: Managing AD RMS Rights Policy Templates
• Exercise 3: Configuring Trust Policies
• Exercise 4: Testing AD RMS Functionality
Logon information
Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1
User name: Administrator
Domain: woodgrovebank
Password: Pa$$w0rd
Estimated time: 60 minutes
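The key-wrapping flow from the Lesson 1 slide "How Files Are Protected by Using AD RMS", modelled as an added PowerShell example that is not part of the course material. RSA key pairs stand in for the server licensor certificate and Bob's rights account certificate, .NET AES for the 128-bit content key, and hashtables for the publishing and use licenses; the signed XrML licenses and the client lockbox of real AD RMS are not modelled.

```powershell
# Added toy model of the AD RMS publishing/use license key flow (not course code).
# $server stands for the cluster's SLC key pair, $user for Bob's RAC key pair.
$server = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$user   = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# 1. Author protects the file: a fresh 128-bit AES content key encrypts the content.
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.KeySize = 128
$aes.GenerateKey(); $aes.GenerateIV()
$plain  = [Text.Encoding]::UTF8.GetBytes('Constructed sample: Q3 acquisition plan')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# 2. Publishing license (PL): the rights list and the content key, wrapped to the SERVER
#    public key, so the recipient cannot recover the key from the file alone.
$publishingLicense = @{
    Rights     = @{ 'bob@contoso.com' = 'View' }
    ContentKey = $server.Encrypt($aes.Key, $true)      # OAEP padding
}

# 3. Cluster side: given the PL and the requester's RAC, check the rights, unwrap the
#    content key with the SLC private key and re-wrap it to the requester's RAC public key.
function New-UseLicense([hashtable]$PL, $RequesterPublicKey, [string]$Requester) {
    if (-not $PL.Rights.ContainsKey($Requester)) { throw "No rights for $Requester in the PL" }
    $key = $server.Decrypt($PL.ContentKey, $true)
    @{ Rights = $PL.Rights[$Requester]; ContentKey = $RequesterPublicKey.Encrypt($key, $true) }
}

# Bob presents only the public half of his RAC to the cluster.
$bobPublic = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$bobPublic.ImportParameters($user.ExportParameters($false))
$useLicense = New-UseLicense $publishingLicense $bobPublic 'bob@contoso.com'

# 4. Bob's lockbox unwraps the content key with his RAC private key and decrypts the content.
$aes.Key   = $user.Decrypt($useLicense.ContentKey, $true)
$recovered = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
"{0} may {1}: {2}" -f 'bob@contoso.com', $useLicense.Rights, [Text.Encoding]::UTF8.GetString($recovered)

# A principal absent from the PL rights list gets no UL, so the content stays unreadable.
try   { New-UseLicense $publishingLicense $bobPublic 'eve@contoso.com' | Out-Null }
catch { "Denied: $($_.Exception.Message)" }
```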
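The client-side settings from Lesson 2 (Configuring Client Service Discovery) and Lesson 3 (Providing Rights Policy Templates for Offline Use), put together in an added PowerShell example that is not part of the course material. The cluster URL https://adrms.woodgrovebank.com is a constructed value, and the EnterprisePublishing override is pointed at the cluster's licensing pipeline (/_wmcs/licensing), which is what the client expects for publishing; the SCP lookup reads the serviceBindingInformation attribute of the serviceConnectionPoint object at the location shown on the SCP slide.

```powershell
# Added example (not course code): check how an AD RMS client finds its cluster and where
# Office 2007 will look for offline rights policy templates.
$clusterUrl  = 'https://adrms.woodgrovebank.com'   # constructed value
$overrideKey = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation'
$officeDrm   = 'HKCU:\SOFTWARE\Microsoft\Office\12.0\Common\DRM'

function Set-AdrmsServiceLocationOverride([string]$Cluster) {
    $pipelines = [ordered]@{ Activation = 'certification'; EnterprisePublishing = 'licensing' }
    foreach ($entry in $pipelines.GetEnumerator()) {
        $path = Join-Path $overrideKey $entry.Key
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # The URL lives in the key's (Default) value; Set-Item writes that value.
        Set-Item -Path $path -Value "$Cluster/_wmcs/$($entry.Value)"
    }
}

function Get-AdrmsServiceLocation {
    # Same order as the client: registry override first, then the AD DS SCP.
    $found = [ordered]@{}
    foreach ($name in 'Activation', 'EnterprisePublishing') {
        $path = Join-Path $overrideKey $name
        if (Test-Path $path) { $found[$name] = (Get-ItemProperty -Path $path).'(default)' }
    }
    if ($found.Count -gt 0) { $found['Source'] = 'RegistryOverride'; return $found }

    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=Rights Management Services,CN=Services,$configNc"
    if ([ADSI]::Exists($scpPath)) {
        # serviceBindingInformation on the SCP object carries the cluster URL.
        $found['Activation'] = [string]([ADSI]$scpPath).serviceBindingInformation
        $found['Source'] = 'SCP'
    } else { $found['Source'] = 'None: no override and no SCP registered' }
    $found
}

function Set-OfficeTemplatePath([string]$TemplateFolder) {
    if (-not (Test-Path $officeDrm)) { New-Item -Path $officeDrm -Force | Out-Null }
    # REG_EXPAND_SZ (ExpandString) so %allusersprofile% is expanded on each client.
    New-ItemProperty -Path $officeDrm -Name AdminTemplatePath -PropertyType ExpandString `
        -Value "%allusersprofile%\Application Data\Microsoft\DRM\$TemplateFolder" -Force | Out-Null
    $expanded = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $officeDrm).AdminTemplatePath)
    # Exported templates are XML files; zero files means step 3 (deploy to the client) was skipped.
    $count = @(Get-ChildItem -Path $expanded -Filter *.xml -ErrorAction SilentlyContinue).Count
    "$expanded contains $count template file(s)"
}

Set-AdrmsServiceLocationOverride $clusterUrl
Get-AdrmsServiceLocation
Set-OfficeTemplatePath 'Templates'
```

Writing under HKLM requires an elevated session; run Get-AdrmsServiceLocation alone on a standard client to see which discovery method it is actually using.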
© Copyright 2024