the reach of your internal network to the outside world. However, this time, the extension applies to intellectual property. In the first days of computing, software manufacturers went to great lengths to protect their software from theft. Even today, some vendors require the use of hardware keys for their software to run. Others have resorted to a Web-based approval and validation process. For example, with the release of Windows Vista, Microsoft introduced a new licensing scheme, one option of which is a Key Management Server (KMS), to validate the licensed versions of Microsoft Windows you use. AD RMS enables you to protect your intellectual property through the integration of several features. In fact, in addition to a direct integration with Active Directory Domain Services (AD DS), AD RMS can also rely on both Active Directory Certificate Services (AD CS) and Active Directory Federation Services (AD FS). AD CS can generate the public key infrastructure (PKI) certificates that AD RMS can embed in documents. AD FS extends your AD RMS policies beyond the firewall and supports the protection of your intellectual property among your business partners.
Understanding AD RMS
As mentioned earlier, AD RMS is an updated version of the Microsoft Windows Rights Management Services available in Microsoft Windows Server 2003. With this release, Microsoft has included several new features that extend the functionality included in AD RMS. However, the scenarios you use to deploy AD RMS remain the same. AD RMS works with a special AD RMS client to protect sensitive information. Protection is provided through the AD RMS server role, which is designed to provide certificate and licensing management. Information, configuration, and logging data are persisted in a database. In test environments, you can rely on the Windows Internal Database (WID) included in Windows Server 2008, but in production environments, you should rely on a formal database engine such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008 running on a separate server. This will provide the ability to load balance AD RMS through the installation of multiple servers running this role. WID does not support remote connections; therefore, only one server can use it. Internet Information Services (IIS) 7.0 provides the Web services upon which AD RMS relies, and the Microsoft Message Queuing service ensures transaction coordination in distributed environments. The AD RMS client provides access to AD RMS features on the desktop. In addition, an AD DS directory provides integrated authentication and administration. AD RMS relies on AD DS to authenticate users and verify that they are allowed to use the service. The first time you install an AD RMS server, you create an AD RMS root cluster by default. A root cluster is designed to handle both certification and licensing requests. Only one root cluster can exist in an AD DS forest. You can also install licensing-only servers, which automatically form a licensing cluster. Clusters are available only if you deployed the AD RMS database on a separate server. Each time you add a new AD RMS server with either the root or the licensing role, it is automatically integrated into the corresponding existing cluster. Microsoft recommends that you rely on the root role more than on the licensing-only role for two reasons:
Root clusters handle all AD RMS operations and are, therefore, multifunctional.
Root and licensing-only clusters are independent; that is, they cannot share load balancing of the service. If you install all your servers as root servers, they automatically load balance each other.
After the infrastructure is in place, you can enable information-producing applications such as word processors, presentation tools, e-mail clients, and custom in-house applications to rely on AD RMS to provide information protection services. As users create the information, they define who will be able to read, write, modify, print, transfer, and otherwise manipulate the information. In addition, you can create policy templates that can apply a given configuration to documents as they are created. Usage rights are embedded directly within the documents you create so that the information remains protected even if it moves beyond your zone of authority. For example, if a protected document leaves your premises and arrives outside your network, it will remain protected because AD RMS settings are persistent. AD RMS offers a set of Web services, enabling you to extend it and integrate its features in your own information-producing applications. Because they are Web services, organizations can use them to integrate AD RMS features even in non-Windows environments.
AD RMS is now a server role that is integrated into Windows Server 2008. In previous releases, the features supported by AD RMS were in a package that required a separate download. In addition, the Server Manager installation provides all dependencies and required component installations as well. Also, if no remote database is indicated during installation, Server Manager will automatically install Windows Internal Database. As with most of the Windows Server 2008 server roles, AD RMS is administered through a Microsoft Management Console (MMC). Previous versions provided administration only through a Web interface. AD RMS now also includes direct integration with Active Directory Federation Services, enabling you to extend your rights management policies beyond the firewall with your partners. This means your partners do not need their own AD RMS infrastructures and can rely on yours through AD FS to access AD RMS features. In previous releases, you could rely on only Windows Live IDs to federate RMS services. With the integration of AD RMS and AD FS, you no longer need to rely on a third party to protect information.
However, to use federation, you must have an established federated trust before you install the AD RMS extension that integrates with AD FS, and you must use the latest RMS client: the Windows Vista client, or the RMS client with SP2 for versions of Windows earlier than Windows Vista.
AD RMS servers are also self-enrolled when they are created. Enrollment creates a server licensor certificate (SLC), which grants the server the right to participate in the AD RMS structure. Earlier versions required access to the Microsoft Enrollment Center through the Internet to issue and sign the SLC. AD RMS relies on a self-enrollment certificate that is included in Windows Server 2008. Because of this, you can now run AD RMS in isolated networks without requiring Internet access of any kind. Finally, AD RMS includes new administration roles so that you can delegate specific AD RMS tasks without having to grant excessive administration rights.
AD RMS Enterprise Administrators, which can manage all aspects of AD RMS. This group includes the user account used to install the role as well as the local Administrators group.
AD RMS Template Administrators, which supports the ability to read information about the AD RMS infrastructure as well as list, create, modify, and export rights policy templates.
AD RMS Auditors, which enables members to manage logs and reports. Auditors have read-only access to AD RMS infrastructure information.
AD RMS Service, which contains the AD RMS service account that is identified during the role installation.
Internal deployment
Install AD RMS on multiple servers tied to an AD DS directory. You must use a separate server to host the AD RMS database; otherwise, you will not be able to load balance the AD RMS role.
Extranet deployment
When users are mobile and do not remain within the confines of your network, you must deploy AD RMS in an extranet, a special perimeter network that provides internal services to authorized users. In this scenario, you will need to configure appropriate firewall exceptions and add a special extranet URL on an external-facing Web server to allow external client connections.
Multiforest deployment
When you have existing partnerships that are based on AD DS forest trusts, you must perform a multiforest deployment. In this case, you must deploy multiple AD RMS installations, one in each forest. Then, assign a Secure Sockets Layer (SSL) certificate to each Web site that hosts the AD RMS clusters in each forest. You must also extend the AD DS forest schema to include AD RMS objects. However, if you are using Microsoft Exchange Server in each forest, the extensions will already exist. Finally, your AD RMS service account, the account that runs the service, will need to be trusted in each forest.
AD RMS Certificates
Server licensor certificate (SLC)
The SLC is a self-signed certificate generated during the AD RMS setup of the first server in a root cluster. Other members of the root cluster will share this SLC. If you create a licensing-only cluster, it will generate its own SLC and share it with members of its cluster. The default duration for an SLC is 250 years.
Machine certificate
The first time an AD RMS-enabled application is used, a machine certificate is created. The AD RMS client in Windows automatically manages this process with the AD RMS cluster. This certificate creates a lockbox on the computer to correlate the machine certificate with the user's profile. The machine certificate contains the public key for the activated computer. The private key is contained within the lockbox on the computer.
Publishing license
The publishing license is created when the user saves content in a rights-protected mode. This license lists which users can use the content and under which conditions, as well as the rights each user has to the content. This license includes the symmetric content key for decrypting content as well as the public key of the cluster.
Use license
The use license is assigned to a user who opens rights-protected content. It is tied to the user's rights account certificate (RAC) and lists the access rights the user has to the content. If the RAC is not available, the user cannot work with rights-protected content. It contains the symmetric key for decrypting content. This key is encrypted with the public key of the user.
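The relationships among the cluster key, the publishing license, the use license, and the user's key described above, as an added example that is not part of the course text or any Microsoft code. It models the wrapping steps with .NET crypto; the e-mail address, rights list, and content are constructed, and hashtables stand in for the real XrML licenses.

```powershell
# Added example, not part of the course text: models the AD RMS key relationships
# described above with .NET crypto. Real certificates and licenses are XrML documents;
# here hashtables stand in for them. All keys and content are constructed locally.
function New-RsaKey { New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048 }

$clusterKey = New-RsaKey   # key pair behind the server licensor certificate (SLC)
$userKey    = New-RsaKey   # user's key pair; the private half stays in the lockbox

# 1. Author protects content with a random symmetric content key (AES).
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$aes.GenerateKey(); $aes.GenerateIV()
$plain = [Text.Encoding]::UTF8.GetBytes('Q3 forecast - internal only')   # constructed
$cipherBody = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# 2. Publishing license: who may do what, plus the content key wrapped (RSA-OAEP)
#    to the cluster public key only. The author never hands out the raw key.
$publishingLicense = @{
    Rights     = @{ 'alice@contoso.com' = 'View' }      # constructed rights list
    WrappedKey = $clusterKey.Encrypt($aes.Key, $true)
    IV         = $aes.IV
}

# 3. Cluster issues a use license: unwrap with the SLC private key, check the
#    requester's rights, re-wrap the content key to the public key in the RAC.
function Request-UseLicense($license, [byte[]]$racPublicBlob, [string]$email) {
    if (-not $license.Rights.ContainsKey($email)) { throw "No rights for $email" }
    $contentKey = $clusterKey.Decrypt($license.WrappedKey, $true)
    $racKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $racKey.ImportCspBlob($racPublicBlob)        # public key only
    return @{ Rights = $license.Rights[$email]; WrappedKey = $racKey.Encrypt($contentKey, $true) }
}

$rac        = $userKey.ExportCspBlob($false)   # a RAC carries the public key only
$useLicense = Request-UseLicense $publishingLicense $rac 'alice@contoso.com'

# 4. Client: only the lockbox private key can unwrap the use license's content key.
$aes.Key = $userKey.Decrypt($useLicense.WrappedKey, $true)
$body = $aes.CreateDecryptor().TransformFinalBlock($cipherBody, 0, $cipherBody.Length)
"Rights: $($useLicense.Rights); Content: $([Text.Encoding]::UTF8.GetString($body))"

# 5. Any other key pair (for example another machine's lockbox) cannot open it.
$otherKey = New-RsaKey
try { $null = $otherKey.Decrypt($useLicense.WrappedKey, $true); 'unexpected success' }
catch { 'Other key cannot unwrap the content key (expected)' }
```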
Management Services. Do not choose the Identity Federation Support option at this time; you cannot install this option until the AD FS federation relationship has been created. Click Next. Select the Create A New AD RMS Cluster option, and then click Next. Because this is a single-server installation, select Use Windows Internal Database On This Server and click Next. Click Specify. Type in the user name and password and click OK, then click Next. Select Use AD RMS Centrally Managed Key Storage, then click Next. You can also choose to protect the AD RMS cluster key by using a cryptographic storage provider, which is a more secure protection method; you will then need to select the storage provider and install this certificate on each new AD RMS server before you can add it to the root cluster. Assign a complex password and click Next. Select the Web site where you want to install the AD RMS Web services, and click Next. If you did not prepare the Web site beforehand, the name of the Web site will be Default Web Site. Select Use An SSL-Encrypted Connection (https://), type in the fully qualified domain name, and click Validate. Once validated, click Next. Select Create A Self-Signed Certificate For SSL Encryption. If you obtained a certificate but did not install it prior to setup, you can click Import to import the certificate now; if you did not obtain a certificate prior to installation, you can select the third option to choose encryption later. Note, however, that if you choose the last option you will not be able to complete your installation until you obtain and install this certificate. Self-signed certificates should be used for test environments only; in a production environment, use a proper SSL certificate issued by a commercial certification authority. Click Next. Type in a meaningful name and click Next.
The name should enable you to quickly identify which server the certificate is for. Select Register The AD RMS Service Connection Point Now, and then click Next. Click Next to install the IIS options. Click Next. Click Install. When the installation has completed, you may close all open dialog boxes.
communication through Secure HTTP or HTTPS connections. Finally, remember to create the appropriate virtual directories to host the AD RMS data. Expand Active Directory Rights Management. Right-click the server name and click Properties. Click Cluster URLs. Select Extranet URLs. Type in the valid URLs, then click OK.
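A check for the service connection point that setup registers and for the HTTPS and certificate requirements the cluster and extranet URLs must meet, added here as an example that is not part of the course text. It assumes it runs on a domain-joined machine with read access to the Configuration partition, and that the SCP container and the _wmcs certification pipeline sit at their documented AD RMS locations.

```powershell
# Added example, not from the course text: after setup registers the service connection
# point (SCP), confirm what clients will discover and that it meets the HTTPS guidance.
# Assumptions: run on a domain-joined machine with read access to the Configuration
# partition; the SCP container path is the documented AD RMS location.
function Get-AdRmsScpUrl {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
    $url = [string]$scp.serviceBindingInformation
    if (-not $url) { throw 'No AD RMS SCP registered in this forest' }
    return $url
}

function Test-AdRmsClusterUrl([string]$url) {
    $issues = @()
    $u = [Uri]$url
    if ($u.Scheme -ne 'https') { $issues += "Cluster URL is not HTTPS: $url" }
    # The SSL certificate is issued to the FQDN typed in during setup; a short name or
    # an IP address here means clients will see certificate name mismatches.
    if ($u.Host -notmatch '\.' -or $u.HostNameType -eq 'IPv4') {
        $issues += "Host '$($u.Host)' is not a fully qualified domain name"
    }
    # Probe the certification pipeline. Any HTTP status means the site and its virtual
    # directory are reachable; a TLS trust failure (for example a self-signed
    # certificate that this client does not trust) surfaces as a failed connection.
    $probe = "$($u.Scheme)://$($u.Host):$($u.Port)/_wmcs/certification/certification.asmx"
    try {
        $req = [Net.HttpWebRequest]::Create($probe)
        $req.Timeout = 5000
        $req.GetResponse().Close()
    } catch [Net.WebException] {
        if ($_.Exception.Response) { $_.Exception.Response.Close() }
        else { $issues += "Cannot reach $probe : $($_.Exception.Message)" }
    }
    return $issues
}

$scpUrl = Get-AdRmsScpUrl
"SCP URL: $scpUrl"
$findings = Test-AdRmsClusterUrl $scpUrl
if ($findings) { $findings | ForEach-Object { "WARNING: $_" } } else { 'Cluster URL checks passed' }
```

Run it from a client outside the network as well as inside to confirm the extranet URL resolves and its certificate is trusted from both locations.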
Specify the duration of rights account certificates.
Enable certification for mobile devices.
Enable certification of server services.
Authenticate clients through smart cards.
Of these, the one you must absolutely set is the validation period for the RAC. Others are optional operations that depend on your rights-protection policies. Note that standard RACs are valid for 365 days by default, and temporary RACs last only 15 minutes. You might want to extend the duration of a temporary RAC, but be careful about extending the validity of a standard RAC. Click Change Standard RAC Validity Period. Set a suitable period (days). Then click the Temporary RAC tab. Set a suitable period (minutes). Then click OK.
When you do so, the list of the specified exclusion members is included in the use license for the content. You can remove an excluded entity from an exclusion list, but remember that if you remove the entity from the list, it will no longer be added to the use licenses. Existing content, however, will already contain it because use licenses are issued only once, by default. Because of this, keep three items in mind when preparing exclusion lists:
Assign only exclusions that will be as permanent as possible.
If you change your mind, wait until existing use licenses have expired before removing entities from an exclusion list.
Rely on exclusion lists if the credentials of one of the supported entities, such as a user, have been compromised, and your rights-protected content is at risk.
Expand Exclusion Policies. Right-click Users and select Enable User Exclusion. Click Exclude User. You can exclude a user either through the e-mail address or through the public key assigned to the user. The first is for users included in your AD DS directory, and the second is for external users who might not have an account in your AD DS directory. If you exclude users in your AD DS directory, make sure you exclude a group so that it is easier to manage as time goes on. Click Browse. Locate the user or group to be excluded and click OK. Click Finish.
templates. First, you must create the template. Next, you must specify a location for the template. Locations are usually shared folders contained within your network. However, for users to rely on the template to create content, they must have access to it. Offline users will not have access to the templates unless you configure the offline folder settings for the shared folder so that the content of the folder will automatically be available locally to the user. In addition, relying on offline folders will ensure that when you modify, add, or update templates, they will automatically be updated on the client computer the next time the user connects to the network. Offline folders, however, will not work for external users who do not have access to your internal network. Expand Active Directory Rights Management and click Rights Policy Templates. Click Create Distributed Rights Policy Templates. Click Add. Choose the language for the template. Type in a name and description for the template and click Add. Click Next. Click Add to select the user or group that will have access to the template. Selecting Anyone will enable any user to request a use license for the content. Click OK. First select the user, and then assign the rights to that particular user or group in the Rights For User pane. You can also create a custom right for the user. Note that the Grant Owner (Author) Full Control Right With No Expiration option is selected by default. In the Rights Request URL, type the appropriate URL. Then click Next. On the Specify Expiration Policy page, select one of the three available options and type a value in days. If you need to ensure that content expires automatically after a number of days, select Expires After The Following Duration (Days), and type the number of days. Click Next.
1. Selecting Location Where The Revocation List Is Published (URL or UNC) and typing the value for the location of the revocation file. Keep in mind that if you use a URL and you have both internal and external users, the URL should be accessible from both network locations. 2. Selecting Refresh Interval For Revocation List (Days) and typing the number of days the revocation list will be maintained. This determines when users must update their revocation list when viewing content. 3. Selecting File Containing Public Key Corresponding To The Signed Revocation List. If required, tick Require Revocation and then select the appropriate option. Then click Finish. The template has been created.