AD RMS can,
AD RMS has its own role services and related components, which need to
work together in order to maintain a healthy AD RMS environment. Let's look
into these components in detail.
When a new RMS server is added to the infrastructure, it will automatically
become part of the relevant cluster based on the installed roles. However, it is
recommended to use the root cluster only, as it will automatically load balance
both certificate and licensing requests. When there are two clusters, load
balancing is handled by each cluster separately, even though they are components
of one system.
Web Server – AD RMS requires a web service for its operations. Therefore it
requires IIS 7.0 or later with the following role services.
• Web Server (IIS)
  • Web Server
    o Common HTTP Features
        Static Content
        Directory Browsing
        HTTP Errors
        HTTP Redirection
    o Performance
        Static Content Compression
    o Health and Diagnostics
        HTTP Logging
        Logging Tools
        Request Monitor
        Tracing
    o Security
        Windows Authentication
  • Management Tools
    o IIS Management Console
    o IIS 6 Management Compatibility
        IIS 6 Metabase Compatibility
        IIS 6 WMI Compatibility
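The role services above can be installed and verified from PowerShell instead of Server Manager. This is an added example, not from the original article; it assumes a Windows Server with the ServerManager cmdlets, run from an elevated session.

```powershell
# Added example (not from the original article): installs the IIS role services
# listed above with the ServerManager module and verifies nothing is missing.
# Assumes Windows Server with Server Manager cmdlets available, run elevated.
$iisFeatures = @(
  'Web-Server',                                                                   # Web Server (IIS)
  'Web-WebServer',                                                                # Web Server
  'Web-Static-Content', 'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Http-Redirect', # Common HTTP Features
  'Web-Stat-Compression',                                                         # Performance
  'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing', # Health and Diagnostics
  'Web-Windows-Auth',                                                             # Security
  'Web-Mgmt-Console',                                                             # IIS Management Console
  'Web-Metabase', 'Web-WMI'                                                       # IIS 6 Management Compatibility
)

$result = Install-WindowsFeature -Name $iisFeatures -IncludeManagementTools
if ($result.RestartNeeded -eq 'Yes') {
  Write-Warning 'A restart is required before installing the AD RMS role.'
}

# Confirm every listed role service is actually installed before adding AD RMS.
$missing = Get-WindowsFeature -Name $iisFeatures | Where-Object { -not $_.Installed }
if ($missing) {
  $missing | Select-Object Name, InstallState
} else {
  'All IIS role services required by AD RMS are installed.'
}
```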
SQL Server – AD RMS supports the Windows Internal Database (WID) and
Microsoft SQL Server. If the AD RMS cluster is going to have multiple
servers, its database must be hosted on MS SQL Server. SQL Server 2005
onwards is supported. AD RMS has three databases.
Configuration Database – The configuration database includes configuration data
related to the AD RMS cluster, Windows user identities and the AD RMS certificate
key pair which is used to create the cluster.
Logging Database – This contains the logging data for the AD RMS setup. By
default, it is installed in the same SQL Server instance that hosts the
Configuration Database.
Directory Service Database – This database maintains cached data about
users, SID values, group memberships and related identifiers. This data is
collected by the AD RMS licensing service from LDAP queries run against the
global catalog server. By default it is refreshed every 12 hours.
By now we know the components of AD RMS and its capabilities. In this
section, we are going to look in detail at how all these components work
together to protect corporate data.
Before starting the data protection process, we need a healthy AD RMS
cluster, AD RMS clients (author and recipient) and a reliable connection
between those components. Once these prerequisites are fulfilled, the data
protection process happens in three main stages: the author protects the
content, the protected content is published, and the recipient accesses the
protected content. Let's assume Peter is trying to protect a document using
AD RMS. He is going to send it to Adam, and he does not want him to edit or
print it. This is the first time he is going to use AD RMS. In an AD RMS
environment, user Peter is referred to as the Information Author. On his first
authentication to the AD RMS cluster, it creates a Rights Account Certificate
(RAC), which will be the user's identity in AD RMS. This is a one-time
process. This certificate contains Peter's public key and his private key,
which is encrypted with his computer's public key. When Peter registers with
the AD RMS cluster, it also creates another certificate called the Client
Licensor Certificate (CLC). The CLC includes the Client Licensor Certificate's
public key and its private key, which is protected by Peter's public key. It
also includes the AD RMS cluster's public key, signed by the AD RMS private key.
Peter first decides what data needs to be protected. The RMS client then
generates a random symmetric key and encrypts the data that needs to be
protected. It uses the AES-256 standard to encrypt the data. When the first AD
RMS server is added to the cluster, it creates another certificate called the
Server Licensor Certificate (SLC). This represents the identity of the AD RMS
server. It is shared with clients so they can use it to exchange confidential
data in a secure way. The SLC includes the public key of the AD RMS server. As
the next step, the system encrypts the symmetric key used for data encryption
with this public key, so only the AD RMS cluster can open it.
After that, the RMS client creates a Publishing License (PL). The PL is used to
indicate the allowed recipients, what rights they have and what conditions
apply to the protected data. The PL includes the encrypted symmetric key that
can be used to decrypt the protected data. All this data is then encrypted with
the Server Licensor Certificate's public key. Apart from that, the AD RMS client
also signs the encrypted data with the private key of the CLC. At the end, this
protected data is attached to the PL. It also includes a copy of the symmetric
key encrypted with the CLC public key. This confirms Peter's authority over the
protected document, so he can decrypt the document without requesting another
license. Once all these encryptions and signings are done, the document is
ready to be sent over to Adam.
Once Adam receives the document, his AD RMS-aware application tries to open
it and finds that it is a protected document. Similar to Peter, Adam already
has his RAC and CLC from the AD RMS cluster. Was the protected document
encrypted or signed with any of Adam's certificates? No, it was not. But his
AD RMS client knows who to contact in order to sort it out for him. To open
the protected document, Adam needs a Use License (UL). This is issued by the
RMS cluster. So the AD RMS client sends a license request, which includes the
encrypted Publishing License, the encrypted symmetric key, Peter's CLC and the
public key of Adam's RAC. The protected document itself is not sent to the RMS
cluster with this request. To decrypt the protected document, Adam needs the
symmetric key that Peter used to encrypt the document. As a first step, the
server needs to know whether Adam is permitted to access the document and, if
he is, what conditions and rights apply. This information is in the Publishing
License. It is encrypted using the SLC's public key; the AD RMS server owns
the corresponding private key and can easily extract it. If Adam is not listed
in the PL, access is declined. If he is allowed, the server creates a list of
Adam's rights to the document.
The most important part of the decryption process is retrieving the
symmetric key. This is also encrypted with the SLC's public key. Once it is
extracted, it is re-encrypted using Adam's RAC public key, which was part of
the Use License request. This ensures that the only one who can see the key is
Adam's system. Since the server now has all the required information, it
generates the Use License, including the permission list and the encrypted
symmetric key, and sends it to Adam's RMS client. Once it reaches Adam's
system, the client can decrypt the symmetric key using the RAC's private key.
Then the RMS-aware application decrypts the document and applies the rights
information retrieved from the Use License. At the end, voila! Adam can see
the content of the document.
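The key-wrapping chain described in the three stages above, as an added illustration that is not code from the original article or from AD RMS itself: the SLC, RAC, PL and UL are plain PowerShell objects standing in for the real XrML certificates and licenses, CLC signing is omitted, and the .NET RSACng class assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. The e-mail addresses and sample text are constructed.

```powershell
# Added illustration, not code from the original article: the protect / publish /
# use chain modelled with .NET RSA and AES. SLC, RAC, PL and UL are PowerShell
# objects standing in for the real XrML certificates and licenses; CLC signing is
# omitted. Assumes Windows (RSACng). Names and sample text are constructed.
$pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# Cluster: Server Licensor Certificate key pair. Only the cluster holds the private key.
$slc = [System.Security.Cryptography.RSACng]::new(2048)
# Recipient Adam: Rights Account Certificate key pair. The private key stays on his machine.
$adamRac = [System.Security.Cryptography.RSACng]::new(2048)

# Stage 1 - author (Peter) encrypts the content with a random symmetric key.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
$plain  = [Text.Encoding]::UTF8.GetBytes('Q3 board pack - constructed sample content')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# Stage 2 - publish. The content key is wrapped to the SLC public key, so only the
# cluster can recover it; the rights list lives in the Publishing License.
$slcPublic = [System.Security.Cryptography.RSACng]::new()
$slcPublic.ImportParameters($slc.ExportParameters($false))
$pl = @{
  Rights     = @{ 'adam@rebeladmin.com' = @('VIEW') }   # read only: no EDIT, no PRINT
  WrappedKey = $slcPublic.Encrypt($aes.Key, $pad)
  IV         = $aes.IV
}

# Stage 3 - use. The cluster unwraps the key with its SLC private key, checks the PL,
# and re-wraps the key to the requester's RAC public key inside a Use License.
function Issue-UseLicense($pl, $requester, $racPublicParams) {
  if (-not $pl.Rights.ContainsKey($requester)) { throw "Access denied for $requester" }
  $contentKey = $slc.Decrypt($pl.WrappedKey, $pad)
  $racPublic  = [System.Security.Cryptography.RSACng]::new()
  $racPublic.ImportParameters($racPublicParams)
  return @{ Rights = $pl.Rights[$requester]; WrappedKey = $racPublic.Encrypt($contentKey, $pad) }
}

$ul = Issue-UseLicense $pl 'adam@rebeladmin.com' $adamRac.ExportParameters($false)
# Only Adam's RAC private key can unwrap the key carried in the UL.
$aes.Key = $adamRac.Decrypt($ul.WrappedKey, $pad)
$aes.IV  = $pl.IV
$text = [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length))
"Adam reads: '$text' with rights: $($ul.Rights -join ', ')"

# Liam is not named in the PL, so the cluster declines the Use License request.
try { Issue-UseLicense $pl 'liam@rebeladmin.com' $adamRac.ExportParameters($false) } catch { $_.Exception.Message }
```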
Peter wants to send a protected document to Adam. Adam should only have
read permission to the document and should not be able to modify or print it.
2) In the next screen, it gives the option to create a new AD RMS root cluster
or join an existing AD RMS cluster. Since it is a new cluster, select the option
Create a new AD RMS root cluster and click Next.
3) The next screen is to define the AD RMS database configuration. If it is
going to use MS SQL Server, you need to specify the database server and the
instance. Otherwise it can use the Windows Internal Database. Please note that
if WID is used, the cluster cannot have any more AD RMS servers and cannot have
the AD RMS mobile extension either. Since this is a demo, I am going to use WID.
Once the selection is made, click Next to move to the next step.
The email account field is a must, and if the user doesn't have an email address
defined, they will not be allowed to protect the document.
4) Once it successfully retrieves the templates, go back to the same option and
select Restricted Access.
5) Then it opens a new window. There, for the read permissions, type
adam@rebeladmin.com to provide read-only permission to user adam. Then
click OK.
6) After that, save the document. In the demo, I used a network share which user
adam also has access to.
7) Now I log in to another Windows 10 computer as user adam.
8) Then browse to the path where the document was saved and open it using Word
2013.
9) During the opening process, it asks to authenticate to the RMS to retrieve the
licenses. After that it opens the document. At the top of the document it says
the document has limited access. When you click on “View Permission”, it lists
the allowed permissions, and they match what we set on the author side.
10) Further into testing, I log in to the system as another user (Liam), and
when I access the file I get,
This ends the configuration and testing of the AD RMS cluster. In this demo, I
explained how we can set up an AD RMS cluster with minimum resources and
configuration. I only used the default configuration of the AD RMS cluster, and
no custom policies were applied. Understanding the core functions allows you to
customize it to meet your organization's requirements.