Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 6: Configuring AD RMS
• Overview of AD RMS
• Installing and Configuring AD RMS Server Components
• Administering AD RMS
• Implementing AD RMS Trust Policies
Lesson 1: Overview of AD RMS
• How Access Management Is Enforced by Using AD RMS
• Usage Scenarios of AD RMS
• Comparing Technologies Used to Protect Information
• Identifying AD RMS Components
• AD RMS Certificates and Licenses
• Overview of AD RMS Workflow
• How Files Are Protected by Using AD RMS
How Access Management Is Enforced by Using AD RMS
AD RMS enforces access management by:
• Establishing trusted participants within the AD RMS system
• Assigning persistent usage rights and conditions on how a trusted participant can use protected information
• Encrypting information and allowing access to users that have the required components and rights to open and view the information
Types of information that can be protected include:
• Sensitive documents such as plans, proposals, and reports
• E-mail messages
• Content stored in AD RMS-aware intranet services
Usage Scenarios for AD RMS
Usage scenario: Secure Confidential Files
  Application: Microsoft® Office: Word®, Excel®, PowerPoint®
  Features: Set rights (View, Change, Print); set validity period
Usage scenario: Do-Not-Forward/Print E-Mail Message
  Application: Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack 1 (SP1)
  Features: Help protect sensitive e-mail messages from being sent to the Internet; help protect confidential e-mail messages from being taken outside the company; Rights Management Services (RMS) prelicensing agent
Usage scenario: Help Safeguard Intranet Content
  Application: Microsoft® Office SharePoint® Services
  Features: Help safeguard intranet content by restricting access to View, Change, and Print
Usage scenario: Identity Federation Support
  Application: All RMS-enabled applications; Active Directory® Federation Services (AD FS)
  Features: Help safeguard data across AD FS trusts
Comparing Technologies Used to Protect Information
Technologies compared: AD RMS; Secure/Multipurpose Internet Mail Extension (S/MIME) signing; S/MIME encryption; access control lists (ACLs); Encrypting File System (EFS)
Features compared:
• Attests to the identity of the publisher
• Differentiates permissions by user
• Prevents unauthorized viewing
• Encrypts protected content
• Offers content expiration
• Controls content reading, modifying, or printing by user *
• Extends protection beyond initial publication *
* With some limitations
Identifying AD RMS Components
[Diagram: AD RMS clients connect to the AD RMS Root Cluster running on Web Server (IIS), which relies on Active Directory® Domain Services (AD DS) and on SQL Server™ (configuration data, logging); an AD RMS Licensing-only Cluster with its own SQL Server™ serves further AD RMS clients]
AD RMS Certificates and Licenses
Server Licensor Certificate: Gets created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster
Machine Certificate: Identifies a trusted computer and contains the unique public key for that machine, on a per-user, per-computer basis
Rights Account Certificate: Names a trusted user identity by using the e-mail address or SID of the user, on a per-user basis
Client Licensor Certificate: Names a trusted user who is authorized to publish RMS-protected information without requiring connectivity to an RMS server, on a per-user, per-computer basis
Publishing License: Sets the policy for acquiring a use license for rights-protected information
Use License: Grants an authorized user with a valid RAC the right to consume rights-protected information, based on the policy established in the publishing license
Overview of AD RMS Workflow
[Diagram: numbered workflow, steps 1 through 9, between the Information Author (publishing) and the Information Recipient (consuming), involving the AD RMS Cluster, the Database Server, and Active Directory®]
How Files Are Protected by Using AD RMS
Content (text, pictures, and media): gets encrypted with a 128-bit AES symmetric content key
Publishing License: gets created when the file is protected; contains the content key and the rights information with e-mail addresses; gets encrypted with the public key of the server
Use License: gets added to the file after the server licenses a user to open it; contains the content key and the rights information with e-mail addresses; gets encrypted with the public key of the user
E-mail URLs are stored in the local RMS license cache, not in e-mail messages directly.
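The following PowerShell is an added example, not part of the course or of AD RMS itself. It models the envelope described above with .NET crypto: a fresh 128-bit AES content key, a publishing license that wraps that key under the server's public key, and a use license that re-wraps it for one user whose e-mail address appears in the rights information. The two RSA key pairs, the e-mail addresses and the sample text are constructed stand-ins.

```powershell
# Added example (not course material): models the AD RMS envelope from the slide with .NET crypto.
# The two RSA key pairs stand in for the cluster's SLC key pair and the user's RAC key pair.
$Cluster = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$UserRac = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

function Protect-Content([byte[]]$Plain, [string[]]$Readers) {
    # Content is encrypted with a fresh 128-bit AES content key, as on the slide.
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.KeySize = 128; $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # Publishing license (PL): content key plus rights info, readable only with the cluster's private key.
    $pl = @{ WrappedKey = $Cluster.Encrypt($aes.Key, $true); IV = $aes.IV; Readers = $Readers }
    return @{ Cipher = $cipher; PublishingLicense = $pl }
}

function New-UseLicense($PublishingLicense, [string]$Email, [byte[]]$UserPublicKeyBlob) {
    # The cluster opens the PL, checks the rights info, and re-wraps the key for this user's RAC key.
    if ($PublishingLicense.Readers -notcontains $Email) { throw "$Email has no rights to this content" }
    $key = $Cluster.Decrypt($PublishingLicense.WrappedKey, $true)
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportCspBlob($UserPublicKeyBlob)   # public half of the RAC only; the server never holds the private key
    return @{ WrappedKey = $pub.Encrypt($key, $true); IV = $PublishingLicense.IV; Email = $Email }
}

function Unprotect-Content([byte[]]$Cipher, $UseLicense) {
    # Use license (UL): only the holder of the RAC private key can recover the content key.
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Key = $UserRac.Decrypt($UseLicense.WrappedKey, $true); $aes.IV = $UseLicense.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Cipher, 0, $Cipher.Length)
}

$plain = [Text.Encoding]::UTF8.GetBytes('Q3 acquisition plan (constructed sample text)')
$doc   = Protect-Content $plain @('bob@contoso.com')
$ul    = New-UseLicense $doc.PublishingLicense 'bob@contoso.com' $UserRac.ExportCspBlob($false)
[Text.Encoding]::UTF8.GetString((Unprotect-Content $doc.Cipher $ul))   # the protected text comes back
try { New-UseLicense $doc.PublishingLicense 'eve@contoso.com' $UserRac.ExportCspBlob($false) }
catch { "Refused: $($_.Exception.Message)" }                           # not in the rights info, so no UL
```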
Lesson 2: Installing and Configuring AD RMS Server Components
• AD RMS Deployment Scenarios
• Preinstallation Considerations
• AD RMS System Requirements
• How to Install the First Server of an AD RMS Cluster
• What Is a Service Connection Point?
• Implementing an AD RMS Client
• Configuring Client Service Discovery
AD RMS Deployment Scenarios
• Deploying AD RMS in a single forest
• Deploying an AD RMS licensing-only cluster
• Deploying AD RMS in a multi-forest environment
• Deploying AD RMS in an extranet
• Deploying AD RMS with AD FS
Preinstallation Considerations
Consider the following points before deploying AD RMS:
• Determine whether to use an external database or the internal database provided by Windows Server® 2008.
• Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent if the service connection point is to be registered during installation.
• Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
• Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
• Obtain a Secure Sockets Layer (SSL) certificate from a trusted certification authority if secure communication to and from the AD RMS cluster is required.
• Create a specific AD RMS service account with standard user permissions.
AD RMS System Requirements
Hardware Requirements
Required: one Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space
Recommended: two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space
Software Requirements
Operating system: Windows Server® 2008
File system: NTFS file system is recommended
Messaging: Message Queuing
Web services: Internet Information Services (IIS); ASP.NET must be enabled
Active Directory® or AD DS: AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows Server® 2000 with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory®.
Database server: Microsoft® SQL Server™ 2005 or equivalent, and stored procedures
Demonstration: How to Install the First Server of an AD RMS Cluster
• To use DNS to configure a CNAME for the AD RMS cluster
• To use Server Manager to install the AD RMS server role
What Is a Service Connection Point?
A service connection point (SCP):
• Provides automatic discovery of the AD RMS cluster URL
• Is limited to one SCP per Active Directory® forest
• Is registered or removed by using the AD RMS management console
• Is viewed and modified by using ADSI Edit
Location of the SCP as shown in ADSI Edit (Configuration [SEC-DC.Adatum.com]):
CN=Configuration,DC=Adatum,DC=com
  CN=Display Specifiers
  CN=Extended-Rights
  CN=ForestUpdates
  CN=Services
    CN=MsmqServices
    CN=NetServices
    CN=Public Key Services
    CN=Rights Management Services
      CN=SCP
    CN=RRAS
    CN=Windows NT
Implementing an AD RMS Client
• The AD RMS client creates and manages the machine certificate and lockbox.
• The AD RMS client works with AD RMS-compatible applications such as the 2007 Office System.
• The AD RMS client is integrated with the Windows Vista® and Windows Server® 2008 operating systems.
• The AD RMS client is downloaded from the Microsoft® Download Center for earlier versions of Windows®.
• The AD RMS client is deployed manually or automatically by using Active Directory® Group Policy.
Configuring Client Service Discovery
AD RMS clients discover the AD RMS cluster using the following methods:
• AD DS service connection point
• AD RMS client registry override under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation:
  Activation (syntax: http(s)://<cluster>/_wmcs/certification)
  EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/certification)
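The following PowerShell is an added example, not course material: it audits the registry override described above against the slide's URL syntax and, in an elevated prompt, sets it. The cluster name rms.adatum.com is constructed; the EnterprisePublishing entry is pointed at the cluster's /_wmcs/licensing pipeline, which is where the client sends its publishing requests.

```powershell
# Added example (not course material): audits and sets the AD RMS client service-location override.
# The cluster name rms.adatum.com is a constructed value; the client reads each key's default value.
$Base = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation'
$Pipelines = @{ Activation = 'certification'; EnterprisePublishing = 'licensing' }

function Test-RmsServiceUrl([string]$Url, [string]$Pipeline) {
    # The slide's syntax is http(s)://<cluster>/_wmcs/<pipeline>; anything else is a mistyped or tampered override.
    return [bool]($Url -match "^https?://[^/\s]+/_wmcs/$Pipeline/?$")
}

function Get-RmsServiceOverride {
    foreach ($name in $Pipelines.Keys) {
        $key = Join-Path $Base $name
        $url = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
        if (-not $url) { $state = 'not set: client falls back to the AD DS service connection point' }
        elseif (Test-RmsServiceUrl $url $Pipelines[$name]) { $state = 'valid' }
        else { $state = 'MALFORMED: review this override' }
        New-Object PSObject -Property @{ Override = $name; Url = $url; State = $state }
    }
}

function Set-RmsServiceOverride([string]$Cluster, [switch]$UseHttps) {
    # HTTPS matches the preinstallation note about securing traffic to and from the cluster.
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    foreach ($name in $Pipelines.Keys) {
        $key = Join-Path $Base $name
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value "$($scheme)://$Cluster/_wmcs/$($Pipelines[$name])"
    }
}

Set-RmsServiceOverride -Cluster 'rms.adatum.com' -UseHttps   # needs an elevated prompt (HKLM)
Get-RmsServiceOverride | Format-Table Override, Url, State -AutoSize
```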
Lesson 3: Administering AD RMS
• AD RMS Administration Tasks
• What Is a Rights Policy Template?
• How To Create a Rights Policy Template
• Providing Rights Policy Templates for Offline Use
• What Are Exclusion Policies?
AD RMS Administration Tasks
AD RMS administration tasks include:
• Trust policies
• Exclusion policies
• Rights policy templates
AD RMS uses Online Certificate Status Protocol (OCSP) validation and revocation checking using HTTP.
What Is a Rights Policy Template?
A rights policy template:
• Includes rights such as Full Control, View, Edit, Save, Print, Forward, and Reply
• Is stored in the configuration database, or in a shared folder on the network for offline publishing
• Is selected by the author during document creation to apply rights to the content
• Is configured as a distributed or archived template
• Specifies the users or groups who have rights to work with content protected with the template
Demonstration: How To Create a Rights Policy Template
• To configure a distributed rights policy template
• To manage archived rights policy templates
Providing Rights Policy Templates for Offline Use
1. Create a shared folder on the server to store the exported rights policy templates.
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.
Example for Office 2007: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath, type REG_EXPAND_SZ, recommended value %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>
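The following PowerShell is an added example, not course material: it performs steps 3 and 4 of the procedure above on one Office 2007 client, copying only templates that parse as XML before the registry is pointed at them. The share \\NYC-SVR1\RmsTemplates and the folder name Templates are constructed values.

```powershell
# Added example (not course material): deploys exported rights policy templates to a client (steps 3 and 4).
# The share \\NYC-SVR1\RmsTemplates and the folder name Templates are constructed values.
$Share     = '\\NYC-SVR1\RmsTemplates'
$Local     = [Environment]::ExpandEnvironmentVariables('%allusersprofile%\Application Data\Microsoft\DRM\Templates')
$OfficeDrm = 'HKCU:\SOFTWARE\Microsoft\Office\12.0\Common\DRM'

function Copy-RmsTemplates([string]$From, [string]$To) {
    if (-not (Test-Path $To)) { New-Item -ItemType Directory -Path $To -Force | Out-Null }
    # Exported templates are XML files; confirm each one parses before the client is pointed at it.
    $copied = @()
    foreach ($file in Get-ChildItem -Path $From -Filter *.xml) {
        $xml = New-Object System.Xml.XmlDocument
        try { $xml.Load($file.FullName) }
        catch { Write-Warning "Skipping $($file.Name): not well-formed XML"; continue }
        Copy-Item -Path $file.FullName -Destination $To -Force
        $copied += $file.Name
    }
    return $copied
}

function Set-RmsTemplatePath([string]$UnexpandedPath) {
    if (-not (Test-Path $OfficeDrm)) { New-Item -Path $OfficeDrm -Force | Out-Null }
    # REG_EXPAND_SZ keeps %allusersprofile% unexpanded, so the same value works on every client.
    New-ItemProperty -Path $OfficeDrm -Name 'AdminTemplatePath' -PropertyType ExpandString -Value $UnexpandedPath -Force | Out-Null
    return (Get-ItemProperty -Path $OfficeDrm).AdminTemplatePath   # read back; the provider expands it
}

Copy-RmsTemplates -From $Share -To $Local
Set-RmsTemplatePath '%allusersprofile%\Application Data\Microsoft\DRM\Templates'
```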
What Are Exclusion Policies?
Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses associated with excluded principals remain valid.
Administrators can exclude the following principals:
• User IDs
• Applications
• Lockbox versions
• Windows® versions
Lesson 4: Implementing AD RMS Trust Policies
• Methods of Defining Trust Policies
• Overview of Trusted User Domain Interaction
• Overview of Trusted Publishing Domain Interaction
• How To Configure Trust Policies
• Deploying AD RMS with AD FS
Methods of Defining Trust Policies
Trust policies help an AD RMS cluster process licensing requests for content that is rights-protected by another AD RMS cluster.
Trust policies can be defined for the following:
• Trusted user domains
• Trusted publishing domains
• Windows Live™ ID
• Federated trust
Overview of Trusted User Domain Interaction
1. Contoso sends its SLC to Northwind Traders.
2. Northwind Traders imports the Server Licensor Certificate (SLC).
3. A Northwind Traders user sends RM-protected content to Bob at Contoso.
4. Bob sends the PL and his RAC with a request for a UL from Northwind Traders.
5. The Northwind Traders server uses the imported SLC to verify Bob's Rights Account Certificate (RAC) and returns the UL.
Overview of Trusted Publishing Domain Interaction
1. Northwind Traders exports its private key and SLC.
2. Contoso imports the private key and SLC.
3. A Northwind Traders user sends RM-protected content to Bob at Contoso.
4. Bob sends the PL and his RAC with a request for a UL from Northwind Traders.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.
Demonstration: How To Configure Trust Policies
• To export a trusted user domain certificate
• To import a trusted user domain certificate
• To configure trusted publishing domains
Deploying AD RMS with AD FS
1. Assign an SSL certificate to the Web site that hosts the AD RMS cluster.
2. Install and configure AD RMS.
3. Grant the AD RMS service account permissions to generate security audits.
4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.
5. Configure the AD RMS extranet cluster URL.
6. Install the AD RMS Identity Federation Role service.
[Diagram: AD RMS deployed across an AD FS trust between a manufacturer (account partner) and a supplier (resource partner)]
Lab 6: Configuring AD RMS
• Exercise 1: Installing the AD RMS Server Role
• Exercise 2: Managing AD RMS Rights Policy Templates
• Exercise 3: Configuring Trust Policies
• Exercise 4: Testing AD RMS Functionality
Logon information
Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1
User name: Administrator
Domain: woodgrovebank
Password: Pa$$w0rd
Estimated time: 60 minutes