Become an Expert in AD RMS in 75 minutes. Tejas Patel, Program Manager, Microsoft. SIM328

Upload: noel-thornton

Post on 31-Dec-2015


TRANSCRIPT

Page 1: SIM328. Access Control List Perimeter No Yes Firewall Perimeter Authorized Users Unauthorized Users Information Leakage Unauthorized Users …but

Become an Expert in AD RMS in 75 minutes

Tejas Patel, Program Manager, Microsoft

SIM328

Page 2:

Session Objectives and Takeaways

Session Objective(s):
• Learn the fundamentals of Information Protection with AD RMS
• Be able to quickly learn additional capabilities of the platform
• Understand at a low level what's going on during key operations with AD RMS

AD RMS is actually simple technology. Once the fundamentals are clear, understanding advanced behaviors is straightforward.

Page 3:

Setting the Right Expectations

Won't be explaining hardcore details, advanced features or specific configurations. But you will understand the FUNDAMENTALS.

Page 4:

Pre-requisites

• You know how to use IRM in Office
• You know the basics about AD
• You know how IIS and web services work
• You know the fundamentals of cryptography
  • Symmetric and asymmetric encryption
  • Signing
  • Certificates
• You know the fundamentals of PKI
• You are awake and able to concentrate for 75 minutes

Page 5:

What is AD RMS

• Information protection technology
• Provides persistent protection to documents
  • Protection travels with documents
  • Location agnostic
  • Protects against intentional or accidental leakage
• Based on encryption and policy
• Works together with other infrastructure
  • AD to provide identity and group membership
  • Windows to provide key protection and other capabilities
  • Office to provide UI and enforcement
  • Exchange, MOSS and others to enhance the experience

Page 6:

Traditional Solutions Protect Initial Access …but not indirect usage

[Diagram: a Firewall Perimeter and an Access Control List Perimeter each answer Yes or No at the moment of access, separating Authorized Users from Unauthorized Users. Once an authorized user is inside both perimeters, neither control prevents Information Leakage of the data to Unauthorized Users.]

Page 7:

What AD RMS Does

• Protects documents and email
• Encrypts data
• Decrypts for authorized personnel
• Can restrict other capabilities
  • Forward
  • Print
  • Cut/Copy/Paste
• Enforces document security after the file is opened
• Central policy management via templates

Page 8:

AD RMS Workflow

[Diagram: RMS Author, AD RMS Server, RMS Consumer. Protection: the author's decrypted document becomes RMS Protected (Encrypted) and carries a Publishing License ([email protected]: Read, [email protected]: [email protected]:Read). Consumption: the consumer receives a Use License ([email protected]: Read,Print). Arrow labels: 1; 2. Machine cert and RAC; 3.; 4.; 5. Publishing License and RAC.]

1. The author automatically receives AD RMS credentials (a "rights account certificate" and a "client licensor certificate") the FIRST TIME they rights-protect information.
2. The application works with the AD RMS client to create a "publishing license", encrypts the file, and appends the publishing license to it.
3. The AD RMS author distributes the file.
4. The recipient clicks the file to open it. The application sends the recipient's credentials and the publishing license to the AD RMS server, which validates the user and issues a "use license."
5. The application renders the file and enforces the rights.

Page 9:

Example: Rights-Protected Document (Word, Excel, or PowerPoint)

[Diagram of the parts of a protected file:]
• Publishing License: created when the file is protected. Holds the rights info (with email addresses) and the Content Key, encrypted with the server's public key.
• End User Licenses: only added to the file after the server licenses a user to open it. Each holds the rights for a particular user and the Content Key, encrypted with that user's public key.
• The Content of the File (text, pictures, metadata, etc.): encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key (a big random number).

NOTE: Outlook e-mail EULs are stored in the local user profile directory.
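The protect, license and consume steps of pages 8 and 9 (the same flow the diagrams on pages 38 and 39 draw), as an added example that is not part of the original deck and not AD RMS code. It models the deck's key hierarchy with Go's standard library: a random AES-128 content key is wrapped to the server licensor (SLC) public key inside the publishing license, the server unwraps it only for a named recipient and re-wraps it to that recipient's rights-account (RAC) public key inside the use license, and each license is signed by its issuer (the author's CLC key for the PL, the SLC key for the UL). JSON stands in for XrML, RSA-OAEP and RSA-PSS for the AD RMS encryption and signature formats, and RSA-2048 for the deck's RSA-1024, which is no longer an acceptable key size. The names Protect, IssueUseLicense, Consume and NewKeys, the e-mail addresses and the sample text are all constructed for the example. The server is simply handed the CLC public key it trusts (the SLC-signs-CLC step from page 38 is assumed done), and rights lookup is by exact e-mail: group expansion, templates and SuperUser belong to the policy step, which this block does not model.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Added example (not AD RMS code): JSON stands in for XrML; OAEP, PSS and GCM for the AD RMS formats.
type PL struct { // publishing license, appended to the protected file
	Rights     map[string][]string // email address -> granted rights
	WrappedKey []byte              // AES-128 content key, encrypted to the SLC public key
}
type UL struct { // use license, issued to one requesting user
	User       string
	Rights     []string
	WrappedKey []byte // the same content key, re-encrypted to that user's RAC public key
}
type Signed struct{ Body, Sig []byte } // serialized license plus its issuer's signature

func must[T any](v T, err error) T { // only for calls that can fail on programmer error
	if err != nil {
		panic(err)
	}
	return v
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func sign(priv *rsa.PrivateKey, body []byte) []byte {
	return must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(body), nil))
}
func verify(pub *rsa.PublicKey, s Signed) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(s.Body), s.Sig, nil)
}
func wrap(pub *rsa.PublicKey, key []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
}
func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil)
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Protect (author side): random content key, encrypt, wrap the key to the SLC public key,
// sign the PL with the author's CLC private key. Returns nonce||ciphertext and the PL.
func Protect(slcPub *rsa.PublicKey, clcPriv *rsa.PrivateKey, content []byte, rights map[string][]string) ([]byte, Signed) {
	key, nonce := make([]byte, 16), make([]byte, 12) // "a big random number" and a GCM nonce
	must(rand.Read(key))
	must(rand.Read(nonce))
	body := must(json.Marshal(PL{Rights: rights, WrappedKey: wrap(slcPub, key)}))
	return aead(key).Seal(nonce, nonce, content, nil), Signed{body, sign(clcPriv, body)}
}

// IssueUseLicense (server side): accept only a PL signed by the author's CLC, unwrap the
// content key with the SLC private key, select the requester's rights, re-wrap to their RAC.
func IssueUseLicense(slcPriv *rsa.PrivateKey, clcPub *rsa.PublicKey, pl Signed, user string, racPub *rsa.PublicKey) (Signed, error) {
	var p PL // the body is parsed only after its signature checks out
	if err := verify(clcPub, pl); err != nil || json.Unmarshal(pl.Body, &p) != nil {
		return Signed{}, errors.New("publishing license rejected: bad signature or body")
	}
	rights, ok := p.Rights[user] // exact-email lookup; groups, templates and SuperUser not modelled
	if !ok {
		return Signed{}, errors.New("access denied: " + user + " is not named in the publishing license")
	}
	key, err := unwrap(slcPriv, p.WrappedKey) // only the SLC private key can open this
	if err != nil {
		return Signed{}, err
	}
	body := must(json.Marshal(UL{User: user, Rights: rights, WrappedKey: wrap(racPub, key)}))
	return Signed{body, sign(slcPriv, body)}, nil
}

// Consume (client side): verify the UL came from the server, unwrap the content key with
// the RAC private key, decrypt. The application must then enforce the returned rights.
func Consume(slcPub *rsa.PublicKey, racPriv *rsa.PrivateKey, ul Signed, ct []byte) ([]byte, []string, error) {
	var u UL
	if err := verify(slcPub, ul); err != nil || json.Unmarshal(ul.Body, &u) != nil {
		return nil, nil, errors.New("use license rejected: bad signature or body")
	}
	key, err := unwrap(racPriv, u.WrappedKey)
	if err != nil || len(key) != 16 || len(ct) < 12 {
		return nil, nil, errors.New("content key or ciphertext unusable")
	}
	plain, err := aead(key).Open(nil, ct[:12], ct[12:], nil)
	return plain, u.Rights, err
}
func NewKeys() (slc, clc, rac *rsa.PrivateKey) { // RSA-2048: the deck's RSA-1024 is obsolete
	g := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	return g(), g(), g()
}
func main() { // bob is named in the PL and gets a UL; eve@fabrikam.com would be refused
	slc, clc, rac := NewKeys()
	ct, pl := Protect(&slc.PublicKey, clc, []byte("constructed sample text"), map[string][]string{"bob@contoso.com": {"VIEW", "PRINT"}})
	ul, err := IssueUseLicense(slc, &clc.PublicKey, pl, "bob@contoso.com", &rac.PublicKey)
	plain, rights, _ := Consume(&slc.PublicKey, rac, ul, ct)
	fmt.Println(err, string(plain), rights)
}
```

Two properties of the real system are visible in the model: a user who is not named in the publishing license gets no use license at all, because the server never releases the content key to anyone it has not licensed; and a publishing license whose rights list is edited after signing fails verification, so holding a protected file does not let you add yourself to its ACL.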

Page 10:

What's in a RMS Certificate

• AD RMS uses certificates for identity and licenses
• AD RMS does not use X.509 certificates! It uses XrML certs instead
  • Similar to X.509 but with room for policy
• Identity certificate: "this is User X and his/her email is…"
• There are also machine and server certificates

Page 11:

What is a Publishing License

• An IRM-protected document has an embedded "publishing license"
• List of rights (like an ACL)
• Subj ects of rights are email addresses
  • Groups or users
• Rights are operations
  • View
  • Edit
  • Copy
  • Print
  • Forward
  • …

Page 12:

Use Licenses

• When consuming content, users acquire use licenses from the server
• The use license is derived by the server from the Publishing License in the document
  • Contains a list of rights for the requesting user only
• Use licenses
  • Cannot be transferred
  • Only work on the original device where they were requested
  • Can be cached (or not)
  • Have a lifetime

Page 13:

Templates

• Instead of indicating a list of rights, you can indicate a template
  • The PL then lists the template GUID, not a list of rights
  • The template on the server contains the definition of rights for different users or groups
  • The server evaluates the template when a user tries to consume content
  • The protecting client needs a copy of the template in order to know what it's applying
• Templates are centrally managed
  • And can be updated
  • When using a template you are basically delegating policy to IT

Page 14:

Templates in Action

[Diagram: AD RMS server (SQL Server keeps the latest templates), Information protection, Recipient. A document is protected based on a template; the RM-enabled application requests a use license with the latest rights.]

Page 15:

Overview of AD RMS Components

• AD RMS server
  • "Certifies" user identity
  • Licenses AD RMS-protected information
• AD RMS client
  • Installed at the client computer
  • Interacts with AD RMS-enabled applications and with the server
• AD RMS-enabled applications
  • Enable consumption of AD RMS-protected content
  • Some versions of such applications allow protecting content by defining usage rights
  • Can be created with AD RMS SDKs

[Diagram: AD RMS Client, AD RMS Server]

Page 16:

AD RMS Server Terminology

• Certification server (or cluster)
  • First AD RMS server (cluster) in the enterprise
  • Provides certification and licensing capabilities
• Licensing server (optional)
  • Provides licensing services only
  • Relies on a certification server for certification of users
• Cluster
  • Group of equivalent AD RMS servers sharing the same database
  • Not to be confused with Windows Server Clustering Services

Page 17:

AD RMS Topology

[Diagram: an AD RMS Root Server with its Database; an AD RMS Root Cluster with its Database; a License-only Server with its Database; a License-only Server Cluster.]

Page 18:

AD RMS Infrastructure Components (cont.)

[Diagram: AD RMS Server, Active Directory, SQL, MOSS 2007, Exchange Server 2007 SP1, RMS Client with RM-enabled application]

Page 19:

AD RMS Server

• Runs on Windows Server 2008/2008 R2 inside IIS
• It's a web service! Typically runs over SSL
• Requires IIS with ASP.NET
• Stateless
• Uses Microsoft Message Queuing
  • Responsible for transactions to be applied to the SQL database
  • Provides tolerance when connectivity is lost between the AD RMS server and SQL Server

Page 20:

AD RMS Databases

• AD RMS web services are stateless
  • All persistent information is stored in SQL Server
• Three separate databases
  • Configuration: hosts configuration data, cluster and user keys
  • Caching: caches AD identities and group membership
  • Logging: stores logs of licensing operations
• Most operations are performed asynchronously
  • Data is written to MSMQ, flushed to the DB when possible
  • If the DB is not available, AD RMS continues to work "almost" normally

Page 21:

Active Directory

• Provides authentication
  • All accounts related to AD RMS must have an email address
• Provides the Service Connection Point (SCP) for service location
• Determines recipient group membership
  • Active Directory should be in native mode for group propagation
• One AD RMS root cluster per forest
  • AD RMS certification is limited to users in the AD forest

Page 22:

AD RMS Client Initialization in Detail

1. User initiates first IRM operation
2. Client "finds" the AD RMS certification URL
3. Client authenticates against the certification URL via AD
4. Server issues machine and user certificates (SPC and RAC)
5. Client is redirected to the licensing URL
6. Client acquires a CLC (which enables the user to protect documents)
7. Client acquires a license to consume content, if requested

Page 23:

How Clients Find AD RMS

• Clients can poll AD (the AD RMS Service Connection Point) to ask where AD RMS certification for this forest is
• Clients that try to open a document use the licensing URL in the document
• You can manually configure clients through registry values
• Once a client finds one service, it can find the other through the ServiceLocator web service

Page 24:

AD RMS Certificates and Licenses

AD RMS uses XrML certificates, not X.509 certificates.

• Certificate key pairs: RSA-1024
• Content key: AES-128
• SLC: Server Licensor Certificate
• RAC: Rights Account Certificate
• CLC: Client Licensor Certificate
• SPC: Security Processor Certificate
• PL: Publish License
• UL: Use License

[Diagram of the certificate and license chain, each box showing Issuer, key(s) and Signature:
• Server Identity: SLC (Issuer, Pub key, Signature).
• Machine Identity: SPC (Issuer, Pub key, Prv key, Signature); the private key is protected using both DPAPI and RSAVault (for obfuscation).
• User Identity: RAC (Issuer, Pub key, Prv key, Signature) and CLC (Issuer, Pub key, Prv key, Signature). Both are issued by the server (Issuer is the SLC); each private key is "Encrypted with" the public key below it in the chain, the RAC private key with the SPC public key and the CLC private key with the RAC public key.
• Licenses: PL (Issuer, Signature, Content key "Encrypted with" the SLC public key; Issuer is the CLC) and UL (Issuer, Signature, Content key "Encrypted with" the RAC public key; Issuer is the SLC).]

Page 25:

Who's the SuperUser? And what's he doing with my documents?

• A SuperUser group can be defined and enabled in AD RMS
• Simply put, AD RMS will accept all license requests for users in that group
• SuperUsers can thus open any document and perform any action on it
• This functionality is disabled by default
• Used by some capabilities
  • Bulk protection tool
  • Exchange transport scanning
  • Exchange journaling
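How the licensing service derives one requester's rights from a publishing license (pages 11 to 13) and what the SuperUser group on this page changes, as an added example that is not part of the original deck and not AD RMS code. It models the policy step the licensing server performs before it issues a use license: an explicit rights list keyed by user or group e-mail, template indirection (the PL carries only the template GUID and the server applies whatever its current definition is), nested AD group membership, and the SuperUser override, which as the deck says does nothing until a group is configured. The type names Policy and Licensing, the template GUID, the group tree and the e-mail addresses are constructed; the "OWNER" right handed to a SuperUser is a stand-in for full rights.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added example (not AD RMS code): how the licensing service turns a publishing
// license into one requester's rights before it issues a use license.

// Policy is what a PL carries: an explicit rights list, or just a template GUID.
type Policy struct {
	TemplateID string              // set when the PL references a server-side template
	Rights     map[string][]string // otherwise: user or group email -> rights
}

// Licensing is the server-side state consulted at license time.
type Licensing struct {
	Templates map[string]map[string][]string // template GUID -> current rights definition
	Members   map[string][]string            // group email -> direct members (users or nested groups)
	SuperUser string                         // SuperUser group email; "" means disabled (the default)
}

// principals returns the user plus every group containing them, directly or nested.
func (l *Licensing) principals(user string) map[string]bool {
	have := map[string]bool{strings.ToLower(user): true}
	for grew := true; grew; { // fixpoint: keep adding parent groups until nothing changes
		grew = false
		for group, members := range l.Members {
			g := strings.ToLower(group)
			if have[g] {
				continue
			}
			for _, m := range members {
				if have[strings.ToLower(m)] {
					have[g], grew = true, true
					break
				}
			}
		}
	}
	return have
}

// Evaluate resolves the requester's rights under the policy: a nil error means a
// UL carrying exactly these rights would be issued, an error means no UL at all.
func (l *Licensing) Evaluate(p Policy, user string) ([]string, error) {
	rights := p.Rights
	if p.TemplateID != "" { // PL names a template: apply the server's current definition
		def, ok := l.Templates[p.TemplateID]
		if !ok {
			return nil, fmt.Errorf("template %s is not defined on this cluster", p.TemplateID)
		}
		rights = def
	}
	who := l.principals(user)
	if l.SuperUser != "" && who[strings.ToLower(l.SuperUser)] {
		return []string{"OWNER"}, nil // every request from the SuperUser group is accepted
	}
	set := map[string]bool{}
	for principal, rs := range rights {
		if who[strings.ToLower(principal)] {
			for _, r := range rs {
				set[strings.ToUpper(r)] = true
			}
		}
	}
	if len(set) == 0 {
		return nil, fmt.Errorf("%s holds no rights under this policy", user)
	}
	out := make([]string, 0, len(set))
	for r := range set {
		out = append(out, r)
	}
	sort.Strings(out)
	return out, nil
}

// Constructed demo data: a made-up template GUID and a two-level group tree.
const confidential = "7b5c0e0a-0000-4000-8000-000000000001"

func NewDemoServer() *Licensing {
	return &Licensing{
		Templates: map[string]map[string][]string{
			confidential: {"finance@contoso.com": {"View", "Edit"}, "all-staff@contoso.com": {"View"}},
		},
		Members: map[string][]string{
			"finance@contoso.com":        {"alice@contoso.com"},
			"all-staff@contoso.com":      {"finance@contoso.com", "bob@contoso.com"},
			"rms-superusers@contoso.com": {"svc-exchange@contoso.com"},
		},
	}
}

func main() {
	srv, pl := NewDemoServer(), Policy{TemplateID: confidential} // the document carries only the GUID
	for _, u := range []string{"alice@contoso.com", "bob@contoso.com", "eve@fabrikam.com", "svc-exchange@contoso.com"} {
		r, err := srv.Evaluate(pl, u)
		fmt.Println(u, r, err)
	}
	srv.Templates[confidential]["all-staff@contoso.com"] = []string{"View", "Print"} // IT edits the template
	r, err := srv.Evaluate(pl, "bob@contoso.com")
	fmt.Println("bob after template update:", r, err)
	srv.SuperUser = "rms-superusers@contoso.com" // enabling SuperUser is an audit-worthy change
	r, err = srv.Evaluate(pl, "svc-exchange@contoso.com")
	fmt.Println("svc-exchange as SuperUser:", r, err)
}
```

Because the template is resolved at license time, adding Print to all-staff changes the behaviour of every document already protected with that template on its next license request, without anyone touching the files; equally, enabling SuperUser hands every document in the cluster to that group, so that setting and the group's membership are worth auditing.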

Page 26:

Some Considerations

• RMS must be deployed in each AD forest
  • A Trusted User Domain (cluster public key import) allows a cluster to understand RACs from another forest
• The licensing service can't open content from other clusters
  • A Trusted Publishing Domain (cluster private key import) allows it to do so
  • Users will go to the original cluster for a license unless redirected
• AD RMS can't serve users in forests without AD RMS
  • Microsoft provides an AD RMS service to Windows Live ID users!
  • AD RMS integrates with AD FS! This extends the boundary of AD RMS to all trusted forests

Page 27:

Exchange Prelicensing

• Special case: Exchange 2007+ sends protected content to a client
  • Email (and attachments) delivered with an embedded use license!
• How does Exchange do it?
  • Exchange Hub Transport Servers know about protected messages
  • They request a license on behalf of the user from the prelicensing service
  • The server has a copy of the user's RAC, so it can issue the license without contacting the client

Page 28:

Understanding other Exchange Capabilities

• Exchange 2010 can display protected content in OWA
  • IIS is the client. The message is rendered server-side and displayed in-browser
  • Browser client has full RMS capabilities
• Forefront Protection for Exchange can scan protected messages
  • Exchange 2010 uses the SuperUser capability to request a license for the message
  • Forefront scans the unprotected message and returns results to Exchange
• Exchange can index protected messages
  • Uses the SuperUser capability

Page 29:

Integrating with SharePoint

• SharePoint can store protected documents
  • But can't index them
• SharePoint 2007 and 2010 can automatically protect documents
  • Documents are protected when downloaded by users!
  • Documents stored in unprotected format
  • If re-uploaded, documents are unprotected
  • This allows indexing, malware scanning, etc.
• Documents protected with rights for the actual user downloading the document
  • This prevents "sideloading"

Page 30:

Summary

• AD RMS is basically PKI + document encryption + policy
• AD RMS is a web service that issues certificates and licenses to users
• Applications encrypt documents and apply a policy (PL)
• Users consume documents by requesting a license (UL)
• Servers evaluate identity and rights, and issue licenses
• Applications enforce rights
• The rest is just logic

Page 31:

In Review: Session Objectives and Takeaways

Session Objective(s):
• Learn the fundamentals of Information Protection with AD RMS
• Become able to quickly learn additional capabilities of the platform
• Understand at a low level what's going on during key operations with AD RMS

AD RMS is actually simple technology. Once the fundamentals are clear, understanding advanced behaviors is straightforward.

Page 32:

Q & A

Page 33:

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Page 34:

Resources

Connect. Share. Discuss. http://northamerica.msteched.com

Learning
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning

• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn

Page 35:

Complete an evaluation on CommNet and enter to win!

Page 36:

Scan the Tag to evaluate this session now on myTech•Ed Mobile

Page 37:

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 38:

AD RMS Protection flow

[Diagram: RMS Protected Document; Client Licensor Certificate (Public Key, Private Key); Server Licensor Certificate (Public Key); Client Licensor Certificate (Public Key). Arrows labelled Signed show the Server Licensor Certificate signing the Client Licensor Certificate, and the Client Licensor Certificate signing the protected document; the CLC (public key only) travels with the document.]

Page 39:

AD RMS Licensing flow

[Diagram, split Client | Server. Client side: the RMS Protected Document with its Client Licensor Certificate (Public Key) and signature, the Rights Account Certificate (Public Key, Private Key), the returned Use License, and the Unencrypted document. Server side: the Server Licensor Certificate (Public Key, Private Key), the user's Rights Account Certificate (Public Key), the RMS Protected Document Information sent up for licensing, and the Use License the server signs; a "?" marks the server's decision whether to license the request.]
