Become an Expert in AD RMS in 75 minutes
Tejas Patel, Program Manager, Microsoft
SIM328
Session Objectives and Takeaways
Session objectives:
• Learn the fundamentals of Information Protection with AD RMS
• Be able to quickly learn additional capabilities of the platform
• Understand, at a low level, what is going on during key operations with AD RMS
Takeaways:
• AD RMS is actually simple technology
• Once the fundamentals are clear, understanding advanced behaviors is straightforward
Setting the Right Expectations
• Won’t be explaining hardcore details, advanced features or specific configurations
• But you will understand the FUNDAMENTALS
Pre-requisites
• You know how to use IRM in Office
• You know the basics of AD
• You know how IIS and web services work
• You know the fundamentals of cryptography: symmetric and asymmetric encryption, signing, certificates
• You know the fundamentals of PKI
• You are awake and able to concentrate for 75 minutes
What is AD RMS
• Information protection technology
• Provides persistent protection to documents: the protection travels with the document, is location agnostic, and protects against intentional or accidental leakage
• Based on encryption and policy
• Works together with other infrastructure:
  AD provides identity and group membership
  Windows provides key protection and other capabilities
  Office provides UI and enforcement
  Exchange, MOSS and others enhance the experience
Traditional Solutions Protect Initial Access … but not indirect usage
[Diagram: an access control list perimeter and a firewall perimeter decide yes/no for authorized versus unauthorized users at the point of access; once an authorized user holds the document, information leakage to unauthorized users happens outside both perimeters]
What AD RMS Does
• Protects documents and email
• Encrypts data
• Decrypts for authorized personnel
• Can restrict other capabilities: Forward, Print, Cut/Copy/Paste
• Enforces document security after the file is opened
• Central policy management via templates
AD RMS Workflow
[Diagram: RMS Author, AD RMS Server and RMS Consumer. Protection side: the author’s client obtains a machine certificate and RAC from the server (step 2), builds a publishing license listing rights per e-mail address (for example Read for one user, Read and Print for another) and produces the RMS-protected (encrypted) document. Consumption side: the consumer submits the publishing license and its RAC to the server (step 5) and receives a use license, after which the application renders the protected (decrypted) content.]
1. The author automatically receives AD RMS credentials (“rights account certificate” and “client licensor certificate”) the FIRST TIME they rights-protect information.
2. The application works with the AD RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
3. The AD RMS author distributes the file.
4. The recipient clicks the file to open it. The application sends the recipient’s credentials and the publishing license to the AD RMS server, which validates the user and issues a “use license”.
5. The application renders the file and enforces the rights.
Example: Rights-Protected Document (Word, Excel, or PowerPoint)
A rights-protected Office file carries three parts:
• Publishing License: created when the file is protected. Contains the rights info (with e-mail addresses) and the content key (a big random number), encrypted with the server’s public key.
• The content of the file (text, pictures, metadata, etc.): encrypted with the content key, a cryptographically secure 128-bit AES symmetric encryption key.
• End User Licenses: one per licensed user, each containing the rights for that particular user and the content key encrypted with that user’s public key. Only added to the file after the server licenses a user to open it.
NOTE: Outlook e-mail EULs are stored in the local user profile directory
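The five workflow steps and the three-part document layout above describe one exchange: the author wraps a random content key to the server, the server unwraps it and re-wraps it to the requesting user, and only a user named in the publishing license ever gets a use license. The following is an added example that models that exchange end to end; it is not AD RMS code and not from this session. Textbook RSA on fixed Mersenne primes stands in for the RSA-1024 certificate key pairs, a SHA-256 keystream stands in for AES-128, the e-mail addresses and licensing URL are hypothetical, and the server is assumed to already know the author’s CLC public key (in the real product the PL carries the CLC, which chains to the SLC).

```python
import hashlib
import json
import os

# ---- Toy primitives (stand-ins, NOT the real ones) -------------------------
# Textbook RSA on fixed Mersenne primes stands in for the RSA-1024 certificate
# key pairs; a SHA-256 keystream stands in for AES-128.  Neither is secure; they
# exist only to make the key custody visible.  (Added example, not AD RMS code.)
E = 65537

def M(k):
    return 2 ** k - 1                      # Mersenne numbers; k chosen so they are prime

def make_keypair(p, q):
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def pub(key):
    return {"n": key["n"], "e": key["e"]}  # the part that goes into a certificate

def rsa_wrap(pubkey, secret):
    return pow(int.from_bytes(secret, "big"), pubkey["e"], pubkey["n"])

def rsa_unwrap(key, wrapped):
    return pow(wrapped, key["d"], key["n"]).to_bytes(16, "big")

def _digest(obj):                          # 160-bit digest keeps the message below n for every toy key
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest()[:20], "big")

def sign(key, obj):
    return pow(_digest(obj), key["d"], key["n"])

def verify(pubkey, obj, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == _digest(obj)

def stream_xor(key, data):                 # AES-128 stand-in; XOR keystream, so it also decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# ---- Key custody: who holds what ------------------------------------------
SLC_KEY = make_keypair(M(89), M(107))      # server licensor key pair; the private half never leaves the server
CLC_KEY = make_keypair(M(19), M(521))      # the author's client licensor key pair (signs publishing licenses)
RAC_KEYS = {                               # each user's rights account key pair (hypothetical users)
    "alice@contoso.com": make_keypair(M(61), M(127)),
    "bob@contoso.com": make_keypair(M(31), M(607)),
}

def _unsigned(lic):
    return {k: v for k, v in lic.items() if k != "sig"}

def protect(author_clc, rights, plaintext):
    """Author side (steps 1-2): random content key, encrypt the body, build and sign the PL."""
    content_key = os.urandom(16)
    pl = {
        "rights": rights,                                    # e-mail address -> list of rights
        "wrapped_key": rsa_wrap(pub(SLC_KEY), content_key),  # only the SLC private key opens this
        "licensing_url": "https://rms.contoso.example/_wmcs/licensing",  # hypothetical URL
    }
    pl["sig"] = sign(author_clc, pl)
    return {"pl": pl, "body": stream_xor(content_key, plaintext)}

def issue_use_license(doc, requester, requester_pub):
    """Server side (step 4): check the PL, evaluate rights for this user only, issue a UL."""
    pl = doc["pl"]
    if not verify(pub(CLC_KEY), _unsigned(pl), pl["sig"]):
        raise ValueError("publishing license has been tampered with")
    rights = pl["rights"].get(requester)
    if not rights:
        raise PermissionError(f"{requester} is not named in the publishing license")
    content_key = rsa_unwrap(SLC_KEY, pl["wrapped_key"])    # unwrap with the SLC private key ...
    ul = {"user": requester, "rights": rights,
          "wrapped_key": rsa_wrap(requester_pub, content_key)}  # ... and re-wrap to the user's RAC
    ul["sig"] = sign(SLC_KEY, ul)
    return ul

def consume(doc, ul, rac_key):
    """Client side (step 5): verify the UL, unwrap the content key with the RAC private key, decrypt."""
    if not verify(pub(SLC_KEY), _unsigned(ul), ul["sig"]):
        raise ValueError("use license was not issued by this cluster")
    content_key = rsa_unwrap(rac_key, ul["wrapped_key"])
    return ul["rights"], stream_xor(content_key, doc["body"])

def demo():
    doc = protect(CLC_KEY, {"alice@contoso.com": ["VIEW", "PRINT"], "bob@contoso.com": ["VIEW"]},
                  b"Q3 forecast: confidential")             # constructed sample content
    ul = issue_use_license(doc, "bob@contoso.com", pub(RAC_KEYS["bob@contoso.com"]))
    return consume(doc, ul, RAC_KEYS["bob@contoso.com"])    # -> (["VIEW"], b"Q3 forecast: confidential")

if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the model: the client never needs to talk to the author, only to the server, which is why Exchange can prelicense a message later in the session (the server holds the RAC and the SLC private key, so it can produce a UL with no client involved); and the content key is exposed in the clear only inside `issue_use_license`, which is the point a SuperUser override or a Trusted Publishing Domain import hooks into.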
What’s in a RMS Certificate
• AD RMS uses certificates for identity and licenses
• AD RMS does not use X.509 certificates! It uses XrML certs instead, similar to X.509 but with room for policy
• Identity certificate: “this is User X and his/her email is …”
• There are also machine and server certificates
What is a Publishing License
• An IRM-protected document has an embedded “publishing license”
• A list of rights (like an ACL)
• Subjects of rights are email addresses: groups or users
• Rights are operations: View, Edit, Copy, Print, Forward, …
Use Licenses
• When consuming content, users acquire use licenses from the server
• The use license is derived by the server from the publishing license in the document
• Contains a list of rights for the requesting user only
• Use licenses cannot be transferred; they only work on the original device where they were requested
• Can be cached (or not)
• Have a lifetime
Templates
• Instead of listing rights, you can indicate a template
• The PL then lists the template GUID, not a list of rights
• The template on the server contains the definition of rights for different users or groups
• The server evaluates the template when a user tries to consume content
• The protecting client needs a copy of the template in order to know what is being applied
• Templates are centrally managed and can be updated
• When using a template you are basically delegating policy to IT
Templates in Action
[Diagram: SQL Server keeps the latest templates; the information protection author protects a document based on a template; the recipient’s RM-enabled application requests a use license and the AD RMS server applies the latest rights from the template]
Overview of AD RMS Components
• AD RMS server: “certifies” user identity and licenses AD RMS-protected information
• AD RMS client: installed on the client computer; interacts with AD RMS-enabled applications and with the server
• AD RMS-enabled applications: enable consumption of AD RMS-protected content; some versions of such applications also allow protecting content by defining usage rights; can be created with the AD RMS SDKs
AD RMS Server Terminology
• Certification server (or cluster): the first AD RMS server (cluster) in the enterprise; provides certification and licensing capabilities
• Licensing server (optional): provides licensing services only; relies on a certification server for certification of users
• Cluster: a group of equivalent AD RMS servers sharing the same database; not to be confused with Windows Server Clustering Services
AD RMS Topology
[Diagram: an AD RMS root cluster (root server) and optional license-only servers or clusters, each with its own database; the AD RMS servers talk to Active Directory and SQL; MOSS 2007 and Exchange Server 2007 SP1 integrate with the cluster; the RMS client and RM-enabled application sit on the client computer]
AD RMS Infrastructure Components (cont.)
AD RMS Server
• Runs on Windows Server 2008/2008 R2 inside IIS
• It’s a web service! Typically runs over SSL
• Requires IIS with ASP.NET
• Stateless
• Uses Microsoft Message Queuing (MSMQ): responsible for transactions to be applied to the SQL database; provides tolerance when connectivity is lost between the AD RMS server and SQL Server
AD RMS Databases
• AD RMS web services are stateless; all persistent information is stored in SQL Server
• Three separate databases:
  Configuration: hosts configuration data, cluster and user keys
  Caching: caches AD identities and group membership
  Logging: stores logs of licensing operations
• Most operations are performed asynchronously: data is written to MSMQ and flushed to the DB when possible
• If the DB is not available, AD RMS continues to work “almost” normally
Active Directory
• Provides authentication
• All accounts related to AD RMS must have an email address
• Provides the Service Connection Point (SCP) for service location
• Determines recipient group membership
• Active Directory should be in native mode for group propagation
• One AD RMS root cluster per forest
• AD RMS certification is limited to users in the AD forest
AD RMS Client Initialization in Detail
1. User initiates the first IRM operation
2. Client “finds” the AD RMS certification URL
3. Client authenticates against the certification URL via AD
4. Server issues machine and user certificates (SPC and RAC)
5. Client is redirected to the licensing URL
6. Client acquires a CLC (which enables the user to protect documents)
7. Client acquires a license to consume content, if requested
How Clients Find AD RMS
• Clients can poll AD (the AD RMS Service Connection Point) to ask where AD RMS certification for this forest is
• Clients that try to open a document use the licensing URL in the document
• You can manually configure clients through registry values
• Once a client finds one service, it can find the other through the ServiceLocator web service
AD RMS Software Elements: Certificates and Licenses
[Diagram: the chain of certificates and licenses, summarized below]
• Certificate key pairs: RSA-1024; content key: AES-128
• SLC: Server Licensor Certificate (server identity): public key and signature; the private key is held by the server
• SPC: Security Processor Certificate (machine identity): public and private key; the private key is protected using both DPAPI and RSAVault (for obfuscation)
• RAC: Rights Account Certificate (user identity): issuer is the SLC; contains the user’s public key and the private key, encrypted with the SPC public key
• CLC: Client Licensor Certificate: issuer is the SLC; contains the public key and the private key, encrypted with the RAC public key
• PL: Publish License: issuer is the CLC; contains the content key encrypted with the SLC public key
• UL: Use License: issuer is the SLC; contains the content key encrypted with the RAC public key
AD RMS uses XrML certificates, not X.509 certificates
Who’s the SuperUser?And what’s he doing with my documents?
• A SuperUser group can be defined and enabled in AD RMS
• Simply put, AD RMS will accept all license requests for users in that group
• SuperUsers can thus open any document and perform any action on it
• This functionality is disabled by default
• Used by some capabilities: the bulk protection tool, Exchange transport scanning, Exchange journaling
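The template, use-license and SuperUser sections together describe the policy half of licensing: the server resolves the rights of one requester at request time, from inline rights or from the current template definition, with AD group membership expanded, and a SuperUser request short-circuits all of it. The following added example (not AD RMS code, not from this session) carries that evaluation through for a constructed directory, a constructed template store with a hypothetical template GUID, and a SuperUser group that is disabled by default, and shows that changing a template changes the outcome for an already-protected document.

```python
# Added example (not AD RMS code): how a licensing server turns a publishing
# license into the rights of ONE requester, with templates evaluated at request
# time, AD group expansion, and the SuperUser override.  The directory, template
# GUID and e-mail addresses below are constructed for the example.

DIRECTORY = {   # group -> members; members may be users or nested groups
    "finance@contoso.com": ["alice@contoso.com", "fin-managers@contoso.com"],
    "fin-managers@contoso.com": ["carol@contoso.com"],
    "everyone@contoso.com": ["alice@contoso.com", "bob@contoso.com", "carol@contoso.com"],
    "rms-superusers@contoso.com": ["svc-exchange@contoso.com"],
}

TEMPLATES = {   # what the configuration database holds; the PL carries only the GUID
    "11111111-2222-3333-4444-555555555555": {          # hypothetical template GUID
        "name": "Finance - Confidential",
        "rights": {"finance@contoso.com": ["VIEW", "EDIT", "PRINT"],
                   "everyone@contoso.com": ["VIEW"]},
    },
}

SUPER_USERS = {"enabled": False, "group": "rms-superusers@contoso.com"}  # disabled by default

def groups_of(user, directory):
    """Transitive group membership, as the caching database would resolve it from AD."""
    found, frontier = set(), {user}
    while frontier:
        nxt = {g for g, members in directory.items()
               if g not in found and frontier & set(members)}
        found |= nxt
        frontier = nxt
    return found

def rights_in_pl(pl, templates):
    if "template_id" in pl:                    # template-based PL: use the CURRENT definition
        tpl = templates.get(pl["template_id"])
        if tpl is None:
            raise LookupError("template unknown to this cluster")
        return tpl["rights"]
    return pl["rights"]                        # ad-hoc PL: rights are inline

def evaluate(pl, requester, directory=DIRECTORY, templates=TEMPLATES, super_users=SUPER_USERS):
    """Return the sorted rights a UL for `requester` would carry, or raise PermissionError."""
    if super_users["enabled"] and super_users["group"] in groups_of(requester, directory):
        return ["OWNER"]                       # every request from a SuperUser is honoured
    principals = {requester} | groups_of(requester, directory)
    granted = set()
    for subject, rights in rights_in_pl(pl, templates).items():
        if subject in principals:              # subject may be the user or any of their groups
            granted |= set(rights)
    if not granted:
        raise PermissionError(f"{requester} has no rights to this content")
    return sorted(granted)

TEMPLATE_PL = {"template_id": "11111111-2222-3333-4444-555555555555"}
ADHOC_PL = {"rights": {"bob@contoso.com": ["VIEW", "FORWARD"]}}

def demo():
    """Same document, same requester, different outcome after IT tightens the template."""
    before = evaluate(TEMPLATE_PL, "bob@contoso.com")                 # ['VIEW'] via everyone@
    tightened = {gid: {**tpl, "rights": {"finance@contoso.com": tpl["rights"]["finance@contoso.com"]}}
                 for gid, tpl in TEMPLATES.items()}                    # everyone@ removed centrally
    try:
        evaluate(TEMPLATE_PL, "bob@contoso.com", templates=tightened)
        after = "allowed"
    except PermissionError:
        after = "denied"                                               # no re-protection needed
    return before, after

if __name__ == "__main__":
    print(demo())
```

The override branch is the whole SuperUser story in two lines: membership of one AD group replaces rights evaluation entirely, which is why the group should stay disabled until a feature such as Exchange journaling needs it and why its membership deserves the same monitoring as domain-level admin groups.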
Some Considerations
• AD RMS must be deployed in each AD forest
• A Trusted User Domain (TUD, cluster public key import) allows a cluster to understand RACs from another forest
• A licensing service can’t open content protected by other clusters; a Trusted Publishing Domain (TPD, cluster private key import) allows it to do so. Importing a cluster’s private key lets the importing cluster unwrap the content key of anything that cluster ever protected, so the exported TPD file must be handled as a secret
• Users will go to the original cluster for a license unless redirected
• AD RMS can’t serve users in forests without AD RMS
• Microsoft provides an AD RMS service to Windows Live ID users!
• AD RMS integrates with AD FS! This extends the boundary of AD RMS to all trusted forests
Exchange Prelicensing
• Special case: Exchange 2007+ sends protected content to a client
• Email (and attachments) delivered with an embedded use license!
• How does Exchange do it? Exchange Hub Transport servers know about protected messages; they request a license on behalf of the user from the prelicensing service; the server has a copy of the user’s RAC, so it can issue the license without contacting the client
Understanding other Exchange Capabilities
• Exchange 2010 can display protected content in OWA: IIS is the client; the message is rendered server-side and displayed in the browser; the browser client has full RMS capabilities
• Forefront Protection for Exchange can scan protected messages: Exchange 2010 uses the SuperUser capability to request a license for the message; Forefront scans the unprotected message and returns the results to Exchange
• Exchange can index protected messages: uses the SuperUser capability
Integrating with SharePoint
• SharePoint can store protected documents, but can’t index them
• SharePoint 2007 and 2010 can automatically protect documents: documents are protected when downloaded by users; documents are stored in unprotected form; if re-uploaded, documents are unprotected; this allows indexing, malware scanning, etc.
• Documents are protected with rights for the actual user downloading the document; this prevents “sideloading”
Summary
• AD RMS is basically PKI + document encryption + policy
• AD RMS is a web service that issues certificates and licenses to users
• Applications encrypt documents and apply a policy (PL)
• Users consume documents by requesting a license (UL)
• Servers evaluate identity and rights, and issue licenses
• Applications enforce rights
• The rest is just logic
In Review: Session Objectives and Takeaways
Session objectives:
• Learn the fundamentals of Information Protection with AD RMS
• Become able to quickly learn additional capabilities of the platform
• Understand, at a low level, what is going on during key operations with AD RMS
Takeaways:
• AD RMS is actually simple technology
• Once the fundamentals are clear, understanding advanced behaviors is straightforward
Q & A
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Learning: http://northamerica.msteched.com
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
AD RMS Protection flow
[Diagram: the client holds its Client Licensor Certificate (public key and private key) and the Server Licensor Certificate public key. It signs the publishing license with the CLC private key, encrypts the content key with the SLC public key, and the RMS protected document carries the signed license together with the CLC public key.]
AD RMS Licensing flow
[Diagram: the client sends the RMS protected document information (the signed publishing license with the CLC public key) and its Rights Account Certificate public key to the server. The server verifies the signature with the CLC public key, decrypts the content key with the Server Licensor Certificate private key, re-encrypts it with the RAC public key and returns a signed Use License. The client decrypts the content key with the RAC private key and obtains the unencrypted document.]