Section 3 - Chapter 16 Flashcards
AD RMS Databases
Windows Internal Database (WID) - does not support remote connections, only one server can use the db
SQL Server 2005 or later running on a separate server, provides ability to load balance, supports remote connections
AD RMS Infrastructure
IIS - provides web services
Message Queuing - ensures transaction coordination in distributed environments
AD RMS Client - access from desktop
AD DS - provides integrated authentication
AD RMS Root Cluster
Installed by default on first AD RMS server
Handles certs and licensing requests
Only one root cluster per forest
Licensing Only servers for a licensing cluster
Clusters only available if AD RMS db is on a separate server
Root and licensing only clusters independent, cannot load balance jointly
AD RMS and AD FS
Can integrate to extend rights management beyond the firewall
Must establish federation trust before install of AD RMS extension
Service Account must be trusted in each forest
AD RMS Server Enrollment
Self enrolled when created
Creates a server licensor cert (SLC)
AD RMS Administration Roles
AD RMS Enterprise Admins - manage all aspects
AD RMS Template Admins - read info about infrastructure and list, create, modify, and export rights policy templates
AD RMS Auditors - manage logs and reports
AD RMS Service - contains service account specified on install
AD RMS Admin Group
All groups are local, create global groups and insert them within the local groups
Rights Account Certs
Issued by AD RMS server, identifies trusted entities that can create and publish rights enabled content
Can assign rights and conditions to the content it creates
AD RMS issues publishing license for content that is permanently attached
To view data, user must access through an AD RMS enabled browser or application
AD RMS Deployments
Single-server - WID db, components local, cannot scale, use in test environments
Internal - multiple servers tied to AD DS, separate server to host db to load balance
Extranet - provides internal services to authorized users outside the network, firewall exceptions and extranet URL on external facing web server needed
Multi-Forest - when there are existing partnerships based on AD DS forest trust, SSL cert to each website that hosts AD RMS clusters in each forest, extend forest schema to include AD RMS objects, AD RMS service account must be trusted in each forest
Licensing-only server - assign SSL cert to website hosting AD RMS root cluster and then install the root cluster
AD RMS and AD FS deployment
SSL cert to website hosting AD RMS root cluster
Install root cluster
Prep federated trust relationship
Create claims aware app on resource partner
Assign Generate Security Audits user right to AD RMS service account
Define extranet cluster URL in AD RMS
Install AD RMS Identity Federation Support
Upgrade RMS to AD RMS
upgrade to latest RMS SP1
backup servers and config db
make sure all enrollment is complete
upgrade to SQL server
clear RMS Message Queuing
upgrade root cluster before upgrading licensing-only server
upgrade all other servers in the RMS cluster
AD RMS and Core Server
Not Supported
AD RMS Web Services Prerequisites
IIS with ASP.Net
Message Queuing
Web Server URL
AD RMS & AD DS Domain
Windows 2000 SP3 or later
AD RMS must be installed in the same domain as its potential users
AD RMS & Domain User Accounts
Email addresses configured in AD DS
AD RMS Service Account
Member of the Local Admins
Assigned Generate Security Audits user right
AD RMS Installation Account
Local Admin
Enterprise Admin to generate service connection points
Systems Admin on external database
Must not be on a smart card
AD RMS db instance
Create and name db instance
Start SQL Server Browser service before install
AD RMS Install Cert
SSL cert for AD RMS cluster
Self signed cert in testing environment
Trusted external 3rd party, install cert before AD RMS install
AD RMS Cluster Key Protection
Store key in AD RMS config db
AD RMS and DNS Config
Create CNAME records for the root cluster URL and the db server
AD RMS Client OS
Built In: Windows 7, Vista & Server 2008 R2
Download RMS client for 2000, 2003 and XP
AD RMS - Server Licensor Cert (SLC)
Self signed cert generated in setup of first server in a root cluster, other members of root cluster share this cert
Licensing-only cluster generates its own cert and shares with other members of its cluster
Default duration 250 years
AD RMS - Rights Account Cert (RAC)
Issued to trusted users with email enabled AD DS accounts
Generated first time user opens rights protected content
Standard RACs identify users in relation to their computers, duration 365 days
Temporary RACs not tied to a specific computer, duration 15 minutes
RAC have public and private key
AD RMS - Client Licensor Cert (CLC)
RAC requests CLC, computer must be online
Once obtained, can apply policies offline
CLC has public and private key and AD RMS cluster’s public key
AD RMS - Machine Cert
Created first time AD RMS enable app used on a client
Creates a lockbox on computer to correlate machine cert with user’s profile
Machine cert has public key for computer, private key is in lockbox
AD RMS - Publishing License
Created when user saves content in rights protected mode
Lists users who can use content, conditions of use and rights to content
Publishing license includes symmetric content key and public key of the cluster
AD RMS - Use License
Assigned to user who opens rights protected content, tied to RAC, lists rights to content
Use license has symmetric key for decrypting, encrypted with the public key of user
AD RMS Server Editions
Standard, Enterprise or Datacenter
AD RMS Installation
Do not install on DC
Installs IIS, .NET Framework, Message Queuing and RSAT
Create or Join AD RMS cluster
Select db config
Locate server that hosts db
Validate db instance
Specify Service Account
Config AD RMS cluster key storage
Select AD RMS cluster web site
Specify Cluster Address, use SSL Connection
Specify cluster address (FQDN) and port
Choose a Server Authentication Cert for SSL
Name the Server Licensor Cert
Register AD RMS Service Connection Point
Review IIS info
Select Web Server
Install
AD RMS - Upgrade or Migrate
Can update, migration easier
Add new servers, decommission old
Before:
Backup config db
Export SLC
Export and Install CSP Key on each server
After:
Update CNAME record for cluster (add new, remove old)
Run AD RMS console to check cluster
Test AD RMS connectivity from client
AD RMS - Windows PowerShell
ADRmsInstall and ADRMSAdmin
Run import for modules
Import-Module Adrms
Import-Module AdRmsAdmin
AD RMS Outside the Network
Server, Properties, Cluster URL tab - enable extranet URLs
Point to IIS installation, register URLs in DNS, use SSL for http, https connections, create virtual directories to host data
AD RMS with Partners
Config proxy settings and install Federation Support
Config trust policies with other clusters
Trusted user domains - process requests for clusters in different forests, import Server Licensor Cert from other cluster into your cluster
Trusted publishing domain - issue use licenses for protected content from other cluster, import publishing clusters SLC and private key to your cluster
AD RMS Certs Validation Periods
Must config proper periods for org
AD RMS - Targeted
Config exclusion policies
AD RMS - Export Server Licensor Cert
Any server that is member of cluster, Properties, Server Cert Tab, Export Cert, select location to save .bin file to
AD RMS - Preparing Certs
Mandatory:
Specify duration of rights account certs
Optional:
Enable certification for mobile devices
Enable certification for server services
Authenticate clients through smart cards
AD RMS - Specify duration of rights account cert
Any server member of cluster, Rights Account Cert Policies
Change Standard RAC Validity Period
Standard RAC Tab - Change Standard RAC Validity Period
Temporary RAC Tab - Change
AD RMS - Exclusion Policies
Can be created for: users, applications, lockbox version and Win OSs
Any server member of cluster, Exclusion Policies, Users
Enable User Exclusion link
Exclude User link
can exclude by email address or public key assigned to user
Select exclusion method - locate user account or type public key
AD RMS - Preparing Accounts and Access Rights
AD RMS includes account in db
create a stored procedure in SQL Server to auto remove account when deleted, or a script that runs on a scheduled basis
Create a Super Users Group - users that have full access to all content to recover or modify data, usually a Universal group
Server, Security Properties, Change Super Users Settings link, Enable Super Users, Change Super User Group link, specify group
AD RMS - Policy Templates
Create Template
Specify Location
Config Offline Folder Settings
Users that have access to only pre-created content do not require access to policy templates
Server, Rights Policy Templates, Create Distributed Rights Policy Template link, Specify Name and language, add user rights, specify expiration, specify extended policy, specify revocation policy
AD RMS - Add User Rights
Select user or group for access to template
Select user and assign rights
Grant Owner (Author) Full Control Right With No Expiration (default)
Rights Request URL - gives users the ability to request additional rights by going to URL
AD RMS - Specify Extended Policy Templates
Choose Enable Users to View Protected Content Using a Browser Add-On
Require A New User License Every Time Content is Consumed (disable client-side caching)
If You Would Like To Specify Additional Information For Your AD RMS Enabled Apps - usually reserved for developers
AD RMS - Specify Revocation Policy Templates
Require Revocation check box
Specify URL where revocation list is published (http:// or https://)
Refresh Interval for Revocation List (Days) - specify
File Containing Public Key Corresponding To the Signed Revocation List - specify file
AD RMS Databases
Configuration db
Logging db - Message Queuing sends events to here
Directory Services db - users and their data, accessed by LDAP
AD RMS Client Discovery
AD DS Service Connection Point
In complex multi forest deployments - registry overrides are placed directly on client computers
URLs in the issuance licenses for the content
AD RMS Service Account
Operations: accessing network resources, querying AD DS, looking up info on database
To change service account - rc server name, Change Service Account
AD RMS Server Hierarchy
Trust Policies - trusted user domains & trusted publishing domains
Rights Policy Templates - rules and conditions applied to the content protected by using the template
Rights Account Cert Policies - change standard or temporary validity period
Exclusion Policies - user, application or lockbox exclusions
Security Policies - super users, cluster key password reset, and decommissioning (removes AD RMS from org)
Reports - statistics, health and troubleshooting reports
AD RMS Server Properties
General Tab - current cluster connection point, admin contact
Cluster URLs - Intranet & Extranet, Licensing & Certification
AD RMS Servers - servers in cluster
Server Cert - Server Licensor Cert (SLC), export cert .bin file
Proxy Settings - access to external networks
Logging - enable: logging service uses Message Queuing to send log messages to logging db
SCP - provides clients the cert URL for forest, shows current and can change
AD RMS Trusted Policies
rc Trusted Policies to add MS Federated Gateway Services
rc Trusted User Domains to import a domain or trust Windows Live ID, rc Enterprise to export this domain
Can select trusted users by all email domains or specific email domains
rc Trusted Publishing Domain to import a domain, rc Contoso DRM to export this domain
AD RMS Rights Policy Templates
rc to Manage or archive rights policy templates
rc, Properties - specify file location for stored templates and enable export
rc Template to: create, archive, copy or view rights summary
rc, Properties - ID Info tab, User Rights tab, Expiration Policy tab, Extended Policy tab, Revocation Policy tab
AD RMS Exclusion Policies
rc Users or Applications - enable/disable user exclusion, exclude user
rc Lockbox - enable/disable exclusion
AD RMS Security Policies
rc Super Users or Decommission - enable/disable
AD RMS Certificates & Licenses
Server Licensor Cert (SLC) - represents the server cluster, used to sign other identity certs and by clients to encrypt materials for the server to decrypt
Security Processor Cert (SPC) - identifies client machines, used to encrypt elements stored locally
Rights Account Cert (RAC) - issued to user at first authentication against cert URL of cluster, used for future identification, by server to encrypt licenses sent to user and by client to sign CLC
Client Licensor Cert (CLC) - obtained during client activation, used to sign publishing licenses embedded in encrypted docs
Publishing Licenses - used to express rights over a document
Use License - expresses the rights one user has over one doc
AD RMS Cert Standard
XrML format - expresses complex lists of rights
As opposed to a X.509 format which attests one claim about one subject
AD RMS - Template User Rights
Full Control, View, Edit, Save, Export (Save As), Print, Forward, Reply, Reply All, Extract, Allow Macros, View Rights, Edit Rights