Agenda
• AD RMS Overview
• AD RMS Components
• AD RMS Licenses
• AD RMS Certificates
• Information Flow
• Bootstrapping

Why Protect Information?
Legal, Regulatory & Financial impacts
• Cost of digital leakage per year is measured in $ billions
• Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
Damage to Image & Credibility
• Damage to public image and credibility with customers
• Financial impact on the company
• Leaked e-mails or memos can be embarrassing
Loss of Competitive Advantage
• Disclosure of strategic plans or M&A information can lead to loss of revenue and market capitalization
• Loss of research, analytical data, and other intellectual capital

Sources of Data Breach
[Chart: Percentage cause of data breach, Cost of Data Breach report, Ponemon Institute 2010]
[Chart: Estimated sources of data breach, Global State of Information Security Survey, PriceWaterhouseCoopers 2010]
[Diagram: information leaving the Information Author via External Users, USB Drive, Mobile Devices and the Recipient]

AD RMS Workflow
[Diagram: RMS Author and RMS Consumer exchanging "Machine cert and RAC", "Publishing License and RAC" and "Use License" with the AD RMS Server]
1. Protection (RMS Author)
• The author automatically receives AD RMS credentials ("rights account certificate" and "client licensor certificate") the FIRST TIME they rights-protect information (not on subsequent attempts).
• The application works with the AD RMS client to create a "publishing license", encrypts the file, and appends the publishing license to it.
  Publishing License: Bob@abc.com: Read, Print; Cathy@abc.com: Read; Lawyers@abc.com: Read
• The AD RMS Author distributes the file (RMS Protected / Encrypted).
2. Consumption (RMS Consumer)
• The recipient clicks the file to open it. The application sends the recipient's credentials and the publishing license to the AD RMS server, which validates the user and issues a "use license" (Bob@abc.com: Read, Print).
• The application decrypts the file (AD RMS Protected / Decrypted), renders it and enforces the rights.

What an RMS-Protected File Carries
• Usage rights and conditions
• Encryption
• Trusted entities
Persistent Encryption + Policy
Microsoft Confidential

Scenario Comparison: RMS, EFS, BitLocker
Secure Collaboration (RMS)
• Protect my information outside my direct control
• Set fine-grained usage policy on my information
• Collaborate with others on protected information
Protect Yourself (EFS)
• Protect my information to my smartcard
• Untrusted admin of a file share
• Protect information from other users on a shared machine
• Local single-user file & folder protection
Protect Against Theft (BitLocker)
• Lost or stolen laptop
• Physically insecure branch office server

AD RMS Components
[Diagram: View, Edit, Print rights flowing from the Information Author through the RMS Server to the Recipient]
• Information Author and Recipient: Applications, RMS Client, Platform (OS)
• RMS Server: Client Platform and Admin Platform (MMC 3.0 Host, Admin Snap-in, PowerShell), WebSSO Agent, MOM pack; clients talk to it over SOAP/HTTP
• Active Directory (native LDAP), SQL Server (System.Data.SqlClient), ADFS (passive protocol over HTTP, WebSSO redirects)

AD RMS and SharePoint
• When content is downloaded from a library…
  − RMS protection is automatically applied
  − Information is still searchable in the SharePoint library
  − SharePoint rights map to IRM permissions

AD RMS and Exchange
[Diagram: Information Author → Exchange → Recipient, licensed by AD RMS]

AD RMS and Windows File Server
• When content is saved to a network file share...
  − The Bulk Protection Tool secures all content in certain folders
  − File Classification Infrastructure (FCI) can automate classification, apply RMS protection and move content into SharePoint

AD RMS and DLP (RSA DLP)
• DLP provides a powerful way to locate and classify your information
  − Maps AD RMS policy to DLP and therefore to content
• Example: find 'IP' documents, then apply the 'IP' AD RMS template (IP Policy) across endpoints (laptops/desktops), file shares and SharePoint
  Intellectual Property (IP) template: R&D Department: View, Edit, Print; Marketing Department: View; Others: No Access

AD RMS Topology
• AD RMS Root Cluster (Certification and Licensing) with its own database
• Licensing-Only Server cluster(s), each with its own database
• Domain Controllers
• AD RMS 2008 R2 SP1 servers; each database on a SQL 2008 R2 Enterprise cluster

Use 64 Bit
• Almost twice as much performance using 64 bit over 32 bit
• Quad-core servers are usually the sweet spot in cost/performance

Exchange Pre-licensing
• The Exchange pre-licensing agent acquires use licenses on delivery, not consumption
• Pre-licensing has a default tolerance of approx. three minutes
• Significant impact on peak load
• Exchange batches requests, which gains some, though not significant, efficiency

                      # Users   Time to consume (hours)   Peak license requests/min   Peak license requests/sec
No pre-licensing      50,000    4                         209                         3.5
Using pre-licensing   50,000    4                         16,667                      278

The Number of AD RMS Users
Type                                                 Number
Internal AD RMS Users (regular employees)            47,000
External AD RMS Users (temporary users and others)    3,000
Guest                                                     0
Total                                                50,000

The Number of AD RMS Client Computers
Type                          Number
Desktop Computer              47,000
Non-domain-joined Computer     3,000

Operating System              Number
Windows 7                     47,000
Windows XP Professional        3,000

The Volume of AD RMS-Protected Documents Viewed
RMS-protected document     Users                            Viewings per day per person   Viewings per day (total)   Note
Word, Excel, PPT           47,000 (Internal AD RMS Users)   5                             47,000
Outlook                    47,000 (Internal AD RMS Users)   5                             47,000
Word, Excel, PPT Viewer     3,000 (external AD RMS Users)   10                            30,000

AD RMS Server Hardware and Components
Item        Recommendation
Model       DL 380G7
CPU         Server with dual quad-core CPU
Memory      8 GB of RAM
Hard Disk   3x 146 GB drives in RAID-1 configuration
NLB         Hardware load balancer to be supplied by Halliburton
NIC         Two network interfaces at 1000 Mbps

SQL Server Hardware and Components
Item        Recommendation
Model       DL 380G7
CPU         Server with dual quad-core CPU
Memory      16 GB of RAM
Hard Disk   3x 146 GB SAS drives; SAN storage
NLB         Hardware load balancer to be supplied by Halliburton
NIC         Two network interfaces at 1000 Mbps

Estimated E-mail Load
Item                                            Estimate
Number of users                                 100,000
E-mails read per day per user                   75
Number of e-mail messages per day               7,500,000
Percentage of messages with AD RMS protection   10%
AD RMS messages per day                         750,000
  per hour (10-hour day)                        75,000
  per minute                                    1,250
  per second                                    21

Average RMS Load (for calculating logging DB size)
Input                                                                                 Value
# of users                                                                            12,000 users
Average e-mails sent individually per day per user                                    20 emails
Number of average recipients in individual e-mails                                    3 recipients
Average e-mails sent to DLs per day per user                                          1 email
Number of average recipients in a DL                                                  10 recipients
% of e-mails sent individually to be protected                                        5%
% of e-mails sent to DLs to be protected                                              1%
% of e-mail in DLs that's read                                                        75%
Number of documents created/edited per user per day                                   20 documents
Number of documents read per user per day                                             20 documents
% of documents to be protected manually                                               10%
Number of documents downloaded from protected SharePoint libraries per user per day   0 documents
Exchange pre-licensing in use                                                         TRUE

Derived                                                                   Value
Protected individual messages, licenses per user                          1 sent, 3 read
Protected DL messages, licenses per user                                  0.01 sent, 0.1 read
# of protected e-mails sent per day                                       12,120
# of protected e-mails read per day                                       37,200
Documents manually protected per user per day                             2
# of protected documents read per day (does not include attachments)      24,000
# of licenses issued per day                                              61,200
# of licenses issued per month                                            1,836,000
Logging DB growth per month: 9,180,000,000 bytes = 8,964,843.75 KB = 8,754.73 MB = 8.55 GB = 0.00835 TB
Attachments don't need to be counted as they are not independently licensed.

Peak Load
# licenses on peak days                   372,300
% of operations performed in peak hours   50%
Number of peak hours per day              4
# peak licenses per hour                  46,538
# peak licenses per second                13

Pre-licensing Burst Sizing
# of users                                                            45,000 users
# protected responses seen by each user on average                    0 responses
Exchange pre-licensing in use?                                        TRUE
Timespan (hours) during which users will read the original message    6 hours
Minutes to pre-license all e-mails                                    3 minutes
Seconds available to license all messages                             180 seconds
# of licenses to issue                                                45,000 licenses
Peak licenses per second                                              250 licenses per second

Without Pre-licensing vs. Using Pre-licensing
[Diagram: use-license (UL) requests spread over the reading window without pre-licensing versus concentrated in the three-minute pre-licensing window]
# of CPU cores needed            5
# of servers (including spare)   3
Assumptions: 50 licenses per second for x64; 25 licenses per second for x86

References
http://technet.microsoft.com/en-us/library/cc747731.aspx
http://technet.microsoft.com/en-us/library/cc747585.aspx
http://technet.microsoft.com/en-us/library/cc747691.aspx
http://technet.microsoft.com/en-us/library/dd941589(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd941624(WS.10).aspx

Backup
To back up AD RMS, back up the following (as required depending on the volume and policy of the organization):
• AD RMS certification cluster configuration database
• Each AD RMS licensing cluster configuration database
• Trusted Publishing Domain
• Logging DB: daily, or as the acceptable logging information loss dictates; frequent local backup of transaction logs
• DS Cache: whenever the AD RMS version changes or servers are installed
• The logging database content should be migrated to an archival database

Recovery
If the AD RMS server fails; if SQL Server fails and there is no SQL cluster; best practice: use a cluster name for the AD RMS cluster
• Reinstall the server, add it to the existing cluster
• Reinstall Windows and SQL Server, restore the DB backup
• If a node is corrupt or damaged, reinstall the AD RMS server(s), adding them to the same cluster
• Might ask for the private key password
• Provides flexibility when restoring the server to a new host name

Reprovision the Server with the Original DB
• AD RMS needs to connect to the original DB and you need to provide the Cluster Key Password
• While reinstalling AD RMS, the original configuration database will be detected
• Choose Join when prompted to join or create a new cluster
• A new logging database will be created if needed
If the root certification cluster is being reinstalled
• Must keep the service connection point in Active Directory for provisioning
• If the SCP is not present, setup will try to create a new cluster
[Diagram: DB CNAME with log shipping between Site A and Site B]

Resources
www.sapien.com
http://northamerica.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
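The sizing arithmetic on the capacity-planning slides above (protected e-mail and document license counts, logging database growth, peak-hour rate, the pre-licensing burst, and the resulting core and server counts) collected into one worked example. This is added code, not from the deck or from Microsoft; the 5,000 bytes per logged license is inferred from the deck's own monthly figures (9,180,000,000 bytes for 1,836,000 licenses), and the four cores per server and one spare server in servers_needed are assumptions chosen to match the deck's quad-core advice and its "3 servers (including spare)". All inputs in main() are the deck's own planning values, so the outputs can be checked against the slides.

```python
"""Capacity-planning arithmetic for an AD RMS licensing cluster.

Added example, not from the deck. Every input is a planning assumption;
the values used in main() are the ones the sizing slides show, so each
result can be compared with the slide figures.
"""
import math
from dataclasses import dataclass

# Per-core throughput the deck states as its sizing assumption.
LICENSES_PER_SEC_PER_CORE = {"x64": 50, "x86": 25}

# Assumed size of one logged license record. The deck shows
# 9,180,000,000 bytes/month for 1,836,000 licenses/month, i.e. 5,000
# bytes each; the ratio is inferred here, the deck does not state it.
BYTES_PER_LOGGED_LICENSE = 5000


@dataclass
class MailProfile:
    """Average e-mail behaviour per user per day (planning inputs)."""
    users: int
    individual_per_user: float      # e-mails sent individually
    individual_recipients: float    # average recipients per such e-mail
    dl_per_user: float              # e-mails sent to distribution lists
    dl_recipients: float            # average recipients per DL
    pct_individual_protected: float
    pct_dl_protected: float
    pct_dl_read: float              # share of DL mail that is actually read
    prelicensing: bool = True


def email_licenses_per_day(p: MailProfile):
    """Return (protected e-mails sent, use licenses issued) per day."""
    sent_individual = p.users * p.individual_per_user * p.pct_individual_protected
    sent_dl = p.users * p.dl_per_user * p.pct_dl_protected
    dl_copies = sent_dl * p.dl_recipients
    # The Exchange pre-licensing agent acquires use licenses on delivery,
    # not on consumption, so with pre-licensing every delivered DL copy
    # costs a license whether or not it is ever read.
    if not p.prelicensing:
        dl_copies *= p.pct_dl_read
    licenses = sent_individual * p.individual_recipients + dl_copies
    return sent_individual + sent_dl, licenses


def document_licenses_per_day(users, docs_read_per_user, pct_protected,
                              sharepoint_downloads_per_user=0):
    """Use licenses for protected documents read per day.

    Attachments are not counted: they are not independently licensed.
    """
    return users * (docs_read_per_user * pct_protected
                    + sharepoint_downloads_per_user)


def logging_db_growth(licenses_per_day, days_per_month=30):
    """Return (licenses per month, logging DB growth in bytes per month)."""
    per_month = licenses_per_day * days_per_month
    return per_month, per_month * BYTES_PER_LOGGED_LICENSE


def peak_license_rate(licenses_on_peak_day, pct_in_peak_hours, peak_hours):
    """Return (licenses per peak hour, licenses per second in peak hours)."""
    per_hour = licenses_on_peak_day * pct_in_peak_hours / peak_hours
    return per_hour, per_hour / 3600


def prelicensing_burst(licenses, tolerance_minutes=3):
    """Licenses per second when pre-licensing must finish inside its tolerance."""
    return licenses / (tolerance_minutes * 60)


def servers_needed(peak_per_sec, arch="x64", cores_per_server=4, spare=1):
    """Return (CPU cores needed, servers including spares).

    cores_per_server=4 follows the deck's quad-core advice; one spare
    server is an assumption of this example.
    """
    cores = math.ceil(peak_per_sec / LICENSES_PER_SEC_PER_CORE[arch])
    return cores, math.ceil(cores / cores_per_server) + spare


def consumption_rates(users, hours, prelicensing_tolerance_minutes=None):
    """Return (requests per minute, requests per second) when every user
    consumes one protected message, spread over `hours` without
    pre-licensing or squeezed into the pre-licensing tolerance with it."""
    window_minutes = (hours * 60 if prelicensing_tolerance_minutes is None
                      else prelicensing_tolerance_minutes)
    per_min = users / window_minutes
    return per_min, per_min / 60


if __name__ == "__main__":
    profile = MailProfile(12_000, 20, 3, 1, 10, 0.05, 0.01, 0.75)
    sent, mail_lic = email_licenses_per_day(profile)
    doc_lic = document_licenses_per_day(12_000, 20, 0.10)
    per_month, nbytes = logging_db_growth(mail_lic + doc_lic)
    print(f"protected mail sent/day {sent:,.0f}, mail licenses/day {mail_lic:,.0f}")
    print(f"licenses/day {mail_lic + doc_lic:,.0f}, per month {per_month:,.0f}, "
          f"log growth {nbytes / 1024 ** 3:.2f} GB/month")
    per_hour, per_sec = peak_license_rate(372_300, 0.5, 4)
    print(f"peak {per_hour:,.0f}/hour, {per_sec:.0f}/second")
    burst = prelicensing_burst(45_000)
    print(f"pre-licensing burst {burst:.0f}/second -> (cores, servers) "
          f"{servers_needed(burst)}")
```

Running it reproduces the slide figures: 12,120 protected e-mails sent and 37,200 read per day, 24,000 document licenses, 61,200 licenses per day and 1,836,000 per month (8.55 GB of logging growth), 46,538 peak licenses per hour and 13 per second, and a 250 licenses-per-second pre-licensing burst that needs 5 x64 cores, hence 3 quad-core servers with a spare. Switching the profile to prelicensing=False applies the 75% read rate to DL copies and drops the daily e-mail licenses to 36,900, which shows why pre-licensing moves load rather than removing it.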