Planning, Designing & Deploying a Highly Available AD RMS

Contact Email: jovitan@microsoft.com – I will respond 
Session Objective(s) and Takeaways:
• Identify the AD RMS solution requirements
• Document the solution design summary
• Identify the AD RMS solution scope and usage scenarios
• AD RMS solution architecture recommendations: cluster, policy templates, AD, client, pipelines, extranet, firewall, AD RMS server, logging, AD RMS security, communication dataflow, backup, restore and disaster recovery recommendations
• Understand the process of building an enterprise-ready, highly redundant and resilient AD RMS infrastructure for your customer.
AD RMS Overview
AD RMS Components
AD RMS Licenses
AD RMS Certificates
Information Flow
Bootstrapping
Legal, Regulatory & Financial impacts:
• Cost of digital leakage per year is measured in $ billions
• Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
• Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
Damage to Image & Credibility:
• Damage to public image and credibility with customers
• Financial impact on company
• Leaked e-mails or memos can be embarrassing
Loss of Competitive Advantage:
• Disclosure of strategic plans or M&A info can potentially lead to loss of revenue and market capitalization
• Loss of research, analytical data, and other intellectual capital
Percentage cause of data breach: estimated sources of data breach by year

Likely source of incidents | 2008 | 2009 | 2010
Current Employee           | 34%  | 33%  | 32%
Former Employee            | 16%  | 19%  | 23%
Hacker                     | 28%  | 26%  | 31%
Customer                   | 8%   | 10%  | 12%
Partner/Supplier           | 7%   | 8%   | 11%
Unknown                    | 42%  | 39%  | 34%

Sources: Cost of Data Breach report, Ponemon Institute 2010; Global State of Information Security Survey, PriceWaterhouseCoopers 2010
Diagram: Traditional solutions control initial access. An access control list perimeter and a firewall perimeter separate authorized users from unauthorized users, yet information leakage still occurs (USB drive, external users, mobile devices). RMS addresses ongoing information usage, from the information author to the recipient.
AD RMS Workflow

Protection (RMS Author):
1. The author automatically receives AD RMS credentials (a "rights account certificate" and a "client licensor certificate") from the AD RMS server the FIRST TIME they rights-protect information (not on subsequent attempts); the machine certificate and RAC are established at this point.
2. The application works with the AD RMS client to create a "publishing license" (e.g. Bob@abc.com: Read, Print; Cathy@abc.com: Read; Lawyers@abc.com: Read), encrypts the file, and appends the publishing license to it. The file is now RMS protected (encrypted).
3. The AD RMS author distributes the file.

Consumption (RMS Consumer):
1. The recipient clicks the file to open it. The application sends the recipient's credentials (RAC) and the publishing license to the AD RMS server, which validates the user and issues a "use license" (e.g. Bob@abc.com: Read, Print).
2. The application renders the file and enforces the rights; the content is AD RMS protected (decrypted only inside the application).

Persistent protection = Encryption + Policy: usage rights and conditions, encryption, trusted entities.
Scenario comparison: RMS vs. EFS vs. BitLocker (the original slide marks, for each scenario, which technology helps and where a technology CANNOT HELP!!)

Secure Collaboration:
• Protect my information outside my direct control
• Set fine-grained usage policy on my information
• Collaborate with others on protected information
Protect Yourself:
• Protect my information to my smartcard
• Untrusted admin of a file share
• Protect information from other users on a shared machine
Protect Against Theft:
• Lost or stolen laptop
• Physically insecure branch office server
• Local single-user file & folder protection
AD RMS Topology

RMS "Root" Certification Cluster (AD RMS Root Cluster), used by clients for certification & licensing:
• RMS Web Services: Certification, Publishing, Licensing (IIS, ASP.NET, NLB)
• SQL Server: Configuration, Logging and Directory databases
• Logging Database
Licensing-Only Server Cluster (RMS Licensing Cluster), used by clients for licensing:
• RMS Web Services: Publishing, Licensing (IIS, ASP.NET, NLB)
• Its own SQL database
Active Directory:
• Identity list
• Service Connection Point (URL)
Administration:
• Service connection point
• Policy Templates
• Logging Settings
Client Machines:
• RMS-enabled applications
• RMS Client + "Lockbox"
• User Certificate + key pair
• Machine Certificate + key pair
Handout 1: RMS Client "Bootstrapping" (single-server configuration)

Client Computer(s):
1. Install RMS-enabled application(s)
2. Install RMS Client Software
3. User uses RMS for the first time; the RMS Client activates the machine:
   - Calls RMActivate.exe to generate the machine key pair and signs the Machine Certificate (containing the machine public key)
   - Protects the user-specific machine private key with DPAPI
4. User authenticates (authentication credentials are sent to the RMS Server)

RMS Server, Certification:
• Check user SID against AD
• Generate User Key Pair
• Issue the Rights Account Certificate (RAC), signed with RMS Server Public key, containing:
   - User Private Key, encrypted with the machine public key
   - User Public Key
The RAC is returned to the client; the user can now publish online or consume.

RMS Server, Client Licensor Certificate request:
• Validate RAC
• Generate "Client" Key Pair
• Issue the Client Licensor Certificate (CLC), signed with RMS Server Public key, containing:
   - CLC Private key, encrypted with the RAC public key
   - CLC Public key and copy of SLC
The CLC is returned to the client; the user can now publish offline.
Handout 2: Online Publishing

"Publisher" / Sender: user protects content
1. The RMS-enabled application generates an AES content key and encrypts the content with it (result: encrypted content).
2. The application encrypts the content key with the RMS server's public key and sends it to the RMS publishing server (an RMS Licensing Service) together with the rights information.
RMS Publishing Server:
3. Creates and signs the Publishing License (PL), which contains the encrypted AES key, the rights information and the URL of the RMS server.
"Publisher" / Sender:
4. The RMS-enabled application receives the Publishing License and appends it to the encrypted content.

Keys involved: AES content key and RMS Server public key on the client side; RMS Server private key on the server side.
Handout 3: Offline Publishing (with CLC)

"Publisher" / Sender: user protects content (e.g. a Word doc)
1. The RMS-enabled application generates an AES content key and encrypts the content with it (result: encrypted content).
Application and RMS Client:
2. Encrypt the content key with the RMS server's public key (so the server can decrypt it later for the recipient; the server public key is contained in the server SLC, inside the client CLC).
3. Encrypt the content key with the CLC public key (to create the "owner" license).
4. Create the publishing license, include both encrypted copies of the content key, the rights information and the RMS server URL, and sign it with the CLC private key.
5. Append the Publishing License to the content.

Client Licensor Certificate contents: CLC private key, CLC public key, copy of SLC.
Resulting Publishing License: 2 encrypted AES keys, rights information, URL of RMS server, appended to the encrypted content.
Keys involved: AES content key, RMS Server public key.
Handout 4: Offline Publishing & Consumption

1. Publisher saves content (Application and RMS client):
   1. Generate AES key and encrypt content
   2. Encrypt AES key with the public key of the client's CLC (for the "owner" license)
   3. Encrypt another copy of the AES key with the RMS server's public key (so the server can decrypt it later for the recipient; the server public key is contained in the client CLC)
   4. Create the "Publishing License" (PL), sign it with the CLC private key and append it to the encrypted content
   Result: Publishing License (2 encrypted AES keys, rights information, URL of RMS server) + encrypted content.
2. Recipient user opens content (Application and RMS Client; assuming the recipient has the RMS Client and a RAC):
   1. Inspect the PL for the RMS Service URL.
   2. Send a "Use License Request" (PL + RAC) to the licensing server specified by the URL.
3. RMS Server:
   1. Validates the recipient RAC
   2. Inspects the PL for rights
   3. Validates the user in AD
   4. Un-encrypts the content key & re-encrypts it with the recipient RAC's public key
   5. Returns the encrypted content key in the use license
4. Application renders file and enforces rights:
   1. The RMS Client uses the RAC private key (unavailable to the user) to un-encrypt the content key
   2. The application enforces the XrML policy detailed in the PL
Credential | Identifies | Contains | Allows…
Machine Certificate | A trusted machine | Machine public key | Machine and Lockbox to participate in RMS environment
Rights Account Certificate (RAC) (a.k.a. "GIC") | A trusted user | User public key (User private key is encrypted with the machine public key) | Authorized user to consume protected content
Client Licensor Certificate (CLC) | A user allowed to protect content (i.e. "publish") on behalf of the RMS Server, without connectivity to the RMS Server | CLC public key (one per user per PC); CLC private key (encrypted with RAC public key); copy of RMS Server Licensor Cert | A user to protect content (i.e. "publish") on behalf of the RMS Server, without connectivity to the RMS Server
Publishing License (issued by either an RMS server or by a user via their CLC) | Policy (users, rights, conditions) governing content consumption | Policy information; symmetric (AES) key used for content encryption (encrypted with the RMS server public key); another copy of the content key (encrypted with the CLC public key); URL of licensing server | 
Use License (issued by RMS licensing server) | | Symmetric (AES) key used for content encryption (encrypted with the authorized user's RAC public key) | An authorized principal (user) to consume content according to conditions in the Publishing License
Workflow summary (participants: Information Author, RMS Server, Active Directory, Database Server, The Recipient):
1. Author automatically receives RMS credentials ("rights account certificate" and "client licensor certificate") the first time they rights-protect information.
2. Author applies an RMS policy to their file. The application works with the RMS client to create a "publishing license", encrypts the file, and appends the publishing license to it.
3. Author distributes file.
4. Recipient clicks file to open. The application sends the recipient's credentials and the publishing license to the RMS server, which validates the user and issues a "use license."
5. Application renders file and enforces rights.
Anatomy of a protected file (Word, Excel, or PowerPoint 2003 Pro):
• Publishing License: created when the file is protected. Contains the Content Key, encrypted with the server's public key, and the Rights Info (w/ email addresses), also encrypted with the server's public key.
• End User Licenses: rights for a particular user. Contain the Content Key encrypted with the user's public key. Only added to the file after the server licenses a user to open it. NOTE: Outlook e-mail EULs are stored in the local user profile directory.
• The Content of the File (text, pictures, metadata, etc.): encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key (a big random number).
Reference deployment diagram: Internet-facing and internal RMS clients (RMS-enabled client, browser) reach the RMS Services (certification and licensing) on AD RMS 2008 R2 SP1 servers, backed by SQL 2008 R2 Enterprise Clusters and Domain Controllers.
AD RMS component architecture:
• RMS Client: applications on the client platform and OS platform; talks SOAP/HTTP to the RMS Server
• RMS Server: applications and RMS Administration (WebSSO Agent, MMC 3.0 Host with Admin Snap-in, MOM pack, PowerShell) on the admin platform and OS platform; WebSSO redirects use the ADFS passive protocol (HTTP); System.Data.SqlClient connects to SQL Server; native LDAP connects to AD
AD RMS with SharePoint and Exchange: the rights the Information Author grants (View, Edit, Print) are enforced for the Recipient through Active Directory and AD RMS.
• When content is downloaded from a library…
  − RMS protection automatically applied
  − Information still searchable in SharePoint library
  − SharePoint rights map to IRM permissions
• When content is saved to a network file share...
  − Bulk Protection Tool secures all content in certain folders
  − File Classification Infrastructure (FCI) can automate classification, RMS protection and the move into SharePoint (AD RMS, Windows File Server, SharePoint)
• DLP provides a powerful way to locate and classify your information
  − Maps AD RMS policy to DLP and therefore to content
Example (Microsoft AD RMS with RSA DLP): RSA DLP finds 'IP' documents on endpoints (laptops/desktops), file shares and SharePoint, and applies the 'IP' AD RMS template (IP Policy). The Intellectual Property (IP) template grants the R&D department View, Edit, Print; the Marketing department View; and others No Access.
Microsoft Exchange Prelicensing
• Microsoft Exchange Server 2007 SP1 and later can work with Outlook 2007 or Outlook Mobile 6.1 and later to enable Prelicensing
• When enabled, users are delivered licenses for emails and attachments together with the documents
• Eliminates the need to be connected to acquire a license on open
Exchange Server Prelicensing as an Enabler
In Exchange 2010 Exchange prelicensing enables:
Offline consumption of email and attachments
Antimalware scanning
OWA IRM
Automated decryption/journaling/protection
Indexing and Search
Exchange ActiveSync IRM
IRM in OWA in Exchange 2010
IRM protection in any browser!
Web Ready Document View
Additional capabilities in Exchange 2010
Search, scan, filter, and journal protected e-mail
Transport Decryption
Enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus.
IRM Search
Conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery of protected messages in the Exchange Store.
Journal Report Decryption
The Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to the journal mailbox
Exchange ActiveSync IRM
Content gets evaluated, licensed and decrypted before being delivered to the device
The device uses its native protection and enforcement capabilities
Accidents Happen: we can't always rely on users to protect data
Top 10 threats to Enterprise Security - IDC
"80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent." Forrester, 2008
Information Protection and Control in Exchange 2010: the right tools for the right scenario
SOFT CONTROLS (less restrictive): MailTips, Dynamic Signatures/Disclaimers, Moderation
HARD CONTROLS (more restrictive): IRM Protection, Block/Redirect
Automating Information Protection
AD RMS typically relies on the users to protect content they consider sensitive. In some scenarios, enforcing protection over certain types of content might be desired.
Possible implementations:
• Use Windows Server 2008 R2 and Exchange 2010 automated protection capabilities
• Use third party solutions to perform discovery and automated protection
Automated Protection: reduced risk via automatic, centralized protection
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages, called "Transport Rules."
Automatic Content-Based Privacy:
• New transport rule action to apply RMS protection to e-mail messages and attachments.
• Predicates support regular expression scanning of e-mail body, subject, and attachments
• Transport rules also support detection of unsupported attachments and attachment stripping.
Transport Protection Rules: take the decision away from end-users
• Apply RMS policies automatically using Transport Rules
• RMS protection can be triggered based on sender, recipient, or content
• Apply "Do Not Forward" or custom RMS templates
• RMS protection is also applied to Office 2003, 2007, and 2010 attachments
Outlook Protection Rules: apply IRM protection automatically at the client
• IRM protection automatically triggered based on sender and receiver attributes
• Authorized users can turn off protection
• Can be used to prevent the email service provider from accessing your email
• Supported attachments are also protected
• Windows Desktop Search will index headers and subject
Integration with Exchange in the Cloud (Exchange Online)
• Brings new Exchange Server capabilities to the cloud
• Gives you greater control over your online environment
• Makes migration and coexistence smoother
Co-Existence: On-Premises and Hosted Service
Cross Premise IRM
• Exchange Online tenants get all IRM capabilities, except for Prelicensing
• After setup, all RMS transactions in the Datacenter are executed within the Datacenter
• Clients continue to call web services on the on-premise AD RMS
Diagram: the Contoso Premise AD RMS private key is imported ("Import Private Key") into the Contoso Tenant in Exchange Online.
Integration with SharePoint Server (SharePoint IRM)
New feature introduced with SharePoint Server 2007
• Not supported in Windows SharePoint Services
SharePoint libraries can be configured to automatically apply protection to documents
Documents get protected automatically on download
• Documents are stored in the database without additional protection
Users receive rights based on their rights over the library

How Does SharePoint IRM Work?
Documents stored in clear text in the database
• Provides indexing and search capabilities; content is listed in search results based on ACLs
Documents protected each time a user downloads the file
• After a user selects a file, it is protected and provided to the client
• Protection derived from user permissions in the library
• SharePoint requires online access to the AD RMS infrastructure
• If the connection fails, the file won't be provided to the client
When a protected file is uploaded to the portal, the content protection is removed
• This feature optimizes the document lifecycle into SharePoint
• Only works for documents protected by SharePoint
Diagram (How Does SharePoint Server IRM Work?): Document Publisher, MOSS Server, MOSS Database, AD RMS Server, Document Consumer.
High Availability & Disaster Recovery
Single cluster: simple, scalable and redundant
• RMS Cluster (NLB): RMS Web Services for Certification, Publishing and Licensing
• SQL Server: Configuration and Logging databases (Log DB)
• Clients connect to the Active Directory Service Connection Point for all services
• Single AD Forest

Root cluster plus sub-enrolled licensing cluster: for departmental control over licensing and policy templates
• RMS "Root" Certification Cluster (NLB): RMS Web Services for Certification, Publishing and Licensing; SQL Server with Configuration and Logging databases
• Sub-enrolled Licensing Cluster (NLB): RMS Web Services for Publishing and Licensing. Note: the sub-enrolled licensing server has its own database.
• Clients connect to the Active Directory Service Connection Point for all services; single AD Forest
• Registry settings point departmental users to the subordinate licensing cluster:
  HKLM\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing = http://<FQDN>/_wmcs/licensing
• Corporate users without registry overrides point to the root cluster for licensing
• AD service discovery points all corporate users to the SCP for certification

Multiple Certification, Single License: multiple AD Forests
• Each forest runs its own RMS Certification-only cluster (NLB); one cluster provides RMS Certification & Licensing
• A registry override points all users to the common licensing server
Use 64 Bit
• Almost twice as much performance using 64 bit over 32 bit
• Quad core servers are usually the sweet spot in cost/performance
Exchange pre-licensing and load:
• The Exchange pre-licensing agent acquires use licenses on delivery, not consumption
• Pre-licensing has a default tolerance of approx. three minutes
• Significant impact to peak load
• Exchange batches requests, which gains some, though not significant, efficiency
Peak license requests with and without prelicensing:

Scenario           | # Users | Amount of time to consume (in hours) | Peak License Requests per min | Peak License Requests per sec
No prelicensing    | 50,000  | 4                                    | 209                           | 3.5
Using prelicensing | 50,000  | 4                                    | 16,667                        | 278
Item                                           | Estimate
Number of Users                                | 100,000
E-mails read per day per user                  | 75
Number of e-mail messages per day              | 7,500,000
Percentage of messages with AD RMS protection  | 10%
AD RMS Messages per day                        | 750,000
AD RMS Messages per hour (10 hour day)         | 75,000
AD RMS Messages per minute                     | 1250
AD RMS Messages per second                     | 21
Average RMS load (for calculating logging DB size)

Inputs:
# of Users                                                                        | 12,000 users
Average emails sent individually per day per user                                 | 20 emails
Number of average recipients in individual emails                                 | 3 recipients
Average emails sent to DLs per day per user                                       | 1 email
Number of average recipients in a DL                                              | 10 recipients
% of emails sent individually to be protected                                     | 5%
% of emails sent to DLs to be protected                                           | 1%
% of email in DLs that's read                                                     | 75%
Number of documents created/edited per user per day                               | 20 documents
Number of documents read per user per day                                         | 20 documents
% of documents to be protected manually                                           | 10%
Number of documents downloaded from protected SharePoint libraries per user per day | 0 documents
Exchange pre-licensing in use                                                     | TRUE

Per user per day:
Protected individual messages licenses per user | 1 protected email sent | 3 protected emails read
Protected DL messages licenses per user         | 0.01 protected emails sent | 0.1 protected emails read
Documents manually protected                    | 2 (attachments don't need to be counted as they are not independently licensed)

Totals:
# of protected emails sent per day                                    | 12,120
# of protected emails read per day                                    | 37,200
# of protected documents read per day (does not include attachments) | 24,000
# of licenses issued per day                                          | 61,200
# of licenses issued per month                                        | 1,836,000
Logging DB growth: 9,180,000,000 Bytes/mo = 8,964,843.75 KB/mo = 8,754.73022 MB/mo = 8.54954123 GB/mo = 0.00834916 TB/mo
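An added sizing model (written for this page, not code from the session or from Microsoft) that reproduces the three tables above: peak use-license requests with and without Exchange prelicensing, protected-message volume, and monthly logging-database growth. Its one assumption is 5000 bytes of logging data per use license, which is the ratio the slide's own totals imply rather than a figure the deck states.

```python
"""AD RMS use-license load and logging-database sizing model (added example).

Assumption: 5000 bytes of logging data per use license. The deck does not state
this; it is the ratio implied by its figures (9,180,000,000 bytes / 1,836,000).
"""
from dataclasses import dataclass

PRELICENSE_WINDOW_MIN = 3      # deck: prelicensing tolerance of approx. three minutes
LOG_BYTES_PER_LICENSE = 5000   # assumption derived from the deck's totals
DAYS_PER_MONTH = 30


def peak_license_requests(users, consume_hours, prelicensing):
    """Return (requests per minute, requests per second) at peak.

    Without prelicensing the requests spread over the hours users take to open
    their mail. With prelicensing Exchange acquires every recipient's license on
    delivery, so the whole population is licensed inside the ~3 minute window.
    """
    window_min = PRELICENSE_WINDOW_MIN if prelicensing else consume_hours * 60
    per_min = users / window_min
    return per_min, per_min / 60


def protected_messages(users, read_per_day, protected_share, hours_per_day=10):
    """AD RMS-protected messages per day, hour, minute and second."""
    per_day = users * read_per_day * protected_share
    per_hour = per_day / hours_per_day
    return {"day": per_day, "hour": per_hour, "minute": per_hour / 60, "second": per_hour / 3600}


@dataclass
class LoggingProfile:
    users: int
    emails_individual: float       # e-mails sent individually per user per day
    recipients_individual: float
    emails_dl: float               # e-mails sent to distribution lists per user per day
    recipients_dl: float
    share_individual_protected: float
    share_dl_protected: float
    share_dl_read: float
    docs_read: float               # documents read per user per day (attachments are
    share_docs_protected: float    # not counted: they are not independently licensed)
    sharepoint_docs: float         # downloads from protected SharePoint libraries per user per day
    prelicensing: bool


def deck_profile(prelicensing=True):
    """The 12,000-user example profile from the deck's logging DB table."""
    return LoggingProfile(12_000, 20, 3, 1, 10, 0.05, 0.01, 0.75, 20, 0.10, 0, prelicensing)


def logging_db_estimate(p):
    """Use licenses per day and month, and logging-DB bytes and GB per month.

    Each consumed protected item costs one use license, which the cluster logs.
    With prelicensing, DL mail is licensed for every recipient on delivery, read
    or not; without it only the share that is actually read gets a license.
    """
    individual_read = p.emails_individual * p.share_individual_protected * p.recipients_individual
    dl_read = p.emails_dl * p.share_dl_protected * p.recipients_dl
    dl_read *= 1.0 if p.prelicensing else p.share_dl_read
    docs = p.docs_read * p.share_docs_protected + p.sharepoint_docs
    licenses_day = round(p.users * (individual_read + dl_read + docs), 2)
    licenses_month = licenses_day * DAYS_PER_MONTH
    bytes_month = licenses_month * LOG_BYTES_PER_LICENSE
    return {"licenses_day": licenses_day, "licenses_month": licenses_month,
            "bytes_month": bytes_month, "gb_month": bytes_month / 1024 ** 3}


if __name__ == "__main__":
    print(peak_license_requests(50_000, 4, False), peak_license_requests(50_000, 4, True))
    print(protected_messages(100_000, 75, 0.10))
    print(logging_db_estimate(deck_profile()))
```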
To back up AD RMS, back up (as required, depending on volume and the policy of the organization):
• AD RMS certification cluster configuration database
• Each AD RMS licensing cluster configuration database
• Trusted Publishing Domain
• Logging DB: daily or as the acceptable logging information loss dictates. Frequent local backup of transaction logs
• DS Cache: whenever the AD RMS version changes or servers are installed
• The logging database content should be migrated to an archival database

If an AD RMS server fails:
• Reinstall the server, add it to the existing cluster
If SQL Server fails and there is no SQL cluster:
• Reinstall Windows, SQL Server, restore the DB backup
• If a node is corrupt or damaged, reinstall the AD RMS server(s), adding them to the same cluster. Might ask for the private key password
Best practice: use a cluster name for the AD RMS cluster
• Provides flexibility when restoring the server to a new host name
Reprovision the server with the original DB
• AD RMS needs to connect to the original DB and you need to provide the Cluster Key Password
While reinstalling AD RMS, the original configuration database will be detected
• Choose Join when prompted to Join or create a new cluster
• A new logging database will be created if needed
If the root certification cluster is being reinstalled
• Must keep the service connection point in Active Directory for provisioning
• If the SCP is not present, setup will try to create a new cluster
Diagram: the AD RMS cluster reaches its database through a DB CNAME, with SQL log shipping between Site A and Site B.
http://europe.msteched.com
http://europe.msteched.com/sessions