Contact Email: [email protected] – I will respond Session Objective(s): Takeaways: • Identify the AD RMS Solution Requirements • Document the Solution Design.
Download ReportTranscript Contact Email: [email protected] – I will respond Session Objective(s): Takeaways: • Identify the AD RMS Solution Requirements • Document the Solution Design.
Contact Email: [email protected] – I will respond Session Objective(s): Takeaways: • Identify the AD RMS Solution Requirements • Document the Solution Design Summary • Identify AD-RMS solution scope and usage scenarios • AD RMS Solution architecture recommendations • Cluster, Policy Templates, AD, Client, Pipelines, Extranet, Firewall, ARMS Server, Logging, AD RMS Security, Communication Dataflow, Backup, Restore and Disaster Recovery Recommendations • Understand the process of building an Enterprise ready, highly redundant and resilient AD-RMS infrastructure for your customer. AD RMS Overview AD RMS Components AD RMS Licenses AD RMS Certificates Information Flow Bootstrapping Legal, Regulatory & Financial impacts Damage to Image & Credibility Loss of Competitive Advantage Cost of digital leakage per year is measured in $ billions Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386 Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time Damage to public image and credibility with customers Financial impact on company Leaked e-mails or memos can be embarrassing Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization Loss of research, analytical data, and other intellectual capital Percentage cause of data breach Estimated sources of data breach Likely source of incidents Current Employee Former Employee Hacker Customer Partner/Supplier Unknown Cost of Data Breach report Ponemon Institute 2010 2008 2009 2010 34% 16% 28% 8% 7% 42% 33% 19% 26% 10% 8% 39% 32% 23% 31% 12% 11% 34% Global State of Information Security Survey PriceWaterhouseCoopers 2010 Traditional solutions control initial access Authorized Users Information Leakage Access Control List Perimeter Unauthorized Users Unauthorized Users Firewall Perimeter …RMS addresses ongoing information usage Information Author USB Drive External Users Recipient Mobile Devices AD RMS Workflow Protection AD RMS Server Machine cert And RAC Author automatically receives AD RMS credentials (“rights account certificate” and “client licensor certificate”) the FIRST TIME they rights-protect information (not on subsequent attempts). 2. Consumption 1. Use License [email protected]: Read,Print AD RMS Protected (Decrypted) Application renders file and enforces rights. Publishing License And RAC ` Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the AD RMS server, which validates the user and issues a “use license.” ` RMS Consumer RMS Author The application works with the AD RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it. Publishing License [email protected]: Read,Print [email protected]: Read [email protected]:Read The AD RMS Author distributes file. RMS Protected (Encrypted) Usage rights and conditions Encryption Trusted entities Persistent Encryption + Policy Microsoft Confidential Scenario Secure Collaboration RMS EFS Protect my information outside my direct control Set fine-grained usage policy on my information Collaborate with others on protected information Protect Yourself Protect my information to my smartcard Untrusted admin of a file share Protect information from other users on shared machine Lost or stolen laptop Physically insecure branch office server Local single-user file & folder protection Protect Against Theft BitLocker CANNOT HELP!! AD RMS Topology AD RMS Root Cluster Database Database Licensing-Only Server Database Licensing-Only Server Cluster RMS “Root” Certification Cluster Active Directory •Identity list •Service Connection point (url) Administration: •Service connection point •Policy Templates •Logging Settings Logging Database RMS Web Services: •Certification •Publishing •Licensing SQL Server •Configuration •Logging •Directory IIS, ASP.NET NLB Certification & Licensing RMS Licensing Cluster Client Machines RMS Web Services: •Publishing •Licensing RMS-enabled applications RMS Client + “Lockbox” Licensing IIS, ASP.NET NLB User Certificate + key pair Machine Certificate + key pair SQL Handout 1: RMS Client “Bootstrapping” RMS Server Client Computer(s) (single-server configuration) 1. Install RMS-enabled application(s) 2. Install RMS Client Software 3. User uses RMS for the first time RMS Client Activates Machine -Calls RMActivate.exe to generate machine key pair and signs Machine Certificate (containing machine public key) Protects user-specific machine private key with DPAPI 4. User authenticates User can publish online or consume Request Client Licensor Certificate User can publish offline Authentication credentials Certification: Check user SID against AD Generate User Key Pair Rights Account Certificate (RAC), signed with RMS Server Public key -User Private Key, Encrypted with the machine public key -User Public Key RAC Validate RAC Generate “Client” Key Pair Client Licensor Certificate (CLC), signed with RMS Server Public key -CLC Private key, encrypted with the RAC public key -CLC Public key and copy of SLC Handout 2: Online Publishing RMS Publishing Server “Publisher” / Sender (an RMS Licensing Service) User protects content 1. RMS-enabled application generates AES content key, encrypts content with it 2. Application encrypts content key with RMS server’s public key and sends to RMS publishing server. • encrypted content •encrypted AES content key •rights information 3. Creates and signs Publishing License (PL) Publishing License 4. RMS-enabled application receives and appends it to encrypted content Publishing License •encrypted AES key •rights information •url of RMS server •encrypted AES key •rights information •url of RMS server • encrypted content AES content key RMS Server public key RMS Server private key Handout 3 Offline Publishing (with CLC) “Publisher” / Sender User protects content (e.g. Word doc) 1. RMS-enabled application generates AES content key, encrypts content with it • encrypted content Application and RMS Client: 2. Encrypt content key with RMS server’s public key (so server can decrypt it later for the recipient…server Client Licensor Certificate public key is contained in the server SLC, inside the CLC Private key client CLC) CLC Public key copy of SLC 3. Encrypt content key with CLC public key (to create “owner” license) 4. Create publishing license, include both encrypted copies of content key, rights information, and RMS server url, and sign with CLC private key 5. Append Publishing License to content •encrypted AES content key •encrypted AES content key Publishing License •2 encrypted AES keys •rights information •url of RMS server • encrypted content AES content key RMS Server public key Handout 4 Offline Publishing & Consumption Publishing License •2 encrypted AES keys •rights information •url of RMS server • encrypted content 1 Publisher saves content Application and RMS client 1. 2. 3. 4. (Assuming recipient has RMS Client and RAC) 2 Recipient user opens content Application and RMS Client Generate AES key and encrypt content 1. Encrypt AES key with the public key of the client’s CLC (for “owner” 2. license) Encrypt another copy of the AES key with RMS server’s public key (so server can decrypt it later for the recipient…server public key is contained in client CLC) Create “Publishing License” (PL), sign with CLC private key and append to encrypted content Inspect PL for RMS Service url. Send “Use License Request “ (PL + RAC) to licensing server specified by url. Publish License Use License 3 RMS Server 1. 2. 3. 4. 5. Validates recipient RAC Inspects PL for rights Validates user in AD Un-encrypts content key & re-encrypts it with recipient RAC’s public key Returns encrypted content key in use license 4 Application renders file and enforces rights 1. 2. RMS Client uses RAC private key (unavailable to user) to un-encrypt the content key Application enforces XrML policy detailed in PL Credential Identifies Contains Allows… Machine Certificate A trusted machine Machine Machine and Lockbox to participate in RMS environment A trusted user User public key (User private key is encrypted with the machine public key) Authorized user to consume protected content Client Licensor Certificate (CLC) A user allowed to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server CLC A user to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server Publishing License Policy (users, rights, conditions) governing content consumption Policy public key (one per user per PC) Rights Account Certificate (RAC) (a. k. a. “GIC”) (Issued by either an RMS server or by a user via their CLC) Use License (Issued by RMS licensing server) public key CLC private key (encrypted with RAC public key) Copy of RMS Server Licensor Cert information Symmetric (AES) key used for content encryption (encrypted with the RMS server public key) Another copy of the content key (encrypted with the CLC public key) URL of licensing server Symmetric (AES) key used for content encryption (encrypted with the authorized user’s RAC public key) An authorized principal (user) to consume content according to conditions in the Publishing License Active Directory Database Server 1. Author automatically receives RMS credentials (“rights account certificate” and “client licensor certificate”) the first time they rights-protect information. 2. Author applies an RMS policy to their file. The application works with the RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it. RMS Server 4 1 3. Author distributes file. 2 Information Author 3 5 The Recipient 4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the RMS server, which validates the user and issues a “use license.” 5. Application renders file and enforces rights. Word, Excel, or Powerpoint 2003 Pro Created when file is protected Publishing License Encrypted with the server’s public key Content Key End User Licenses Rights for a particular user Rights Info Encrypted with the server’s public key Encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key Content Key w/ email addresses NOTE: Outlook E-mail EULs are stored in the local user Only added to the file profile directory after server licenses a user to open it Encrypted with the user’s public key (big random number) a The Content of the File (Text, Pictures, metadata, etc) Encrypted with the user’s public key Internet Internal RMS clients RMS Services RMS enabled client, Browser Certification and Licensing AD RMS 2008 R2 SP1 servers SQL 2008 R2 Enterprise Cluster SQL 2008 R2 Enterprise Cluster SQL 2008 R2 Enterprise Cluster Domain Controllers 37 RMS Client RMS Server Applications Applications RMS Administration WebSSO Agent MMC 3.0 Host Admin Snap-in Client Client Platform Platform SOAP/HTTP SOAP/HTTP Admin Platform MOM MOM pack pack WebSSO Redirects OS OS Platform Platform Passive Protocol (HTTP) ADFS System.Data.SqlClient Native LDAP AD SQL PowerShell PowerShell SQL Server AD RMS View Edit Print Information Author Active Directory View Edit Print Recipient • When content is downloaded from a library… − RMS protection automatically applied − Information still searchable in SharePoint library − SharePoint rights IRM permissions AD RMS SharePoint Recipient AD RMS Exchange Information Author Recipient • When content is saved to a network file share... − Bulk Protection Tool secures all content in certain folders − File Classification Infrastructure (FCI) can automate classification, RMS and move into SharePoint AD RMS Windows File Server Information Author SharePoint • DLP provides a powerful way to locate and classify your information − Maps AD RMS policy to DLP and therefore to content Microsoft AD RMS R&D Department Marketing Department Others View, Edit, Print View No Access Find ‘IP’ documents Apply ‘IP’ AD RMS template IP Policy RSA DLP R&D department Endpoints: Laptops/Desktops Marketing department File Shares SharePoint Others Intellectual Property (IP) template Microsoft Exchange Prelicensing • Microsoft Exchange Server 2007 SP1 and later can work with Outlook 2007 or Outlook mobile 6.1 and later to enable Prelicensing • When enabled, users are delivered licenses for emails and attachments together with the documents • Eliminates the need to be connected to acquire a license on open Exchange Server Prelicensing as an Enabler In Exchange 2010 Exchange prelicensing enables: Offline consumption of email and attachments Antimalware scanning OWA IRM Automated decryption/journaling/protection Indexing and Search Exchange ActiveSync IRM IRM in OWA in Exchange 2010 IRM protection in any browser! Web Ready Document View Additional capabilities in Exchange 2010 Search, scan, filter, and journal protected e-mail Transport Decryption Enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus. IRM Search Conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery or protected messages in the Exchange Store. Journal Report Decryption Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to journal mailbox Exchange Activesync IRM Content gets evaluated, licensed and decrypted before delivered to device Device uses native protection and enforcement capabilities Accidents Happen We can’t always rely on users to protect data Top 10 threats to Enterprise Security - IDC “80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent.” Forrester, 2008 Information Protection and Control in Exchange 2010 The right tools for the right scenario MailTips SOFT CONTROLS Less restrictive Dynamic Signatures/ Disclaimers Moderation More restrictive IRM Protection HARD CONTROLS Block/ Redirect Automating Information Protection AD RMS typically relies on the users to protect content they consider sensitive In some scenarios, enforcing protection over certain types of content might be desired Possible implementations: • Use Windows Server 2008 R2 and Exchange 2010 automated protection capabilities • Use third party solutions to perform discovery and automated protection Automated Protection Reduced risk via automatic, centralized protection Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages called “Transport Rules.” Automatic Content-Based Privacy: • New transport rule action to apply RMS protection based to e-mail message and attachments. • Predicates support regular expression scanning of e-mail body, subject, and attachments • Transport rules also support detection of un-supported attachments and attachment stripping. Transport Protection Rules Take the decision away from end-users Apply RMS policies automatically using Transport Rules RMS protection can be triggered based on sender, recipient, or content Apply “Do Not Forward” or custom RMS templates RMS protection is also applied to Office 2003, 2007, and 2010 attachments Outlook Protection Rules Apply IRM protection automatically at the client IRM protection automatically triggered based on sender and receiver attributes Authorized users can turn off protection Can be used to prevent email service provider from accessing your email Supported attachments are also protected Windows Desktop Search will index headers and subject Integration with Exchange in the Cloud Integration with Exchange Online Brings new Exchange Server capabilities to the cloud Gives you greater control over your online environment Makes migration and coexistence smoother Co-Existence On-Premises Hosted Service Cross Premise IRM Exchange Online tenants get all IRM capabilities, except for Prelicensing After setup, all RMS transactions in Datacenter executed within Datacenter Clients continue to call web services on premise AD RMS Exchange Online Contoso Premise Contoso Tenant Import Private Key AD RMS Integration with SharePoint Server New feature introduced with SharePoint Server 2007 • Not supported in Windows SharePoint Services SharePoint libraries can be configured to automatically apply protection to documents Documents get protected automatically on download • Documents are stored on the database without additional protection Users receive rights based on the rights over the library SharePoint IRM How Does SharePoint IRM Work? Documents stored in clear text in the database • Provides indexing and search capabilities, content listed on search based on ACLs Documents protected each time user downloads the file • After a user selects a file, it is protected and provided to the client • Protection derived from user permissions in the library • SharePoint requires online access to the AD RMS infrastructure • If connection fails, the file won’t be provided to the client When protected file is uploaded to the portal, the content protection is removed • This feature optimizes document lifecycle into SharePoint • Only works for documents protected by SharePoint How Does SharePoint Server IRM Work? MOSS Database MOSS Server Document Publisher AD RMS Server Document Consumer High Availability & Disaster Recovery 65 RMS Cluster Log DB RMS Web Services •Certification •Publishing •Licensing NLB Clients connect to Active Directory Service Connection Point for all services Single AD Forest Simple, scalable and redundant SQL Server •Configuration •Logging RMS “Root” Certification Cluster RMS Web Services •Certification •Publishing •Licensing NLB Clients connect to Active Directory Service Connection Point for all services Single AD Forest For departmental control over licensing, policy templates SQL Server Sub-enrolled Licensing Cluster SQL Server Note: Sub-enrolled Licensing server has its own database. •Configuration •Logging RMS “Root” Certification Cluster RMS Web Services NLB RMS Web Services •Certification •Publishing •Licensing •Publishing •Licensing NLB Registry settings point departmental users to subordinate licensing cluster HKLM\Software\ Microsoft\MSDRM\ ServiceLocation\ EnterprisePublishing = http://<FQDN>/_wmcs/licensing Corporate users without registry overrides point to root cluster for licensing AD Service discovery points all corporate users to SCP for certification Multiple Certification, Single License RMS Certification only NLB Multiple AD Forest RMS Certification & Licensing RMS Certification only NLB NLB Registry override points all users to common licensing server Use 64 Bit Almost twice as much performance using 64 bit over 32 bit Quad core servers are usually the sweet spot in cost/performance • Exchange pre-licensing agent acquires use licenses on delivery, not consumption • Pre-licensing has a default tolerance of approx. three minutes • Significant impact to peak load • Exchange batches requests, which gains some, though not significant, efficiency # Users Amount of time to consume (in hours) Peak License Requests per min Peak License Requests per sec No prelicensing 50,000 4 209 3.5 Using prelicensing 50,000 4 16,667 278 Item Estimate Number of Users 100,000 E-mails read per day per user 75 Number of e-mail messages per day 7,500,000 Percentage of messages with AD RMS protection 10% AD RMS Messages per day 750,000 per hour (10 hour day) 75,000 per minute 1250 per second 21 Average RMS load (for calculating logging DB size) # of Users Average emails sent individually per day per user Number of average recipients in individual emails Average emails sent to DLs per day per user Number of average recipients in a DL % of emails sent individually to be protected % of emails sent to DLs to be protected % of email in DLs that's read Number of documents created/edited per user per day Number of documents read per user per day % of documents to be protected manually Number of documents downloaded from protected sharepoint libraries per user per day Exchange pre-licensing in use 12,000 20 3 1 10 5% 1% 75% users emails recipients emails recipients 20 documents 20 documents 10% 0 documents TRUE Protected individual messages licenses per user # of protected emails sent per day # of protected emails read per day 12,120 37,200 Protected DL messages licenses per user 1 0.01 3 0.1 Documents manually protected # of protected documents read per day (does not include attachments) # of licenses issued per day # of licenses issued per month 24,000 2 Attachments don't need to be counted as they are not independently licensed 61,200 1,836,000 9180000000 8964843.75 8754.73022 8.54954123 0.00834916 Bytes /mo KB/mo MB/mo GB/mo TB / mo Without Pre-licensing Using Pre-licensing UL UL UL http://technet.microsoft.com/en-us/library/cc747731.aspx http://technet.microsoft.com/en-us/library/cc747585.aspx http://technet.microsoft.com/en-us/library/cc747691.aspx 94 http://technet.microsoft.com/en-us/library/dd941589(WS.10).aspx http://technet.microsoft.com/en-us/library/dd941624(WS.10).aspx 95 To back up AD RMS, back up: Back up as required depending on volume and policy of organization • AD RMS certification cluster configuration database • Each AD RMS licensing cluster configuration database • Trusted Publishing Domain • Logging DB: daily or as the acceptable logging information loss dictates. Frequent local backup of transaction logs • DS Cache: whenever AD RMS version changes or servers are installed • The logging database content should be migrated to an archival database If AD RMS server fails If SQL Server fails and no SQL cluster Best practice: Use cluster name for AD RMS cluster • Reinstall server, add to existing cluster • Reinstall Windows, SQL Server, restore DB backup • If node is corrupt or damaged, reinstall AD RMS server(s) adding them to the same cluster. Might ask for private key password • Provides flexibility when restoring server to new host name Reprovision the server with original DB • AD RMS needs to connect to the original DB and you need to provide the Cluster Key Password While reinstalling AD RMS, the original configuration database will be detected • Choose Join when prompted to Join or create a new cluster • A new logging database will be created if needed If the root certification cluster is being reinstalled • Must keep service connection point in Active Directory for provisioning • If SCP is not present, setup will try to create a new cluster DB CNAME Log Shipping Site A Site B www.sapien.com here http://europe.msteched.com www.microsoft.com/learning http://microsoft.com/technet http://microsoft.com/msdn http://europe.msteched.com/sessions