
Module 11

Implementing and administering AD RMS

Module Overview

Overview of AD RMS
Deploying and managing an AD RMS infrastructure
Configuring AD RMS content protection
Lesson 1: Overview of AD RMS

What is AD RMS?
Usage scenarios for AD RMS
Overview of AD RMS components
AD RMS certificates and licenses
How AD RMS works
What is Azure RMS?
Comparing AD RMS, Azure RMS, and Azure RMS for Office 365
What is AD RMS?

An information protection technology that:
Reduces data leakage by design, because protection travels with the content rather than with the file share or mailbox it is stored in
Integrates with certain Microsoft products and Windows Server operating systems
Helps protect data in transit, at rest, and in essentially any location
Usage scenarios for AD RMS

The primary use for AD RMS is to control the distribution of sensitive information, and typical usage scenarios include:
Helping to prevent unauthorized access to confidential documents, regardless of their location
Using action-based permissions (view, edit, print, forward) that are tied to AD DS accounts
Helping to prevent confidential emails from leaving an organization
Overview of AD RMS components

The AD RMS cluster:
Is created when you deploy the first AD RMS server; additional servers join the same cluster and share its database and keys
The AD RMS server:
Licenses AD RMS-protected content
Certifies the identity of trusted users and devices
The AD RMS client:
Is built in to Windows Vista, Windows 7, and later
Interacts with AD RMS-enabled apps
AD RMS-enabled apps:
Allow for the publication and consumption of AD RMS-protected content
Include Office, Exchange Server, and SharePoint Server
Can be created by using the AD RMS SDK
AD RMS certificates and licenses

AD RMS certificates and licenses include:
Server licensor certificates (SLCs), which hold the cluster's public key and sign every other certificate the cluster issues
AD RMS machine certificates, which identify a trusted device
Rights account certificates (RACs), which bind a user's AD DS identity to a key pair
Client licensor certificates (CLCs), which let an author publish content while offline
Publishing licenses (PLs), which carry the usage rights and the encrypted content key with the protected file
End-user licenses (use licenses), which are issued to a recipient and contain the content key encrypted to that recipient's key
How AD RMS works

[Diagram: Author, App and File on the publishing side; the AD RMS server in the middle; Recipient on the consuming side. The numbered steps read:]
1. The author configures rights protection.
2. The server issues a client licensor certificate.
3. The author defines a collection of usage rights and conditions.
4. The app encrypts the file with a symmetric key.
5. The symmetric key is encrypted to the server's public key.
6. The app or browser requests a use license from the server.
7. The server issues a use license.
8. The server decrypts the symmetric key by using its private key.
9. The server re-encrypts the symmetric key by using the recipient's public key and adds the encrypted session key to the use license.
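The key handling behind steps 4 to 9 is easy to lose in the diagram, so here is a local simulation of it. This is an added example, not course material and not AD RMS code: it uses .NET crypto classes from Windows PowerShell 5.1 or PowerShell 7 on Windows, generates every key pair and the sample file in-process, and never contacts a cluster. Key sizes, padding and the AES mode are chosen for clarity and do not reproduce the real AD RMS wire format (defined in MS-RMPR); the rights check the server performs before issuing a license is left out.

```powershell
# Added example (not from the course): the symmetric-key round trip of
# steps 4 to 9, simulated with .NET crypto. No AD RMS server is involved.

# Long-lived key pairs. In AD RMS the server's pair belongs to the server
# licensor certificate (SLC); the recipient's pair is bound to their RAC.
$server    = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$recipient = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# Public halves only, as the authoring app and the server actually hold them.
$serverPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$serverPub.ImportParameters($server.ExportParameters($false))
$recipientPub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$recipientPub.ImportParameters($recipient.ExportParameters($false))

# Step 4: the authoring app encrypts the file with a fresh symmetric key.
$plain = [Text.Encoding]::UTF8.GetBytes('Research notes: constructed sample content')
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 128
$aes.GenerateKey(); $aes.GenerateIV()
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
$iv = $aes.IV

# Step 5: the symmetric key is encrypted to the server's public key and
# travels with the file inside the publishing license. The file itself is
# never sent to the server, and the author never holds the server's private key.
$wrappedForServer  = $serverPub.Encrypt($aes.Key, $true)   # RSA-OAEP
$publishingLicense = @{ WrappedKey = $wrappedForServer; Rights = 'View only' }

# Steps 6 to 9, on the server side.
function New-UseLicense {
    param($PublishingLicense, $RecipientPublicKey, $ServerPrivateKey)
    # Step 8: only the holder of the server private key can unwrap the key.
    $symKey = $ServerPrivateKey.Decrypt($PublishingLicense.WrappedKey, $true)
    # Step 9: re-encrypt it to the recipient's public key. The recipient's
    # private key never leaves their machine; the server never saw the file.
    $rewrapped = $RecipientPublicKey.Encrypt($symKey, $true)
    [Array]::Clear($symKey, 0, $symKey.Length)   # drop the plaintext key
    # Step 7: the use license carries the re-wrapped key and the rights.
    return @{ WrappedKey = $rewrapped; Rights = $PublishingLicense.Rights }
}
$useLicense = New-UseLicense $publishingLicense $recipientPub $server

# Consumption: the recipient unwraps the key and decrypts the content.
$aesR = [System.Security.Cryptography.Aes]::Create()
$aesR.Key = $recipient.Decrypt($useLicense.WrappedKey, $true)
$aesR.IV  = $iv
$decrypted = $aesR.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
"Recipient reads: $([Text.Encoding]::UTF8.GetString($decrypted))"

# Negative check: someone holding the file and the publishing license but no
# use license has only a key wrapped to the server, which they cannot open.
$outsider = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
try   { $outsider.Decrypt($publishingLicense.WrappedKey, $true) | Out-Null }
catch { "Outsider cannot unwrap the content key: $($_.Exception.GetType().Name)" }
```

The point to take away is where each secret lives: the content key exists in the clear only inside the authoring app and, briefly, inside the server while it is re-wrapped; the server's private key is the single thing that can turn a publishing license into a use license, which is why the SLC key material is the asset to protect and back up.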
What is Azure RMS?

Azure RMS is RMS protection from the cloud
Azure RMS is available in Office 365 Enterprise E3, Office 365 ProPlus, and as a separate service
Azure RMS provides:
IRM integration with Office Professional
Exchange Online IRM integration
SharePoint Online IRM integration
Windows Server FCI integration
The RMS sharing application, which integrates with File Explorer
Comparing AD RMS, Azure RMS, and Azure RMS for Office 365

Feature                                          AD RMS   Azure RMS   Azure RMS for Office 365
IRM for on-premises Exchange Server and
SharePoint Server                                Yes      Yes         Yes
IRM for Exchange Online and SharePoint Online    No       Yes         Yes
The ability to share with any organization
without further configuration                    No       Yes         Yes
Default templates                                No       Yes         Yes
The ability to protect any file type             Yes      Yes         Yes
RMS-protected document tracking                  No       Yes         No
Mobile device support                            Yes      Yes         Yes
Lesson 2: Deploying and managing an AD RMS infrastructure

AD RMS deployment scenarios
Configuring the AD RMS cluster
Demonstration: Installing the first server of an AD RMS cluster
AD RMS client requirements
Implementing an AD RMS backup and recovery strategy
Decommissioning and removing AD RMS
Monitoring AD RMS
Implementing external sharing
AD RMS deployment scenarios

Deployment scenarios for AD RMS:
Deployed in a single forest
Deployed in multiple forests
Used on an extranet
Integrated with AD FS
Deployed in Azure as an Azure RMS service
Configuring the AD RMS cluster
AD RMS configuration includes configuring the
following components:
New or existing cluster
Configuration database
Service account
Cryptographic mode
Cluster key storage
Cluster key password
Cluster website
Cluster address
Licensor certificate
Service connection point registration
Demonstration: Installing the first server of an AD RMS cluster

In this demonstration, you will see how to:
Configure a service account
Prepare DNS
Install the AD RMS role
Configure AD RMS
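The same four steps as an unattended script, added here as an example; it is not the course's demonstration script and not Microsoft's. It is run as a domain administrator on the server that will become the first node (LON-SVR1 in the lab). The domain name, the service account name, the cluster FQDN, the DNS server and the IP address are assumptions to replace. The AdRmsInstall provider item and property names are reproduced from the AD RMS deployment cmdlet reference as I remember it, so the script lists the provider's items before setting anything; check the names it prints against the ones used below.

```powershell
# Added example (not course material): first AD RMS server, end to end.
$domain      = 'adatum.com'                  # assumed
$svcName     = 'ADRMSSVC'                    # assumed service account
$clusterFqdn = "adrms.$domain"               # assumed cluster name
$dnsServer   = "LON-DC1.$domain"             # assumed DNS server
$serverIp    = '172.16.0.21'                 # assumed address of this server

# 1. Service account: a plain domain user, not a domain admin; setup grants it
#    the local rights it needs. Password never expires so licensing does not
#    stop on a missed rotation; rotate it deliberately with Set-RmsSvcAccount.
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $domain\$svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName "$svcName@$domain" `
    -AccountPassword $svcPassword -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'AD RMS service account'

# 2. DNS: the cluster URL is written into every license the cluster issues and
#    cannot be changed afterwards, so it must be an alias that can later be
#    repointed to a load balancer, never the server's own host name.
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $domain `
    -Name 'adrms' -IPv4Address $serverIp

# 3. Role and management tools.
Install-WindowsFeature ADRMS -IncludeManagementTools

# 4. Cluster configuration through the AdRmsInstall provider.
Import-Module ADRMS
New-PSDrive -PSProvider AdRmsInstall -Name RC -Root RootCluster | Out-Null
Get-ChildItem RC:\ | Format-Table -AutoSize     # confirm item names on this build

$svcCred = New-Object System.Management.Automation.PSCredential ("$domain\$svcName", $svcPassword)
$clusterKeyPassword = Read-Host -AsSecureString -Prompt 'Cluster key password (keep a copy offline)'

# WID is acceptable only for a lab; a single-node WID cluster cannot grow.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcCred
# Centrally managed key: the SLC private key is stored in the database,
# encrypted with this password. A CSP or HSM is the alternative.
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPassword
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://${clusterFqdn}:443"
Set-ItemProperty -Path RC:\ -Name SLCName -Value 'Adatum AD RMS Root Cluster'
Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true   # needs Enterprise Admins

Install-ADRMS -Path RC:\ -Force
Remove-PSDrive RC

# Check: the service connection point clients use to find the cluster.
$scp = "CN=SCP,CN=RightsManagementServices,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $scp -Properties serviceBindingInformation |
    Select-Object -ExpandProperty serviceBindingInformation
```

Two of the choices above are the ones that hurt if they are wrong later: the cluster URL (fixed for the life of the content) and the cluster key password (without it the SLC private key in the database is unrecoverable). Use HTTPS for the cluster URL with a certificate issued to the alias, and bind it on the website before the first client connects.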
AD RMS client requirements

The client is included in Windows Vista or newer
The client is included in Windows Server 2008 and newer
The client is available for download for Windows XP operating systems and Mac OS X
The AD RMS-enabled applications include Office 2007 and newer
Exchange Server 2007 and newer support AD RMS
The AD RMS client needs an RMS CAL
Implementing an AD RMS backup and recovery strategy

Back up the private key and the certificates
Ensure that the AD RMS database is backed up regularly
Export templates to back them up
Run the AD RMS server as a VM, and perform a full server backup
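A scripted version of the first three items, added as an example rather than taken from the course. The SQL Server instance, the backup share, the cluster URL and the template export share are assumptions. Export-RmsTPD (ADRMSAdmin module) and Backup-SqlDatabase (SqlServer module) are the real cmdlets; the AdRmsAdmin provider path for trusted publishing domains is reproduced from the reference as I remember it and is listed before use.

```powershell
# Added example (not course material): back up SLC key, templates, databases.
$backupRoot    = "\\LON-BACKUP\adrms\$(Get-Date -Format yyyyMMdd)"   # assumed
$clusterUrl    = 'https://adrms.adatum.com'                          # assumed
$sqlServer     = 'LON-SQL1'                                          # assumed
$templateShare = '\\LON-SVR1\RmsTemplates'                           # assumed export folder
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# 1. Private key and certificates. The SLC and its private key leave the
#    cluster only as a password-protected trusted publishing domain (TPD) file.
#    Without this file and its password, nothing published by this cluster can
#    be recovered after a loss; store the password in a separate vault.
Import-Module ADRMSAdmin
New-PSDrive -PSProvider AdRmsAdmin -Name Z -Root $clusterUrl | Out-Null
Get-ChildItem Z:\TrustPolicy\TrustedPublishingDomain | Format-Table -AutoSize
$tpdPassword = Read-Host -AsSecureString -Prompt 'TPD export password'
Get-ChildItem Z:\TrustPolicy\TrustedPublishingDomain | ForEach-Object {
    $file = Join-Path $backupRoot "TPD-$($_.Name).xml"
    Export-RmsTPD -Path "Z:\TrustPolicy\TrustedPublishingDomain\$($_.Name)" `
        -SavedFile $file -Password $tpdPassword
}
Remove-PSDrive Z

# 2. Rights policy templates: copy the folder the console exports them to.
Copy-Item -Path $templateShare -Destination (Join-Path $backupRoot 'Templates') -Recurse

# 3. Configuration, directory services and logging databases. Their names
#    carry the cluster host name and port, so match by prefix.
Import-Module SqlServer
Get-SqlDatabase -ServerInstance $sqlServer | Where-Object Name -like 'DRMS_*' | ForEach-Object {
    Backup-SqlDatabase -ServerInstance $sqlServer -Database $_.Name `
        -BackupFile (Join-Path $backupRoot "$($_.Name).bak") -CompressionOption On
}

# What must exist for a rebuild: at least one TPD file and the config database.
Get-ChildItem $backupRoot -Recurse -File | Select-Object FullName, Length
```

Treat the TPD file like the private key it is: it is exactly what a trusted publishing domain import on another cluster consumes, so anyone who obtains it together with its password can issue use licenses for all of the cluster's content.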
Decommissioning and removing AD RMS

Decommission an AD RMS cluster prior to removing it:
A decommissioned cluster answers every license request by returning a key that decrypts the requested content, so users and applications can remove protection from previously published AD RMS content
Leave the server in a decommissioned state until all the AD RMS-protected content is migrated or unprotected; once the role is removed, content still encrypted to the cluster's key is unreadable
Export the server licensor certificate (with its private key) prior to uninstalling the AD RMS role
Monitoring AD RMS

AD RMS provides built-in monitoring and reporting capabilities
Microsoft Report Viewer is needed for reporting
The available reports are:
Statistics
Health
Troubleshooting
Operations Manager can monitor AD RMS with an existing management pack
Implementing external sharing

Trusted user domains (TUDs) let a cluster issue use licenses to users whose RACs were issued by another organization's cluster, so the two organizations can exchange protected content
Trusted publishing domains (TPDs) import another cluster's server licensor certificate and private key, so one cluster can license content the other published; used to consolidate the AD RMS architecture
Federated trusts (AD FS) enable users from partner organizations to access and use a local AD RMS infrastructure without a TUD
Microsoft accounts enable standalone users to access AD RMS content
The Azure authentication system enables an AD RMS cluster to work with partner organizations without requiring a direct federation trust
Lesson 3: Configuring AD RMS content protection

What are rights policy templates?
Demonstration: Creating a rights policy template
Providing rights policy templates for offline use
What are exclusion policies?
Demonstration: Creating an exclusion policy for an app
AD RMS Super Users group
What are rights policy templates?

Rights policy templates:
Allow authors to apply standard forms of protection across an organization
Are honored by different apps, each of which supports different forms of rights
Allow you to configure rights related to viewing, editing, and printing documents
Allow you to configure content expiration
Allow you to configure content revocation
Demonstration: Creating a rights policy template

In this demonstration, you will see how to create a rights policy template that allows users to view a document but not to perform other actions
Providing rights policy templates for offline use

1. Enable the AD RMS Rights Policy Template Management (Automated) scheduled task
2. Edit the registry key to specify the template shared folder location
3. Publish templates to a shared folder
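The three steps on a client, as an added example (not course material). It runs on a Windows client with the AD RMS client present. The share path and the Office version are assumptions; the scheduled-task folder is the one the AD RMS client registers on current Windows builds as far as I know, so the script lists that folder before touching it. The registry value set in step 2 is the Office IRM client's per-user template path, one concrete form of the slide's "registry key"; the AD RMS client keeps its own task settings under HKLM:\SOFTWARE\Microsoft\MSDRM\TemplateManagement, which the script only reads.

```powershell
# Added example (not course material): offline templates on a client.
$share   = '\\LON-SVR1\RmsTemplates'   # assumed share the cluster exports templates to
$office  = '16.0'                      # assumed Office version
$taskDir = '\Microsoft\Windows\Active Directory Rights Management Services Client\'

# 1. The distribution task ships disabled. List the folder first, then enable
#    the automated task and run it once so the cache is filled now rather than
#    on the next schedule.
Get-ScheduledTask -TaskPath $taskDir | Select-Object TaskName, State
$task = Get-ScheduledTask -TaskPath $taskDir `
            -TaskName 'AD RMS Rights Policy Template Management (Automated)'
$task | Enable-ScheduledTask | Out-Null
$task | Start-ScheduledTask
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDRM\TemplateManagement' -ErrorAction SilentlyContinue

# 2. Point the Office IRM client at the shared folder (per-user value).
$drmKey = "HKCU:\Software\Microsoft\Office\$office\Common\DRM"
New-Item -Path $drmKey -Force | Out-Null
New-ItemProperty -Path $drmKey -Name AdminTemplatePath -PropertyType ExpandString `
    -Value $share -Force | Out-Null

# 3. Templates are published to the share from the AD RMS console. Confirm the
#    client can read them, and that the local cache the task fills exists.
Get-ChildItem -Path $share -Filter *.xml | Select-Object Name, LastWriteTime
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
Get-ChildItem -Path $cache -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime
```

Restrict the share to read-only for users: a template file is trusted by the clients that load it, and whoever can write to the folder can change the rights every author applies.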
What are exclusion policies?

Exclusion policies enable you to:
Block specific users from accessing AD RMS-protected content by blocking their RACs (the cluster refuses to issue use licenses to the excluded RAC)
Block specific apps, by executable name and version range, from creating or consuming AD RMS-protected content
Block specific versions of the AD RMS client (lockbox)
Demonstration: Creating an exclusion policy for an app

In this demonstration, you will see how to exclude the PowerPoint app from AD RMS
AD RMS Super Users group

The Super Users group members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the Super Users group is configured
The Super Users group:
Is not configured by default
Can be used as a data recovery mechanism for AD RMS-protected content:
Can recover content that has expired
Can recover content if the template is deleted
Can recover content without requiring author credentials
Must be an Active Directory security group with an assigned email address (AD RMS identifies members through the email address in their RAC)
Should be kept empty and disabled except while a recovery is in progress, because every member can decrypt everything the cluster has ever licensed
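Creating and enabling the group from PowerShell, as an added example (not course material). The cluster URL, the group name, its mail address and the OU are assumptions. New-ADGroup is the standard Active Directory cmdlet; the AdRmsAdmin provider path and property names for Super Users are reproduced from the AD RMS administration cmdlet reference as I remember it, so the script lists the SecurityPolicy items before changing them.

```powershell
# Added example (not course material): Super Users group, created and enabled.
$clusterUrl = 'https://adrms.adatum.com'                 # assumed
$groupName  = 'ADRMS-SuperUsers'                         # assumed
$groupMail  = "$groupName@adatum.com"                    # assumed
$groupOu    = 'OU=Security Groups,DC=adatum,DC=com'      # assumed

# Security group with a mail attribute; universal scope so it resolves across
# the forest. Create it empty: membership is the privilege, not the group.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security `
    -GroupScope Universal -Path $groupOu -OtherAttributes @{ mail = $groupMail } `
    -Description 'AD RMS Super Users: members can decrypt all cluster content'

Import-Module ADRMSAdmin
New-PSDrive -PSProvider AdRmsAdmin -Name Z -Root $clusterUrl | Out-Null
Get-ChildItem Z:\SecurityPolicy | Format-Table -AutoSize   # confirm item names

# Bind the group to the cluster and switch the feature on.
Set-ItemProperty -Path Z:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value $groupMail
Set-ItemProperty -Path Z:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true
Get-ItemProperty -Path Z:\SecurityPolicy\SuperUser

# Evidence for the audit trail: who is in the group right now.
Get-ADGroupMember -Identity $groupName -Recursive | Select-Object SamAccountName, objectClass

# After the recovery, turn the feature off again rather than leaving it armed.
Set-ItemProperty -Path Z:\SecurityPolicy\SuperUser -Name IsEnabled -Value $false
Remove-PSDrive Z
```

Alert on membership changes to this group on the domain controllers (security events 4756 for universal groups, 4728 for global) and review the AD RMS logging database for licenses issued to its members: a Super User decrypting content leaves no trace in the content itself.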
Lab: Implementing an AD RMS infrastructure

Exercise 1: Installing and configuring AD RMS
Exercise 2: Configuring AD RMS templates
Exercise 3: Using AD RMS on clients

Logon Information
Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 60 minutes
Lab Scenario

A. Datum Corporation performs highly confidential research, so their security team wants to implement additional security for some of the documents that the Research department creates. The security team is concerned that anyone with read access to the documents can modify and distribute them in any way that they choose. The security team wants to provide an extra level of protection that stays with a document even if it moves around the network or outside of the network.

As a senior network administrator at A. Datum Corporation, you must plan and implement an AD RMS solution that will help to provide the level of protection that the security team requested. The AD RMS solution must provide many options that can be adapted for a wide variety of business and security requirements.
Lab Review

What steps can you take to help ensure that you can use IRM services with the AD RMS role?
Module Review and Takeaways

Review Questions
Best Practice