Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step
Discussion Topics
• Stage 0: Preparing for an RMS Deployment
• Stage 1: Server Deployment
• Stage 2: Client Deployment
• Stage 3: Using Information Rights Management
• Additional Technical Details
Infrastructure Requirements
• RMS server: Windows Server 2003 Std. with IIS, ASP.NET, .NET Framework & MSMQ
• Database such as SQL Server 2000 SP3 (or MSDE 2000 SP3)
• Active Directory (W2K or above)
• Global Catalog Server on W2K or above
• Mail attribute configured for each AD account
• Optional: Exchange 2000, DLs, GAL
• Enterprise Admin user account
• Optional: SSL certificate, HSM
Pre-Install Preparations
• Create a service account for RMS in Active Directory
  • This account only needs Domain Users access
• Grant the SQL “Database Creators” role to the administrator’s log-on account (not the service account)
• Note: RMS creates DB data files in SQL’s default location – change the default location before provisioning if you want to store the files somewhere else
RMS Installation
• Join the Windows Server 2003 machine to the AD domain
• Log on to the Windows Server 2003 machine as a domain user that has local Admin authority
• Add the IIS, ASP.NET and MSMQ components
• Install RMS (rmssetup.exe) as a local Administrator
• Install a database such as SQL Server 2000 SP3 or MSDE 2000 SP3 on a separate server (or the same one)
• Note: servers upgraded from Windows 2000, and servers locked down beyond the Windows Server 2003 defaults, can fail the next steps
RMS Pre-Provisioning
• Start the RMS Administration page
• RMS determines whether it is the first RMS server via an LDAP query to AD for an existing SCP
  • If first, it provisions as a root Certification server
  • If not, it provisions as a Licensing server
RMS Provisioning – Input
• Choose local or remote database – i.e. whether the database is on the same or a different server
• Choose LocalSystem or the RMS service account
• Configure the URL where RMS will be found (i.e. match this to the DNS entry for the service)
• Select the protection method for the server’s private key – software or HSM
• Configure a proxy server address (if this server must communicate with the Internet through a proxy server)
• Give the server a descriptive name in the Licensor certificate box
• Add the email address of the RMS administrator
• Specify a third-party revocation agent, if any, for your server
RMS Provisioning – Root Server
• During the Root Certification server provisioning:
  • RMS creates the application pool
  • RMS configures IIS
  • RMS configures MSMQ
  • RMS creates database instances on the database server (such as SQL Server or MSDE)
  • RMS performs a UDDI query to find the MSN RMS activation service
  • RMS creates the server’s public/private keypair
  • RMS requests a root certification server license from the MSN RMS activation service
    • RMS sends the server public key in the request
    • The MSN RMS activation service creates the Server Licensor Certificate (SLC)
  • RMS receives the SLC, installs it and completes provisioning
RMS Provisioning – License Server
• During the Licensing server sub-enrollment:
  • RMS creates the application pool
  • RMS configures MSMQ
  • RMS creates new database instances
  • RMS performs an AD lookup to find the root certification cluster
  • RMS requests a server licensor certificate from the root certification cluster
    • The root certification server creates a public/private keypair for the licensing server and signs a server licensor certificate for it
  • RMS receives the server licensor certificate and private key from the root certification cluster
Summary of Infrastructure Changes Made by the RMS Server
• NO SCHEMA CHANGES in AD
  • RMS uses the existing Service Connection Point object class
  • RMS adds one record to the Config container in AD
RMS Client Installation
• Assumed:
  • Each “user” has the ability to install software
    • By default, granted to Power Users or Administrators
    • SMS or Group Policy support this as well
• The RMS client install makes these changes:
  • Installs client libraries in %systemroot%\system32
  • Adds the actmachine.exe utility to %systemroot%\system32\DRM
  • Creates registry entries in HKLM\Software\Microsoft
• This step is combined with Client Activation – activation is attempted at the end of the install
  • Installation can still succeed if activation fails
  • Activation also requires admin-level authority, so it’s useful to perform both steps at once
RMS Client Activation
• Assumptions:
  • “User” has the ability to install software
  • RMS Client already installed
• On a Windows client with the RMS Client software installed:
  • Client performs service discovery – looks for an enterprise RMS server
  • Client sends an Activation request to RMS or to MSN directly (depending on service discovery), with the client HWID
  • The MSN Activation server generates an RSA keypair, inserts the machine’s private key in the lockbox, and includes the machine’s public key and HWID in the machine certificate
  • The MSN Activation server sends the lockbox and certificate as a CAB file to the requestor, where they are unpacked and installed on the client
• Activation makes these changes:
  • Writes secrep.dll to %windir%\system32
  • Writes Cert-Machine.drm to %allusersprofile%\Application Data\Microsoft\DRM
  • Writes to the registry under HKLM\Software\Microsoft (MSDRM and uDRM keys)
RMS User Certification (1)
• Assumptions:
  • RMS Client already installed and activated
  • No special requirements for the user
• The application attempts an RMS operation for a user and determines the user has no RAC
• The application performs service discovery to find out which Certification server to use:
  • Registry overrides
  • AD lookup for the SCP
  • Direct request to Microsoft (MSN)
• The application asks the user whether to use Passport or Windows credentials
RMS User Certification (2)
• The application forms the request and calls the RMS Client APIs, specifying the machine public key, a “permanent”/“temporary” RAC request, and the Windows or Passport authority
• The RMS client APIs make the certification request to the Enterprise RMS Server (or MSN if Passport)
• The RMS server does the following:
  • Receives authentication confirmation from IIS
  • Looks up the user’s email address in AD
  • Creates a public/private keypair for the user
  • Encrypts the user’s RAC private key with the client machine public key
  • Embeds the RAC keypair in the RAC and sends the RAC back to the client
Terminology Review
• Lockbox: unique per-machine security DLL
  • Stores the machine’s private key
• RAC: user’s RM Account Certificate
  • Identity of the user [one per user]
  • aka “Group Identity Certificate” (GIC)
• CLC: user’s Client Licensor Certificate
  • Copy of the server’s public key for publishing [one per user]
  • Also contains the publishing keypair for the user
• PL: document’s Publishing License
  • Where the rights and the content key are stored [one per document]
  • aka “Issuance License” (IL)
• UL: Use License
  • Where the user’s copy of the content key is stored [one per document per user]
  • aka “End User License” (EUL)
Publishing Rights-Protected Content Using Office 2003
• Assumed:
  • User has a RAC & CLC from the RMS server for offline publishing
  • Office 2003 & RMS client already installed & activated
• Offline publishing steps:
  • User creates a document and tries to rights-protect it
  • Client creates a random symmetric key (Content Key)
  • User selects email addresses for users and groups
  • The Office app creates a publishing license with the rights, emails, and the encrypted Content Key
    • The Content Key is encrypted with the RMS server’s public key (found in the CLC)
  • The publishing license is added to the encrypted document as another piece of the compound document
Editing/Viewing Rights-Protected Content (Office 2003, RMA)
• Assumption:
  • User has already acquired their RAC
• Client requests a UL:
  • Client opens the publishing license, finds the server’s URL and the allowed users
  • Client looks for any existing Use Licenses (UL)
  • If none, a UL request (along with the user’s RAC) is sent to the server
  • The RMS Server decrypts the Content Key with the server private key
  • The server encrypts the Content Key with the user’s RAC public key and includes it in the UL that is sent to the user
• The RMS Client checks the RAC & UL (during “bind”)
  • If the RAC is persistent, the SID in the RAC must also match the logged-on user
• The RMS Client decrypts the Content Key from the Use License using the RAC private key
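The two slides above (offline publishing, then UL acquisition) describe one key-wrapping chain: the Content Key is wrapped under the server public key in the PL, the server unwraps it and re-wraps it under the requesting user’s RAC public key in the UL, and only the holder of that RAC private key can recover it. The following Go program is an added model of that chain written for this page; it is not Microsoft code and does not produce real XrML licenses. It assumes RSA-OAEP for key wrapping and AES-GCM for the document body, and treats a "certificate" as just a public key; the email addresses, server URL and document text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublishingLicense mirrors the PL from the slides: the allowed users with their
// rights, the server URL, and the Content Key wrapped under the server public key.
type PublishingLicense struct {
	ServerURL  string
	Allowed    map[string]string // email -> right granted ("view", "edit", ...)
	EncContent []byte            // Content Key, RSA-OAEP under the server public key
}

// UseLicense mirrors the UL: the same Content Key, re-wrapped under the RAC public key.
type UseLicense struct {
	User       string
	Right      string
	EncContent []byte // Content Key, RSA-OAEP under the user's RAC public key
}

func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func wrap(pub *rsa.PublicKey, key []byte) []byte {
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		panic(err)
	}
	return out
}

func unwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Publish is the offline client step: random Content Key, body sealed with AES-GCM,
// Content Key wrapped under the server public key taken from the CLC.
func Publish(serverPub *rsa.PublicKey, serverURL string, allowed map[string]string, plaintext []byte) (PublishingLicense, []byte, []byte) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(contentKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	pl := PublishingLicense{ServerURL: serverURL, Allowed: allowed, EncContent: wrap(serverPub, contentKey)}
	return pl, nonce, body
}

// IssueUseLicense is the server step: refuse anyone not named in the PL, otherwise
// unwrap the Content Key with the server private key and re-wrap it for the RAC.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl PublishingLicense, user string, racPub *rsa.PublicKey) (UseLicense, error) {
	right, ok := pl.Allowed[user]
	if !ok {
		return UseLicense{}, errors.New("user not named in publishing license")
	}
	ck, err := unwrap(serverPriv, pl.EncContent)
	if err != nil {
		return UseLicense{}, err
	}
	return UseLicense{User: user, Right: right, EncContent: wrap(racPub, ck)}, nil
}

// Consume is the client "bind": recover the Content Key from the UL with the RAC
// private key, then open the body. A wrong RAC key fails at the unwrap step.
func Consume(racPriv *rsa.PrivateKey, ul UseLicense, nonce, body []byte) ([]byte, error) {
	ck, err := unwrap(racPriv, ul.EncContent)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(ck)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, nonce, body, nil)
}

func main() {
	server, aliceRAC := genKey(), genKey() // server key and Alice's RAC keypair (sample)
	pl, nonce, body := Publish(&server.PublicKey, "https://rms.example.com", map[string]string{"alice@example.com": "view"}, []byte("sample memo"))
	ul, err := IssueUseLicense(server, pl, "alice@example.com", &aliceRAC.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, _ := Consume(aliceRAC, ul, nonce, body)
	fmt.Printf("alice gets %q with right %q\n", pt, ul.Right)
	_, err = IssueUseLicense(server, pl, "bob@example.com", &aliceRAC.PublicKey)
	fmt.Println("bob:", err)
}
```

The point worth noticing is where each key lives: the publishing client never sees the server private key, the server never needs the document body, and a UL issued to one RAC is useless to the holder of another. That is why the slides stress that the server checks the user list from the PL before issuing a UL, and why the RAC private key (itself wrapped to the machine lockbox) is the asset to protect on the client.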
For More Information: http://www.microsoft.com/rms