MOSS Information Rights Management
Active Directory Rights Management Services (AD RMS) integration
Ashish Bahuguna, ashish.bahuguna@bitscape.com

Agenda
- AD RMS Overview
- AD RMS Architecture Components
- MOSS IRM
- MOSS IRM Demo (Screenshots)
AD RMS Overview
How do you protect your sensitive information from unauthorized distribution?
(Figure: information flowing from the Information Author to the Recipient, alongside USB drives, external users and mobile devices)

Business Reasons for AD RMS
- More data is available electronically
- Information can be distributed easily
- Easy to compromise information intentionally or accidentally
- More privacy regulations are being established (government and industry)
- AD RMS helps with compliance

What AD RMS Does
- Protects documents and email
- Central policy management via templates
- Encrypts data
- Enforces document security after the file is opened
- Decrypts for authorized personnel
- Can restrict other capabilities: Forward, Print, Cut/Copy/Paste

AD RMS Advantages
- Keeps internal information internal
- Helps prevent:
  - Accidental leaks
  - External unauthorized users

Rights Management Services: Persistent Protection
- Encryption + Policy: access permissions and use-right permissions
- Provides identity-based protection for sensitive data
- Controls access to information across the information lifecycle
- Allows only authorized access based on trusted identity
- Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content, and documents are encrypted with 128-bit encryption
- Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

AD RMS Capabilities
(Figure: steps 1 to 3 are labelled "Protection and policy stay with the file", steps 4 to 6 are labelled "Policy"; scenario captions: "Portal stores file in the clear", "Portal protects file on access", "Archive stores file and policy in the clear")
AD RMS Architecture Components
Overview of RMS Components
- Active Directory: authentication, service discovery, group membership
- RMS Server: certification, licensing, templates
- SQL Server: configuration data, logging, cache
- Workstation: RMS lockbox, client API, templates (XML copy)
- Clients and servers compatible with RMS:
  - MOSS 2007: document libraries with IRM
  - Exchange 2007 SP1: pre-licensing (fetching)

Operating System Versions and Clients
- RM client, Windows Vista or higher: Active Directory Rights Management Services (AD RMS) client, integrated with the OS
  - Supported OS: Windows Vista, Windows Server 2008 family
- Legacy client: Microsoft Windows Rights Management Services Client with Service Pack 2
  - Supported OS: Windows 2000 Service Pack 4, Windows Server 2003 Service Pack 1, Windows XP Service Pack 2
- Windows Mobile 6 or higher: RMS client integrated in the operating system

Information Rights Management-aware Applications
RMS-aware Office suite versions:
- Microsoft Office 2003 Standard (read-only)
- Microsoft Office 2003 Professional (read and create content)
- Microsoft Office Ultimate 2007 (read and create content)
- Microsoft Office Professional Plus 2007 (read and create content)
- Microsoft Office Enterprise 2007 (read and create content)
- Other Microsoft Office 2007 versions (read-only)
- Microsoft Pocket Office (Windows Mobile 6 only; email: read and create, documents: read-only*)
RMS-aware applications:
- Microsoft Office Word 2003/2007
- Microsoft Office Excel 2003/2007
- Microsoft Office PowerPoint 2003/2007
- Microsoft Office Outlook 2003/2007
- Microsoft Office InfoPath 2007
- Microsoft Office SharePoint 2007 Standard
- Microsoft Office SharePoint 2007 Enterprise
- Microsoft Exchange 2007 with SP1
- XML Paper Specification (XPS)
* Word, PowerPoint, and Excel
MOSS IRM
Office SharePoint Server 2007 IRM Integration
- Provides Information Rights Management capabilities to Office SharePoint Server 2007
- New feature introduced in Office SharePoint Server 2007; not supported in Windows SharePoint Services 3.0
- Integrated with the document lifecycle management of files stored in document libraries
- Assigns Office IRM permissions based on Office SharePoint Server 2007 permissions
- Optimizes policy enforcement by applying content-based protection without user intervention

How Does Office SharePoint Server 2007 IRM Work?
- Documents are stored in clear text, which provides search capabilities; content is listed in search results based on ACLs
- Documents are protected before the user downloads the file: after a user selects a file, it is protected and then provided to the client
- Office SharePoint Server 2007 requires online access to the AD RMS infrastructure every time a user downloads a protected file; if the connection fails, the file won't be provided to the client
- When a protected file is uploaded to the portal, the content protection is removed
- This feature optimizes the document lifecycle in Office SharePoint Server 2007

Office SharePoint Server 2007 Permissions and IRM Rights

Office SharePoint Server 2007 right | IRM permission
------------------------------------|---------------------
Manage Permissions                  | Full Control
Manage Web                          | Full Control
Edit List Items                     | Edit, Copy, and Save
Manage List                         | Edit, Copy, and Save
Add and Customize Pages             | Edit, Copy, and Save
View List Item                      | Read
All Other Rights                    | No Mapping

File Formats Supported by Office SharePoint Server 2007 IRM
File formats that natively support MOSS IRM integration:
- Office 2003 suite: Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003
- Office 2007 suite: Microsoft Office Word 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office InfoPath 2007
- Microsoft XPS
Additional file formats are supported under MOSS IRM using partner solutions: http://www.microsoft.com/windowsserver2008/en/us/idainformation-protection.aspx

Office SharePoint Server 2007 IRM Prerequisites
- Office SharePoint 2007 farm running on Windows Server 2003 or Windows Server 2008
- Requires at least RMS Client v1.0 with SP2 on all server farm nodes before proceeding with the configuration: http://support.microsoft.com/?kbid=917275
- The ACL on the AD RMS ServerCertification.asmx file must be modified: Read and Execute permissions must be assigned to every server in the server farm
- Additional permissions must be applied in complex scenarios, when multiple service accounts and application pools are used
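The ServerCertification.asmx prerequisite is easy to get wrong on a multi-node farm, so here is an added check (not from the deck or from Microsoft) that reads the file's ACL and reports which farm identities hold Read & Execute. It assumes it runs as an administrator on the AD RMS server, that $AsmxPath is the default AD RMS install location, and that the domain, server names and service account are placeholders.

```powershell
# Added example, not from the deck: check that every MOSS farm server's computer
# account (and any app-pool service account) holds Read & Execute on the AD RMS
# ServerCertification.asmx file.
# Assumptions: run as an administrator on the AD RMS server; $AsmxPath is the
# assumed default AD RMS install location (adjust to your cluster); the domain,
# server names and service account are placeholders.
param(
    [string]$AsmxPath = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx',
    [string]$Domain = 'CONTOSO',
    [string[]]$FarmServers = @('MOSS-WFE01', 'MOSS-WFE02', 'MOSS-APP01'),
    # Application pool / service accounts used in multi-account scenarios (optional).
    [string[]]$ServiceAccounts = @('svc-mossapp')
)

function Test-ServerCertificationAcl {
    param([string]$Path, [string[]]$Identities)

    if (-not (Test-Path -Path $Path)) {
        throw "ServerCertification.asmx not found at $Path"
    }
    $acl = Get-Acl -Path $Path
    $required = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    foreach ($identity in $Identities) {
        # An Allow rule whose rights include all of ReadAndExecute satisfies the check;
        # extra bits such as Synchronize or FullControl are fine.
        $match = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $required) -eq $required)
        }
        [pscustomobject]@{
            Identity          = $identity
            HasReadAndExecute = [bool]$match
        }
    }
}

# Computer accounts appear in the ACL as DOMAIN\NAME$; service accounts as DOMAIN\NAME.
$identities = @($FarmServers | ForEach-Object { "$Domain\$_`$" }) +
              @($ServiceAccounts | ForEach-Object { "$Domain\$_" })

$results = Test-ServerCertificationAcl -Path $AsmxPath -Identities $identities
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.HasReadAndExecute }) {
    Write-Warning 'Some farm identities lack Read & Execute; the prerequisites require it on every farm server.'
}
```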
Office SharePoint Server 2007 IRM Architecture Considerations
- AD RMS certificates for the MOSS server/server farm: Office SharePoint Server 2007 must belong to the same forest as the AD RMS platform in order to get RAC certificates
- AD RMS licensing issuance. NOTE: in multiple-forest scenarios, you can centralize licensing using licensing-only clusters
- Office SharePoint 2007 doesn't support AD RMS policy templates; the permissions supported are provided using the MOSS to IRM mapping

Office SharePoint Server 2007: Enabling IRM Functionality
- Information Rights Management is applied at the server farm level
- Configuration is defined in Central Administration
- MOSS can use the AD SCP (service connection point) to locate the AD RMS cluster, or be configured to use a specific server

Office SharePoint Server 2007 IRM Document Library Settings
(Screenshot: Document Libraries Settings)
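Before choosing the "use the AD SCP" option, it is worth confirming what the forest's SCP actually points at. The following added check (not from the deck or from Microsoft) reads the AD RMS service connection point and compares it with the cluster you intend to use; it assumes a domain-joined machine with read access to the configuration partition, the standard SCP location under CN=Services, and a placeholder $ExpectedUrl.

```powershell
# Added example, not from the deck: read the AD RMS service connection point (SCP)
# that MOSS uses for automatic discovery and confirm it names the intended cluster
# before enabling IRM in Central Administration.
# Assumptions: run on a domain-joined machine with read access to the configuration
# partition; the SCP sits at its standard location under CN=Services; $ExpectedUrl
# is a placeholder for your cluster's certification URL.
param([string]$ExpectedUrl = 'https://rms.contoso.com/_wmcs/certification')

function Get-AdRmsScpUrl {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    try {
        $scp = [ADSI]"LDAP://$scpDn"
        # serviceBindingInformation carries the certification URL of the AD RMS cluster.
        return [string]$scp.serviceBindingInformation
    } catch {
        # No SCP object: discovery cannot work, so MOSS must be pointed at a specific server.
        return $null
    }
}

$scpUrl = Get-AdRmsScpUrl
if (-not $scpUrl) {
    Write-Warning 'No AD RMS SCP registered in this forest; configure MOSS with a specific AD RMS server.'
} elseif ($scpUrl.TrimEnd('/') -ne $ExpectedUrl.TrimEnd('/')) {
    Write-Warning "SCP points to '$scpUrl' but the expected cluster is '$ExpectedUrl'; check before enabling IRM."
} else {
    Write-Output "AD RMS SCP OK: $scpUrl"
}
```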
DEMO
For More Information
- AD RMS Web Site: http://www.microsoft.com/rms/
- AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc753046.aspx
Questions
2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Microsoft, Active Directory, MSN, Outlook, PowerPoint, SharePoint, Visual Studio, and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399 USA