Overview of Active Directory Rights Management Services with Windows Server 2008 R2
Student Manual
Module 5: Information Rights Management on Server Applications
Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2010 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents

Module 5: Information Rights Management on Server Applications
  Module Overview
  Module Objectives
  Lesson 1: Microsoft Office SharePoint Server 2007 IRM
    Using MOSS 2007 Without AD RMS Integration
    Using MOSS 2007 with AD RMS Integration
    MOSS 2007 IRM Prerequisites
    Enabling IRM Functionality in MOSS 2007
    Lab 5A: Integrating AD RMS and Microsoft SharePoint Server 2007
  Lesson 2: Email Protection in Exchange Server 2007
    AD RMS Email Protection in Exchange Server 2007 Without Prelicensing Agent
    AD RMS Email Protection in Exchange Server 2007 With Prelicensing Agent
    Enabling and Disabling the Prelicensing Agent
  Lesson 3: New AD RMS Features in Exchange Server 2010
    Exchange Server 2010 AD RMS Integration Overview
    Transport Rules Encryption
    AD RMS Integration in Unified Messaging (UM)
    Outlook 2010 Automatic Protection
    AD RMS Integration in OWA
    Journaling Decryption
    Lab 5B: Integrating AD RMS and Microsoft Exchange Server 2010
  Lesson 4: AD RMS Bulk Protection Tool and File Classification Infrastructure
    AD RMS Bulk Protection Tool
    AD RMS Bulk Protection Tool and File Classification Infrastructure (FCI)
    Lab 5C: Integrating AD RMS with Bulk Protection Tool
    Lab 5D: Protect Information Automatically Integrating AD RMS with FCI and Bulk Protection Tool
  Module Review
Module 5: Information Rights Management on Server Applications

Module Overview

In this module, you will see how Active Directory Rights Management Services (AD RMS) integrates with server-side applications, which leverage AD RMS to automatically protect and license content. This module covers the following server products:
- Microsoft Office SharePoint Server (MOSS) 2007
- Microsoft Exchange Server 2010

Module Objectives

After completing this module, you will be able to:
- MOSS IRM
  o Describe how MOSS works with AD RMS to protect documents stored in MOSS document libraries.
  o Identify MOSS functionality.
  o Describe the MOSS logical and physical architecture.
  o Describe how Information Rights Management (IRM) works with MOSS to provide information protection.
- Microsoft Exchange Server 2007 and Exchange Server 2010
  o Explain the requirements and design considerations for enabling the Prelicensing Agent, and how to configure it.
  o Explain how to use the Prelicensing Agent with Microsoft Outlook 2010 and Windows Mobile 6.1 Pocket Outlook.
  o Explain the new AD RMS features provided in Exchange Server 2010.
Lesson 1: Microsoft Office SharePoint Server 2007 IRM
Using MOSS 2007 Without AD RMS Integration

Although it is possible to upload AD RMS-protected documents to Microsoft Office SharePoint Server 2007 (MOSS 2007) and Microsoft Windows SharePoint Services (version 3), there are some considerations that you need to take into account:
- Lack of automatic protection of documents. All documents need to be protected/classified by the end user before they are uploaded to MOSS/WSS.
- Limited search capabilities. Because the documents are encrypted, search results will be limited to the document metadata (assuming it is not encrypted), not the actual document content.
Using MOSS 2007 with AD RMS Integration

This slide summarizes the process of a user uploading a document to an IRM-protected MOSS document library and a second user downloading and consuming the file.
1. The author uploads a document (unprotected) to the MOSS document library.
2. MOSS stores the document in the MOSS database.
3. The recipient tries to download the document from the MOSS document library.
4. Because the file is stored in a document library that enforces IRM protection on its files, MOSS contacts the AD RMS server, applies the corresponding policies to the document and provides access to the file.
5. The user tries to open the file and is authenticated against the AD RMS service in order to get an end-use license (EUL). This happens without any user intervention, and once the user is authenticated, the protected file is opened.
MOSS 2007 IRM Prerequisites

Integrating Microsoft Office SharePoint Server with IRM has the following prerequisites:
- The AD RMS Client (Windows Server 2008 or higher) or Windows Rights Management Client V1.0 with SP2 (Windows Server 2003) must be installed and configured on all server farm nodes.
- All server accounts for every server in the MOSS server farm, as well as the MOSS Internet Information Services (IIS) Web Application Pool service accounts, must have Read and Execute permissions on the AD RMS Server Certification pipeline (\InetPub\wwwroot\_wmcs\Certification\ServerCertification.asmx).
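The second prerequisite, granted and then verified from PowerShell on an AD RMS cluster node. This is an added example, not code from the course or from Microsoft; the drive letter and the account names are assumptions.

```powershell
# Added example (not from the course manual): grant the MOSS farm and IIS
# application-pool service accounts Read & Execute on the AD RMS
# ServerCertification.asmx pipeline, then read the ACL back to confirm it.
# Run on every node of the AD RMS cluster, since the pipeline file lives there.
# Drive letter and account names below are assumptions for this example.
$pipeline = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$accounts = @('CONTOSO\svc-moss-farm', 'CONTOSO\svc-moss-apppool')   # constructed sample names

if (-not (Test-Path -Path $pipeline)) {
    throw "Pipeline not found at $pipeline; is this an AD RMS cluster node?"
}

$acl = Get-Acl -Path $pipeline
foreach ($account in $accounts) {
    # ReadAndExecute is the minimum the slide asks for; grant nothing broader.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, 'ReadAndExecute', 'Allow')
    $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this identity
}
Set-Acl -Path $pipeline -AclObject $acl

# Verify: show only the entries for the accounts we just granted.
(Get-Acl -Path $pipeline).Access |
    Where-Object { $accounts -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```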
Enabling IRM Functionality in MOSS 2007

Enabling IRM functionality in Office SharePoint Server 2007 is first done at the server farm level. In the Microsoft Office SharePoint V3 Central Administration site, the server farm administrator should enable IRM integration by specifying whether to use the AD RMS service connection point (SCP) to locate the AD RMS cluster, or to override the SCP and specify which AD RMS certification server will be used.
Enabling IRM Functionality in MOSS 2007 (Cont.)

After specifying the AD RMS cluster at the server farm level, IRM is then enabled at the document library or document list level using the Document Library Settings page. The following settings are configured there:
- Policy title and description: This information appears in the Office client application. In the description field, you can explain why the corporation restricted access to the document, or give details about the policy.
- Print: Any user who has the View right can print the document if this check box is selected.
- Use offline for X days: Even if offline access to a document has expired, users can still upload the document to the server, so they will not lose their work in progress. An example of when to use this setting would be when someone who has access is no longer in the corporation. The person will only have access to the confidential file for the specified number of days.
- Reject files: Selecting this check box results in the document library rejecting documents that (a) do not support IRM (e.g. image files) and (b) are not protected by this library.
- Remove protection on a particular date. Usage scenario: once the quarterly statement is published, the corporate policy on a financial documents library changes.

Note: Templates are not available for document library settings.
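The same library-level settings applied programmatically, as an added example that is not part of the course material. It assumes the SharePoint object model is available on a farm server and that the site URL, library name, and expiry date are sample values.

```powershell
# Added example (not the course's own code): apply the document-library IRM
# settings listed above to one MOSS 2007 library through the SharePoint
# object model (SPList and its InformationRightsManagementSettings).
# Site URL, library name and dates are assumptions; run on a farm server
# under an account that can administer the site.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

$site = New-Object Microsoft.SharePoint.SPSite('http://moss.contoso.com/sites/finance')
$web  = $null
try {
    $web  = $site.OpenWeb()
    $list = $web.Lists['Quarterly Statements']
    $irm  = $list.InformationRightsManagementSettings

    $list.IrmEnabled = $true                     # library applies IRM when files are downloaded
    $irm.PolicyTitle       = 'Finance Confidential'
    $irm.PolicyDescription = 'Access is restricted until the quarterly statement is published.'
    $irm.AllowPrint = $false                     # "Print" check box cleared: View does not imply print
    $irm.EnableDocumentAccessExpire = $true      # "Use offline for X days"
    $irm.DocumentAccessExpireDays   = 30
    $list.IrmReject = $true                      # "Reject files" the library cannot protect
    $list.IrmExpire = $true                      # "Remove protection on a particular date"
    $irm.DocumentLibraryProtectionExpireDate = [DateTime]'2010-12-31'
    $list.Update()

    # Read the settings back so a mismatch shows up here rather than in the lab.
    $check = $web.Lists['Quarterly Statements']
    $chk   = $check.InformationRightsManagementSettings
    '{0}: IRM={1} Reject={2} ProtectionExpires={3} OfflineDays={4} Print={5}' -f $check.Title,
        $check.IrmEnabled, $check.IrmReject,
        $chk.DocumentLibraryProtectionExpireDate.ToShortDateString(),
        $chk.DocumentAccessExpireDays, $chk.AllowPrint
}
finally {
    if ($web) { $web.Dispose() }
    $site.Dispose()
}
```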
Lab 5A: Integrating AD RMS and Microsoft SharePoint Server 2007
Lesson 2: Email Protection in Exchange Server 2007
AD RMS Email Protection in Exchange Server 2007 Without Prelicensing Agent

The AD RMS Prelicensing Agent was first introduced in Exchange Server 2007 Service Pack 1. It allows Exchange to call the AD RMS server directly on behalf of the user and fetch an end-use license to consume the content, instead of forcing the end user to do it when the content is first opened.

By enabling AD RMS prelicensing in Exchange Server, the AD RMS-protected email messages sent to the user mailbox are ready to be opened immediately, without any additional steps. End users will be more productive by reducing the time required to open and access email messages, while also ensuring that RM-protected email is as flexible and easy to use as regular email. Additionally, when end users are mobile and access email through Office Outlook 2007 or a Windows Mobile 6.x phone, they will have offline access to their protected messages, which allows them to be as productive as they are in the office.
AD RMS Email Protection in Exchange Server 2007 With Prelicensing Agent

The following steps are executed when the prelicensing agent is enabled on the Microsoft Exchange Server 2007 SP1 platform:
1. The Exchange server determines the user's home forest by using the Exchange Server Master Account SID AD attribute.
2. The Exchange server queries the SCP of the user's home forest to determine the AD RMS server URL.
3. The Exchange server gets a pre-rights account certificate (pre-RAC) for the user by contacting the AD RMS server in the forest where the user account is located and calling the pre-certify web method.
4. The Exchange server then contacts the AD RMS server to get an end-use license for the user, based on the licensing location in the publishing license.
5. Exchange Server binds the EUL to the pre-RAC and embeds it within the message. The user can then open the email without having to contact the AD RMS server.
Enabling and Disabling the Prelicensing Agent
Lesson 3: New AD RMS Features in Exchange Server 2010

This section provides an overview of the IRM features provided by Exchange Server 2010.
Exchange Server 2010 AD RMS Integration Overview

Email has dramatically improved the ability to share information, but it has also increased the risk of accidental distribution and unauthorized access to sensitive communications and information. The problem has become particularly acute in the face of increasing regulations demanding the protection of customer and employee personal information.

To better control information that gets distributed through email, Exchange Server 2010 builds on an already comprehensive list of information protection and control features, with the ability to intercept, moderate, encrypt and block email more effectively. Together, these features provide administrators with a wider range of control options, whether you want to proactively control email with automatic policies or provide users with alerts and tools to help them better manage their own information protection practices.
Transport Rules Encryption
Transport Rule Encryption (Cont.)

One of the most powerful features that can be implemented with Exchange Server 2010 is automatic email protection using Exchange Server transport rules. You can specify multiple kinds of conditions that trigger automatic protection using AD RMS policy templates, without user intervention. Some of these triggers can include:
- Group membership
- Author
- Recipients
- Keywords
- Text patterns
- Government ID numbers
- Credit card numbers/types

For more information:
http://technet.microsoft.com/en-us/library/bb125138(exchg.140).aspx
http://technet.microsoft.com/en-us/library/aa995961(exchg.140).aspx

Understanding Transport Encryption/Decryption:
http://technet.microsoft.com/en-us/library/dd638122(exchg.140).aspx
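A transport rule that combines two of the triggers above (group membership and a credit card number pattern) with an AD RMS template, as an added example written for this page rather than taken from the course or from Microsoft documentation. It assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server; the group, sender address and pattern are constructed sample values.

```powershell
# Added example (not from the course manual): create an Exchange 2010 transport
# rule that applies an AD RMS template automatically, then verify that the
# transport servers can actually obtain licenses. Group, sender and pattern
# below are constructed sample values.

# 1. Allow the Hub Transport servers to obtain licenses from the AD RMS cluster
#    on behalf of users (required before any rights-protection rule can act).
Set-IRMConfiguration -InternalLicensingEnabled $true

# 2. Fail early if the template is not published by the AD RMS cluster,
#    instead of creating a rule that silently references nothing.
$templateName = 'Do Not Forward'
if (-not (Get-RMSTemplate | Where-Object { $_.Name -eq $templateName })) {
    throw "AD RMS template '$templateName' is not available to this Exchange organization"
}

# 3. Trigger: sent by a member of the Finance group AND the subject or body
#    matches a 16-digit card-like number (simplified pattern for the example).
New-TransportRule -Name 'Protect Finance messages containing card numbers' `
    -FromMemberOf 'finance@contoso.com' `
    -SubjectOrBodyMatchesPatterns '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}' `
    -ApplyRightsProtectionTemplate $templateName `
    -Comments 'Auto-protect card numbers leaving Finance with AD RMS'

# 4. Confirm the rule is enabled and that licensing works end to end for a
#    sample sender before relying on the rule in production.
Get-TransportRule -Identity 'Protect Finance messages containing card numbers' |
    Format-List Name, State, FromMemberOf, ApplyRightsProtectionTemplate
Test-IRMConfiguration -Sender 'alice@contoso.com'
```

Test-IRMConfiguration exercises the same pre-licensing and license-acquisition path the rule depends on, so a failure there points at the AD RMS cluster or its permissions rather than at the rule.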
AD RMS Integration in Unified Messaging (UM)

- The unified messaging (UM) administrator can allow incoming voice mail messages to be marked as private.
- Private voice mail is protected using Do Not Forward, which prevents forwarding or copying the content.
- UM uses the Encryption/Decryption XSO API to rights-protect the message.
- Private voice mail is supported by UM in Outlook 2010 and Outlook Web Access (OWA).
Outlook 2010 Automatic Protection

Together, Exchange Server 2010 and Outlook 2010 provide the capability to automatically protect messages and alert users when an email contains sensitive information. This feature can enforce or recommend the protection of an email to the user.

For more information, see http://technet.microsoft.com/en-us/library/dd298182(exchg.140).aspx.
AD RMS Integration in OWA

Support for IRM in Outlook Web Access (OWA) enables users to read and create IRM-protected messages natively, just like in Outlook. IRM-protected messages in OWA can be accessed through Windows Internet Explorer, Firefox, and Safari (no plug-in required), and include full-text search, conversation view, and preview pane.
AD RMS Integration in OWA (Cont.)
Journaling Decryption

In order to provide an easy way to recover and manage archiving of protected email, Exchange Server 2010 provides a feature to send an unprotected copy of those email messages to a mailbox that can be used to easily recover the protected information.
Lab 5B: Integrating AD RMS and Microsoft Exchange Server 2010
Lesson 4: AD RMS Bulk Protection Tool and File Classification Infrastructure
AD RMS Bulk Protection Tool
AD RMS Bulk Protection Tool: System Requirements
AD RMS Bulk Protection Tool: How to Use It
AD RMS Bulk Protection Tool: How to Use It (Cont.)
AD RMS Bulk Protection Tool and File Classification Infrastructure (FCI)

Reliance on data and storage resources has continued to grow in importance for most organizations. CIOs are facing increased regulations and data leakage concerns, and IT administrators face the steadily growing challenge of overseeing larger and more complex storage infrastructures while simultaneously being tasked with ensuring that total cost of ownership (TCO) is maintained at reasonable levels. Managing storage resources is not just about the volume or availability of data anymore; it is also about the enforcement of company policies and knowing how storage is utilized, to enable efficient utilization and mitigate risk. The amount of data companies host will continue to grow, and this will necessitate the ongoing need for sound strategic planning and proper responses to organizational changes.

For more information, see http://www.microsoft.com/windowsserver2008/en/us/fci.aspx.
Lab 5C: Integrating AD RMS with Bulk Protection Tool
Lab 5D: Protect Information Automatically Integrating AD RMS with FCI and Bulk Protection Tool
Module Review