RMS04: Step-by-Step Deployment

Microsoft® Windows® Rights Management Services (RMS): Deployment and Usage, Step-by-Step

Discussion Topics
- Stage 0: Preparing for an RMS Deployment
- Stage 1: Server Deployment
- Stage 2: Client Deployment
- Stage 3: Using Information Rights Management
- Additional Technical Details

Stage 0: Preparing for an RMS Deployment

Infrastructure Requirements
- RMS server: Windows Server 2003 Std. with IIS, ASP.NET, .NET Framework & MSMQ
- Database such as SQL Server 2000 SP3 (or MSDE 2000 SP3)
- Active Directory (W2K or above)
- Global Catalog Server on W2K or above
- Mail attribute configured for each AD account
- Optional: Exchange 2000, DLs, GAL
- Enterprise Admin user account
- Optional: SSL certificate, HSM

Pre-Install Preparations
- Create service account for RMS in Active Directory
  - This account only needs Domain Users access
- Grant SQL “Database Creators” role for the administrator’s log-on account (not the service account)
- Note: RMS creates DB data files in SQL’s default location – change the default location before provisioning if you want to store files in a different location

Stage 1: Deployment of RMS Server

RMS Installation
- Join Windows Server 2003 to AD domain
- Log on to the Windows Server 2003 as a domain user which has local Admin authority
- Add IIS, ASP.NET and MSMQ components
- Install RMS (rmssetup.exe) as a local Administrator
- Install a database such as SQL Server 2000 SP3 or MSDE 2000 SP3 on a separate server (or the same one)
- Note: servers upgraded from Windows 2000 and servers locked down beyond default Windows Server 2003 can fail the next steps

RMS Pre-Provisioning
- Start the RMS Administration page
- RMS determines if it’s the first RMS server via an LDAP query to AD for an existing SCP
  - If first, it provisions as a root Certification server
  - If not, it provisions as a Licensing server

RMS Provisioning – Input
- Choose local or remote database – i.e. whether database is on the same or a different server
- Choose LocalSystem or RMS service account
- Configure URL where RMS will be found (i.e. match this to the DNS entry for the service)
- Select the protection method for the server’s private key – software or HSM
- Configure a proxy server address (if this server must communicate to the Internet through a Proxy server)
- Give the server a descriptive name in the Licensor certificate box
- Add the email address of the RMS administrator
- Specify a third-party revocation agent, if any, for your server

RMS Provisioning – Root Server
- During the Root Certification server provisioning:
  - RMS creates application pool
  - RMS configures IIS
  - RMS configures MSMQ
  - RMS creates database instances on the database (such as SQL Server or MSDE)
  - RMS performs UDDI query to find MSN RMS activation service
  - RMS creates public/private keypair
  - RMS requests root certification server license from MSN RMS activation service
    - RMS sends server public key in request
  - MSN RMS activation service creates Server Licensor Certificate (SLC)
  - RMS receives SLC, installs it and completes provisioning

RMS Provisioning – License Server
- During the Licensing server sub-enrollment:
  - RMS creates application pool
  - RMS configures MSMQ
  - RMS creates new database instances
  - RMS performs AD lookup to find the root certification cluster
  - RMS requests server licensor certificate from root certification cluster
  - Root certification server creates public/private keypair for licensing server and signs a server licensor certificate for the licensing server
  - RMS receives server licensor certificate and private key from root certification cluster

Summary of Infrastructure Changes made by RMS Server
- NO SCHEMA CHANGES in AD
- RMS uses an existing Service Connection Point object class
- RMS adds one record to the Config container in AD

Stage 2: Deployment of RMS Clients

RMS Client Installation
- Assumed:
  - Each “user” has ability to install software
    - By default, granted to Power Users or Administrators
    - SMS or Group Policy support this as well
- RMS client makes these changes:
  - Installs client libraries in %systemroot%\system32
  - Adds actmachine.exe utility to %systemroot%\system32\DRM
  - Creates registry entries in HKLM\Software\Microsoft
- This step is combined with Client Activation – activation is attempted at end of install
  - Installation can still succeed if activation fails
  - Activation also requires admin-level authority, so it’s useful to perform both steps at once

RMS Client Activation
- Assumptions:
  - “User” has ability to install software
  - RMS Client already installed
- On a Windows client with the RMS Client software installed:
  - Client performs service discovery – looks for enterprise RMS
  - Client sends Activation request to RMS or to MSN directly (depending on service discovery), with the client HWID
  - MSN Activation server generates RSA keypair, inserts machine’s private key in lockbox and includes machine’s public key and HWID in machine certificate
  - MSN Activation server sends lockbox and certificate as CAB file to requestor, and they’re unpacked and installed on the client
- Activation makes these changes:
  - Writes secrep.dll to %windir%\system32
  - Writes Cert-Machine.drm to %allusersprofile%\Application Data\Microsoft\DRM
  - Writes to registry under HKLM\Software\Microsoft (MSDRM and uDRM keys)

RMS User Certification (1)
- Assumptions:
  - RMS Client already installed and Activated
  - No special requirements for the user
- Application attempts an RMS operation for a user and determines user has no RAC
- Application performs service discovery to find out which Certification server to use:
  - Registry overrides
  - AD lookup for SCP
  - Direct request to Microsoft (MSN)
- Application asks user whether to use Passport or Windows credentials

RMS User Certification (2)
- Application forms request and calls RMS Client APIs, specifying machine public key, “permanent”/“temporary” RAC request, and Windows or Passport authority
- RMS client APIs make certification request to Enterprise RMS Server (or MSN if Passport)
- RMS server does the following:
  - Receives authentication confirmation from IIS
  - Looks up user’s email address in AD
  - Creates public/private keypair for user
  - Encrypts user’s RAC private key with the client machine public key
  - Embeds RAC keypair in RAC and sends RAC back to client

Stage 3: Using Information Rights Management

Terminology Review
- Lockbox: unique per-machine security DLL
  - Stores machine’s private key
- RAC: user’s RM Account Certificate
  - Identity of the user [one per user]
  - aka “Group Identity Certificate” (GIC)
- PL: document’s Publishing License
  - Where rights and content key are stored [one per document]
  - aka “Issuance License” (IL)
- CLC: user’s Client Licensor Certificate
  - Copy of server’s public key for publishing [one per user]
  - Also contains publishing keypair for the user
- UL: Use License
  - Where user’s copy of content key is stored [one per document per user]
  - aka “End User License” (EUL)

Publishing Rights-Protected Content using Office 2003
- Assumed:
  - User has RAC & CLC from RMS server for offline publishing
  - Office 2003 & RMS client already installed & activated
- Offline publishing steps:
  - User creates document and tries to rights-protect it
  - Client creates random symmetric key (Content Key)
  - User selects email addresses for users and groups
  - Office app creates publishing license with rights, emails, and encrypted Content key
    - Content key is encrypted with the RMS server’s public key (found in the CLC)
  - Publishing license is added to encrypted document as another piece of the compound document

Editing/Viewing Rights-Protected Content (Office 2003, RMA)
- Assumption:
  - User has already acquired their RAC
- Client requests UL:
  - Client opens publishing license, finds server’s URL and allowed users
  - Client looks for any existing Use Licenses (UL)
  - If none, UL request (along with user’s RAC) is sent to server
  - RMS Server decrypts Content Key with server private key
  - Server encrypts Content key with user’s RAC public key and includes it in UL that’s sent to user
- RMS Client will check RAC & UL (during “bind”)
  - If RAC is persistent, SID in RAC must match logged-on user as well
- RMS Client will decrypt content key from Use license using RAC private key
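As an added illustration (not part of the original deck and not Microsoft's RMS code), the following hypothetical Go model ties together the key flow of the user certification, offline publishing and use-license slides above: certification yields a RAC carrying the user's public key, publishing wraps a random content key to the server public key inside the PL, the licensing server unwraps that key and re-wraps it to the RAC public key in the UL, and the client's bind checks the RAC's SID before recovering the content key with the RAC private key. RSA-OAEP stands in for the real key-wrapping formats and AES-GCM for the document body; the lockbox step (the RAC private key encrypted to the machine public key) is left out, so in this model the client simply holds the RAC private key. The function names, SIDs, e-mail addresses and sample document are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Inputs are constructed, so the helpers panic on programming errors instead of returning them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}
func newRSA() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); must(err); return k }
func random(n int) []byte     { b := make([]byte, n); _, err := rand.Read(b); must(err); return b }

// rsaWrap encrypts a symmetric key to a public key (RSA-OAEP); rsaUnwrap fails unless priv matches.
func rsaWrap(pub *rsa.PublicKey, key []byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	must(err)
	return ct
}
func rsaUnwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// aesSeal/aesOpen protect the document body with AES-256-GCM under the content key (nonce prepended).
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(b)
	must(err)
	return g
}
func aesSeal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func aesOpen(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

type RAC struct { // RM Account Certificate: the user's identity plus the user's public key
	SID, Email string
	Pub        *rsa.PublicKey
}
type PL struct { // Publishing License: named users plus the content key wrapped to the server key
	Allowed    []string
	WrappedKey []byte
}
type UL struct{ WrappedKey []byte } // Use License: the content key wrapped to one RAC's public key

// publish models offline publishing: random content key, document sealed under it, key wrapped to the server.
func publish(serverPub *rsa.PublicKey, allowed []string, doc []byte) (PL, []byte) {
	ck := random(32)
	return PL{allowed, rsaWrap(serverPub, ck)}, aesSeal(ck, doc)
}

// license models the licensing server: unwrap with the server key, check the PL names the user, re-wrap to the RAC.
func license(server *rsa.PrivateKey, pl PL, rac RAC) (UL, error) {
	ck, err := rsaUnwrap(server, pl.WrappedKey)
	if err != nil {
		return UL{}, err
	}
	for _, u := range pl.Allowed {
		if u == rac.Email {
			return UL{rsaWrap(rac.Pub, ck)}, nil
		}
	}
	return UL{}, fmt.Errorf("%s is not named in the publishing license", rac.Email)
}

// consume models the client bind: the RAC must belong to the logged-on user, and only its private key opens the UL.
func consume(loggedOnSID string, rac RAC, racPriv *rsa.PrivateKey, ul UL, encDoc []byte) ([]byte, error) {
	if rac.SID != loggedOnSID {
		return nil, fmt.Errorf("RAC SID %s does not match logged-on user %s", rac.SID, loggedOnSID)
	}
	ck, err := rsaUnwrap(racPriv, ul.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("use license was not issued to this RAC: %w", err)
	}
	return aesOpen(ck, encDoc)
}

func main() {
	server, alicePriv := newRSA(), newRSA() // server key; user keypair made at certification
	alice := RAC{"S-1-5-21-1-1001", "alice@example.com", &alicePriv.PublicKey} // constructed identity
	pl, enc := publish(&server.PublicKey, []string{"alice@example.com"}, []byte("constructed sample document"))
	ul, err := license(server, pl, alice)
	must(err)
	doc, err := consume("S-1-5-21-1-1001", alice, alicePriv, ul, enc)
	fmt.Printf("alice reads: %q (err=%v)\n", doc, err)
}
```

Running it prints the recovered document for the named user; the instructive behaviour is in what the functions refuse. `license` returns an error for a RAC whose e-mail the PL does not list, and `consume` fails both on a SID mismatch and with any private key other than the one whose public half is in the RAC, because OAEP decryption under the wrong key does not yield the content key.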

For More Information
- http://www.microsoft.com/rms

Backup slides
- What does a UL look like?
- UL (in English please…)