Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
CONTENTS
Executive Summary ............................................................................................................ 3
Introduction ......................................................................................................................... 5
Active Directory Rights Management Services ................................................................ 6
Comparison with Other Technologies
7
AD RMS Technology ........................................................................................................... 11
Licenses
11
Types of Rights Available
12
14
16
19
IT Benefits
19
29
29
32
35
Administration
36
Conclusion ........................................................................................................................... 39
For More Information .......................................................................................................... 40
Situation
Sensitive business information
created in Microsoft Office as email or
business documents was at risk of
exposure to unauthorized users.
Solution
Microsoft IT implemented Active
Directory Rights Management
Services (AD RMS) so that publishers
could use Microsoft Office
applications to restrict access to
confidential data.
Benefits
Publishers can apply detailed user
rights to email messages and
documents.
Sensitive information can be
distributed as required with less
concern that unauthorized users
will access it.
AD RMS fulfills the requirements of
multiple information protection
technologies, simplifying the user
experience and IT support tasks.
The AD RMS infrastructure is
extensible to other, internally
developed line-of-business
applications.
EXECUTIVE SUMMARY
With the continuing advancements and ubiquity of electronic communications in business, in
addition to the growing reliance on technology for conducting day-to-day operations,
companies have become vulnerable to the mismanagement and theft of intellectual property
and sensitive business information. Microsoft employees rely very heavily on email through
the Microsoft Outlook 2010 messaging and collaboration client for both internal and external
business communications. Microsoft employees also rely on Microsoft Office 2010
applicationssuch as Microsoft Word 2010, Microsoft Excel 2010 spreadsheet software, the
Microsoft PowerPoint 2010 presentation graphics program, and the Microsoft InfoPath 2010
information gathering programto document and work with corporate ideas and other
business-sensitive information. To remain a flexible and agile business, Microsoft needed a
solution that could help protect the data of its business email messages and documents
without interfering with its users' ability to be productive.
The Microsoft information Technology (Microsoft IT) organization implemented Active
Directory Rights Management Services (AD RMS), which is the protection server role
available in the Windows Server 2008 R2 operating system. It is the successor to Rights
Management Services (RMS) available for Windows Server 2003. AD RMS combined with
Office 2010 enables Microsoft staff to add usage restrictions to their email messages and
documents. The rights can specify which consumers can open the document, what they can
do with it, and how long they can open it. The rights are applied directly to the object, whether
an email message or a document file, so the protections stay with the object regardless of
whether it is sent in email or stored as a file. Each protected message or document is
encrypted and requires a use license from the AD RMS server to decrypt the content and to
apply the usage restrictions that are assigned to the consumers of that content.
Although the introduction of such a far-reaching solution is always complex, Microsoft IT
found that the design and implementation process was relatively straightforward. After
Microsoft IT identified the appropriate information-protection policies, mapping them to actual
rights to be used and deploying the necessary technology did not involve any major
environmental changes. Microsoft IT deployed both the server and client components without
major impact to the users or to operational areas at Microsoft IT.
Since the worldwide implementation of AD RMS at Microsoft, approximately 170,000 unique
users apply the technology to 7,000 documents and email messages every day. These
numbers continually grow as an increasing number of users adopt AD RMS technologies as
their preferred means of helping to protect their confidential documents and email messages.
This paper discusses the need that Microsoft IT had for protecting confidential business data,
the reasons for deploying AD RMS over other possible solutions, updates since the initial
deployment, and how AD RMS works. This paper also offers detailed lessons learned and
best practices derived from the AD RMS server and client deployment and the usage
experience of Microsoft IT. It assumes that readers are technical decision makers and are
already familiar with the fundamentals of both public key cryptography and symmetric key
security systems, the benefits that such systems offer, and the components that are required
to implement the systems.
This paper uses the term publisher to denote someone who creates rights-protected content,
such as an email message or a document created in Microsoft Office Enterprise 2007. The
Page 3
term consumer denotes someone who must retrieve a use license to open rights-protected
content.
This paper is based on Microsoft IT's experience and recommendations as an early adopter.
It is not intended to serve as a procedural guide. Each enterprise environment has unique
circumstances. Therefore, each organization should adapt the plans and lessons learned
described in this paper to meet its specific needs.
Note: For security reasons, the sample names of forests, domains, internal resources, and
organizations used in this paper do not represent real resource names used within Microsoft
and are for illustration purposes only.
Page 4
INTRODUCTION
The privacy and security of confidential data and intellectual property are vital to a business.
If a corporate email system or a business productivity application does not allow an
organization to control who can see email messages and documents after they are sent to
consumers, that system or application is limiting the organization's ability to conduct private
business with agility and efficiency.
Many businesses today may be unnecessarily restricting the use of email systems or intranet
websites for the dissemination of their confidential data because they lack knowledge of the
technologies that are available to help safeguard that data. Conversely, other businesses
simply may not comprehend the magnitude of the issue of electronic data privacy and
security. They unintentionally and unnecessarily expose their confidential data to people or
organizations that were never intended to have access.
Microsoft, like any other business that creates valuable intellectual property in a highly
competitive marketplace, needed the ability to better safeguard the privacy of its confidential
data. Microsoft IT recognized that it needed technology to control how sensitive business
email messages and business productivity documents could be shared and used, without
risking losses in productivity.
More specifically, Microsoft IT needed to implement technology that offered the publisher of
confidential email messages and business productivity documents the ability to manage who
could consume their content, and to limit usage of their content on a document-by-document
basis. Without such technology, intellectual property, trade secrets, or incident management
data belonging to Microsoft or its business partners might have been inadvertently or even
maliciously exposed to the public, the media, or business competitors.
Page 5
Microsoft Office email messages and documents that are rights-protected employ 128-bit
encryption to help prevent unauthorized viewing and usage of content.
AD RMS serves as the platform for this technology. However, Microsoft also needed a client
application that applied the technology of AD RMS. Microsoft IT found the solution with its
enterprise-wide deployment of Office 2010. Office 2010 has a feature called Information
Rights Management (IRM), which enables policy rights definitions to be applied to both email
messages and documents that are created in the Word 2010, Excel 2010, Outlook 2010,
PowerPoint 2010, and InfoPath 2010 applications.
At this time, there are no AD RMSenabled applications to specifically help protect content
within databases or within development environments for software source code. However,
those environments are typically locked down by other means to help protect their valuable
data from unauthorized access. AD RMS helps protect business documents, where
Page 6
confidential ideas, proposals, incident reports, and financial data are stored and used on a
daily basis. AD RMS complements existing data safeguards within the enterprise
organization, which enhances the organization's overall ability to protect its internal, private
information.
S/MIME
S/MIME is a security-oriented superset of Multipurpose Internet Mail Extensions (MIME), an
industry-standard protocol widely used on the Internet for email. S/MIME adds public key
encryption and support for digital signatures to MIME. Support for S/MIME technology has
been available for several versions of Microsoft messaging products. However, S/MIME does
not help protect confidential documents outside the realm of email; nor does it control usage
rights, such as the ability to restrict copying or printing protected information. Furthermore,
after a recipient opens S/MIME-protected content, that recipient can forward the content to
other recipients with the original protection removed.
ACLs
Security in Windows Server controls the use of objects through the interrelated mechanisms
of authentication and authorization. After a user is authenticated, Windows Server uses
authorization and access control technologies to determine whether an authenticated user
has the correct authorization to access an object that is protected through access control
lists.
ACLs for file and folder permissions require the use of NTFS. Any permission restrictions that
are assigned to a document through ACLs are eliminated when the file is moved from the
container where the permissions were set to another container that does not use NTFS. For
example, an ACL that restricts all access to a document to a particular set of users will no
longer be applied after that file is sent via email or is copied by an authorized user to a disk
medium that is not using NTFS (such as a floppy disk, a CD-ROM, or a hard disk formatted
through any variety of the FAT file system). The document is then available to all users who
have access to that medium.
Also, ACLs allow any user who can read a document to copy, edit, or print the contents, so
users who are allowed to access the document must be trusted not to redistribute the content
inappropriately.
EFS
EFS helps protect sensitive data in all types of files that are stored on disk via NTFS. It uses
symmetric key encryption in conjunction with public key technology to provide confidentiality
for files. In EFS, unlike most other external encryption services, file encryption does not
require the file owner to decrypt and re-encrypt the file on each use. Decryption and
encryption occur automatically as the file is read from and written to the disk. Files retain EFS
Page 7
encryption when they are moved and renamed, if they stay on NTFS volumes. Copying or
moving an encrypted file or folder to a disk medium that is formatted through any file system
other than NTFS removes the encryption and returns the file to its normal format.
Additionally, only the person who applied EFS encryption to a file or users who are
specifically assigned the right to decrypt files can decrypt the file and work with it. Other
userseven a file ownercannot open an EFS-encrypted file unless a decryption key has
been generated and encrypted through a public key.
Feature-Based Comparison
Table 1 compares IRM and AD RMS in Microsoft Office with S/MIME digital signing, S/MIME
encryption, ACLs, EFS, and BitLocker.
Table 1. Comparison of Technologies Used to Help Safeguard Confidential Data
Feature
IRM and
AD RMS
S/MIME
signing
S/MIME
encryption
ACLs
EFS
BitLocker
Yes1
Yes
No
No
No
No
Yes
No
No
Yes
No
No
Prevents unauthorized
viewing
Yes
No
Yes
Yes
Yes
Yes
Page 8
Feature
IRM and
AD RMS
S/MIME
signing
S/MIME
encryption
ACLs
EFS
BitLocker
Yes
No
Yes
No
Yes
Yes
Yes
No
No
No
No
No
Yes
No
No
No
No
No
Controls reading,
forwarding, saving,
modifying, or printing of
content by the consumer
Yes
No
No
No2
No
No
Yes4
Yes
Yes
No
Yes3
No
Yes4
No
No
No
No
No
Yes
No
No
Yes
Yes
No
No5
Yes
Yes
No5
Yes
No
Yes4
Yes
Yes
No
Yes
No
Yes4
Yes
Yes
No
Yes
Yes
Provides a physically
nonsecure branch office
server
Yes
Yes
Yes
No
Yes
Yes
No
No
No
Yes
Yes
Yes
1 AD RMS relies on user authentication at the operating system level to validate the user's
identity. Although AD RMS utilizes strong document-signing operations, these capabilities
should not be used for non-repudiation, as AD RMS persists a Publishing License unmodified
after modifications or replies to a document by other people, including the superuser and any
authorized users, limiting the usefulness of the signature as proof of originality and nonrepudiation.
2 ACLs can be set to modify, write, or read-only but apply only to the original container of the
document.
3 EFS encryption is maintained with a copied or moved file only if the destination folder is also
on an NTFS-formatted volume and (for copying) the destination folder is marked for encryption.
4 IRM technologies rely on the integrity of the client computer's lockbox. Thus, a skilled attacker
who has direct control of the files where a document is stored might be able to perform
unauthorized operations with the document. Also, if an attacker obtains credentials for a user
who has rights to perform operations on a document, either through technical means or social
engineering, the attacker can perform any operation on the document that the legitimate user has
rights to perform.
5 These protection systems rely on user authentication at the operating system level to provide
access to the protected content. Although these technologies do not support storing the
encryption key directly on a smart card, they support storing it under a protected store that can
Page 9
be accessed only after the user is authenticated. This process can require a smart card if the
corresponding policies are enabled.
After analyzing the various technologies for safeguarding confidential data and comparing
them with IRM and AD RMS, Microsoft IT determined that IRM and AD RMS met most of its
requirements. Although Microsoft IT determined that no single solution would cover all
potential risks to unauthorized data disclosure, AD RMS offered an excellent complement to
other technologies that help protect systems and data, providing key protection to documents
regardless of their location and applying usage policies that that limit the unauthorized
distribution of documents. The ease of use for both generation and consumption of protected
documents would also help keep support costs lowa factor that an organization always
must consider when introducing new technology that affects end users.
Page 10
AD RMS TECHNOLOGY
When someone attempts to open a rights-protected document or email message, AD RMS
identifies the consumer through the Simple Mail Transfer Protocol (SMTP) email address
assigned to the consumer's Active Directory logon account. AD RMS then compares this
identification with the list of rights associated with the protected content. If the specified
consumer has been granted user rights, either individually or through inclusion in a
distribution group, the AD RMS server issues a use license to the consumer.
Note: If the SMTP address specified in the list of rights is for a distribution group, AD RMS
must perform a lookup against Active Directory data to determine whether the end-user
account object is associated with the distribution group.
Licenses
To open documents that AD RMSenabled applications help protect, a consumer needs a
digital license from the AD RMS server. There are two types of licenses: publishing and use.
Publishing License
A publishing license is created when a document (including an email message) is originally
protected. Every protected document gets its own publishing license. AD RMS provides for
the creation of publishing licenses in two ways: online and offline. Online publishing requires
connectivity with the AD RMS server, whereas offline publishing does not.
IRM in Microsoft Office always publishes its content offline. To do so, the AD RMS client
computer generates a publishing license without contacting the AD RMS server. However, for
the publishing license to be generated, the offline client must have already been activated
and received its publishing certificate. The publishing certificate is generated by the AD RMS
server and downloaded to the client computer when its first piece of rights-protected content
is published, requiring online access to the AD RMS server.
End-User License
An end-user license (also called use license, UL, or EUL) is required to open the protected
content. An AD RMSenabled application uses the EUL to decrypt the content, and then
enforces the specific usage restrictions assigned to the consumer. Each protected piece of
content requires its own use license.
The AD RMS server generates use licenses in response to a valid license request, which
typically occurs when a consumer who has rights to a protected email message or document
opens that item for the first time. Use licenses can be cached and reused to open a protected
document, depending on the rights policy. In cases with Microsoft Office documents, if the
consumer has write access to the file, the use license is appended to the protected document
file. The user can then open the protected content again on any computer that has been
activated with that user's account without requiring network access to the AD RMS server
until the use license expires.
With Outlook email messages, the consumer computer stores the use license locally after the
computer obtains it from the AD RMS server. Because Microsoft IT uses Outlook with cached
mode enabled, it configured Outlook to automatically obtain use licenses for rights-protected
email messages during the synchronization process with a server running Microsoft
Exchange. Microsoft IT specifically enables this by setting a registry key during installation. If
Page 11
Microsoft IT had left the default setting in place, at the first time that the consumer attempted
to open a rights-protected email message or document, a dialog box would have appeared,
asking whether the consumer wanted to permanently enable this behavior. If enabled, this
option would have set the same registry key that Microsoft IT preset during installation.
Some policies can be set to expire use licenses after each time a consumer accesses
protected content. In these cases, the consumer must have online access to the AD RMS
server to receive another use license before that content can be reopened.
Templates that the AD RMS administrator creates to apply a predefined set of rights to a
predefined set of individuals or groups of consumers
Alternatively, email senders can use Outlook to apply rights to the message and any
unprotected Word, Excel, or PowerPoint document attachments that might be included. By
default, the only rights setting that Outlook 2010 offers is a do-not-forward right for email
messages and any attached document files from applications that support AD RMS.
However, an administrator can create customized rights policy templates for Outlook to
expand the number of offered rights.
Each of the rights available in IRM-enabled editions of Office 2010 offers or limits certain
activities that a consumer can perform with the protected content. The rights that IRM makes
available can grant or deny consumers permission to read, save, copy, modify, print, and
forward protected objects. User rights can also be set to expire on a preset date. Table 2
discusses the details of what each of these rights does to help protect content.
Table 2. IRM Rights and Their Definitions
Right
Description
Full control
This right gives the consumer the same abilities that the publisher
has. This right acts as if no rights restrictions have been applied. It
is typically enabled only for an individual who is a member of a
larger group of consumers for whom rights that are more restrictive
have been applied. It can also be used to transfer ownership of a
document.
Change
This right enables the consumer to read, edit, and save changes to
a protected document (but not print).
Read
Document expiration
Page 12
Right
Description
Print content
This right enables the consumer to read and copy the content of a
protected document to the Clipboard but not print, edit, or save the
original document. If this right is assigned, the user might be able to
copy the content to another document and then print or save it from
there, so it should be assigned with care.
Access content
programmatically
Require a connection to
verify a user's permission
This right sets the use license to expire immediately after the
protected content has been accessed. As a result, the consumer
must have online access to the AD RMS server to get another use
license every time the document is opened.
* Document expiration does not destroy the document. Only the right to open the document
expires.
Note: IRM rights in Microsoft Office 2003 and Microsoft Office 2007 can be applied only to
the entire document and not to parts of the document.
Table 3 lists the policy restrictions available in the AD RMSenabled applications within
Office Professional Edition 2003 and IRM-enabled editions of Office 2007.
Table 3. Applicable Policy Restrictions
Outlook
Full control
Change content but no printing
Read (cannot print, save, or copy)
Read with copy content permission*
Print content*
Document expiration*
Enable content access programmatically*
Require new license with every access*
Provide email address for users to request
upgraded rights*
Enable content access by means of RMA*
* In InfoPath, these capabilities are available only for forms, not for form templates.
In Microsoft Office 2007, rights are applied to objects hierarchically. For example, consider a
Microsoft Office Word 2007 document that is attached to an Office Outlook 2007 email
Page 13
message. If rights are not applied to the document before it is attached but are subsequently
applied to the email message, the attached document inherits the rights applied to the email
message. If rights are applied to the document before it is attached, email rights do not affect
the document's rights.
In Office Outlook 2003 and Office Outlook 2007, a message can be expired at a certain date
through the Expiration setting under Options. If the Do Not Forward (the read-only setting)
option is selected and message expiration is set, IRM enforces the expiration setting.
Note: Expired content does not delete itselfit only locks out the consumer. The publisher
and members of the Super User distribution group can still open the content.
The first three templates use the Microsoft All Staff distribution group. This group includes all
Microsoft full-time employees (FTEs), contractors, and vendor staff. Any person not included
in this distribution group, such as people outside the company, cannot open content that this
template helps protect. The second template is a modification of the first with restrictive readonly rights.
The fourth and fifth templates use the Microsoft All FTE distribution group. Any person not
included in this distribution groupsuch as contractor and vendor staff, along with anyone
outside the companycannot open any content that this template helps protect. The fifth
template applies the restrictive read-only rights to the Microsoft All FTE distribution group.
Finally, when the Do Not Reply All template is applied to a message, its recipients cannot use
the Reply All function. This restriction prevents large volumes of response traffic to
messages that are sent to many recipients.
The master version of a rights policy template resides in the AD RMS database and is always
used when a use license is created so that the most recent policy set by the AD RMS
administrator is enforced. Each AD RMS client must download the templates that it will use.
Page 14
These local versions of the templates do not need to be updated every time the AD RMS
administrator updates the template, because the AD RMS server uses its own copy when it
evaluates the rights that the template specifies. However, templates still must be available
locally for a user to select them when he or she performs offline publishing, as in the case of
Microsoft Office applications.
If the feature that requires a new use license with every access is used with a template, the
organization can dynamically change rights policies after the document is published or sent in
email. This way, the organization retains the option to further restrict or loosen control on one
or more users at any time.
Exchange Prelicensing
Alternatively, when a content publisher is using Outlook 2010 or Microsoft Outlook Mobile on
Windows Phone with AD RMS, an optional Microsoft Exchange Server 2010 component
called the Exchange Prelicensing agent can perform the user validation and authorization at
the Exchange Hub Transport server, and issue the use license before the message is
delivered to the user. This means that when the user receives the message, the use license
is also received and stored together with the content, preventing the need for the user to
connect to the AD RMS server when the message is open.
The Exchange Prelicensing agent is part of Microsoft Exchange Server 2007 with Service
Pack (SP) 1 or later and is installed automatically on all Hub Transport servers installed with
this version. For Exchange Prelicensing agent to work reliably, it must be installed on all Hub
Transport servers in the infrastructure. All those servers must be running Exchange
Server 2007 with SP1 or later. Additionally, the AD RMS client on the 64-bit editions of
Windows Server 2008 must be installed on the computers that perform the Hub Transport
server role.
Page 15
URL to get the use license. If the application cannot resolve the internal URL, it attempts to
use the external URL.
As long as the client computer is connected to the Internet, it can access the AD RMS server.
However, because the user is not authenticated on the Microsoft corporate network, the
consumer will first be prompted for user-name and password credentials. After the server
validates the credentials, it can issue the use license (and, if necessary, a temporary rights
account certificate [RAC]), enabling the client to open the protected content. If the content is
prelicensed, the use license is already in the client, so no connection or authentication
request occurs.
Note: For any computer on which the consumer has not logged on by using domain
credentials, such as an employee's home computer, trying to access content that has not
been prelicensed, the enterprise AD RMS server issues a temporary RAC for opening rightsprotected email and documents. It does this after prompting for the consumer's logon
credentials. The temporary RAC is valid for only 30 minutes. The employee's home computer
must download a new temporary RAC to open rights-protected content if any existing
temporary RAC has expired. An alternative is to use Microsoft Office Outlook Web Access,
which can create or consume protected content with any browser.
Page 16
Windows Phone 7.5 mitigate the risk of data leakage by using IRM to provide persistent
online and offline protection of email messages and attachments.
IRM applies AD RMS to email so that messages can circulate within a protected environment
for authorized users but not be forwarded outside the organization. AD RMS can also be
applied to Microsoft Office documents, which can be sent to Windows Phone 7.5 users as
attachments. Windows Phone 7.5 is the only smartphone currently available that includes
built-in functionality to handle rights-managed email and Microsoft Office documents. The
ability to access email from almost anywhere is increasingly common, and information
workers typically access and work with email messages from office computers and laptops as
well as from smartphones. Although the availability of email enhances productivity in
countless ways, sensitive email data is subject to increased risk from data leakage.
Page 17
Enterprise Benefits
The following benefits are most applicable to enterprises.
Application Support
AD RMS can be incorporated into both commercial applications and internally developed
line-of-business (LOB) applications to help protect information. This solution enables the
incorporation of protection across the entire range of corporate information. Microsoft IT, the
team that has designed and implemented more than 1,500 internal LOB applications at
Microsoft, is busy designing next-generation LOB applications that are AD RMS enabled to
better safeguard confidential data. For more information about the AD RMS software
development kits (SDKs), go to http://msdn.microsoft.com/enus/library/cc530379(VS.85).aspx.
Page 18
and interoperable standard that can meet any organization's needs, regardless of industry,
platform, format, media type, business model, or delivery architecture.
XrML defines a language for expressing rights and conditions for the consumption of content
in a way that is independent of the individual implementation. Although different types of
content might have somewhat different interpretations of the exact actions that a specific right
expressed in XrML should allow, the general meaning of the restrictions and the way to
express them are not platform or product specific.
Using a standard certificate format enables AD RMS to be extended and to interoperate with
third-party products, while helping to ensure compatibility as future versions of the platform
and third-party solutions evolve.
End-User Benefits
The following benefits of offering AD RMS in the enterprise apply to end users.
Ubiquitous Access
Rights-protected documents can be accessed from inside the network and from the Internet.
Protected documents can also be created and consumed while the publisher is offline, and
they can be stored in a mobile device's disk or in removable media with less danger of
unauthorized access. Protected email can be created and consumed from any computer,
even unmanaged computers, that can run any web browser that supports the full Outlook
Web Access experience.
This ability gives authorized content publishers and consumers the freedom to keep
accessing, creating, and managing documents from all their normal locations, while helping
to keep information safe from unauthorized users.
IT Benefits
The use of AD RMS as the solution to help safeguard confidential data offers the following
benefits to the enterprise IT department.
Ease of Implementation
With the release of AD RMS, Microsoft has focused on minimizing the effort that enterprises
require to implement an IRM solution. Installing the AD RMS role is as easy as enabling other
Windows Server 2008 R2 roles. Administrators can then connect it to other enterprise-critical
Page 19
servers such as those running Exchange Server, Microsoft SharePoint Server, and Windows
Server with the File Classification Infrastructure (FCI) role installed, or to external services.
They can build and enforce usage policies and establish trusted entities outside the
organization.
AD RMS provides several possible ways to deploy either single-cluster configurations or a
global, distributed AD RMS system topology. As a stateless web service, AD RMS can also
be scaled up or out through standard and well-known technologies to meet enterprise growth
needs.
Ease of Administration
Administrative features of AD RMS, such as revocation lists and exclusion policies, provide a
enhanced level of control for sensitive and proprietary content at Microsoft. In addition,
comprehensive logging enables Microsoft IT to monitor licensing activity, including granted
and denied requests.
The general use of rights policy templates enables an enterprise to define and implement
communication policies that are consistent across the organization and digitally enforced.
AD RMS administrators design and control the content of the templates, and store them on
the AD RMS servers for the enterprise publishing community to use. AD RMS administrators
can easily modify the template definitions of approved consumers and the rights that are
assigned to those users within a rights-protected document.
Templates offload the effort of determining who should be assigned user rights and what
types of rights the intended consumer should receive from the publisher, simplifying the
process that the publisher needs to follow. Furthermore, when modifications to a template
occur, all past, present, and future content based on that template will inherit the new rights
when a use license is issued.
Page 20
Occurrence
Client-to-server
bandwidth
usage
(kilobytes)
Server-to-client
bandwidth
usage
(kilobytes)
License
request
22
10
RMS
computer
activation
200
RMS account
certification
10
16
Client
enrollment
11
10
Page 21
Microsoft IT also recognized that the Active Directory query traffic generated by RMS might
potentially affect network throughput. However, Microsoft IT determined that this would not
be a major factor if RMS servers were deployed in close proximity to the global catalogs. The
exception would be if a failure of all global catalogs at a site caused a failover to another site
over a connection that did not support the same capacity throughput.
Table 5 provides baseline data on the bandwidth usage of AD RMS transactions that an
organization can use to assess the effect of Active Directory query traffic on a network.
Table 5. Baseline Data on Bandwidth Usage
Transaction
AD RMS connection
establishment (ldap_bind)
1,600
200
200
100
Note: Numbers must be applied in context. For example, if the user belongs to 15 groups,
200 bytes would be required for the search request from AD RMS, and 1,500 bytes (100
bytes 15) would be required for the response from the global catalog.
Analysis of the projected usage of RMS within Microsoft IT's network infrastructure showed
the impact to be negligible. Table 6 illustrates the specific effects that RMS has had on the
Microsoft corporate network.
Table 6. RMS Network Load Metrics Within Microsoft IT
Monitored
site name
Average
bytes sent
Maximum
bytes sent
Average bytes
received
Maximum
bytes received
Number of
requests
Computer
Activation
511,687
39,698,882
1,974
139,646
226,508
User
Certification
17,823
1,228,016
13,185
880,856
338,925
Publishing
18,242
325,430
19,532
305,515
136,927
Licensing
17,618
1,319,349
54,652
3,171,780
992,692
By using the information gathered during the planning phase, Microsoft IT decided on the
deployment topology, the number and class of servers to order, and the service availability
requirements.
In January 2003, Microsoft IT began preparations for its initial RMS deployment. Based on
the projections of the RMS product group and the results of Microsoft IT lab testing, Microsoft
IT predicted that approximately 2 percent of all email messages and attached business
productivity documents sent within Microsoft would use IRM to enforce policy. Microsoft IT
based this figure on its knowledge of its user base, the likelihood of the general population to
adopt new technologies, and to what degree the new technology would be used within the
company.
Page 22
Note: The usage estimate figure will be different for each deployment, and each enterprise
must project its own need for (and use of) AD RMS technology. After an enterprise makes
this estimate, it can determine the capacity planning requirements.
Scalability test data provided by the RMS product group revealed that in the case of Microsoft
IT, two standard-configuration servers would handle the load for all users in the company.
This configuration included dual Intel Pentium 4 2.4-GHz computers with a 512-kilobyte (KB)
Level-2 (L2) memory cache and 512 megabytes (MB) of RAM, set up as a load-balanced
cluster pair.
To accommodate unanticipated usage growth, in addition to future expansion of RMS to LOB
applications and other Microsoft and partner applications, Microsoft IT upgraded the RMS
server specification to a four-processor, 2.4-GHz computer with 1 GB of RAM.
The corporate Active Directory infrastructure largely dictated the number of RMS server
clusters that Microsoft IT needed to deploy. RMS, by design, initially checks the account
logon forest for issuing RACs and licenses. To offer all user accounts access to RMS
technologies, Microsoft IT deployed a load-balanced RMS cluster in all corporate network
forests that contain user logon accounts. Besides the main corporate forest, three other
forests are used with logon accounts at Microsoft, primarily for testing of cross-forest
functionality of enterprise software and to isolate other developmental testing efforts.
To simplify administration and troubleshooting issues with RMS, Microsoft IT chose to route
all document-publishing licensing requests to the RMS cluster for the main corporate forest.
This forest contains more than 90 percent of all Microsoft logon accounts. Routing publishing
license requests to the main corporate forest resulted in higher availability and scalability
requirements than those of the other three logon forests. To meet the higher overall
workload, Microsoft IT added a third, identically configured RMS server to the primary
corporate logon load-balanced cluster for failover support in case of hardware failure. To
accommodate future load, Microsoft IT expanded this configuration to four servers for the
production forest as part of the migration to AD RMS in 2008.
Additionally, to meet its internal security requirements for protection of the RMS server's
private key, Microsoft IT elected to include nCipher nShield hardware security modules
(HSMs) on its RMS server specification.
Microsoft IT originally used Microsoft SQL Server 2000 database software for the required
RMS transaction log database in each forest. Microsoft IT later migrated this to Microsoft
SQL Server 2005 when it implemented AD RMS. SQL Server provides the ability to use
transaction log shipping as a means to maintain a warm standby secondary server, as well
as the option of using failover clusters for immediate failure resolution of hardware or system
problems.
The final step in determining the deployment topology was identifying the connectivity
methods for which Microsoft IT wanted to support RMS licensing. In particular, Microsoft IT
determined that users must be able to obtain licenses while not logged on to the corporate
network. Microsoft IT decided to place RMS behind servers running Microsoft Internet
Security and Acceleration (ISA) Server, so that it could use externally accessible URLs for
RMS servers.
Figure 1 illustrates the original RMS topology for the main corporate forest.
Page 23
NLB Cluster
SQL Server
RMS SQL-02
Backup Config DB
Backup Logging DB
SSL
44
RMS Server-01
nCipher nShield HSM
3
1433
Firewall
RMS Server-01
nCipher nShield HSM
1433
ISA Array
Verisign issued certificate
SQL Server
RMS SQL-01
Config DB
Logging DB
Firewall
143
43
1433
44
SSL
L4
SS
44
Router
SSL 44
3
L
SS
Internet
SSL
44
33
SSL 443
14
SSL 443
44
SSL
33
SS
L
14
44
https://corprights.microsoft.com
1433
RMS Server-01
nCipher nShield HSM
RMS Server-01
nCipher nShield HSM
SQL Server
RMS SQL-03
Log Consolidation DB
Architecture Enhancements
After Windows Server 2008 R2 was released, Microsoft IT made significant changes to the
architecture of the AD RMS service.
Figure 2 illustrates the updated AD RMS topology for the main corporate forest.
Virtualization
To reduce the physical footprint and reduce costs, Microsoft IT replaced 50 percent of the
physical servers with Hyper-V virtual machines. Microsoft IT configured the virtual machines
with two virtual processors and 4 GB of RAM.
Page 24
Network-Based HSMs
The original design called for individual physical servers, each with a Peripheral Component
Interconnect (PCI)based HSM installed and configured. Microsoft IT has since removed the
individual HSMs and replaced them with network-based HSMs. Network-based HSMs enable
Microsoft IT to add or remove capacity without requiring physical access to each server to
configure the PCI HSMs.
Template Distribution
Beginning with Windows Vista SP1, a template distribution service allows the client to
connect to the AD RMS server and download templates directly. To automate the distribution
Page 25
of templates, Microsoft IT has created a logon script that enables the template distribution
service on the client and creates the appropriate Microsoft Office registry keys to point the
client to the location of the locally downloaded templates.
Office 365
With the migration of on-premises mailboxes to mailboxes that are hosted in the cloud,
Microsoft IT has enabled cloud-based users to continue to use IRM for content protection.
The full IRM experience is available for Microsoft employees that use Outlook Web Access
with Microsoft Office 365.
Monitoring
Microsoft IT monitors all AD RMS servers via the Active Directory Rights Management
Services Management Pack for Microsoft System Center Operations Manager. The alerts are
sent to a central console. From there, a support team is notified by email if an event occurs.
Microsoft IT monitors all HSMs by using Simple Network Management Protocol (SNMP) and
a Windows PowerShell script. By using SNMP, Microsoft IT can monitor the HSMs for powersupply failures, high CPU usage, failed fans, or high-temperature warnings. If an issue arises,
the script sends a notification to the support team.
Page 26
Page 27
The charts in Figure 4 are examples of daily statistics gathered on the health of the AD RMS
service.
Page 28
Page 29
Whether users can run Microsoft Visual Basic for Applications (VBA) and other custom
code in the file.
The number of days for which the license is valid. After the specified number of days has
passed, the license expires, and users must download the file again from the document
library.
Whether to allow users to upload file types that do not support IRM.
Optionally, the date to stop restricting permissions to the document library. After the
specified date passes, SharePoint Server 2010 removes all rights-management
restrictions from the documents in the library.
SharePoint Server 2010 determines the user rights to assign based on the ACL entry of a
user. If a user has access to the library, documents are delivered to the user with rights
management applied. SharePoint Server 2010 allows access according on the options set for
the library and according to the access level that the user has to the library.
Note, however, that all IRM-protected documents must be opened locally in Word (or another
Microsoft Office application that supports IRM) and will be blocked from opening through
Office Web Apps in the browser.
Figure 5 illustrates a typical document flow in SharePoint Server 2010 with AD RMS
protection.
A publisher posts a Microsoft Office document to a SharePoint document library that has
AD RMS protection enabled.
Page 30
2.
The document is stored in the SharePoint database unencrypted and unprotected. If the
document as uploaded by the publisher was originally downloaded from the same library
and is thus protected with IRM, existing protection is stripped before storage.
3.
A consumer who has read access to the documents in the library requests the document
to the SharePoint server.
4.
5.
The server uses the consumer's RAC and CLC to assign rights to the consumer to the
requested document, depending on the consumer's rights on the documents in the
library, with additional restrictions according to the policies established in the library. The
server applies the rights to the document.
6.
The consumer receives the protected document. The requesting Microsoft Office
application opens the document with the help of the AD RMS client and with the rights
that the policy has defined.
The whole process occurs automatically and does not require special input from either user.
The platform provides assurance that the documents will always be protected according to
the policies that are defined for the library.
Page 31
with the AD RMS bulk protection tool and the FCI role installed. Microsoft IT created a set of
regular expressions to search through the documents and identify matching strings of text
that would classify the data as HBI.
The Microsoft IT end-user support teams absorbed AD RMS end-user support duties.
The implementation did not require any additional support personnel.
The Identity and Access Management (IDM) team in Microsoft IT absorbed AD RMS
server administration duties. The implementation did not require any additional
administrator personnel.
The AD RMS SQL Server databases were backed up through the existing SQL Server
support infrastructure. The implementation did not require any additional infrastructure.
The AD RMS server infrastructure uses System Center Operations Manager for server
monitoring and the AD RMSspecific management pack for System Center Operations
Manager. The AD RMS development team created the new management pack
specifically for monitoring the status of AD RMS servers and activity on those servers.
Microsoft IT receives an average of 50 support calls per month related to AD RMS and IRM.
The Microsoft Helpdesk handled and closed approximately 80 percent of those calls. The
number of calls related to AD RMS and IRM is minimal, considering that Helpdesk receives
an average of approximately 11,000 calls per week. Approximately two-thirds of the calls that
Microsoft IT received were resolved as either issues related to user training or issues not
specifically related to AD RMS.
Microsoft IT assigned administration of the AD RMS infrastructure to the IDM organization.
This organization is also responsible for the day-to-day operations of Active Directory
Certificate Services (AD CS) and AD FS, and for providing continuous, year-round support.
Training
To educate the Helpdesk and other support staff for AD RMS and IRM, Microsoft IT used
deployment guides and product help available from the Microsoft Office and AD RMS product
groups. These materials consisted mainly of the publicly available Microsoft Office and
AD RMS deployment guides. Microsoft IT presented these materials to the Helpdesk staff in
a single, one-hour-long session for each shift. Additionally, Microsoft IT subject matter
experts wrote several Knowledge Base articles for the Helpdesk and end-user support teams
to use. Microsoft IT did not conduct any further support-team training specifically about
AD RMS and IRM, in part to validate the ease with which AD RMS and IRM can be deployed
in an enterprise.
Microsoft IT also produced and published user training, in the form of an informational email
message and online content. As with the training materials for the support teams, Microsoft
IT produced this content primarily from materials that the Microsoft Office and AD RMS
product groups made available.
Page 32
AD RMS Super User distribution group for efficient document recovery. If AD RMS rights are
applied to a key document and the publisher subsequently becomes unavailable or leaves
the company before the policies can be removed, the Super User group can enable the
editing or complete removal of the policies that the original publisher set. Microsoft IT has
limited membership in the Super User group to a small number of highly trusted individuals.
In addition, only in specifically defined business cases can a member of the Super User
group intervene to annul the policies of a rights-protected document.
Having a means to remove publisher-assigned policies is sound corporate policy. Like most
businesses and organizations, Microsoft considers all intellectual material that employees
create at work by using its corporate network and computing resources to be Microsoft
property. Microsoft must retain the ability to recover its property if, for example, a malicious
user intentionally use IRM policies to protect a document. Additionally, the ability to recover
rights-protected documents is necessary for legal reasons in cases of discoverability in a
court of law.
A member of the Super User distribution group on an AD RMS server is automatically
assigned full control rights to any rights-protected content published by that server. To ensure
that this trust is not abused, Microsoft IT has specific business processes in place for when
Super User permissions are used to open any rights-protected email messages and
documents.
The IDM team within Microsoft IT is responsible for the Super User distribution group and
manages the membership of that group.
Note: The Super User feature should be left disabled until it is needed. At that time, it can be
temporarily enabled, used as required, and then disabled again. This ability allows for tighter
control by requiring a specific request to trigger the use of Super User permissions only when
they are needed.
Page 33
Deployment
Microsoft IT derived the following lessons and best practices from its experience in deploying
AD RMS and IRM.
Educate Users
To take full advantage of the technology, users must be told that the service exists and
taught how to properly use it. An organization can educate users by creating self-help training
content and knowledge base articles, developing a dedicated intranet website for posting
training materials and frequently asked questions (FAQ), and regularly advertising and
discussing the service addition with employees during the deployment. Successfully
informing users about where to find the information that they need to properly use the service
will minimize the effect on the help desk.
Run a Pilot
An organization should introduce AD RMS to the enterprise in a pilot deployment project with
a limited set of users in a small, controlled area. During the pilot, the organization should test
all of the desired usage scenarios, including any planned templates.
After successful completion of the first pilot, if the organization expects the size of the
eventual rollout to include a very large number of users, it should conduct a second pilot to a
larger (but still closely monitored) group of users. After identifying and considering scaling
issues, the organization should begin the rollout to the rest of the organization, as resources
and time permit.
Employees who are running versions of Microsoft Office older than Office Professional
Edition 2003 or editions of Microsoft Office that do not support IRM directly can use RMA as
needed to read rights-protected email and documents prior to their own upgrade to IRMenabled versions of Microsoft Office. This capability must be specifically enabled in the rights
policies applied to the documents, so the organization should set it up in the policy templates
during the deployment period.
At Microsoft, Microsoft IT sent rights-protected email to successively larger groups of
consumers simultaneously, to stress test the AD RMS licensing infrastructure. Microsoft IT
considered the deployment of AD RMS and IRM officially complete when it successfully sent
a rights-protected email message to the distribution group that encompasses all Microsoft
employees, and all valid consumers were able to read it.
Page 34
infrastructure and license distribution demonstrated that the Microsoft corporate network
bandwidth was not significantly affected.
Security
Microsoft derived the following security lessons and best practices from its experience in
implementing and managing AD RMS and IRM.
Terminal Services user access on the Remote Desktop Protocol (RDP) connection
configuration on the AD RMS servers.
In addition, the organization should ensure that the discretionary access control lists (DACLs)
that are configured for the servers restrict access to only essential personnel.
To support group expansion across forests, AD RMS automatically assigns read access to
directory services to all authenticated users who have domain credentials. To increase
security, the organization should remove this access from the DACL and replace it with each
service account that is in the different forests.
Page 35
Administration
Microsoft IT derived the following lessons and best practices from its experience in managing
and administering AD RMS and IRM.
Page 36
Red: Failure.
Each health state is related to an operation or the type of functionality that a managed entity
is designed to perform. Detection rules detect health states.
Although the Active Directory Rights Management Services Management Pack can detect
transitions to specific health states, not all rules in the management pack have been
designed to take advantage of the State feature of Operations Manager. In these cases,
transitions to specific health states are exposed only through the generation of alerts, and the
relevant change in health state is not reflected on the AD RMS role and related state views.
For more information about the Active Directory Rights Management Services Management
Pack, refer to the Monitoring Scenarios page in the Windows Server 2008 Technical Library
at http://technet.microsoft.com/en-us/library/cc468596.aspx.
For more information about the errors and events that AD RMS records, refer to the Events
and Errors page for AD RMS in the Windows Server 2008 Technical Library at
http://technet.microsoft.com/en-us/library/cc771924.aspx.
Page 37
that keeps only the past 30 days of raw data on a rolling basis within the live AD RMS logging
database. Any older data is archived to the Microsoft ITdeveloped database.
The "request duration" record for each AD RMS transaction is one of the best performance
indicators, because it gives an overall indication of the load and efficiency of the servers and
of the user experience. AD RMS also provides Windows performance counters that record
the average number of transactions processed during the past second and the number of
long-running transactions. Microsoft IT collects the performance counters only during
research or troubleshooting activities, with no permanent storage for historical counters.
Microsoft IT uses SQL Server Reporting Services to automatically producedaily and on
demandreports of AD RMS usage, status, and performance. Among the most useful
reports are request volume by type, frequency and distribution of licensing errors by type,
and average request duration by hour. Microsoft IT uses these reports to assess the health
and performance of the AD RMS infrastructure and to plan proactive maintenance and
expansion.
Page 38
CONCLUSION
Microsoft benefited from the deployment of the AD RMS server infrastructure and its
counterpart, IRM, within Office Enterprise 2010 in several ways. Publishers can use IRM to
assign unique user rights for Microsoft Office documents to separate individuals and
distribution groups. IRM helps protect the confidential contents of business email and
Microsoft Office documents from unintended consumers through the use of 128-bit
encryption, can limit the time that protected content can be opened, and enables publishers
to defineat a highly detailed levelhow their content can be used or shared. AD RMS
enables an organization to create rights policy templates that provide a uniform way to help
protect sensitive information.
At the same time, as evidenced by the ever-growing IRM usage numbers in Microsoft IT,
AD RMS and IRM have filled an important data-protection gap for Microsoft staff. Many
groups within Microsoft IT, in addition to the legal and human resources departments at
Microsoft, have begun adopting AD RMS and IRM in lieu of other, older alternatives, such as
S/MIME. This adoption is due in large part to the setup and usability features in Office
Enterprise 2010, as well as the configuration work that Microsoft IT completed to make the
installation of IRM seamless to Microsoft users. The support data that Microsoft IT gathered
further reflects the ease of use of these products and the relatively small administrative
burden that AD RMS has introduced on the Microsoft corporate network infrastructure.
Page 39
Page 40