
Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS
Overview Technical Article
Microsoft France
Published: June 2012 (Updated: September 2013)
Version: 1.0b

Author: Philippe Beraud (Microsoft France)
Contributors/reviewers: Philippe Maurent (Microsoft Corporation)

For the latest information, please see www.microsoft.com/rms

Copyright © 2013 Microsoft Corporation. All rights reserved.

Abstract: Due to increased regulation, the consumerization of IT (CoIT) and the “Bring Your Own Device” (BYOD) trend, enterprises of all sizes are facing growing needs to protect sensitive information. At the same time, enterprises have a need to share that same information amongst appropriate employees within and outside the corporate network. Microsoft Active Directory Rights Management Services (AD RMS) provides the capability on-premises to create and consume protected content such as e-mail and documents. As of today, such a capability is also leveraged by the Microsoft Exchange Online services through the Information Protection and Control (IPC) features to apply persistent protection to e-mail messages and attachments. Built on existing documentation, this document is intended to provide a better understanding of how to use an on-premises AD RMS infrastructure for the Exchange Online services of the organization’s Office 365 tenant in the Cloud.

This document is intended for system architects and IT professionals who are interested in understanding the basics of cross-premises support for on-premises AD RMS and Exchange Online, along with planning and carrying out such a deployment in their environment.


Content

NOTICE ..... 1
INTRODUCTION ..... 3
  OFFICE 365 INTRODUCTION ..... 3
  OBJECTIVES OF THIS PAPER ..... 4
  ORGANIZATION OF THIS PAPER ..... 6
  ABOUT THE AUDIENCE ..... 7
A BRIEF OVERVIEW OF AD RMS ..... 8
  IDENTIFYING THE COMPONENTS OF THE AD RMS TECHNOLOGY ..... 10
  UNDERSTANDING THE AD RMS CERTIFICATES AND LICENSES ..... 18
  INSTALLING AND CONFIGURING AN ON-PREMISES AD RMS INFRASTRUCTURE ..... 23
UNDERSTANDING THE CROSS-PREMISES DEPLOYMENT OF AD RMS ..... 48
  ON-PREMISES IRM ..... 48
  EXCHANGE ONLINE IRM (NO ON-PREMISES EXCHANGE) ..... 53
EXTENDING ON-PREMISES AD RMS TO OFFICE 365 ..... 63
  EXPORTING THE AD RMS TPDS ..... 63
  CONFIGURING WINDOWS POWERSHELL ..... 65
  CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE ..... 67
  IMPORTING THE AD RMS TPDS AND THE CORRESPONDING RIGHTS POLICY TEMPLATES ..... 70
  VIEWING AND ENABLING THE AD RMS RIGHT POLICY TEMPLATES ..... 74
  ENABLING THE USE OF AD RMS FOR OWA AND EAS CLIENTS ..... 77
MANAGING THE CROSS-PREMISES DEPLOYMENT ..... 79
  CHANGING THE DEFAULT TPD ..... 79
  UPDATING EXCHANGE ONLINE ..... 79
  USING OWA MAILBOX POLICIES ..... 81
  DISABLING IRM IN EXCHANGE ONLINE ..... 82
  REMOVING TPDS ..... 82


Notice

Since the initial release of this paper, the Microsoft Rights Management service (RMS) offerings have been introduced that provide more advanced capabilities and additional benefits compared to what an on-premises Windows Server AD Rights Management Services (a.k.a. AD RMS) infrastructure can provide.

The Microsoft Rights Management suite is implemented as a Windows Azure service. It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the cloud-hosted Microsoft Rights Management service acts as a trusted hub for secure collaboration where an organization can easily share information securely with other organizations without additional setup or configuration. The other organization(s) may be existing customers of the Microsoft Rights Management service; if not, they can use the free Microsoft Rights Management for individuals [1] capability.

The Microsoft Rights Management service can be purchased as part of the Office 365 suite offerings:

- It is already included in the Office 365 Enterprise E3 and E4 plans and the Education A3 and A4 plans.
- It is also available as an add-on in the E1 and A2 plans.

The Microsoft Rights Management service can be purchased standalone for use with the Microsoft Rights Management connector or third-party RMS-enlightened applications (e.g. Microsoft Office, Microsoft Office 365, Foxit Enterprise Reader with the RMS PDF Plug-in Module [2], SECUDE End-to-End Information Security for SAP [3], etc.). To sign up for a Microsoft Rights Management stand-alone service, proceed with the following steps:

1. For a trial version, click on https://portal.microsoftonline.com/Signup/MainSignUp15.aspx?&OfferId=A43415D3-404C-4df3-B31B-AAD28118A778&dl=RIGHTSMANAGEMENT

2. To buy the service, click on https://portal.microsoftonline.com/Signup/MainSignUp15.aspx?&OfferId=9DF77AF9-DAAE-4d51-8E0E-EEEADD4866B8&dl=RIGHTSMANAGEMENT

As of this writing, this offering is in preview and will be followed by general availability later this calendar year. Consumption of rights-protected content is free; a license is required to protect content.

Note For details, follow the RMS Team blog [4]. Also visit the updated www.microsoft.com/rms site.

This document does not cover the Microsoft Rights Management service (RMS) offerings any further and instead considers the former on-premises AD RMS infrastructure.

1 Microsoft Rights Management for individuals: https://portal.aadrm.com
2 Foxit Enterprise Reader with the RMS Plug-in Module: http://www.foxitsoftware.com/landingpage/2012/07/Reader-Ads-RMS/
3 SECUDE End-to-End Information Security for SAP: http://www.secude.com/company/partners/end-to-end-information-security-for-sap/
4 RMS Team blog: http://blogs.technet.com/b/rms

3 Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS


Introduction

Office 365 introduction

Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft Exchange Server as a cloud-based service. It provides users rich and familiar access to email, (shared) calendar, contacts, and tasks across PCs, the Web, and mobile devices and benefits from optional features such as voice mail, unified messaging, and archiving. With Exchange Online, organizations can take advantage of sophisticated messaging capabilities without the operational burden of on-premises server software. Furthermore, all network connectivity occurs over the Internet, and VPN connections are not required.

For mobile devices, Exchange Online supports the Microsoft Exchange ActiveSync (EAS) [5] protocol. Exchange ActiveSync provides synchronization of mailbox data between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on the go. EAS is supported by a wide range of mobile devices, including Microsoft Windows Mobile 6.x and Windows Phone 7.x, Nokia E and N series devices, Palm devices, Apple iPhone and iPad, and certain Android phones. Beyond allowing users to connect to their mailboxes from a variety of devices and platforms, notably through the above support, Exchange Online offers hosted unified messaging services, which provide:

- Call answering (voicemail);
- Dial-in user interface to Exchange (Outlook Voice Access);
- Dial-in interface for callers (automated attendant).

Hosted voice mail (unified messaging) allows an organization to connect its on-premises phone system to voicemail services provided by Exchange Online. Voicemails are recorded and stored in the Exchange Online infrastructure, allowing users to access their voice messages from Outlook, Outlook Web Access (OWA), or mobile phones. The unified messaging features available in Exchange Online are similar to those offered in Exchange Server 2010 Service Pack 1 (SP1), except that speech access to the directory is not supported in Exchange Online.

Note For additional information on Microsoft Exchange Online, please refer to the EXCHANGE ONLINE SERVICE DESCRIPTION [6], and the documentation available at http://help.outlook.com, especially the resources found on the help page MANAGE YOUR ORGANIZATION - OFFICE 365 FOR ENTERPRISES [7].

Exchange Online is one of several cloud services offered by Microsoft Office 365 [8]. Office 365 provides secure anywhere access to professional email, shared calendars, instant messaging (IM), video conferencing, and document collaboration. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.

5 UNDERSTANDING EXCHANGE ACTIVESYNC: http://technet.microsoft.com/en-us/library/aa998357.aspx
6 EXCHANGE ONLINE SERVICE DESCRIPTION: http://go.microsoft.com/fwlink/?LinkId=207232
7 MANAGE YOUR ORGANIZATION - OFFICE 365 FOR ENTERPRISES: http://help.outlook.com/en-us/140/ff657678.aspx
8 Microsoft Office 365: http://office365.microsoft.com/


Beyond Microsoft Exchange Online, Office 365 indeed includes:

- Microsoft Office. Microsoft Office Professional Plus seamlessly connects with Microsoft Office Web Apps for a productivity experience across PCs, mobile devices, and browsers;

Note An appropriate device, Internet connection, and supported browser are required. Some mobile functionality requires Office Mobile 2010 which is not included in Office 2010 applications, suites, or Office Web Apps. Furthermore, there are some differences between the features of the Office Web Apps, Office Mobile 2010, and the Office 2010 applications.

- Microsoft SharePoint Online. SharePoint Online is a cloud-based service for creating sites that connect colleagues, partners, and customers using enterprise social networking and customization;

- Microsoft Lync Online. Lync Online offers cloud-based IM, presence, and online meeting experiences with screen sharing, voice and video conferencing.

Note For additional information on Office 365 in addition to the content of this paper, please refer to the product online documentation [9], the OFFICE 365 DEPLOYMENT GUIDE FOR ENTERPRISES [10], the Office 365 Tech Center web site [11], and the Office 365 Community web site (blogs, forums, wikis, etc.) [12].

Objectives of this paper

Every day, information workers use e-mail messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

Because people can now access their e-mail from just about anywhere, mailboxes have transformed into repositories containing large amounts of potentially sensitive information. As a result, information leakage can be a serious threat to organizations. Leaks of confidential information can indeed result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more. This risk demands effective Information Protection and Control (IPC) systems, which are not only secure but easy to apply, whether it’s to e-mail messages sent inside an organization or outside the organization to business partner organizations.

IPC goes by a lot of names: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. All of these categories aim to prevent the accidental and unauthorized distribution of sensitive information.

An effective IPC system can benefit organizations in a number of ways by helping to reduce:

- Violations of corporate policy and best practices;

- Non-compliance with government and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) [13], Gramm-Leach-Bliley Act (GLBA) [14], Sarbanes-Oxley (Sarbox or SOX) [15], Canada's Personal Information Protection and Electronic Documents Act (PIPEDA or PIPED Act) [16], European Union Data Protection Directive (EUDPD 2003/58/EC) [17], Japan's Personal Information Privacy Act (PIPA) [18], etc., to just name a few;

- Loss of intellectual property and proprietary information;

- High-profile leaks of sensitive information;

- Damage to corporate brand image and reputation.

9 Office 365 Help: http://onlinehelp.microsoft.com/en-us/office365-enterprises/
10 OFFICE 365 DEPLOYMENT GUIDE FOR ENTERPRISES: http://www.microsoft.com/download/en/details.aspx?id=26509
11 Office 365 Tech Center web site: http://technet.microsoft.com/en-us/office365/default
12 Office 365 Community web site: http://community.office365.com/en-us/default.aspx
13 Passed in 1996, HIPAA relates to healthcare coverage and, for example, how companies may use medical information.
14 Gramm-Leach-Bliley, also known as the Financial Services Modernization Act, was passed in 1999.

To help secure this information and prevent information leakage, Exchange Online in the context of this paper can be integrated with an on-premises Microsoft Active Directory Rights Management Services (AD RMS) infrastructure. This integration activates advanced Exchange Server 2010 Service Pack 1 (SP1) (and above) features. In other words, organizations that benefit from the Exchange Online services can leverage their on-premises AD RMS infrastructure, if any, to have in place a comprehensive system that automatically:

- Controls the distribution of information with a proper inspection of e-mail messages (using MailTips, transport protection rules or Outlook protection rules) and the application of appropriate actions, such as protect, block, alert, redirect, etc., in accordance with the corporate security and privacy policies;

- Protects online and offline access to information with support for Information Rights Management (IRM); that is, rights management encryption that travels with e-mail messages and attachments wherever they are sent, inside or outside the organization.

IRM provides persistent protection to control who can access, forward, print, or copy sensitive information within an e-mail. IRM protection can be applied by users in Microsoft Office Outlook or Outlook Web App (OWA), and it can automatically be applied by administrators using transport protection rules or Outlook protection rules. IRM helps the organization and its users control who can access, forward, print, or copy sensitive data within an e-mail: “Do Not Forward”, “Company Confidential”, “Do Not Reply All”, etc.

Exchange Online IPC features support multiple scenarios, dramatically increasing the power and the versatility of IPC. This paper will cover them.

As of this paper, SharePoint Online does not support IRM integration. While you can upload any IRM-protected files to your SharePoint Online site, SharePoint Online doesn’t understand IRM encryption. Consequently, the content will not be decrypted and the existing protection will be preserved. In such a scenario, SharePoint Online also will not be able to index or search the IRM-protected file. This may evolve with future releases of Microsoft Office 365.

15 The Sarbanes–Oxley Act of 2002, also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House), is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
16 Passed in 2000, and reviewed every 5 years, PIPEDA is a Canadian law relating to data privacy that governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
17 Passed in 2003, EUDPD requires that all EU members must adopt national regulations to standardize the protection of data privacy for citizens throughout the EU.
18 Passed in 2003, PIPA spells out duties of the national and local government for handling personal information and measures for protecting personal information. It also sets out obligations of businesses that handle personal information.


Built on existing Microsoft documentation and knowledge base articles, this paper further presents how to leverage the corporate on-premises AD RMS infrastructure in the organization’s Office 365 tenant(s), and more specifically with Microsoft Exchange Online. Special thanks to Enrique Saggese, Microsoft Senior Program Manager Information Protection, for providing valuable content on this subject.

For that purpose, beyond a short depiction of the AD RMS technology to introduce key concepts, requirements, and components for the rest of the paper, it describes the AD RMS cross-premises functionality with Exchange Online and how to configure it, so that Microsoft Office 365 projects involving on-premises AD RMS in this context can be more easily completed, consequently enabling customers to realize the full potential of the Microsoft Office 365 offering.

The paper provides basic instructions for setting up and configuring an AD RMS single-node cluster in a test lab environment for the cross-premises deployment with Exchange Online. It does not, however, provide a complete technical reference for AD RMS.

Organization of this paper

To cover the aforementioned objectives, this document adopts an organization according to the following themes, each of them being addressed in the following sections:

- A BRIEF OVERVIEW OF AD RMS;
- UNDERSTANDING THE CROSS-PREMISES DEPLOYMENT OF AD RMS;
- EXTENDING ON-PREMISES AD RMS TO OFFICE 365;
- MANAGING THE CROSS-PREMISES DEPLOYMENT.

This paper is part of a series of documents on the identity and security features of Office 365, and more specifically is the second guide of the series. It indeed completes a first whitepaper entitled MICROSOFT OFFICE 365 SINGLE SIGN-ON (SSO) WITH AD FS 2.0 [19] available on the Microsoft Download Center. This first whitepaper of the series is intended to provide a better understanding of the different single sign-on deployment options for the services in Office 365, how to enable single sign-on using corporate Active Directory credentials and AD FS 2.0 to the services in Office 365, and the different configuration elements to be aware of for such a deployment.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding the Information Rights Management (IRM) features in Exchange Online, how to leverage them, and the potential dependencies with the on-premises (AD RMS) infrastructure.

Note For information on the support of IRM in Exchange Online in addition to the content of this paper, please refer to the article SET UP AND MANAGE INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ONLINE [20].

19 MICROSOFT OFFICE 365 SINGLE SIGN-ON (SSO) WITH AD FS 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=28971
20 SET UP AND MANAGE INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ONLINE: http://help.outlook.com/en-us/140/gg597271.aspx


A brief overview of AD RMS

Organizations of all sizes are challenged to protect a growing quantity of valuable digital information against careless mishandling and malicious use. The increasing incidences of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital information.

This digital information may include confidential e-mail messages, strategic planning documents, financial forecasts, contracts, dynamic, database-driven reports, and other sensitive information. The growing use of computers and devices to create and work with this information, the introduction of extensive connectivity through networks and the Internet, and the appearance of increasingly powerful computing devices have made protecting enterprise data an essential security consideration.

In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital files and information. For example, the financial, government, healthcare, and legal sectors are increasingly taxed by the need to better protect digital files and information due to emerging legislative standards such as the Health Insurance Portability and Accountability Act (HIPAA) [21] and the Gramm-Leach-Bliley Act (GLBA) [22] in the financial services market.

Digital information must be better protected. Although no form of information will ever be completely risk-free from unauthorized use and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution for safeguarding information.

As an essential part of an organization's overall security strategy, a solution for better Information Protection and Control (IPC) should provide the means to control how data is used and distributed beyond simple access control. IPC goes by a lot of names: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. An IPC solution should indeed help protect an organization's records and documents on the company intranet, as well as from being shared with unauthorized users. It should help to ensure that data is protected and tamper-resistant. When necessary, information should expire based on time requirements, even when that information is sent over the Internet to other individuals.

Such IPC capabilities (encryption and usage rights) are provided by Microsoft Active Directory Rights Management Services (AD RMS) [23], an information protection technology that enables AD RMS-enabled applications to protect digital content from unauthorized use, both online and offline, inside and outside of the organization’s boundaries. First shipped in the Windows Server 2003 timeframe, with the latest release being Windows Server 2008 R2, AD RMS is a server role designed for organizations that need to protect sensitive and proprietary information such as confidential e-mail messages, financial reports, product specifications, customer data, etc. through persistent usage policies (also known as usage rights and conditions) by establishing the following essential elements:

Trusted entities. Organizations can specify the entities, including individuals, groups of users, computers, devices, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.

21 Passed in 1996, HIPAA relates to healthcare coverage and, for example, how companies may use medical information.
22 Gramm-Leach-Bliley, also known as the Financial Services Modernization Act, was passed in 1999.
23 Microsoft Active Directory Rights Management Services (AD RMS): http://go.microsoft.com/fwlink/?LinkId=84726


Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use protected information. Examples of named rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities (as well as non-trusted entities) from accessing the protected information.

Encryption. Encryption is the process by which data is locked with electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.

The usage policies remain with the information, no matter where it goes, even in transport, rather than the rights merely residing on an organization’s corporate network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, inside and outside of the organization. The deployment of an AD RMS system provides the following benefits to an organization:

Safeguard sensitive information. Applications such as e-mail clients, word processors, and line-of-business (LOB) applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom rights policy templates such as "Confidential - Read only" that can be applied directly to the information.

Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.

Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.
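To make the three essential elements above (trusted entities, usage rights with conditions, encryption) and the "policy travels with the content" benefit concrete, here is an added toy model in Python. It is not code from this paper or from AD RMS: the sealing helper, the server key, the user names and the rights vocabulary are constructed for illustration and stand in for the real AD RMS licenses and cryptography.

```python
"""Toy model (added illustration, not AD RMS code) of the three essential elements:
trusted entities, usage rights with an expiry condition, and encryption, with the
policy travelling with the protected content and enforced at consumption time."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the AD RMS cluster's key (assumption, not a real key).
SERVER_KEY = hashlib.sha256(b"constructed-demo-server-key").digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a toy substitute for the real AES-based scheme.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (toy authenticated encryption)."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting, so tampered content is rejected, not decrypted."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("protected content has been tampered with")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def publish(plaintext, rights_by_user, expires_at):
    """Author side: a fresh content key encrypts the body; the key plus the usage
    policy are sealed to the server key, so the policy travels with the content."""
    content_key = os.urandom(32)
    policy = {"rights": rights_by_user, "expires": expires_at.isoformat(), "key": content_key.hex()}
    return {
        "body": seal(content_key, plaintext),
        "publishing_license": seal(SERVER_KEY, json.dumps(policy).encode()),
    }


def request_use_license(protected, user, wanted_rights, trusted_users, now):
    """Server side: only a trusted entity whose granted rights cover the request,
    and whose policy has not expired, receives the content key."""
    policy = json.loads(unseal(SERVER_KEY, protected["publishing_license"]))
    if user not in trusted_users:
        return None, "not a trusted entity"
    if datetime.fromisoformat(policy["expires"]) <= now:
        return None, "policy expired"
    granted = policy["rights"].get(user, [])
    missing = [r for r in wanted_rights if r not in granted]
    if missing:
        return None, "missing rights: " + ", ".join(missing)
    return {"user": user, "rights": granted, "key": policy["key"]}, "ok"


def consume(protected, use_license):
    """Client side: the AD RMS-enabled application decrypts only with a granted key."""
    return unseal(bytes.fromhex(use_license["key"]), protected["body"]).decode()


def demo():
    """Walk through the grant/deny cases with constructed users and a 7-day expiry."""
    now = datetime(2013, 9, 1, tzinfo=timezone.utc)
    trusted = {"alice@contoso.example", "bob@contoso.example"}
    # Bob may view and reply but not forward: the "Do Not Forward" idea in miniature.
    protected = publish(b"Q3 forecast: confidential",
                        {"bob@contoso.example": ["VIEW", "REPLY"]},
                        now + timedelta(days=7))
    results = {}
    lic, why = request_use_license(protected, "bob@contoso.example", ["VIEW"], trusted, now)
    results["view"] = consume(protected, lic) if lic else why
    _, results["forward"] = request_use_license(protected, "bob@contoso.example", ["FORWARD"], trusted, now)
    _, results["untrusted"] = request_use_license(protected, "mallory@outside.example", ["VIEW"], trusted, now)
    _, results["expired"] = request_use_license(protected, "bob@contoso.example", ["VIEW"], trusted,
                                                now + timedelta(days=8))
    # Flip one bit of the sealed body: the tag check must reject it even with a valid license.
    body = protected["body"]
    tampered = dict(protected, body=body[:-1] + bytes([body[-1] ^ 0x01]))
    try:
        consume(tampered, lic)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>9}: {outcome}")
```

The point to take from the run is the ordering of checks: identity (trusted entity) first, then the time condition, then the individual rights, and the content key is released only after all three pass.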


Note For additional information on the AD RMS system, see the article ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES OVERVIEW [24], the specification [MS-RMSO]: RIGHTS MANAGEMENT SERVICES SYSTEM OVERVIEW [25], as well as the several posts of the AD RMS Team Blog [26].

Identifying the components of the AD RMS technology

The AD RMS technology, and the AD RMS system, includes the following client and server software along with SDKs:

- Rights Management Server software, which is a set of Web services (*.asmx) that handle the certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions. See section § RIGHTS MANAGEMENT SERVER SOFTWARE hereafter;

- Rights Management Client software, which is a group of Windows APIs that facilitate the computer device activation process and allow RMS-enabled applications to work with the AD RMS system to provide licenses for publishing and consuming rights-protected information. See section § RIGHTS MANAGEMENT CLIENT SOFTWARE;

- Rights Management Services (RMS) Software Development Kit (SDK) for the server and client components, which includes documentation and sample code that enable software developers to customize their AD RMS server environment and/or to create client- and server-based AD RMS-enabled applications. See section § RIGHTS MANAGEMENT SERVICES SDK.

For an end-to-end solution and a working AD RMS system, the following is necessary:

- Active Directory Rights Management Services (AD RMS) server role as provided by Windows Server 2008 R2;
- AD RMS clients;
- AD RMS-enabled application or browser to create or view rights-protected information.

For the latter bullet, AD RMS is for instance integrated as Information Rights Management (IRM) in the following Microsoft products:

Microsoft Office Professional Plus (subscription), Microsoft Office Professional 2010 and Microsoft Office Professional Plus 2010, Microsoft Office for Mac 2011 and in their stand-alone versions of Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft InfoPath, and Microsoft Word. IRM-protected content that is created in Office 2010 and/or in Office for Mac 2011 can be viewed in Microsoft Office 2003, Microsoft Office 2007, Office 2010 or Office for Mac 2011.

24 ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES OVERVIEW: http://go.microsoft.com/fwlink/?LinkId=84726
25 [MS-RMSO]: RIGHTS MANAGEMENT SERVICES SYSTEM OVERVIEW: http://msdn.microsoft.com/en-us/library/dd806876(v=prot.10)
26 AD RMS Team Blog: http://blogs.technet.com/b/rms/


Note For more information about features between Office suites, see the article COMPARE SERVER INTEGRATION FEATURES BETWEEN OFFICE SUITES AVAILABLE THROUGH VOLUME LICENSING 27.

Interestingly enough, users do not need to have Office installed to read protected documents and messages. Indeed, the Word Viewer28, the Excel Viewer29 and Windows Phone 7.5 enable Windows users who have the correct permission to read documents that have restricted permission, without using Office software. The Rights Management Add-on (RMA) for Internet Explorer30 provides a way for users of supported Windows operating systems to view, but not alter, files with restricted permission. Likewise, users can also use Microsoft Outlook Web App (OWA) to read e-mail messages that have restricted permissions, without using Outlook software.

Note For more information about IRM and AD RMS features that are supported in Office 2010, Office 2007, and Office 2003, see the articles AD RMS AND MICROSOFT OFFICE DEPLOYMENT CONSIDERATIONS 31 and PLAN FOR INFORMATION RIGHTS MANAGEMENT IN OFFICE 2010 32.

Note For more information about IRM in Office for Mac 2011, see INFORMATION RIGHTS MANAGEMENT IN OFFICE FOR MAC 2011 DEPLOYMENT GUIDE 33.

Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, Microsoft SharePoint Foundation 2010, and Microsoft SharePoint Server 2010, which support using IRM on documents that are stored in document libraries. By using IRM in SharePoint, you can control which actions users can take on documents when they open them from libraries in SharePoint. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document.

Note For more information about how to use IRM with document libraries, see the article PLAN DOCUMENT LIBRARIES (WINDOWS SHAREPOINT SERVICES) 34.

Microsoft Exchange Server 2010, which offers new IRM-protected e-mail messages and attachments functionality including AD RMS protection for Unified Messaging voice mail messages and Microsoft Outlook protection rules that can automatically apply IRM-protection to messages in Outlook 2010 before they leave the Microsoft Outlook client. See section § ON-PREMISES IRM.

27 COMPARE SERVER INTEGRATION FEATURES BETWEEN OFFICE SUITES AVAILABLE THROUGH VOLUME LICENSING: http://office.microsoft.com/en-us/buy/compare-server-integration-features-between-office-suites-available-through-volume-licensing-FX101850719.aspx#a
28 Word Viewer: http://go.microsoft.com/fwlink/p/?LinkId=184595
29 Excel Viewer: http://go.microsoft.com/fwlink/p/?LinkId=184596
30 Rights Management Add-on (RMA) for Internet Explorer: http://www.microsoft.com/en-us/download/details.aspx?id=4753
31 AD RMS AND MICROSOFT OFFICE DEPLOYMENT CONSIDERATIONS: http://go.microsoft.com/fwlink/p/?LinkId=153314
32 PLAN FOR INFORMATION RIGHTS MANAGEMENT IN OFFICE 2010: http://technet.microsoft.com/en-us/library/cc179103.aspx
33 INFORMATION RIGHTS MANAGEMENT IN OFFICE FOR MAC 2011 DEPLOYMENT GUIDE: http://go.microsoft.com/fwlink/?LinkId=201940
34 PLAN DOCUMENT LIBRARIES (WINDOWS SHAREPOINT SERVICES): http://go.microsoft.com/fwlink/p/?LinkId=183051


Note To learn more about IRM and how to deploy it in Exchange 2010, see the articles UNDERSTANDING INFORMATION RIGHTS MANAGEMENT 35 and UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ACTIVESYNC 36 on Microsoft TechNet.

Beyond the above Microsoft products, AD RMS technologies also allow third parties to integrate information protection for a comprehensive platform solution, enabling the integration of information protection into other information processing infrastructures, such as automated workflows, records and document management, e-mail message archiving, content inspection, and more. This requires leveraging the aforementioned Rights Management Services SDK. See section § RIGHTS MANAGEMENT SERVICES SDK.

Rights management server software

At the core of AD RMS on-premises is the Windows Server 2008 R2 Active Directory Rights Management Services (AD RMS) server role that handles the certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions. It facilitates the steps that enable trusted entities to use rights-protected information. The AD RMS server role augments an organization's security strategy by providing protection of information through persistent usage policies. During installation and provisioning of the AD RMS server role, you can choose the option to join a server to a cluster. When you do this, the new AD RMS server is automatically configured as a member of the AD RMS cluster. Joining one or more AD RMS servers to a root cluster is the best way to increase the availability and redundancy of your deployment. An AD RMS root cluster can contain one or many servers that provide all services to AD RMS clients. The following are features of the AD RMS server role:

Setup for trusted entities. AD RMS provides the tools to set up and configure the servers, client computers, devices and users as trusted entities in an AD RMS system. This setup process includes the following:

a. Server activation. During the activation process of the first server in a new AD RMS cluster (also known as server bootstrapping), the server generates a key pair (public and private keys) for the AD RMS cluster. The AD RMS cluster private key is used by the AD RMS cluster to sign many other identity certificates used in the system, and it is also used by the clients to encrypt other material for the server to decrypt, as discussed later in this paper. This private key is protected with the Microsoft Data Protection API (DPAPI)37 along with a complex password (as the entropy) before being stored in the configuration database (or in a Hardware Security Module (HSM)). The private key is retrieved from this database and decrypted (with the complex password stored under the AD RMS service account profile) each time an AD RMS server is booted. The server creates the Server Licensor Certificate (SLC), which includes the AD RMS cluster public key, and signs the SLC with its private key (thus, it is a self-signed certificate). The AD RMS key chain root ends in the organization's AD RMS certification cluster SLC.

35 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd638140.aspx
36 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ACTIVESYNC: http://technet.microsoft.com/en-us/library/ff657743.aspx
37 WINDOWS DATA PROTECTION: http://technet.microsoft.com/en-us/library/ms995355.aspx


Note Earlier versions required access to the Microsoft Enrollment Center through the Internet to issue and sign the SLC. AD RMS now relies on a self-enrollment certificate that is included in Windows Server 2008 R2.

Furthermore, the created SLC is shared by all the servers in the new AD RMS cluster.

Note For additional information on the server bootstrapping, see the post AD RMS UNDER THE HOOD: SERVER BOOTSTRAPPING 38 on the AD RMS Team Blog.

b. User activation. An organization must identify the users who are trusted entities within their AD RMS system. Users are identified by two certificates: one which is used to identify users against the AD RMS servers, and another one which is used to identify a user that has protected a piece of content. The first one is called the Rights Account Certificate (RAC), and is also known by its old name, the Group Identity Certificate (GIC). When a user first authenticates against the certification URL (_wmcs/certification/certification.asmx) of an AD RMS cluster, a RAC is issued to the user, and then the user uses this certificate for any future identification needs to the system. The RAC is also used by the server to encrypt licenses being sent to the user, and by the client to sign the other user certificate mentioned above, the Client Licensor Certificate (CLC). This one is obtained from the RMS licensing pipeline (_wmcs/licensing/publish.asmx) during client activation, and it is used to license information or in other words to sign the Publishing Licenses (PL) embedded into any encrypted content, and that contain the usage rights (View, Edit, Print, Copy, etc.) and conditions for the published rights-protected information.

Publishing licenses that define usage rights and conditions. A trusted entity can use AD RMS-enabled applications to assign specific usage rights and conditions to their information, which are consistent with their organization’s business policies. These usage rights and conditions are defined within Publishing Licenses (PL) that specify the authorized users who can view the information and how that information can be used and shared.

Use licenses that enforce usage rights and conditions. Each trusted entity that is a recipient of rights-protected information transparently requests and receives a Use License (UL or EUL) from the AD RMS server when attempting to open the information. A UL is granted to authorized recipients. It contains the usage rights and conditions that individual has been granted for that information. An AD RMS-enabled application uses AD RMS technology features to read, interpret, and enforce the usage rights and conditions defined in the use license.

Encryption and keys. Protected information is encrypted to prevent unauthorized users from consuming it. An AD RMS-enabled application uses a symmetric key to encrypt the information. All AD RMS servers, client computers, devices and user accounts have a public/private pair of 1024-bit or 2048-bit RSA keys.

38 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd638140.aspx


Note Service Pack 1 (SP1) for Windows Server 2008 R2 introduces a new cryptographic mode support for AD RMS that enables increasing the cryptographic strength of an AD RMS environment. By running in this advanced mode known as "Cryptographic Mode 2", AD RMS provides a cryptographic implementation that supports enhanced encryption as well as longer cryptographic keys. For example, in mode 2 operation, RSA encryption is enhanced from 1024-bit encryption to 2048-bit encryption. Also, hashing is enhanced from using SHA-1 (128 bits) to SHA-256 (256 bits).

To enable the use of this new Cryptographic Mode 2, all computers that host either AD RMS server or client software must be patched and updated. For additional information, please refer to the article ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICE CRYPTOGRAPHIC MODES 39 and the post AD RMS AND CRYPTOGRAPHIC SUPPORT FOR SHA-2/RSA 2048 40 on the AD RMS Team Blog.

AD RMS uses these public/private keys to encrypt the symmetric key in publishing and use licenses, and to sign rights management certificates and licenses, ensuring access only to properly authorized users and computers. See section § UNDERSTANDING THE AD RMS CERTIFICATES AND LICENSES.

Rights policy templates. Administrators can create and distribute official rights policy templates that define the usage rights and conditions for a pre-defined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their information. For example, an organization might create rights policy templates for its employees that assign separate usage rights and conditions for company confidential, classified, and private data. AD RMS-enabled applications can use these templates, which provide a simple, consistent way for users to apply policies to information.

Revocation lists. Administrators can create and distribute revocation lists that identify and invalidate compromised principals. Revocation is a mechanism that revokes a credential, such as a certificate or license that has already been issued. The primary purpose of revocation is to prevent entities that are no longer trusted from participating in an AD RMS system. As an example, an organization's revocation list can invalidate the certificates for specific computers, devices or user accounts. If an employee is terminated, the principals involved can be added to the revocation list and can no longer be used for any AD RMS related operations. They can no longer be used to acquire new licenses.

Exclusion policies. Administrators can implement server-side exclusion policies to deny license requests based on the requestor's user ID (an Active Directory account or a Microsoft Account (formerly Windows Live ID)), rights management account certificates, or rights management lockbox versions (see section § RIGHTS MANAGEMENT CLIENT SOFTWARE). Exclusion policies deny new license requests made by compromised principals, but unlike revocation, exclusion policies do not invalidate the principals. Administrators can also exclude potentially harmful or compromised applications so that they cannot decrypt rights-protected content.

Logging. Administrators can track and audit the use of rights-protected information within an organization. AD RMS includes support for logging so that organizations have a record of AD RMS-related activities, including the PL and UL licenses that have been issued or denied.

The AD RMS server role in Windows Server 2008 R2 is manageable by two sets of Windows PowerShell cmdlets.

39 ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICE CRYPTOGRAPHIC MODES: http://go.microsoft.com/fwlink/p/?LinkID=241989
40 AD RMS AND CRYPTOGRAPHIC SUPPORT FOR SHA-2/RSA 2048: http://blogs.technet.com/b/rms/archive/2012/04/29/ad-rms-and-cryptographic-support-for-sha-2-rsa-2048.aspx


Note Windows PowerShell is a command-line shell and scripting language that is designed for system administration and automation. It uses administrative tasks called cmdlets. Each cmdlet has required and optional arguments, called parameters, that identify which objects to act on or control how the cmdlet performs its task. You can combine cmdlets in scripts to perform complex functions that give you more control and help you automate the administration of Windows and applications. It has become a common way to manage the latest generation of Microsoft server products, including Windows Server 2008 (R2), Exchange Server 2010, etc.

For more information about Windows PowerShell 2.0, please see the Windows PowerShell Web site41, the Windows PowerShell online help42, and the Windows PowerShell Weblog43. You can also refer to the Windows PowerShell Software Development Kit (SDK)44 that includes a programmer’s guide along with a full reference.

One set (AdRmsInstall) assists in deploying and configuring AD RMS, and the second set (AdRmsAdmin) is used to administer an AD RMS cluster. To run these two sets of cmdlets, you need to import both modules:

PS C:\Windows\system32> Import-Module AdRms
PS C:\Windows\system32> Import-Module AdRmsAdmin

After the modules are imported, you can manage and administer AD RMS installations and components through Windows PowerShell.

Note For additional information, you can refer to the articles AD RMS CMDLETS IN WINDOWS POWERSHELL 45 and USING WINDOWS POWERSHELL TO DEPLOY AD RMS 46.

Rights management client software

Each client computer or device in an AD RMS system must have the Rights Management Client software installed. The component of the Rights Management Client software that performs all encryption, decryption, signing, and validation steps necessary to publish and consume rights-protected information is called the computer "lockbox." Machine activation is the process in which the lockbox is activated on the client computer or device. The client software ships with the lockbox already included, with all the logic necessary to generate, store, and digitally sign the machine's credentials. It will self-activate upon first use by any user, including non-administrators. Using Windows encryption and DPAPI, it will generate the necessary unique keys and credentials itself, i.e. the Security Processor Certificate (SPC), upon activation. The SPC identifies each machine and allows the machine to encrypt other elements stored locally in the computer.

41 Windows PowerShell Web site: http://www.microsoft.com/powershell
42 Windows PowerShell online help: http://technet.microsoft.com/en-us/library/bb978526.aspx
43 Windows PowerShell Weblog: http://blogs.msdn.com/powershell
44 Windows PowerShell SDK: http://msdn2.microsoft.com/en-us/library/aa830112.aspx
45 AD RMS CMDLETS IN WINDOWS POWERSHELL: http://technet.microsoft.com/en-us/library/ee617271
46 USING WINDOWS POWERSHELL TO DEPLOY AD RMS: http://go.microsoft.com/fwlink/?LinkId=136806


Note For additional information on the user activation, see the post AD RMS UNDER THE HOOD, CLIENT BOOTSTRAPPING, STEP 1 47 on the AD RMS Team Blog.

The latest version of the AD RMS Client 1.0 is included as part of the Windows 7, Windows Vista Service Pack 1 (SP1), Windows Server 2008, or Windows Server 2008 R2 operating systems. For down-level clients, you can install the Microsoft Windows Rights Management Services Client with Service Pack 2 (SP2), which can be downloaded from the Microsoft Download Center48. As of this paper, a new client, the AD RMS Client 2.0, has just been released for download on the Microsoft Download Center49. The AD RMS Client 2.0 is designed for your client computers to help protect access to and usage of information flowing through applications that use AD RMS, whether installed on your premises or in a Microsoft datacenter. It is supported on Windows Vista (SP2 or later), Windows 7 (SP1 or later), and Windows Server 2008 R2 or above. It ships as an optional download which can be, with acknowledgment and acceptance of its license agreement, freely distributed with your third-party software to enable clients to access content that has been rights-protected by use and deployment of AD RMS servers in your environment (see next section). With the consumerization of IT (CoIT), which is now a reality, users expect to be able to use their own devices, such as smartphones, tablets or laptops, for their work. To put in place a "Bring Your Own Device" (BYOD) environment that leverages AD RMS as the organization's IPC system, you also need an AD RMS client on these devices.

Note To help figure out how to face security, compliance and compatibility issues you might deal with and give users access to corporate intellectual property from ubiquitous devices, both managed and unmanaged, you can refer to a series of documents on Consumerization of IT (CoIT), i.e. Test Lab Guides (TLGs) available on the Microsoft Download Center50. The TLGs illustrate key CoIT scenarios with current Microsoft technologies such as Windows Server 2008 R2 and allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration.

In terms of supported devices, Windows Mobile 6.x comes with a full AD RMS client installed on the device. This enabled both the creation and consumption of protected documents. However, the end user had to activate IRM using Microsoft Windows Mobile Device Center (WMDC)51 or Microsoft ActiveSync 4.552, depending on the Windows version of the computer being used for syncing the device. See the article SYNC WINDOWS PHONE 6.5 WITH MY COMPUTER 53. Windows Phone 7.5 also includes built-in functionality to handle rights-managed e-mail messages and Microsoft Office Word, Excel and PowerPoint documents, which can be sent to Windows Phone users as attachments (or made available to them through Windows SkyDrive54, a corporate on-premises Microsoft SharePoint 2010 site, or a SharePoint Online site, which is available with Microsoft Office 365).

47 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd638140.aspx
48 HOW TO OBTAIN WINDOWS RIGHTS MANAGEMENT SERVICES WITH SERVICE PACK 2: http://support.microsoft.com/kb/917275
49 Active Directory Rights Management Services (AD RMS) Client 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=29892
50 CONSUMERIZATION OF IT TEST LAB GUIDES: http://www.microsoft.com/en-us/download/details.aspx?id=29574
51 INSTALL WINDOWS MOBILE DEVICE CENTER: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/installing-wmdc.aspx
52 INSTALL ACTIVESYNC: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/installing-activesync.aspx
53 SYNC WINDOWS PHONE 6.5 WITH MY COMPUTER: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/sync-windows-phone-6-5-with-my-computer.aspx
54 Windows SkyDrive: http://windows.microsoft.com/en-US/skydrive/home


Important note IRM e-mail conversations cannot be initiated from a Windows Phone. Windows Phone 7.5 indeed supports IRM through Exchange ActiveSync (EAS) IRM (see section § ON-PREMISES IRM), and consequently there is no AD RMS client on the device. Exchange Server 2010 Service Pack 1 (SP1) and above receives a protected message, decrypts it, and packages it in a way that the device understands and can enforce the rights. One advantage of this method is that no activation of the phone is required. However, you cannot author protected content on the device. As of writing, Windows Phone does not support storage encryption.

Note For additional information, see the whitepaper RIGHTS-MANAGED EMAIL AND OFFICE DOCUMENTS IN WINDOWS PHONE 7.5 55.

Rights management services SDK

AD RMS technology includes the Rights Management Services SDK, a set of documentation and sample code that enables organizations to customize AD RMS and to create AD RMS-enabled applications. As of this paper, a new Active Directory Rights Management Services SDK 2.0, formerly known as Microsoft Information Protection and Control (MSIPC), has just been released for download on the Microsoft Download Center56. This version 2.0 is the revamped SDK for rights-enabling your applications and solutions that indeed provides a simple mechanism for developers to create applications that author and consume rights-protected content. It leverages the functionalities exposed by the new client 2.0 (see previous section) in the DLL Msipc.dll.

Note For additional information, you can refer to the ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES SDK 2.0 57 documentation and the AD RMS Developer's Corner58, the official blog of the Rights Management product team at Microsoft for developers working with information protection using AD RMS.

As part of a major effort to reduce complexity and streamline the development process, the entire API surface has been redesigned from the ground up to enable the natural evolution of AD RMS capabilities without breaking applications. This "write once, run anywhere" philosophy means that MSIPC-based applications are guaranteed to work on all supported AD RMS topologies and are compatible with all supported AD RMS servers (V1 SP2 for Windows Server 2003, Windows Server 2008, Windows Server 2008 R2). Perhaps most notably of all, this new version eliminates the need for developers to write thousands of lines of specialized code in order to discover AD RMS servers, download and use AD RMS certificates, and manage AD RMS identities, greatly simplifying the integration process. This new version 2.0 must now be used instead of the previous version 1.0, which is still available for download on the Microsoft Download Center59 and which leverages the core functionalities exposed by the client 1.0 (see previous section) in the DLL Msdrm.dll. The latter may indeed be altered or unavailable in subsequent versions.

55 RIGHTS-MANAGED EMAIL AND OFFICE DOCUMENTS IN WINDOWS PHONE 7.5: http://www.microsoft.com/en-us/download/details.aspx?id=27743
56 Active Directory Rights Management Service SDK 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=29893
57 ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES SDK 2.0: http://msdn.microsoft.com/en-us/library/hh535290(v=vs.85)
58 AD RMS Developer's Corner: http://blogs.msdn.com/b/rms/archive/2012/05/31/official-release-of-ad-rms-sdk-2-0-and-ad-rms-client-2-0.aspx
59 Rights Management Services SDK: http://www.microsoft.com/en-us/download/details.aspx?id=15902


Understanding the AD RMS certificates and licenses

Since it encrypts and signs data, AD RMS, like Active Directory Certificate Services (AD CS) and PKI infrastructure in general, relies on certificates issued to the computers, devices and users in the AD RMS system, but these certificates are NOT X.509 certificates. AD RMS uses instead an XML vocabulary to express usage rights and conditions, the eXtensible rights Markup Language (XrML). The XrML specification specifies a Rights Expression Language (REL) that provides a simple-to-use, universal method for expressing usage policies that are linked to the use and protection of digital information in any format, such as e-mail, office files, etc. The XrML-based certificates issued by an AD RMS system identify trusted entities that can publish or view rights-protected information. Users who are trusted entities in an AD RMS system can assign usage rights and conditions to the information they want to protect via an AD RMS-enabled application. These usage policies specify who can use the information and what they can do with it.

Note XrML supports an extensive list of rights, and application developers can define additional rights to meet their particular needs. This extensibility helps to ensure that organizations can build business, usage, and workflow models to meet their specific requirements.

The information is encrypted using the electronic keys from the AD RMS-enabled application and the XrML-based certificates of the trusted entities. After the information is encrypted or locked by this mechanism, only the trusted entities specified in the XrML-based publishing licenses can unlock and use that information. Managing information online using XrML-based licenses provides easy access from any location. After the XrML-based license is downloaded, the rights are effective both online and offline, persisting with the digital information wherever it goes. Users could then distribute the rights-protected information to other users in their organization via e-mail, internal servers, or external sites to enable trusted external partners to access the information.

Note Various interoperable rights management systems, such as the already mentioned GigaTrust Enterprise Rights Management60 partner offering, can easily interpret and manage these licenses because they all use the XrML standard. The XrML specification has been standardized: the related international standard is ISO/IEC 21000-5:2004, INFORMATION TECHNOLOGY — MULTIMEDIA FRAMEWORK (MPEG 21) — PART 5: RIGHTS EXPRESSION LANGUAGE [REL] 61.

Similarly to a PKI infrastructure, the AD RMS hierarchy forms a chain of trust that validates the XrML-based certificate and license when being used. The following table summarizes all the XrML-based certificates and licenses required as part of the AD RMS system.

60 GigaTrust Enterprise Rights Management: http://www.gigatrust.com/index.shtml
61 ISO/IEC 21000-5:2004, INFORMATION TECHNOLOGY — MULTIMEDIA FRAMEWORK (MPEG 21) — PART 5: RIGHTS EXPRESSION LANGUAGE [REL]: http://www.iso.org/iso/pressrelease.htm?refid=Ref913


Table 1: AD RMS XrML-based certificates and licenses

Server Licensor Certificate (SLC)
Purpose: The server licensor certificate that is issued to licensing servers grants the right to issue publishing licenses (PL), use licenses (UL), client licensor certificates (CLC) and rights policy templates. The server licensor certificate that is issued to the AD RMS cluster additionally grants the right to issue rights account certificates (RAC) to clients and server licensor certificates (SLC) to licensing servers.
Content: The SLC that is issued to a licensing server contains the public key of the licensing server. The SLC that is issued to the root certification server contains the public key of the root certification server.

Client Licensor Certificates (CLC)
Purpose: Grant a user the right to publish AD RMS-protected content.
Content: Contain the public key of the certificate, and the private key of the certificate encrypted by the public key of the user who requested the certificate. Also contain the public key of the server that issued the certificate.

AD RMS machine certificates (SPC)
Purpose: Identify a computer or device that is trusted by the AD RMS system.
Content: Contain the public key of the activated computer. The corresponding private key is contained by that computer's lockbox.

Rights Account Certificates (RAC)
Purpose: Identify a user in the context of a specific computer or device.
Content: Contain the public key of the user, and the private key of the user that is encrypted with the public key of the activated computer.

Publishing Licenses (PL)
Purpose: Specify the rights that apply to the AD RMS-protected content.
Content: Contain the symmetric content key for decrypting the content, which is encrypted with the public key of the server that issued the license.

Use Licenses (UL or EUL)
Purpose: Specify the rights that apply to the AD RMS-protected content in the context of a specific authenticated user.
Content: Contain the symmetric content key for decrypting the content, which is encrypted with the public key of the user.


The above XrML-based certificates and licenses imply the use of AD RMS cryptographic keys. The following table lists all the cryptographic keys involved in the AD RMS system.

Table 2: AD RMS cryptographic key definitions

Server keys
  Public key: encrypts the content key that is in a publishing license (PL) so that only the AD RMS server can retrieve the content key and issue use licenses (UL) against that publishing license.
  Private key: signs all certificates and licenses that are issued by the server.

Machine keys
  Public key: encrypts the private key of a rights account certificate (RAC).
  Private key: decrypts a RAC.

Client licensor keys
  Public key: encrypts the symmetric content key in the publishing licenses (PL) that it issues.
  Private key: signs PLs that are issued locally while the user is not connected to the network.

User keys
  Public key: encrypts the content key that is in a use license (UL) so that only a particular user can consume AD RMS-protected content by using that license.
  Private key: allows a user to consume AD RMS-protected content.

Content keys
  Encrypt AD RMS-protected content when the author publishes it.

The following figure synthesizes the two tables above.

Figure 1: Certificate Dependencies and Encryption

(The figure, not reproduced in this text version, shows the six XrML items as boxes, each with its issuer and signature: SLC, SPC, RAC and CLC carry a public key and a private key, while PL and UL carry the content key. Arrows labelled “Issued and signed by” link each item to its issuer, and arrows labelled “Encrypted with” link each private key or content key to the key that protects it. The labels “Strong password or HSM” and “DPAPI & RSAVault” indicate how the private keys are protected at rest.)

Considering the above definitions, the following diagram summarizes how AD RMS works when users publish and consume rights-protected information.

Figure 2: Workflow of creating and viewing rights-protected information

(The figure, not reproduced in this text version, shows the AD RMS Server with its Database Server, the Information Author and the Information Recipient, with arrows numbered 1 to 9 corresponding to the steps listed below.)

This process includes the following steps:

1. The author receives a Client Licensor Certificate (CLC) from the AD RMS server the first time they rights-protect information. This is a one-time step that enables offline publishing of rights-protected information in the future.

2. Using an AD RMS-enabled application, the author creates a file and defines a set of usage rights and conditions for that file. A Publishing License (PL) is then generated that contains the usage policies.

3. The application encrypts the file with a symmetric key, which is then encrypted to the public key of the author’s AD RMS server. The key is inserted into the publishing license (PL) and the publishing license is bound to the file. Only the author’s AD RMS server can issue use licenses to decrypt this file.

4. The author distributes the file.

5. A recipient receives the protected file through a regular distribution channel and opens it using an AD RMS-enabled application or browser.

6. If the recipient does not have an account certificate on the current computer, this is the point at which one will be issued.

7. The application sends a request for a use license to the AD RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate (which contains the recipient's public key) and the publishing license (which contains the symmetric key that encrypted the file).

Note A publishing license (PL) issued by a Client Licensor Certificate (CLC) includes the URL of the server that issued the certificate. In this case, the request for a use license (UL or EUL) goes to the AD RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license (PL).

8. The AD RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.

9. During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the encrypted session key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as an expiration or an application or operating system exclusion.

10. When the validation is complete, the licensing server returns the use license to the recipient's client computer.

11. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights they have been granted.

Note For additional information on the user activation, see the post LICENSES AND CERTIFICATES, AND HOW AD RMS PROTECTS AND CONSUMES DOCUMENTS 62 on the AD RMS Team Blog.
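To make the key handling of Tables 1 and 2 and of steps 3, 8, 9 and 11 above concrete, here is an added example in Go; it is not part of the original article and is not AD RMS code. It models the licensing flow with standard-library RSA-OAEP key wrapping and RSA-PSS signatures: the author wraps the content key to the server’s public key and signs the publishing license with the CLC private key; the licensing server verifies that signature, checks that the recipient is a named user, unwraps the key with its own private key and re-wraps it to the recipient’s public key in a use license signed with the server key; the recipient verifies the use license against the server’s public key and unwraps the key with its own private key. The License struct, the function names, the user name alice@idmgt.demo and the direct hand-over of the CLC and server public keys (in AD RMS they travel inside XrML certificates chained to the SLC) are assumptions of the example; encrypting the file itself under the content key, and the revocation check of step 11, are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// License is a hypothetical stand-in for an XrML publishing or use license.
type License struct {
	WrappedContentKey []byte   // symmetric content key, RSA-OAEP encrypted to one public key
	Rights            string   // rights granted, e.g. "VIEW"
	NamedUsers        []string // users entitled to a use license
	Signature         []byte   // RSA-PSS signature made with the issuer's private key
}

// digest covers every field the issuer vouches for.
func (l License) digest() []byte {
	h := sha256.New()
	h.Write(l.WrappedContentKey)
	h.Write([]byte(l.Rights + "|" + strings.Join(l.NamedUsers, ",")))
	return h.Sum(nil)
}

func sign(priv *rsa.PrivateKey, l *License) (err error) {
	l.Signature, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, l.digest(), nil)
	return err
}

func verify(pub *rsa.PublicKey, l License) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, l.digest(), l.Signature, nil)
}

// Publish is step 3, key handling only (encrypting the file under the returned content
// key is left out): wrap the key to the server's public key, sign the PL with the CLC key.
func Publish(clcPriv *rsa.PrivateKey, serverPub *rsa.PublicKey, rights string, users []string) (License, []byte, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return License{}, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, contentKey, nil)
	if err != nil {
		return License{}, nil, err
	}
	pl := License{WrappedContentKey: wrapped, Rights: rights, NamedUsers: users}
	if err := sign(clcPriv, &pl); err != nil {
		return License{}, nil, err
	}
	return pl, contentKey, nil
}

// IssueUseLicense is steps 8 and 9: verify the PL, check the recipient is a named user,
// unwrap the content key with the server key, re-wrap it to the recipient's RAC key, sign the UL.
func IssueUseLicense(serverPriv *rsa.PrivateKey, clcPub *rsa.PublicKey, pl License, recipient string, recipientPub *rsa.PublicKey) (License, error) {
	if err := verify(clcPub, pl); err != nil {
		return License{}, fmt.Errorf("publishing license rejected: %w", err)
	}
	named := false
	for _, u := range pl.NamedUsers {
		named = named || strings.EqualFold(u, recipient)
	}
	if !named {
		return License{}, fmt.Errorf("%s is not a named user in the publishing license", recipient)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, pl.WrappedContentKey, nil)
	if err != nil {
		return License{}, err
	}
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return License{}, err
	}
	ul := License{WrappedContentKey: rewrapped, Rights: pl.Rights, NamedUsers: []string{recipient}}
	if err := sign(serverPriv, &ul); err != nil {
		return License{}, err
	}
	return ul, nil
}

// Consume is step 11 without the revocation check: verify the UL against the server's
// public key, then unwrap the content key; only the named recipient's RAC private key succeeds.
func Consume(serverPub *rsa.PublicKey, userPriv *rsa.PrivateKey, ul License) ([]byte, error) {
	if err := verify(serverPub, ul); err != nil {
		return nil, fmt.Errorf("use license rejected: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, ul.WrappedContentKey, nil)
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048) // cluster key (Table 2: server keys)
	clc, _ := rsa.GenerateKey(rand.Reader, 2048)    // author's client licensor key
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)  // recipient's RAC key
	pl, contentKey, _ := Publish(clc, &server.PublicKey, "VIEW", []string{"alice@idmgt.demo"})
	ul, _ := IssueUseLicense(server, &clc.PublicKey, pl, "alice@idmgt.demo", &alice.PublicKey)
	got, err := Consume(&server.PublicKey, alice, ul)
	fmt.Println("named recipient recovered the content key:", err == nil && string(got) == string(contentKey))
}
```

Run as is, main reports whether the named recipient recovered the content key. A use license wrapped to one RAC public key cannot be unwrapped with any other user’s private key, an unnamed recipient is refused at the server, and any change to a signed license field invalidates its signature: that is what the chain of trust of Figure 1 provides, with the server keys of Table 2 as the anchor.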

Installing and configuring an on-premises AD RMS infrastructure

Installing and configuring AD RMS requires in-depth planning that is beyond the scope of this document. The standard topology for an AD RMS system consists of one or more physical servers that make up the AD RMS root installation, or cluster. The root installation provides both certification and licensing services. For multiple-server deployments, servers can be configured as a cluster behind a single, shared URL. Only one cluster can exist in an Active Directory Domain Services (AD DS) forest.

All requests for XrML-based certificates and licenses are passed to the root cluster through the shared URL defined for that collection of servers. There are numerous implementations of virtual addressing, such as round-robin DNS, the Network Load Balancing (NLB) service, hardware solutions, and so on. Virtual addressing provides load balancing across the servers and increases fault tolerance by removing the dependency on any one server for licensing and publishing.

Note You can also install licensing-only servers, which automatically form a licensing cluster. Root and licensing-only clusters are independent and cannot share load balancing of the service. For more information on licensing-only cluster, see AD RMS LICENSING-ONLY CLUSTER DEPLOYMENT STEP- BY-STEP GUIDE 63.

AD RMS requires a SQL database such as Microsoft SQL Server 2005, Microsoft SQL Server 2008 or the Windows Internal Database (WID) included in Windows Server 2008 R2 for its configuration and policy information. The configuration database stores, shares, and retrieves configuration and other data. There is one configuration database for each AD RMS server cluster. The configuration database and logging database can be located on one of the physical servers in the cluster or on a separate server providing a remote SQL Server database instance. WID is recommended only for a single-server configuration in low-volume or test environments. Indeed, WID does not support remote connections; therefore, only one server can be used.

62 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd638140.aspx
63 AD RMS LICENSING-ONLY CLUSTER DEPLOYMENT STEP-BY-STEP GUIDE: http://technet.microsoft.com/en-us/library/cc730671%28WS.10%29.aspx


The following diagram illustrates a standard deployment using a separate server running the SQL database server instance.

Figure 3: Standard AD RMS system topology

(The figure, not reproduced in this text version, shows a Rights Management Client sending a license request to the cluster URL, a Load balancer in front of the AD RMS Cluster made of three AD RMS Certification and Licensing Servers, and a separate Database Server hosting the Configuration and Logging databases.)

The technical resources available on the Active Directory Rights Management Services TechCenter64 will guide you through the various planning considerations. Step-by-step guides are also provided to accommodate different scenarios:

- AD RMS DEPLOYMENT IN AN EXTRANET STEP-BY-STEP GUIDE 65;
- AD RMS DEPLOYMENT IN A MULTI-FOREST ENVIRONMENT STEP-BY-STEP GUIDE 66;
- Etc.

For illustration purposes, this section only describes the basics of the installation and the configuration to perform for deploying an on-premises single-server AD RMS root cluster with the use of WID.

Important note AD RMS is not supported and does not run on Server Core installations of Windows Server 2008 R2. AD RMS is however a good candidate for virtualization under the Hyper-V technology, especially in a test lab environment.

The single-server AD RMS root cluster will be installed on the IDMGT-DC computer. This computer, running Windows Server 2008 R2, is already configured as:

- An intranet domain controller for the IDMGT.DEMO Active Directory single-domain forest;
- A Domain Name System (DNS) server (for both the internal IDMGT.DEMO zone and the internal/external demo.idmgt.archims.fr zone, see below);
- An Active Directory Certificate Services (AD CS) enterprise root certificate authority (IDMGT-IDMGT-DC-CA);
- An IIS Web server.

64 Active Directory Rights Management Services TechCenter: http://go.microsoft.com/fwlink/?LinkId=80907
65 AD RMS DEPLOYMENT IN AN EXTRANET STEP-BY-STEP GUIDE: http://technet.microsoft.com/en-us/library/cc753490(WS.10).aspx
66 AD RMS DEPLOYMENT IN A MULTI-FOREST ENVIRONMENT STEP-BY-STEP GUIDE: http://technet.microsoft.com/en-us/library/cc772182(WS.10).aspx

Important note The following instructions reflect the configuration performed for the test lab at the MTC with the intent to limit the number of individual virtual machines (VMs) that are needed. Consequently, the single-server AD RMS root cluster is installed on a domain controller. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network.

Indeed, after provisioning AD RMS on a server, an organization should not use this server to run any Web sites or additional services. If services other than the AD RMS services run on AD RMS servers, conflicts that can result in security issues may occur. Isolating AD RMS on its own dedicated servers helps you predict and manage workload. Isolation also prevents the introduction of software incompatibilities that may compromise the integrity or functionality of the AD RMS service.

Furthermore, with the advent of virtualization, aside from the operating system licensing aspect, there is no longer any reason to create multipurpose domain controllers. Each VM can have its own purpose and run independently of all other services.

Fulfilling the AD RMS installation prerequisites

There are several prerequisites to an AD RMS installation. If you are setting up only a test environment, you will have few items to consider, but when you are ready to deploy AD RMS into a production environment, you should take the utmost care to deploy it correctly. For this reason, endeavor to make your test environment match the requirements of your production environment to prevent surprises when you perform the actual deployment.

Before proceeding with the installation of the AD RMS cluster, you first need to:

- Add a DNS record for the internal and external URL of the cluster;
- Meet some Active Directory Domain Services (AD DS) requirements, notably create a domain user account that will be used as the AD RMS service account. It is also advisable to create a security group for the AD RMS super users;
- Create and install a Web Server certificate.

Additional details can be found in the documentation PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES 67.

To create a CNAME record to prepare for the AD RMS URL, proceed as follows:

1. Log on as an administrator on the DNS computer (IDMGT-DC in our case).

2. Launch Server Manager from the Administrative Tools program group.

3. Expand Roles\DNS Server\DNS\IDMGT-DC\Forward Lookup Zones and select demo.idmgt.archims.fr. This path and value reflect the test lab at the MTC.

67 PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES: http://technet.microsoft.com/en-us/library/cc771789.aspx


4. Right-click in the details pane and click New Alias (CNAME).

5. In the New Resource Record dialog box, type for example the alias name “adrms” and assign it to idmgt-dc.demo.idmgt.archims.fr in the Fully qualified domain name (FQDN) for target host section of the dialog box. Click OK.

Note In the MTC test lab configuration, we rely on a split-brain DNS configuration. An external DNS server is authoritative for the demo.idmgt.archims.fr zone on the Internet.

To create the AD account and group required by the AD RMS cluster, proceed as follows:

1. Log on to a domain controller computer (IDMGT-DC in our case) using a domain administrator account.

2. Launch Server Manager from the Administrative Tools program group.

3. Expand Roles\Active Directory Domain Services\Active Directory Users and Computers\<domain>, which is IDMGT.DEMO in our case.

4. Right-click the Users OU, point to New, and then click User.

5. Name the user “ADRMSService” for example, and use this name for the Full Name, the Logon user name and the Logon user name (pre–Windows 2000). Click Next.

6. Assign a complex password, for example “Pa$$w0rd”, clear User must change password at next logon, and select Password never expires. Click Next, and then click Finish to create the account.

Note For setting up an ADRMS cluster with multiple computers, you must create the service account as directed in these steps because you cannot use a managed service account. Managed service accounts do not work when the account is shared by multiple computers or when the account is used for a service running on multiple computers, such as for a production AD RMS cluster.

7. Right-click this newly created service account, and click Add to a group. Enter “ADRMSService” in Enter the objects names to select, click Check Names, ensure that the name correctly resolves and click OK. (This step is required in our configuration since AD RMS will run on a domain controller; it is not needed otherwise. However, you will then have to grant the service account the Log on Locally permission on the server on which you will install AD RMS.)

8. Right-click on the Domain Users group, and click Properties. Enter in the E-mail textbox a valid e-mail address, for instance “[email protected]”, and click OK.

9. Create a universal global security group named for instance “ADRMS Super Users” under the Users OU.

10. Right-click on the ADRMS Super Users group, and click Properties. Enter in the E-mail textbox a valid e-mail address for the administrators, for instance “[email protected]” in our case. On the Members tab, add the Domain Admins group to this group and click OK.


Because AD RMS requires SSL/TLS-encrypted web connections, you must create and install a Web server certificate before you can proceed with the installation. To prepare a Web server certificate, proceed as follows:

1. Log on to the Certificate Authority computer using a domain administrator account.

2. Launch Server Manager from the Administrative Tools program group.

3. Expand Roles\Active Directory Certificate Services and select Certificate Templates. The node shows that you are connected to IDMGT-IDMGT-DC-CA. Note that all the existing templates are listed in the details pane.

4. Select the Web Server template in the details pane, right-click it, and then click Duplicate Template.

5. Select the version of Windows Server to support, in this case Windows Server 2008 Enterprise, and click OK.

6. Name the template for example “ADRMS Web Server” and set the following options. Leave all other options as they are.

a. On the General tab, select Publish certificate in Active Directory.

b. On the Security tab, add the computer account for IDMGT-DC. To do so, click Add, click Object Types, select Computers, and then click OK. Type the name of the machine on which the AD RMS role is going to be installed, in our case “IDMGT-DC”, click Check Names, and then click OK again.

c. Grant IDMGT-DC the Allow::Read and Allow::Enroll permissions.


7. Click OK.

8. Template issuance is performed in the Certification Authority console section of Server Manager. Expand Roles\Active Directory Certificate Services\<Certification Authority>, in our case IDMGT-IDMGT-DC-CA, and click Certificate Templates.

9. To issue a template, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

10. In the Enable Certificate Templates dialog box, select ADRMS Web Server and click OK.

To request and install a Web Server certificate for AD RMS, proceed as follows:

1. Staying on IDMGT-DC, click the Start menu, type “mmc” in the Search box, and then press Enter.

2. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select the Certificates snap-in and click Add.


3. Choose Computer Account and click Next.

4. Make sure Local Computer is selected, click Finish, and then click OK.

5. Expand Certificates (Local Computer)\Personal and select Certificates.

6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

7. A Certificate Enrollment dialog opens up. Click Next.

8. Make sure Active Directory Enrollment Policy is selected and click Next.

9. Select the AD RMS Web Server certificate, and then click the More information is required to enroll for this certificate. Click here to configure settings link. A Certificate Properties dialog box opens up.

10. In the Certificate Properties dialog box, on the Subject tab, in the Subject Name area, ensure that Common Name is selected, type “*.demo.idmgt.archims.fr” as the Value, and then click Add.


Note Since IDMGT-DC hosts multiple roles in our (limited) test lab configuration, it is easier to configure the IIS Web server with a wildcard common name certificate, so that the same certificate can be used for multiple roles. Indeed, when SSL/TLS clients such as a browser connect to a computer using https, they check that the X.509 SSL/TLS certificate matches the targeted FQDN host name in one of the following three ways:

i. The host name exactly matches the Common Name in the certificate's subject.

ii. The host name matches a wildcard common name. For example, adrms.demo.idmgt.archims.fr matches the common name *.demo.idmgt.archims.fr.

iii. The host name is listed in the Subject Alternative Name (SAN) field. In this case, the SSL/TLS client is supposed to ignore the Common Name value and seek a match in the SAN list.
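As an added illustration of the three rules in this note (example code written for this text, not taken from the article or from any Windows component), the following Go function decides whether a host name matches a certificate’s common name or its SAN list, treating a wildcard as covering exactly one leftmost label and ignoring the common name as soon as a SAN list is present. The function names and the sample certificate names are assumptions of the example; a real TLS client relies on its library’s verifier rather than on this logic.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchHostName applies the three rules of the note: when the certificate carries any
// SAN entry, only the SAN list is consulted (rule iii); otherwise the common name is
// compared exactly (rule i) or as a single-label wildcard (rule ii). It returns whether
// the host matched and which rule decided.
func MatchHostName(host, commonName string, sans []string) (bool, string) {
	host = normalize(host)
	if len(sans) > 0 {
		for _, san := range sans {
			if nameMatches(host, san) {
				return true, "rule iii: SAN entry " + san
			}
		}
		return false, "no SAN entry matches; the common name is ignored when SANs are present"
	}
	if nameMatches(host, commonName) {
		if strings.HasPrefix(commonName, "*.") {
			return true, "rule ii: wildcard common name " + commonName
		}
		return true, "rule i: exact common name " + commonName
	}
	return false, "common name " + commonName + " does not match"
}

// normalize lower-cases a DNS name and drops a trailing dot; DNS matching is case-insensitive.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// nameMatches compares one host to one certificate name. A leading "*." stands for exactly
// one leftmost label, so *.demo.idmgt.archims.fr matches adrms.demo.idmgt.archims.fr but
// neither demo.idmgt.archims.fr nor a.b.demo.idmgt.archims.fr.
func nameMatches(host, pattern string) bool {
	pattern = normalize(pattern)
	if !strings.HasPrefix(pattern, "*.") {
		return host == pattern
	}
	suffix := pattern[1:] // e.g. ".demo.idmgt.archims.fr"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

func main() {
	// Constructed samples: the wildcard certificate of step 10 and a hypothetical SAN certificate.
	for _, c := range []struct {
		host, cn string
		sans     []string
	}{
		{"adrms.demo.idmgt.archims.fr", "*.demo.idmgt.archims.fr", nil},
		{"a.b.demo.idmgt.archims.fr", "*.demo.idmgt.archims.fr", nil},
		{"adrms.demo.idmgt.archims.fr", "adrms.demo.idmgt.archims.fr", []string{"mail.demo.idmgt.archims.fr"}},
	} {
		ok, why := MatchHostName(c.host, c.cn, c.sans)
		fmt.Printf("%-30s -> %v (%s)\n", c.host, ok, why)
	}
}
```

The third sample is the case to keep in mind when a certificate is later reissued with a SAN list: a common name that used to match stops counting, so every host name the AD RMS cluster URL resolves to must then appear in the SAN list.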

11. Still in the Certificate Properties dialog box, on the General tab, type for example “IDMGT IPC” in the Friendly Name field and “Web Server Certificate” in the Description field.

12. Still in the Certificate Properties dialog box, on the Private Key tab, click the double down arrow icon on the right to expand the Key Options section and select the Make private key exportable and Allow private key to be archived check boxes.

13. Click OK.


14. Back in the Certificate Enrollment dialog, click Enroll. Click Finish.

15. To verify that the certificate has been issued, click Certificates under the Personal node in the tree pane and view the certificate in the details pane. The certificate will be named with the server name only.

16. Close the Certificates console.

You are now ready to proceed with the installation and the configuration of the AD RMS cluster.

Note Additional information regarding prerequisites is given in the article PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES 68.

Installing and configuring the AD RMS cluster

To install the single-server AD RMS root cluster, proceed as follows:

1. Log on to the IDMGT-DC computer using enterprise administrator credentials; these credentials are required to create the service connection point (SCP).

Note The service connection point (SCP) is an object in the Active Directory configuration partition that holds the Web address of the AD RMS cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS Web services. Only one SCP can exist in your Active Directory forest.

If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installation that was not properly de-provisioned, the new SCP will not install properly. It must be removed before you can establish the new SCP. A SCP can be viewed using ADSI Edit for instance. To view the SCP, connect to the configuration container in ADSI Edit and navigate the following nodes: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP.

You can remove an SCP by using the ADScpRegister.exe tool included in the Rights Management Services Administration Toolkit with SP2 available for download on the Microsoft Download Center69.

In production, this server can be running Windows Server 2008 R2 Standard edition, Windows Server 2008 R2 Enterprise edition, or Windows Server 2008 R2 Datacenter edition.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.

4. On the Before You Begin page, click Next.

5. On the Select Server Roles page, select Active Directory Rights Management Services and click Next.

68 PRE-INSTALLATION INFORMATION FOR ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES: http://go.microsoft.com/fwlink/?LinkId=153311
69 Rights Management Services Administration Toolkit with SP2: http://www.microsoft.com/downloads/details.aspx?familyid=BAE62CFC-D5A7-46D2-9063-0F6885C26B98&displaylang=en


6. A window may appear informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Message Queuing, and Windows Process Activation Service (WPAS) are listed.

Click Add Required Role Services. Click Next.

7. On the Active Directory Rights Management Services page, click Next.


8. On the Select Role Services page, make sure the Active Directory Rights Management Server check box is selected and click Next. Do not choose the Identity Federation Support option. You cannot install this option until the AD FS federation relationship has been created, and it is not needed in our context.

9. On the Create or Join an AD RMS Cluster page, select the Create a new AD RMS cluster option and click Next. If the cluster were already created and you were installing a second server, you would select Join an existing AD RMS cluster because there can be only one cluster per forest.


10. On the Select Configuration Database page, select Use Windows Internal Database on this server to host the AD RMS databases for a single-server installation. Remember that when you use a WID instance, you cannot join other servers to this cluster. Use WID only in test environments if you do not have the resources to create a proper database server. Click Next.

11. On the Specify Service Account page, click Specify.


12. In the Windows Security dialog, type the domain user account, for example “ADRMSService”, and password, for example “Pa$$w0rd”, that should be used as the AD RMS service account, click OK, and then click Next. Remember that this account must be a member of the local Administrators group.

13. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS Centrally Managed Key Storage to store the key in the AD RMS database and click Next.

Note We choose to protect the AD RMS cluster key with this option because it simplifies the configuration and does not require additional components. However, you should normally provide the best protection for this key through a hardware Cryptographic Service Provider (CSP) for an HSM.

14. On the Specify AD RMS Cluster Key page, specify a strong password, for example “Pa$$w0rd” and then click Next.


15. On the Select AD RMS Cluster Web Site page, select the website where you want to install the AD RMS Web services and click Next. If you did not prepare the Web site before, the name of the website is Default Web Site as illustrated here.

16. On the Specify Cluster Address page, select Use an SSL-encrypted connection (https://).

Note As a security best practice, the AD RMS cluster should be provisioned by using an SSL/TLS-encrypted connection. You should be using a certificate provided by a third-party commercial certification authority (CA) so that it can be automatically trusted by all parties. This certificate should already be installed on the server so that you can select it as you proceed through the installation. See previous section § FULFILLING THE AD RMS INSTALLATION PREREQUISITES. Do not use an unencrypted connection.

17. In the Internal Address section of the Specify Cluster Address page, type the fully qualified domain name (FQDN) of the AD RMS cluster, for example “adrms.demo.archims.fr”, and click Validate. If validation succeeds, the wizard updates the preview of the cluster address at the bottom of the page. Click Next.


This must be a valid FQDN, and it cannot be changed later. If you want to change the default port on which AD RMS communicates, you can do so on this page of the wizard. You must do so now, because you will not be able to change the port at a later date.

18. On the Choose a Server Authentication Certificate for SSL Encryption page, select Choose an existing certificate for SSL encryption (recommended), select the certificate you previously installed, i.e. the one with the wildcard common name, and then click Next.

Note If you did not install the certificate prior to setup, you can click Import to import the certificate now. You can also use a self-signed certificate, or, if you did not obtain the certificate prior to installation, you can select the third option, to choose encryption later. Note, however, that if you choose this last option, you cannot complete your installation until you obtain and install this certificate.

19. On the Name the Server Licensor Certificate page, type a valid name to identify the AD RMS cluster, for example “IDMGT-ADRMS”, and click Next.


20. On the Register AD RMS Service Connection Point page, select Register the AD RMS service connection point now and click Next. This action registers the AD RMS service connection point (SCP) in AD DS. If you are preparing the cluster and need to install additional cluster members before it starts servicing requests, select Register the AD RMS service connection point later. Then join the other cluster members and, when you are ready, create the SCP.

21. On the Web Server (IIS) page, click Next.


22. On the Confirm Installation Selections page, review your choices and click Install.

23. When the installation is complete, click Close to close the installation wizard. As indicated, log off and log back on to update the permissions granted to the logged-on user account so that the account can manage the AD RMS system.

The user account logged on when the AD RMS server role was installed is indeed automatically made a member of the AD RMS Enterprise Administrators group. This gives this account access to all AD RMS operations.


Note Additional details can be found in the documentation INSTALLING AN AD RMS CLUSTER 70. For a step-by-step installation guide, see AD RMS STEP-BY-STEP GUIDE 71. To provide high availability for the cluster, you must install additional cluster members. For information on this installation, see the documentation JOIN AN AD RMS SERVER TO AN EXISTING CLUSTER 72.

To set up the permissions on the ServerCertification.asmx file, proceed as follows:

1. While still logged on as an administrator on the IDMGT-DC computer, launch Windows Explorer.
2. In Windows Explorer, navigate to c:\inetpub\wwwroot\_wmcs\certification.
3. Right-click the ServerCertification.asmx file and select Properties.
4. Open the Security tab.
5. Grant the Read and Read & Execute permissions to the ADRMSService service account and to the IDMGT-DC computer account.
6. Validate with OK.

To configure the AD RMS extranet cluster URLs, proceed as follows:

1. Launch Server Manager from the Administrative Tools program group.
2. Expand Roles\Active Directory Rights Management Services.
3. If the Security Alert dialog appears because of the wildcard common name certificate, click Yes. The node shows that you are connected to IDMGT-DC.
4. Right-click IDMGT-DC, and then click Properties.
5. Select the Cluster URLs tab.

70 INSTALLING AN AD RMS CLUSTER: http://go.microsoft.com/fwlink/?LinkId=210873
71 AD RMS STEP-BY-STEP GUIDE: http://technet.microsoft.com/en-us/library/cc753531(WS.10).aspx
72 JOIN AN AD RMS SERVER TO AN EXISTING CLUSTER: http://technet.microsoft.com/en-us/library/cc753417.aspx


6. Select the Extranet URLs check box, and:
a. In the Licensing box, select https://, and then type “adrms.demo.idmgt.archims.fr”.
b. In the Certification box, select https://, and then type “adrms.demo.idmgt.archims.fr”.
7. Click OK.

To enable the Super Users on the AD RMS cluster, proceed as follows:

1. Still from within the Active Directory Rights Management Services snap-in, right-click the Super Users container under Security policies, and select Enable Super Users. You are informed that the Super Users group is not set.
2. To set it, click the Super Users container, click the Change super user group link in the middle pane, click Browse, specify “ADRMS Super Users”, and click OK. The ADRMS Super Users e-mail address, i.e. “[email protected]” in our case, appears in the Super user group field.
3. Click OK.

Creating AD RMS rights policy templates

AD RMS rights policy templates enable information authors to quickly apply a standard level of protection to information across the organization. They define usage rights and conditions, e.g. “All FTE – Read Only”.


Furthermore, templates offer additional security options that are not available with normal protection. End users can select a template, or servers can apply one automatically (through policy rule definitions), to protect information such as, in the context of this paper, an e-mail message and its attachment(s), if any. To ease the distribution of rights policy templates, AD RMS introduces a new rights policy template distribution pipeline. This pipeline allows an AD RMS client to request the rights policy templates stored on the AD RMS cluster and store them locally on the client computer. This functionality is available only with the AD RMS clients in Windows Vista with Service Pack 1 (SP1), Windows Server 2008 and above. For down-level clients, you can store the templates in a central location from which they can be copied to the AD RMS clients. Distribution methods include Microsoft System Center 2012 Configuration Manager, group policies, or manually copying the templates to the AD RMS client.

Note The AD RMS service account ADRMSService must have Write access to the rights policy template shared folder in order for the rights policy template export function to work correctly.

To create a shared folder for the AD RMS rights policy templates and set appropriate permissions for the AD RMS service account, proceed as follows:

1. Log on to IDMGT-DC as administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Create a new folder named “ADRMSTemplates”: click New Folder in the toolbar, type the name “ADRMSTemplates”, and then press ENTER.
4. Right-click the ADRMSTemplates folder, and then click Properties.
5. Click the Sharing tab, and then click Advanced Sharing.
6. Select the Share this Folder check box, and then click Permissions.
7. Click Add, in the Enter the object names to select box type “ADRMSService”, and then click OK.
8. In the Group or user names box, click ADRMSService ([email protected]), and then, in the Permissions for ADRMSService box, select the Change check box in the Allow column.
9. Click OK twice.
10. Click the Security tab, and then click Edit.
11. Click Add, in the Enter the object names to select box type “ADRMSService”, and then click OK.
12. Click ADRMSService ([email protected]), and then, in the Permissions for ADRMSService box, select the Modify check box in the Allow column, and then click OK.
13. Click Close.

AD RMS rights policy templates are created on the AD RMS server, stored in the configuration database and exported to the shared folder. Likewise, when you modify a rights policy template on the AD RMS server, the server updates the template in both the configuration database and the shared folder.


Note For additional information, see the article AD RMS POLICY TEMPLATE CONSIDERATIONS 73 on Microsoft TechNet.

The section § INSTALLING AND CONFIGURING OUTLOOK 2010 provides instructions on how to configure scheduled tasks to request the rights policy templates from the AD RMS cluster.

To create a new AD RMS rights policy template, proceed as follows:

1. Launch Server Manager from the Administrative Tools program group.
2. Expand Roles\Active Directory Rights Management Services\Rights Policy Templates. The node shows that you are connected to IDMGT-DC.
3. In the Actions pane, select Manage Distributed Rights Policy Templates.
4. To enable exporting of the AD RMS rights policy templates, click Properties in the Actions pane.
5. Select the Enable export check box, type \\IDMGT-DC\ADRMSTemplates in the Specify templates file location (UNC) box, and then click OK.
6. In the Actions pane, click Create Distributed Rights Policy Template. The Create Distributed Rights Policy Template wizard opens up.

73 AD RMS POLICY TEMPLATE CONSIDERATIONS: http://technet.microsoft.com/en-us/library/dd996658(v=WS.10).aspx


7. Click Add. The Add New Template Identification Information dialog opens up.

8. In the Language list, choose the appropriate language for the rights policy template.
9. Type “IDMGT.DEMO CC” in the Name box.
10. Type “IDMGT.DEMO Company Confidential” in the Description field and then click Add.
11. Click Next.

12. Click Add. The Add User or Group dialog shows up.

13. Click Browse, type “Domain Users” in the Enter the object names to select box, and then click OK. [email protected] appears in the E-mail address of a user or group box. Click OK.

14. Select the View check box to grant the Domain Users group read access to any content created by using this AD RMS rights policy template.

15. Click Finish.

A {<guid>}.xml file that corresponds to the template is created under the \\IDMGT-DC\ADRMSTemplates share. It is XrML-based content, as illustrated hereafter:

<?xml version="1.0" ?>
<XrML xmlns="" version="1.2">
  <BODY type="Microsoft Official Rights Template">
    <ISSUEDTIME>2012-06-11T17:33</ISSUEDTIME>
    <DESCRIPTOR>
      <OBJECT>
        <ID type="MS-GUID">{9fb2a2dd-2937-4a14-bd8f-4c7cc4a6add2}</ID>
        <NAME>LCID 1033:NAME IDMGT.DEMO CC:DESCRIPTION IDMGT.DEMO Company Confidential;</NAME>
      </OBJECT>
    </DESCRIPTOR>
    <ISSUER>
      <OBJECT type="MS-DRM-Server">
        <ID type="MS-GUID">{395539f6-38dc-466f-9beb-33a527e8212a}</ID>
        <NAME>IDMGT-ADRMS</NAME>
        <ADDRESS type="URL">HTTPS://adrms.demo.idmgt.archims.fr:443/_wmcs</ADDRESS>
      </OBJECT>
      <PUBLICKEY>
        <ALGORITHM>RSA</ALGORITHM>
        <PARAMETER name="public-exponent">
          <VALUE encoding="integer32">65537</VALUE>
        </PARAMETER>
        <PARAMETER name="modulus">
          <VALUE encoding="base64" size="1024">p8Hq3zdtrV/gR9SUr+FZvmAeFq+nbq+8uZqvDqWNj1fqhBMONwVBn24rAT5XTVdLaHiPU7UKwBgKt6ugKeJu4iCEu1XFHKgjtUXVPlIhVpYMPG0OL6kwAgz8P6vFo9Ugu2sFygSAE4FzRBz/f9rDAuT7IasB7CWvayLvsTV+DKs=</VALUE>
        </PARAMETER>
      </PUBLICKEY>
    </ISSUER>
    <DISTRIBUTIONPOINT>
      <OBJECT type="Publishing-URL">
        <ID type="MS-GUID">{9A23D98E-4449-4ba5-812A-F30808F3CB16}</ID>
        <NAME>Publishing Point</NAME>
        <ADDRESS type="URL">https://adrms.demo.idmgt.archims.fr/_wmcs/licensing</ADDRESS>
      </OBJECT>
    </DISTRIBUTIONPOINT>
    <WORK>
      <OBJECT>
        <ID type="" />
      </OBJECT>
      <RIGHTSGROUP name="Main-Rights">
        <RIGHTSLIST>
          <RIGHT name="OWNER">
            <CONDITIONLIST>
              <ACCESS>
                <PRINCIPAL>
                  <OBJECT>
                    <ID type="Internal">Owner</ID>
                  </OBJECT>
                </PRINCIPAL>
              </ACCESS>
            </CONDITIONLIST>
          </RIGHT>
          <VIEW>
            <CONDITIONLIST>
              <ACCESS>
                <PRINCIPAL>
                  <OBJECT>
                    <ID type="Unspecified" />
                    <NAME>[email protected]</NAME>
                  </OBJECT>
                </PRINCIPAL>
              </ACCESS>
            </CONDITIONLIST>
          </VIEW>
        </RIGHTSLIST>
      </RIGHTSGROUP>
    </WORK>
  </BODY>
  <SIGNATURE>
    <DIGEST>
      <ALGORITHM>SHA1</ALGORITHM>
      <PARAMETER name="codingtype">
        <VALUE encoding="string">surface-coding</VALUE>
      </PARAMETER>
      <VALUE encoding="base64" size="160">uzjnTMPjzLnTkV9vFe17o061F/g=</VALUE>
    </DIGEST>
    <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM>
    <VALUE encoding="base64" size="1024">AFDX3q08GItY55oVc7yEt7tuWpJzBV9HzXd4pdjlI/O2qUuPj5Xc2H/hpd/tPRhT10qUxWVuxWQ7u1vZWcsiErhND++HY7HIANaXOFVbFclniS0Iw4jcGuJkTNcPrQfHKON/dbB/rrnMHugksEd1CiUg0qE34H7oBta7p+5PsGo=</VALUE>
  </SIGNATURE>
</XrML>

As expected, the content owner has full rights on the produced protected content, while the domain users ([email protected]) have the right to view the protected content.

The whitepaper AD RMS RIGHTS POLICY TEMPLATES DEPLOYMENT STEP-BY-STEP GUIDE 74 further walks you through the process of creating and deploying AD RMS rights policy templates in a test environment such as the one that results from the previous steps to set up an on-premises single-server AD RMS root cluster.
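As an added example (not code from this paper, nor from AD RMS or Exchange), the following Python script parses a distributed rights policy template of the shape shown above and reports the rights it grants per principal, together with two checks worth running over the exported {<guid>}.xml files before a template is activated: that the issuer and licensing URLs use HTTPS (the cluster is expected to be provisioned over SSL/TLS only), and that no principal other than the internal Owner holds the OWNER right. The embedded template is constructed from the paper's sample; the key material and signature are placeholders, and the group e-mail address (domain-users@idmgt.example) is a constructed value standing in for the Domain Users address.

```python
"""Parse an AD RMS distributed rights policy template ({<guid>}.xml, XrML 1.2)
and report what it grants. Added example, not code from the paper or from AD RMS.
DESCRIPTOR/OBJECT/NAME packs one "LCID n:NAME x:DESCRIPTION y;" record per language."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the template shown in the paper. Key material
# and signature are placeholders; the group address is a constructed value.
SAMPLE_TEMPLATE = """<?xml version="1.0" ?>
<XrML xmlns="" version="1.2">
  <BODY type="Microsoft Official Rights Template">
    <ISSUEDTIME>2012-06-11T17:33</ISSUEDTIME>
    <DESCRIPTOR><OBJECT>
      <ID type="MS-GUID">{9fb2a2dd-2937-4a14-bd8f-4c7cc4a6add2}</ID>
      <NAME>LCID 1033:NAME IDMGT.DEMO CC:DESCRIPTION IDMGT.DEMO Company Confidential;</NAME>
    </OBJECT></DESCRIPTOR>
    <ISSUER>
      <OBJECT type="MS-DRM-Server">
        <ID type="MS-GUID">{395539f6-38dc-466f-9beb-33a527e8212a}</ID>
        <NAME>IDMGT-ADRMS</NAME>
        <ADDRESS type="URL">HTTPS://adrms.demo.idmgt.archims.fr:443/_wmcs</ADDRESS>
      </OBJECT>
      <PUBLICKEY><ALGORITHM>RSA</ALGORITHM>
        <PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER>
        <PARAMETER name="modulus"><VALUE encoding="base64" size="1024">PLACEHOLDER</VALUE></PARAMETER>
      </PUBLICKEY>
    </ISSUER>
    <DISTRIBUTIONPOINT><OBJECT type="Publishing-URL">
      <ID type="MS-GUID">{9A23D98E-4449-4ba5-812A-F30808F3CB16}</ID><NAME>Publishing Point</NAME>
      <ADDRESS type="URL">https://adrms.demo.idmgt.archims.fr/_wmcs/licensing</ADDRESS>
    </OBJECT></DISTRIBUTIONPOINT>
    <WORK><OBJECT><ID type="" /></OBJECT>
      <RIGHTSGROUP name="Main-Rights"><RIGHTSLIST>
        <RIGHT name="OWNER"><CONDITIONLIST><ACCESS><PRINCIPAL><OBJECT>
          <ID type="Internal">Owner</ID>
        </OBJECT></PRINCIPAL></ACCESS></CONDITIONLIST></RIGHT>
        <VIEW><CONDITIONLIST><ACCESS><PRINCIPAL><OBJECT>
          <ID type="Unspecified" /><NAME>domain-users@idmgt.example</NAME>
        </OBJECT></PRINCIPAL></ACCESS></CONDITIONLIST></VIEW>
      </RIGHTSLIST></RIGHTSGROUP>
    </WORK>
  </BODY>
  <SIGNATURE>
    <DIGEST><ALGORITHM>SHA1</ALGORITHM><VALUE encoding="base64" size="160">PLACEHOLDER</VALUE></DIGEST>
    <ALGORITHM>RSA PKCS#1-V1.5</ALGORITHM><VALUE encoding="base64" size="1024">PLACEHOLDER</VALUE>
  </SIGNATURE>
</XrML>
"""

_DESCRIPTOR_RE = re.compile(r"LCID (\d+):NAME (.*?):DESCRIPTION (.*?);")


def parse_template(xml_text):
    """Return template id, localized names, cluster URLs and rights per principal."""
    root = ET.fromstring(xml_text)
    body = root.find("BODY")
    descriptor = body.find("DESCRIPTOR/OBJECT")
    names = {int(lcid): {"name": name, "description": desc}
             for lcid, name, desc in _DESCRIPTOR_RE.findall(descriptor.findtext("NAME", ""))}

    rights = {}
    for right in body.find("WORK/RIGHTSGROUP/RIGHTSLIST"):
        # A right is <RIGHT name="..."> or an element named after the right (VIEW, PRINT, ...).
        right_name = right.get("name") if right.tag == "RIGHT" else right.tag
        for obj in right.iterfind(".//PRINCIPAL/OBJECT"):
            # Named principals carry an e-mail address in NAME; internal ones only an ID.
            principal = obj.findtext("NAME") or obj.findtext("ID") or ""
            rights.setdefault(principal, []).append(right_name)

    return {
        "template_id": descriptor.findtext("ID"),
        "names": names,
        "issuer": body.findtext("ISSUER/OBJECT/NAME"),
        "issuer_url": body.findtext("ISSUER/OBJECT/ADDRESS"),
        "licensing_url": body.findtext("DISTRIBUTIONPOINT/OBJECT/ADDRESS"),
        "rights": rights,
    }


def audit_template(parsed):
    """Checks to run before activating a template: cluster URLs must be HTTPS
    and only the internal Owner principal may hold the OWNER right."""
    findings = []
    for key in ("issuer_url", "licensing_url"):
        url = parsed[key] or ""
        if not url.lower().startswith("https://"):
            findings.append(f"{key} is not HTTPS: {url}")
    for principal, granted in parsed["rights"].items():
        if "OWNER" in granted and principal != "Owner":
            findings.append(f"principal {principal} holds OWNER")
    return findings


if __name__ == "__main__":
    info = parse_template(SAMPLE_TEMPLATE)
    print(info["names"][1033]["name"], "issued by", info["issuer"])
    for principal, granted in info["rights"].items():
        print(f"  {principal}: {', '.join(granted)}")
    print("findings:", audit_template(info) or "none")
```

Pointing the script at the files in the \\IDMGT-DC\ADRMSTemplates share (read each file and pass its text to parse_template) gives a quick inventory of which groups can do what under each template, which is useful both when reviewing templates before export and when checking what was imported into the tenant later on.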

Note For additional information on AD RMS rights policy templates, see the articles CONFIGURING RIGHTS POLICY TEMPLATES 75 and AD RMS POLICY TEMPLATE CONSIDERATIONS 76 on Microsoft TechNet.

74 AD RMS RIGHTS POLICY TEMPLATES DEPLOYMENT STEP-BY-STEP GUIDE: http://technet.microsoft.com/en-us/library/cc731070.aspx
75 CONFIGURING RIGHTS POLICY TEMPLATES: http://technet.microsoft.com/en-us/library/cc731599.aspx
76 AD RMS POLICY TEMPLATE CONSIDERATIONS: http://technet.microsoft.com/en-us/library/dd996658(WS.10).aspx


Understanding the cross-premises deployment of AD RMS

Active Directory Rights Management Services (AD RMS) is a core feature used by many organizations in their on-premises environments to provide protection for messages and attachments that remains persistent with the object. Some of them have a set of AD RMS rights policy templates and policies in place (on-premises) that need to be available in Microsoft Office 365 to meet the security requirements of their messaging systems. This deployment method is known as the cross-premises deployment option of AD RMS.

Before covering this method in section § EXCHANGE ONLINE IRM (NO ON-PREMISES EXCHANGE), we start “by the beginning” with the on-premises deployment and its related features, and then move to the cross-premises deployment method where the Cloud is involved.

On-premises IRM

Prior to Microsoft Exchange 2007 Service Pack 1 (SP1), Exchange was not AD RMS-enabled. Pre-licensing, which obtains a use license (UL) for protected content, was introduced with this Service Pack.

Among the important innovations in Microsoft Exchange Server 2010 is the integration of additional information rights management (IRM) functionality to provide persistent online and offline protection of e-mail messages and attachments. Microsoft Exchange Server 2010 Service Pack 1 (SP1) adds more IRM functionality.

By providing persistent protection to control who can access, forward, print, or copy sensitive data within an e-mail, IRM can help your organization avoid disclosing sensitive information through e-mail messaging. When combined with AD RMS in Windows Server 2008 R2 (or in Windows Server 2008 with SP2 and hotfix KB973247 77 applied), the IRM features of Exchange 2010 (SP1) can automatically rights-protect messages that contain sensitive information. However, these features still enable rights-protected messages to be scanned and archived unencrypted.

77 HOTFIX IS AVAILABLE FOR THE ACTIVE DIRECTORY RIGHTS MANAGEMENT SERVICES ROLE IN WINDOWS SERVER 2008: AUGUST 26, 2009: http://go.microsoft.com/fwlink/?LinkId=178298


Figure 4: On-premises IRM with Exchange Server 2010 (diagram showing the IDMGT customer premises with the AD RMS cluster and a computer/device)

More specifically, the list of IRM-protected e-mail functionality included in Exchange Server 2010 (SP1) is as follows:

Pre-licensing, which attaches a pre-license to protected messages and thus allows the client to avoid repeated trips to the AD RMS server to retrieve a use license (UL). It also enables offline viewing of IRM-protected messages and attachments, and allows IRM-protected messages to be viewed in Office Outlook Web App (OWA). This relies on the AD RMS pre-licensing agent to certify the recipient's authenticity so that the recipient can open messages without receiving a credential prompt on every attempt. The AD RMS pre-licensing agent requires the Hub Transport server role of Exchange Server 2010. No special configuration of AD RMS is required to enable pre-licensing. See UNDERSTANDING THE AD RMS PRELICENSING AGENT 78;

Support for IRM in Microsoft Office Outlook Web App (OWA), which enables users to send and open IRM-protected messages in OWA in any OWA-supported browser without requiring the installation of client software, for cross-browser support (including the Apple Mac OS X and Linux operating systems) (see section § RIGHTS MANAGEMENT CLIENT SOFTWARE). OWA IRM requires the pre-licensing service, and the Client Access Server (CAS) and Mailbox server roles of Exchange Server 2010. In addition, AD RMS must be configured to support OWA IRM. Furthermore, with Exchange Server 2010 SP1, users can view supported IRM-protected attachments by using WebReady Document Viewing. This allows users to view supported attachments without having to download the attachment and open it with the associated application. The WebReady Document Viewing feature is covered later in this document. See UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN OUTLOOK WEB APP 79 and UNDERSTANDING FILE AND DATA ACCESS FOR OUTLOOK WEB APP 80;

78 UNDERSTANDING THE AD RMS PRELICENSING AGENT: http://msdn.microsoft.com/en-us/library/aa996600(v=exchg.140).aspx
79 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN OUTLOOK WEB APP: http://technet.microsoft.com/en-us/library/dd876891.aspx
80 UNDERSTANDING FILE AND DATA ACCESS FOR OUTLOOK WEB APP: http://technet.microsoft.com/en-us/library/dd298113.aspx


Support for IRM in Exchange ActiveSync (EAS) with Exchange Server 2010 SP1, which allows accessing rich IRM functionality on any supported EAS device without having to configure AD RMS permissions or tether the device to a computer and activate it for IRM. Mobile device users can create, read, reply to and forward IRM-protected messages.

Note Implementation of specific EAS features varies by device and manufacturer. A community-maintained comparison of how Exchange ActiveSync features are implemented by various mobile clients is available at this COMPARISON OF EXCHANGE ACTIVESYNC CLIENTS 81 page on Wikipedia. The EAS Logo Program helps organizations identify enterprise-ready mobile devices that have implemented key Exchange ActiveSync user features and management policies. A list of EAS Logo Program Qualified Devices is available in the article EXCHANGE ACTIVESYNC LOGO PROGRAM 82 on Microsoft TechNet.

Devices supporting EAS protocol version 14.1 (as part of the SP1), including Windows Mobile Phone/Windows Phone devices, can support IRM in EAS. The mobile e-mail application on a device must support the RightsManagementInformation tag defined in EAS protocol version 14.1. This said, the mobile device doesn't need to be running Windows Mobile Phone/Windows Phone: EAS is licensed by Microsoft to mobile device manufacturers, original equipment manufacturers (OEMs), and others. See UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ACTIVESYNC 83;

Persistent protection of attachments in IRM-protected e-mail messages;

Transport protection rules to implement messaging policies based on rule conditions that help protect sensitive information by inspecting e-mail message content and its attachment(s), if any, encrypting sensitive e-mail content, and using rights management to control access to the content. Transport protection rules allow you to use transport rules to IRM-protect e-mail messages by applying an AD RMS rights policy template (see section § CREATING AD RMS RIGHTS POLICY TEMPLATES). Deploying third-party IFilters allows transport protection rules to scan additional attachment types (beyond Microsoft Office Word, Excel, PowerPoint and XPS documents). IFilter.org 84 is a Web site dedicated to helping you find the IFilter information you are looking for. Transport rules inspect every piece of mail that flows through the Exchange environment: even mail from one mailbox to another mailbox on the same server goes through the transport server role. See UNDERSTANDING TRANSPORT PROTECTION RULES 85;

Transport decryption to decrypt IRM-protected messages in transit in order to apply messaging policies. IRM-protected messages are decrypted by the decryption agent. The decryption agent decrypts the messages IRM-protected by the user in OWA, the messages IRM-protected by the user in Outlook 2010, and the messages IRM-protected automatically by Outlook protection rules in Outlook 2010 (see below).

81 COMPARISON OF EXCHANGE ACTIVESYNC CLIENTS: http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients
82 EXCHANGE ACTIVESYNC LOGO PROGRAM: http://technet.microsoft.com/en-us/exchange/gg187968.aspx
83 UNDERSTANDING INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ACTIVESYNC: http://technet.microsoft.com/en-us/library/ff657743.aspx
84 IFilter.org: http://www.ifilter.org/
85 UNDERSTANDING TRANSPORT PROTECTION RULES: http://technet.microsoft.com/en-us/library/dd298166.aspx


This gives trusted agents plaintext access to IRM-protected messages and enables messages and attachments to be archived and scanned for malware in order to apply message policies. See UNDERSTANDING TRANSPORT DECRYPTION 86;

Journal report decryption to allow saving a clear-text copy of IRM-protected messages in journal reports, along with the original, IRM-protected message. If the IRM-protected message contains any supported attachments that were protected by the AD RMS cluster in your organization, the attachments are also decrypted. Decryption is performed by the journal report decryption agent. The agent decrypts the following types of IRM-protected messages: the messages IRM-protected by the user in OWA, the messages IRM-protected by the user in Outlook 2010, the messages IRM-protected automatically in Outlook 2010 by using Outlook protection rules, and the messages that were IRM-protected automatically in transit by using transport protection rules (see above). See UNDERSTANDING JOURNAL REPORT DECRYPTION 87;

IRM decryption for search to give Exchange Search the ability to index content in IRM-protected messages and to include them in search results. It conducts full-text search of IRM-protected e-mail messages and attachments in OWA and Outlook, and enables indexing and searching of IRM-protected e-mail messages, including headers, subject, body, and attachments. It also applies to multi-mailbox search. Messages must be protected by using an AD RMS server in the same Active Directory forest as the Exchange 2010 Mailbox server. See UNDERSTANDING EXCHANGE SEARCH 88;

IRM-enabled Unified Messaging that lets users listen to protected voice mail messages in OWA, Outlook, and on the telephone, and can apply a “Do Not Forward” permission to voice mail messages that are designated as protected either by the sender (by marking the message as private) or by administrative policy. This prevents the forwarding of protected voice mails in a playable form to unauthorized persons, regardless of the mail client used;

Microsoft Outlook protection rules to apply IRM-protection to messages in Outlook 2010;

Note The above IRM features are further described in the specific context of Exchange Online. See section § EXCHANGE ONLINE IRM (NO ON-PREMISES EXCHANGE).

Note The above IRM features are fully documented in the INFORMATION RIGHTS MANAGEMENT part89 of the Exchange Server 2010 documentation as well as the wiki ROADMAP FOR IMPLEMENTING IRM FEATURES IN MICROSOFT EXCHANGE 90 available online on Microsoft TechNet. For additional information, you can also refer to the AD RMS MICROSOFT EXCHANGE SERVER 2010 INTEGRATION GUIDE 91.

Exchange Server 2010 (SP1) depends on the AD RMS cluster to decrypt and encrypt content.

86 UNDERSTANDING TRANSPORT DECRYPTION: http://technet.microsoft.com/en-us/library/dd638122.aspx
87 UNDERSTANDING JOURNAL REPORT DECRYPTION: http://technet.microsoft.com/en-us/library/dd876936.aspx
88 UNDERSTANDING EXCHANGE SEARCH: http://technet.microsoft.com/en-us/library/bb232132.aspx
89 INFORMATION RIGHTS MANAGEMENT: http://technet.microsoft.com/en-us/library/dd351035.aspx
90 ROADMAP FOR IMPLEMENTING IRM FEATURES IN MICROSOFT EXCHANGE: http://social.technet.microsoft.com/wiki/contents/articles/roadmap-for-implementing-irm-features-in-microsoft-exchange.aspx#IIIWM
91 AD RMS MICROSOFT EXCHANGE SERVER 2010 INTEGRATION GUIDE: http://technet.microsoft.com/en-us/library/ee849857(v=WS.10).aspx


The on-premises integration between Exchange Server 2010 (SP1) and AD RMS is mostly configured using Exchange 2010 cmdlets92 using the Exchange Management Shell (Transport Rules are created in the Exchange Management Console (EMC)):

Get-IRMConfiguration. Returns the list of IRM features in Exchange Server 2010 and displays whether they are enabled or disabled.

Set-IRMConfiguration. Configures the IRM features.

Test-IRMConfiguration. Tests the IRM functionality.

Get-RMSTemplate. Retrieves the current list of AD RMS rights policy templates in the organization.

The on-premises integration is done through Web service calls from Exchange Server to AD RMS. It requires the following prerequisites on the AD RMS cluster:

Service Connection Point (SCP). Exchange 2010 (SP1) and AD RMS-enabled applications use the service connection point registered in Active Directory to discover an AD RMS cluster and its related URLs. As previously depicted, AD RMS allows you to register the service connection point from within AD RMS setup (see section § INSTALLING AND CONFIGURING THE AD RMS CLUSTER). If the account used to set up AD RMS isn't a member of the Enterprise Admins security group, service connection point registration can be performed after setup is complete. There is only one service connection point for AD RMS in an Active Directory forest.

Permissions. Read and Execute permissions on the AD RMS server certification pipeline (the ServerCertification.asmx file located in the \inetpub\wwwroot\_wmcs\certification\ folder on the AD RMS servers) must be assigned to the following: the Exchange Servers group or individual Exchange servers, and the AD RMS Service group on the AD RMS servers.

AD RMS Super Users. To enable IRM in OWA, transport decryption, journal report decryption, and IRM for Exchange Search, you must add the Federated Delivery Mailbox user account (which is named FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042), a system mailbox created by Exchange 2010 (SP1) setup, to the super users group on the AD RMS cluster.

Because the Federated Delivery Mailbox user account is a system mailbox, it is not visible in the Exchange Management Console (EMC). To add it to a distribution group, for example “ADRMSSuperUsers”, an Exchange administrator must use the Add-DistributionGroupMember cmdlet from the Exchange Management Shell:

PS C:\Windows\system32> Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042

Note For additional information, see ADD THE FEDERATION MAILBOX TO THE AD RMS SUPER USERS GROUP 93.

There are a number of transactions (certification, publishing, acquiring AD RMS templates) and then there is a frequently used Web service transaction (licensing). Exchange 2010 (SP1) provides logging of IRM operations between Exchange Server and the AD RMS servers in the organization.

92 Exchange 2010 cmdlets: http://technet.microsoft.com/en-us/library/bb124413
93 ADD THE FEDERATION MAILBOX TO THE AD RMS SUPER USERS GROUP: http://technet.microsoft.com/en-us/library/ee424431.aspx


The way the integration is performed results in the fact that licensing is the operation done most frequently. It also happens to be the operation that is performed during mail flow on Hub Transport servers. With on-premises solutions, this is however not a significant issue because the AD RMS servers are generally collocated with the Exchange servers and the amount of AD RMS content is low.

Exchange Online IRM (no on-premises Exchange)

Exchange Online tenants can integrate IRM capabilities, but Exchange Online IRM does not refer to AD RMS in the Cloud. Rather, Exchange Online is able to leverage the organization’s on-premises AD RMS environment through embedded AD RMS servers in the Cloud to protect messages. In other words, an on-premises AD RMS environment is required. Exchange Online users are able to use AD RMS in the same way as your on-premises users. The AD RMS settings, such as the rights policy templates and certificate information from the on-premises AD RMS configuration, have to be exported and then imported into the Online Services in the organization's tenant. For that purpose, AD RMS provides a built-in mechanism for exporting Trusted Publishing Domains (TPDs). Fundamentally, a TPD allows an AD RMS cluster to issue Use Licenses (UL) against Publishing Licenses (PL) issued by another AD RMS cluster.

Figure 5: Cross-premises deployment (diagram showing the IDMGT customer premises with the AD RMS cluster, and Microsoft Online Services with the IDMGT customer tenant and its embedded AD RMS server, into which the TPD is imported)

For that purpose, a TPD contains three things:
1. The Server Licensor Certificate (SLC) used for signing and encrypting certificates and licenses,
2. The URLs used for licensing and publishing,
3. The rights policy templates created against that SLC (e.g. no print, cannot forward).

Considering the above numbered list, the TPD is essentially a public and private key pair that represents the root authority of the tenant for AD RMS purposes, and that is used by AD RMS for generating RACs, CLCs, and ULs (see section § UNDERSTANDING THE AD RMS CERTIFICATES AND LICENSES).


The public key along with domain information is represented as SLC while the private key is a binary blob that needs to be protected.

Note For additional detail on TPDs, see the article AD RMS TRUSTED PUBLISHING DOMAIN CONSIDERATIONS 94.

In order for Exchange Online to perform the same operations through the cross-premises deployment, the TPDs (one or many) must be exported from the AD RMS cluster and then imported into Exchange Online for the organization’s tenant. Exchange Online uses an embedded AD RMS server. Importing the TPD using Remote PowerShell allows Exchange Online to issue Use Licenses (UL) and Publishing Licenses (PL) for the imported TPD. All the templates imported as part of the TPD are marked as archived by default; they have to be marked as active to make them available for authoring content. The entire process is fully depicted in the section § EXTENDING ON-PREMISES AD RMS TO OFFICE 365.

With the TPD imported into the Exchange Online tenant infrastructure, the Exchange Online services essentially use the keys from the on-premises AD RMS environment. AD RMS transactions in the online datacenter are executed within the online datacenter, without any external calls to the on-premises AD RMS infrastructure.

In Microsoft Exchange Online Services, the previous picture of IRM on-premises (see previous section) indeed changes dramatically. When an Exchange server in the online datacenter makes these transactions with an on-premises AD RMS infrastructure (cross-premises deployment), a number of issues can impact mail flow for one or many tenants. Licensing an AD RMS message requires at least one Web service round trip with the AD RMS server. Consequently, a non-responsive on-premises AD RMS server, or latency between the on-premises and online datacenters, delays mail flow for a tenant or set of tenants while categorizer threads are held for licensing calls. This reduces the throughput of hub transport and impacts the mail delivery Service Level Agreement (SLA).

Once there are multiple non-responsive or high-latency AD RMS servers, the problem is compounded further, leading to widespread impact on mail delivery. The core parts of this problem lead to reduced reliability in mail delivery as well as increased difficulty and cost in supportability. The approach outlined above gets around this issue.

94 AD RMS TRUSTED PUBLISHING DOMAIN CONSIDERATIONS: http://technet.microsoft.com/library/dd772677(WS.10).aspx


[Figure 6: Exchange Online IRM (no on-premises Exchange). Clients on a Computer/Device (Outlook, Outlook Web App (OWA) and Exchange ActiveSync (EAS)) use the embedded AD RMS server of the IDMGT Customer Tenant in Microsoft Online Services, while the AD RMS Cluster remains on the IDMGT Customer Premises.]

Consequently, the Exchange datacenter tenant receives all IRM capabilities, except for pre-licensing, which is not supported in the online datacenter. More specifically, after this one-time import of the TPD, the following features become available:

- Support for IRM in Outlook Web App (OWA);
- Support for IRM in Exchange ActiveSync (EAS);
- IRM search;
- Transport protection rules;
- Protected voicemail;
- Journal report decryption;
- Outlook Protection Rules.

If the on-premises TPD is not provided, Exchange Online processes content protected on-premises as opaque. Messages and files are still delivered by Exchange Online, but the content is not rendered within OWA, delivered to EAS devices, indexed for searching, available for transport rules, decrypted for journaling, etc.

As mentioned above, pre-licensing is not available in Exchange Online. (A pre-license attached to protected messages avoids the client having to make repeated calls to the AD RMS server to retrieve a use license, resulting in a faster user experience.) However, additional IRM support features enable similar experiences:

- Support for IRM in Outlook Web App (OWA) provides an excellent Web experience for accessing IRM-protected messages (see section § SUPPORT FOR IRM IN OUTLOOK WEB APP (OWA));

- Support for IRM in Exchange ActiveSync (EAS) results in fast access to IRM-protected messages on supported devices such as Windows Mobile 6.1+ and Windows Phone 7.5+ devices; there is no need for pre-licensing (see section § SUPPORT FOR IRM IN EXCHANGE ACTIVESYNC (EAS));

- Exchange Online uses the embedded AD RMS server for encrypting and decrypting, while the on-premises AD RMS environment is still required for managing AD RMS templates.


In terms of storage and protection, the embedded RMS server uses the Exchange Online Active Directory as the storage location for the imported TPDs, as well as for the rights account certificate key pairs and templates used by each tenant. This key material is only accessible to the Exchange service. This information is moreover secured within the Exchange Online Active Directory using Distributed Key Manager (DKM) 95, a project coming from the Extreme Computing Group of Microsoft Research, which provides a solution for securely sharing data amongst multiple machines and multiple users/service accounts for datacenter (“Cloud”) class services.

Note DKM is very similar to the familiar Windows Data Protection API (DPAPI), which has existed for over a decade but which, by design, works on a per-user and per-machine basis and does not share keys across users and machines. DKM improves on DPAPI by extending it to multiple users and multiple machines, along with cryptographic agility capabilities. With DKM, callers only need to specify the data they wish to protect and the group of users/processes that will have access. The caller creates a GroupKey object and binds it to a group of users. Then, the caller calls Protect(data) to encrypt to that group and Unprotect(ciphertext) to decrypt.

DKM stores encryption/decryption keys and cryptographic policy in a repository, such as Active Directory and SQL Server. The repository provides controlled access to the stored data, e.g., Access Control Lists (ACL). DKM is a client-side library that lets users encrypt data under a shared group secret key so that only members of the group can decrypt the data. For additional information, see the publication KEY MANAGEMENT IN DISTRIBUTED SYSTEMS 96.

By default, DKM uses AES-128 to encrypt the AD RMS TPD and related keys. DKM works by storing the root encryption key, along with the crypto policy configuration, in Active Directory, where Access Control Lists (ACLs) scoped to an Active Directory group protect it. Beyond these nitty-gritty details, which only scratch the surface of the security controls being enforced, it should be noted that both the Office 365 services and the infrastructure on which they rely (Microsoft Global Foundation Services 97) employ security frameworks based on the International Standards Organization (ISO/IEC 27001:2005) family of standards and are ISO 27001 certified by independent auditors. Office 365 is the first major business productivity public cloud service to have implemented the rigorous set of physical, logical, process and management controls defined by ISO 27001. Microsoft strives to take a leadership role in industry privacy, security and compliance practices by following these trust principles.

Note For additional information, see the document STANDARD RESPONSE TO REQUEST FOR INFORMATION – OFFICE 365 SECURITY AND PRIVACY V2 98 available on the Office 365 Trust Center99.

Let’s now consider the different features that can be provided with such a cross-premises deployment.

95 Distributed Key Manager (DKM):
96 KEY MANAGEMENT IN DISTRIBUTED SYSTEMS: http://research.microsoft.com/pubs/132506/Distributed%20Key%20Lifecycle%20Management.pdf
97 Microsoft Global Foundation Services: http://www.globalfoundationservices.com/
98 STANDARD RESPONSE TO REQUEST FOR INFORMATION – OFFICE 365 SECURITY AND PRIVACY V2: http://www.microsoft.com/en-us/download/details.aspx?id=26647
99 Office 365 Trust Center: http://www.microsoft.com/en-us/office365/trust-center.aspx

Support for IRM in Outlook

There are many ways to access your email account in Microsoft Exchange Online. The most common ways are by using an installed version of Microsoft Outlook, the rich email program that includes support for calendaring, contacts, and tasks, or Outlook Web App (OWA) in a web browser (see next section). Outlook 2010 and Outlook for Mac 2011 provide native support for Information Rights Management (IRM) and communicate directly with the on-premises AD RMS server, thus enabling users to compose and read messages protected by AD RMS. There is no need for interoperability between the AD RMS server and Exchange Online in order to use the IRM features of Outlook. In other words, such clients still receive the protected content and continue to call the Web services of the on-premises AD RMS server to request the appropriate license to consume the AD RMS content received.

Outlook 2010 and Outlook for Mac 2011 support the latest features of Exchange Online, including:

- Protected voicemail (see the eponymous section § PROTECTED VOICEMAIL);
- Outlook Protection Rules (see the eponymous section § OUTLOOK PROTECTION RULES).

The article INSTALLING AND CONFIGURING OUTLOOK 2010 provides instructions on how to set up and configure Outlook 2010 for your Office 365 subscription.

Support for IRM in Outlook Web App (OWA)

Microsoft Office Outlook Web App (OWA) is a Web-based version of the Outlook email program that is used with Exchange Online. Wherever users are connected to the Internet, at home, at the office, or on the road, they can access their email through OWA from a link on the Microsoft Online Services Portal (MOP) at https://portal.microsoftonline.com or at http://mail.office365.com (or https://www.outlook.com), and they can read and create IRM-protected messages natively in OWA, just like in Outlook (see previous section). It should be noted that the native support for IRM in OWA extends the ability of organizations to leverage IRM protection.

The following is the user experience for creating an e-mail message with IRM protection. You can see that the AD RMS rights policy templates that have been imported via the TPD are available for use; you can also see that our custom template ‘IDMGT.DEMO Company Confidential’ is in place and can be selected. (The templates are imported during the TPD import operation and are presented to the end users accordingly.)


Whilst OWA enables users to create, read and reply to (as well as reply all, forward, block print, cut/copy) IRM-protected messages natively, just like in Outlook, IRM-protected messages in OWA can be accessed through Internet Explorer, Mozilla Firefox, Apple Safari, Chrome, and most other web browsers on computers running UNIX, Apple Macintosh, or Windows (no plug-in required). It includes full-text search, conversation view and preview pane. It eliminates the need for the Rights Management Add-on (RMA) for Internet Explorer 100. End users immediately see the changes in OWA.

With the additional support for WebReady Document Viewing for IRM-protected messages, recipients can view protected attachments without having to install or start the associated application (such as Microsoft Word, Microsoft PowerPoint, Adobe Acrobat, etc.). WebReady Document Viewing converts these documents into HTML for read-only viewing in a web browser window. When WebReady Document Viewing is enabled, users see an Open as Web Page link next to supported document types in OWA. By default, this feature is enabled in Exchange Online. It can be disabled through Remote Windows PowerShell via the following command:

PS C:\Windows\system32> Set-OWAMailboxPolicy Default -WebReadyDocumentViewingOnPublicComputersEnabled $false

Furthermore, you can use any computer that's connected to the Internet or to a local Intranet, whether you're at home, in the office, or on the road. Administrators can block users from downloading attachments in OWA. This helps prevent users from accidentally leaving content on an unsecured machine, such as an Internet kiosk. Attachment download settings in OWA are managed through Remote Windows PowerShell via the following command:

PS C:\Windows\system32> Set-OwaMailboxPolicy Default -DirectFileAccessOnPublicComputersEnabled $false

100 Rights Management Add-on (RMA) for Internet Explorer: http://www.microsoft.com/en-us/download/details.aspx?id=4753


Support for IRM in Exchange ActiveSync (EAS)

Users with mobile devices that support the IRM features of the Exchange ActiveSync (EAS) protocol can open and work with IRM-protected messages, with the appropriate rights, without tethering the mobile device or installing additional IRM software. Administrators can control the use of this feature using Role-Based Access Control (RBAC) and Exchange ActiveSync (EAS) policies.

IRM Search

IRM-protected messages are indexed and searchable, including headers, subject, body, and attachments. Users can search protected items in Outlook and OWA, and administrators can search protected items by searching multiple mailboxes.

Transport Protection Rules

As already mentioned, transport rules are used to inspect emails in transit (including inbound, outbound, and internal messages) and take actions, such as applying a disclaimer, blocking messages, or sending a blind carbon copy to a mailbox for supervisory review. Transport rules use a set of conditions, actions, and exceptions similar to inbox rules:

- Conditions identify specific criteria such as sender, receiver and keywords within a message;
- Actions are applied to email messages that match these conditions;
- Exceptions identify messages to which a transport rule action shouldn't be applied, even if the message matches a transport rule condition.

Exchange Online supports the transport rule functionality and flexibility of Exchange Server 2010 SP1, including:

- Granular transport rule conditions. Administrators can create transport rules to inspect messages for a variety of email attributes, such as specific senders, recipients, distribution lists, keywords, and regular expressions (for common patterns like those associated with credit card numbers or social security numbers). Administrators can also include users’ Active Directory attributes (for example, department, country, or manager) and distinguish by message types (such as automatic replies, meeting requests, and voicemail messages);

- Ability to moderate. Administrators can use transport rules to route email messages to a manager or trusted moderator for review. Reviewers can then approve or block the message and, if blocked, provide an explanation to the sender;

- Message classifications. Administrators can use transport rules to apply metadata to messages, describing the intended use or audience (for example, attorney–client privilege). Users can also apply classifications manually and have transport rules check messages when they enter the transport pipeline. If messages do not meet the conditions of the classification, an action can be applied to modify, protect, or block the messages;

- Attachment inspection. Administrators can create transport rules based on content in Microsoft Office Word, Excel, PowerPoint, and XPS attachments. However, file types such as Adobe PDF files, which require installation of third-party IFilters on the email server, cannot be inspected in Exchange Online.


Note For additional detail, see the help topic ORGANIZATION-WIDE RULES 101.

Administrators can manage transport rules using the Exchange Control Panel (ECP) or Remote PowerShell. Transport rules can act on all email traffic in an organization. (The maximum number of transport rules per tenant is 25 rules and the maximum size per rule is 4KB.) Along with the standard list of conditions that can be applied to all rules, administrators can set up transport protection rules that automatically apply AD RMS protection to email in transit (including Microsoft Office Word, Excel, PowerPoint, and XPS attachments).

As illustrated above, they can use for that purpose the action Apply rights protection to the message with... that automatically applies IRM protection and gives the option of various AD RMS rights policy templates.

This makes it possible to specify exactly how a message can be handled by authorized users (whether it can be copied, forwarded, and so on) and provides appropriate, persistent protection for the message regardless of where it is sent, preventing forwarding, copying, or printing depending on the AD RMS rights policy template applied.
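The same transport protection rule created from Remote PowerShell rather than the ECP, as an added example that is not code from the original article. It assumes an open Exchange Online remote PowerShell session (see the section CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE), uses the custom ‘IDMGT.DEMO Company Confidential’ template named in this article, and the rule name, keywords, addresses and the Name/Type properties read from Get-RMSTemplate are constructed or assumed values.

```powershell
# Added example, not code from the original article: create a transport protection
# rule that applies an imported AD RMS rights policy template to mail in transit.
# Assumes an open Exchange Online remote PowerShell session.
# 'IDMGT.DEMO Company Confidential' is the custom template named in this article;
# the rule name, keywords and the idmgt.demo addresses are constructed sample values.

$TemplateName = 'IDMGT.DEMO Company Confidential'
$RuleName     = 'Protect board material (constructed sample)'
$MaxRules     = 25        # per-tenant transport rule limit quoted in the article

# 1. The template must have come across with the TPD and be active (Distributed):
#    imported templates are archived by default and cannot be used to author content.
#    (The 'Name' and 'Type' properties of the Get-RMSTemplate output are assumed.)
$template = Get-RMSTemplate -Type All | Where-Object { $_.Name -eq $TemplateName }
if (-not $template) {
    throw "Template '$TemplateName' is not in this tenant; import the TPD first."
}
if ($template.Type -ne 'Distributed') {
    throw "Template '$TemplateName' is archived; mark it as active (Distributed) before use."
}

# 2. Stay within the per-tenant transport rule limit.
$ruleCount = @(Get-TransportRule).Count
if ($ruleCount -ge $MaxRules) {
    throw "Tenant already has $ruleCount transport rules (limit $MaxRules)."
}

# 3. Create the rule: mail sent to the board distribution group whose subject or body
#    mentions board material is rights-protected with the template in transit.
#    The exception keeps automated notifications from a service mailbox unprotected.
New-TransportRule -Name $RuleName `
    -SentToMemberOf 'board@idmgt.demo' `
    -SubjectOrBodyContainsWords 'board pack', 'board minutes' `
    -ExceptIfFrom 'notifications@idmgt.demo' `
    -ApplyRightsProtectionTemplate $TemplateName `
    -Comments 'Protects board material in transit, including Office and XPS attachments.' | Out-Null

# 4. Read the rule back to confirm the template binding and that the rule is enabled.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, ApplyRightsProtectionTemplate
```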

Protected voicemail

Either senders or administrators can apply Do Not Forward permissions to voicemail messages in order to prevent them from being forwarded to unauthorized persons, regardless of the email client. These permissions can be applied to all voicemail messages in the organization, or just to voicemail messages that have been marked as private by the sender.

101 ORGANIZATION-WIDE RULES: http://help.outlook.com/en-us/140/Dd207276.aspx?sl=1


Journal report decryption

Administrators can configure Exchange Online to journal copies of emails to any external archive that can receive messages via SMTP. For example, administrators can journal emails to an on-premises archiving solution. The journaling destination cannot be an Exchange Online mailbox. Administrators can manage journal rules in the Exchange Control Panel or Remote PowerShell and can configure journaling on a per-user and per-distribution list basis, scoping the journaling to internal recipients, external recipients, or both. Journaled messages include not only the original message but also information about the sender, recipients, copies, and blind copies.

Note For additional detail, see the help topic JOURNAL RULES 102.

When journaling the messages to an external archive, administrators can include a decrypted, clear-text copy of IRM-protected messages in journal reports, including Microsoft Office Word, Excel, PowerPoint, and XPS attachments. This allows IRM-protected messages to be indexed and searched for legal discovery and regulatory purposes. The original IRM-protected message is also included in the report.

Outlook protection rules

Outlook protection rules are a new feature in Outlook 2010 and may be enabled in Exchange Online after importing a TPD. They instruct the Outlook client to protect composed messages that match your criteria. In other words, they automatically trigger Outlook to apply an AD RMS rights policy template based on sender or recipient identities, before users can send an email message. Since the messages are protected at the desktop before being sent out to Exchange Online, Outlook protection rules allow the organization to block third-party service providers or Exchange Online administrators from viewing sensitive content that is sent between your employees. Unlike transport protection rules (see section § TRANSPORT PROTECTION RULES), Outlook protection rules can be configured so that users can turn off protection for less sensitive content.

Note For additional information, please refer to the article CREATE OUTLOOK PROTECTION RULES 103.

102 JOURNAL RULES: http://help.outlook.com/en-us/140/ff633680.aspx?sl=1
103 CREATE OUTLOOK PROTECTION RULES: http://help.outlook.com/en-us/140/Gg598216.aspx


Extending on-premises AD RMS to Office 365

The following is a list of the step-by-step actions that need to be performed to export the AD RMS settings from the organization’s on-premises environment, and then import them into the Office 365 environment. This assumes that an AD RMS environment is already in place and running correctly on-premises; see section § INSTALLING AND CONFIGURING AN ON-PREMISES AD RMS. The section explains the export and import steps in order. For additional information, see the help article SET UP AND MANAGE INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ONLINE 104.

Exporting the AD RMS TPDs

The first step performed by the administrator consists in exporting the Trusted Publishing Domain (TPD) to an XML file. To export a TPD, proceed as follows:

1. Log on to the on-premises AD RMS server (IDMGT-DC) as a user with AD RMS administration permissions.

2. Launch Server Manager from the Administrative Tools program group.

3. Expand Roles\Active Directory Rights Management Services. The node shows that you are connected to IDMGT-DC.

4. From within the MMC snap-in (console), expand the AD RMS cluster server name.

5. In the console tree, expand Trust Policies and then click Trusted Publishing Domains to select the TPD that needs to be exported.

104 SET UP AND MANAGE INFORMATION RIGHTS MANAGEMENT IN EXCHANGE ONLINE: http://help.outlook.com/en-us/140/gg597271.aspx?sl=1


6. In the Results pane, select the certificate for the domain you want to export, in this case the IDMGT-ADRMS certificate.

7. In the Actions pane, click Export Trusted Publishing Domain. The Export trusted Publishing Domain dialog box opens up. A file location, name, and password need to be provided to export the TPD into the XML file.


8. In the Publishing domain file box, type the name of the publishing domain file you are exporting, for example RMSPublishing.xml, or click Save As to export it to a special location. Make sure you specify the .xml file name extension.

9. In the Password and Confirm password boxes, type a strong password that will be used to encrypt the trusted publishing domain file, for example “Pa$$w0rd”. Make note of this password since it will be needed for the import process, see section § IMPORTING THE AD RMS TPDS AND THE CORRESPONDING RIGHTS POLICY TEMPLATES.

10. Ensure that the Saved trusted publishing domain file in RMS version 1.0 (including version 1.0 SP1 and 1.0 SP2) format check box is NOT checked.

Important note Exchange Online only supports exporting in the v2 format. If you check the Save trusted publishing domain file in RMS version 1.0 checkbox, Exchange Online will reject it during the import process.

11. Click Finish to create the trusted publishing domain file.

This process results in an XML file containing the SLC, the internal URLs, and the AD RMS templates for that SLC. The process must be repeated for each TPD that needs to be exported and for each AD RMS cluster that is used for licensing new or old content. The export process and task syntax are described in more detail in the article EXPORT A TRUSTED PUBLISHING DOMAIN 105.

Note This step can also be performed by using Windows PowerShell and the AD RMS Export-RmsTPD cmdlet. Please refer to the documentation of EXPORT-RMSTPD 106 for additional information.

Note Exchange only supports production hierarchy keys. Test or pre-production hierarchies are not supported.

If there are multiple TPDs, you can perform the export as described for each of the TPDs. Once all the TPDs are exported to XML files, they can be imported into your Exchange Online tenant. To do this, you need to connect to your Exchange Online tenant using Remote PowerShell as a member of the Organization Management or Information Rights Management role. The next section describes how to configure Windows PowerShell and Windows Remote Management (WinRM) for that purpose.
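The export procedure above carried out with the Export-RmsTPD cmdlet mentioned in the note, as an added example that is not code from the original article. It runs on the on-premises AD RMS server (IDMGT-DC) and exports the IDMGT-ADRMS TPD named in step 6; the AdRmsAdmin provider path and the DisplayName/Id properties of its items are assumptions to confirm against the EXPORT-RMSTPD documentation cited above, and the output path is a constructed value.

```powershell
# Added example, not code from the original article: export a TPD in v2 format with
# the AD RMS cmdlets instead of the Server Manager wizard. Run on the on-premises
# AD RMS server (IDMGT-DC in this article) as a user with AD RMS administration rights.
# Assumptions: the provider path 'TrustPolicy\TrustedPublishingDomain' and the
# 'DisplayName' and 'Id' properties of its items follow the Export-RmsTPD
# documentation cited above; confirm them against that article before use.

Import-Module AdRmsAdmin

# Map the local AD RMS cluster as a PowerShell drive; trust policy is exposed as a hierarchy.
New-PSDrive -Name RmsAdmin -PSProvider AdRmsAdmin -Root 'http://localhost' | Out-Null

$TpdName   = 'IDMGT-ADRMS'                  # display name of the TPD, as in step 6
$SavedFile = 'C:\Export\RMSPublishing.xml'  # constructed path; keep the .xml extension

# Refuse to silently overwrite an earlier export.
if (Test-Path $SavedFile) { throw "$SavedFile already exists; move it aside first." }

# Prompt for the password that protects the private key inside the XML file rather
# than embedding it in the script. The same password is required at import time.
$Password = Read-Host -Prompt 'TPD export password (strong; keep it for the import)' -AsSecureString

$tpd = Get-ChildItem 'RmsAdmin:\TrustPolicy\TrustedPublishingDomain' |
       Where-Object { $_.DisplayName -eq $TpdName }
if (-not $tpd) { throw "No TPD named '$TpdName' found on this cluster." }

# Do NOT add -V1Compatible: Exchange Online rejects the RMS 1.0 file format on import.
Export-RmsTPD -Path "RmsAdmin:\TrustPolicy\TrustedPublishingDomain\$($tpd.Id)" `
              -SavedFile $SavedFile -Password $Password

# Sanity check: the file exists and parses as XML. It holds the SLC, the licensing and
# publishing URLs and the templates for that SLC; the private key inside is encrypted
# under the password, so handle the file as sensitive material.
if (-not (Test-Path $SavedFile)) { throw "Export failed: $SavedFile was not created." }
$null = [xml]((Get-Content -Path $SavedFile) -join "`n")
Write-Host ("Exported TPD '{0}' to {1} ({2} bytes)." -f $TpdName, $SavedFile, (Get-Item $SavedFile).Length)
```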

Configuring Windows PowerShell

Thanks to Remote PowerShell, administrators can connect Exchange Online to existing infrastructure and processes. Administrators do not need to install any Exchange Server management or migration tools in order to use Remote PowerShell. To use Remote PowerShell, administrators’ computers must be running the Windows Management Framework 107, which contains Windows PowerShell v2 and Windows Remote Management (WinRM) 2.0. These components are already installed on computers running Windows 7 or Windows Server 2008 R2 and above.

105 EXPORT A TRUSTED PUBLISHING DOMAIN: http://technet.microsoft.com/en-us/library/cc731228.aspx
106 EXPORT-RMSTPD: http://technet.microsoft.com/en-us/library/ee617275.aspx
107 Windows Management Framework: http://go.microsoft.com/fwlink/?LinkId=165726


Note On previous versions of Windows (namely Windows XP SP3, Windows Vista Service Pack 1 (SP1) or Service Pack 2 (SP2), Windows Server 2003 SP2, and Windows Server 2008 SP1 or SP2), administrators have to uninstall any previous versions of these components and manually download them (via the Windows Management Framework) as explained in the article INSTALL AND CONFIGURE WINDOWS POWERSHELL 108.

The configuration of Windows PowerShell consists in:

- Verifying that Windows PowerShell can run scripts and, if not, enabling scripts to run in Windows PowerShell;
- Verifying that WinRM allows Windows PowerShell to connect and, if not, configuring WinRM to support basic authentication.

To verify that Windows PowerShell can run scripts from a Windows 7 (or Windows Server 2008 R2) computer, proceed as follows:

1. Click Start > All Programs > Accessories > Windows PowerShell.

2. Right-click Windows PowerShell and select Run as administrator to open a command prompt with administrative privileges. If you get a User Account Control prompt that asks if you would like to continue, click Continue.

3. At the command prompt, run the following command:

PS C:\Users\Administrator> Get-ExecutionPolicy

4. If the value returned is anything other than RemoteSigned, you need to change the value to RemoteSigned. Run the following command if needed:

PS C:\Users\Administrator> Set-ExecutionPolicy RemoteSigned

Note When you set the script execution policy to RemoteSigned, you can only run scripts that you create on your computer or scripts that are signed by a trusted source.

When invited, press Y to confirm the operation.

To verify that WinRM allows Windows PowerShell to connect, proceed as follows:

1. In the Windows PowerShell session you’ve just opened as an administrator, run the following command to check the status of the WinRM service:

PS C:\Users\Administrator> sc query winrm

2. If the WinRM service isn’t running, start it with the following command:

108 INSTALL AND CONFIGURE WINDOWS POWERSHELL: http://help.outlook.com/en-us/140/cc952756.aspx


PS C:\Users\Administrator> net start winrm

3. Run the following command:

PS C:\Users\Administrator> winrm get winrm/config/client/auth

4. In the results, look for the value “Basic =”. If the value is “Basic = false”, you must change it to “Basic = true”. If the value has to be changed, run the following command:

PS C:\Users\Administrator> winrm set winrm/config/client/auth @{Basic="true"}

The value between the braces { } is case-sensitive. In the command output, verify the value “Basic = true”.

5. If you started the WinRM service in step 2, run the following command to stop it:

PS C:\Users\Administrator> net stop winrm

Connecting Windows PowerShell to Microsoft Exchange Online

The next step is to open the Windows PowerShell command prompt on a local computer and connect it to your Exchange Online tenant.

When you open Windows PowerShell on your computer, you're in the Windows PowerShell session of your local computer. A session is an instance of Windows PowerShell that contains all the commands that are available to you. The Windows PowerShell session of your local computer, i.e. a client-side session, only has the basic Windows PowerShell commands available to it (as well as those that relate to the modules you’ve imported into the session). By connecting to the Microsoft Exchange Online services, you connect to the Microsoft Exchange Online datacenter's server environment, i.e. a server-side session, which contains the commands used in the cloud-based service. In other words, a remote PowerShell interface is available to you so that you can access the Exchange Online configuration information using a separate set of Windows PowerShell cmdlets.

Please note that, whilst the Microsoft Online Services Module for Windows PowerShell 109 is generally utilized to manage various aspects of an Office 365 tenant, Exchange Online Remote PowerShell is in no way tied to the Microsoft Online Services Module for Windows PowerShell.

To connect Windows PowerShell to Microsoft Exchange Online Services from a Windows 7 (or Windows Server 2008 R2) computer, proceed as follows:

1. Click Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell.

2. From the command prompt, store the credential for the Exchange Online administrator account.

PS C:\Users\Administrator> $Cred = Get-Credential

109 Microsoft Online Services Module for Windows PowerShell: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx#BKMK_DownloadTheMOSIdentityFederationTool


In the Windows PowerShell Credential Request window that opens up, provide the credentials for the Exchange Online global administrator account, such as:

Username: [email protected]
Password: ****************

3. Create a new remote Windows PowerShell session:

PS C:\Users\Administrator> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection

The initial remote endpoint is ps.outlook.com, as shown above. The AllowRedirection parameter allows the session to be redirected to the appropriate Exchange server at a different URI. Because Basic authentication places the administrator password in the HTTP Authorization header, it is protected only by TLS: check that the ConnectionUri uses the https:// scheme before running the command.

4. Import the cmdlets to the local session:

PS C:\Users\Administrator> Import-PSSession $Session

A progress indicator appears that shows the importing of cmdlets used in the cloud-based service into the client-side session of your local computer. When the process completes, you are now able to run the Exchange Online Windows PowerShell cmdlets.
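The following script is an added example and is not part of the original article: it wraps the four steps above in a function, refuses to send Basic credentials to a non-HTTPS endpoint, stops on the first failure, and removes the remote session when the work is done so it does not linger on the server side. The function names, the -DisableNameChecking choice and the sanity check at the end are the editor's own.

```powershell
# Added example (not from the original article): connect to Exchange Online
# remote PowerShell as described in the steps above, with a scheme check,
# clean failure and guaranteed session teardown. Function names are the
# editor's own; the ConnectionUri default is the endpoint named in the text.

function Connect-ExoRemoteShell {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [uri] $ConnectionUri = 'https://ps.outlook.com/powershell/'
    )
    # Basic auth carries the password in the Authorization header; TLS is the
    # only thing protecting it, so never allow a plain http:// endpoint.
    if ($ConnectionUri.Scheme -ne 'https') {
        throw "Refusing to send Basic credentials over $($ConnectionUri.Scheme)"
    }
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $ConnectionUri -Credential $Credential `
        -Authentication Basic -AllowRedirection -ErrorAction Stop
    # Import the server-side cmdlets as proxy functions into this local session.
    # -DisableNameChecking silences the warning about non-standard verbs that
    # some Exchange cmdlet names trigger.
    Import-PSSession -Session $session -DisableNameChecking -ErrorAction Stop | Out-Null
    return $session
}

function Disconnect-ExoRemoteShell {
    param([Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession] $Session)
    Remove-PSSession -Session $Session
}

# Usage: prompt for the tenant administrator credential, connect, do the
# work inside try, and always tear the session down in finally.
$cred = Get-Credential -Message 'Exchange Online administrator'
$exo  = Connect-ExoRemoteShell -Credential $cred
try {
    # Sanity check that the imported proxies actually reach the tenant before
    # doing anything else; Get-IRMConfiguration is read-only.
    Get-IRMConfiguration | Format-List InternalLicensingEnabled, LicensingLocation
}
finally {
    Disconnect-ExoRemoteShell -Session $exo
}
```

Removing the session matters in practice: Exchange Online limits the number of concurrent remote sessions per administrator account, and an orphaned session counts against that limit until it times out.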


Note For additional information see the article CONNECT WINDOWS POWERSHELL TO THE SERVICE 110 and the blog USING EXCHANGE MANAGEMENT SHELL TO MANAGE YOUR EXCHANGE ONLINE AND EXCHANGE ON PREMISES ENVIRONMENT 111. For troubleshooting, watch the video TROUBLESHOOTING POWERSHELL FOR EXCHANGE ONLINE 112.

Exchange Online uses the same PowerShell cmdlets as Exchange Server 2010 Service Pack 1 (SP1), with certain commands and parameters disabled because those features do not apply in the hosted environment. More specifically, the cmdlets listed in Table 3 below enable you to configure and view the Information Rights Management (IRM) features of your tenant.

110 CONNECT WINDOWS POWERSHELL TO THE SERVICE: http://help.outlook.com/en-us/140/cc952755.aspx
111 USING EXCHANGE MANAGEMENT SHELL TO MANAGE YOUR EXCHANGE ONLINE AND EXCHANGE ON PREMISES ENVIRONMENT: http://blogs.technet.com/b/ilvancri/archive/2012/03/16/using-exchange-management-shell-to-manage-your-exchange-online-and-exchange-on-premise-environment.aspx
112 TROUBLESHOOTING POWERSHELL FOR EXCHANGE ONLINE: http://www.microsoft.com/en-us/showcase/details.aspx?uuid=ef567a38-b03a-4b09-9ddf-4615cc1c8f36


Table 3: Windows PowerShell IRM Cmdlets for Exchange Online

IRM Cmdlet: Description

Get-IRMConfiguration: View the IRM configuration in your organization.
Set-IRMConfiguration: Change the properties of the IRM configuration in your organization.
Test-IRMConfiguration: Test the functionality of the IRM configuration in your organization.
Get-RMSTemplate: View information about specified AD RMS rights policy templates, or retrieve a list of the AD RMS rights policy templates in your organization.
Set-RMSTemplate: Change the properties of an existing AD RMS rights policy template.
Get-RMSTrustedPublishingDomain: View the settings of an existing trusted publishing domain (TPD) in your organization. A trusted publishing domain contains the settings needed to use AD RMS features in your organization; for example, users can apply AD RMS rights policy templates to e-mail messages.
Import-RMSTrustedPublishingDomain: Import a trusted publishing domain from an on-premises server running AD RMS into your organization.
Remove-RMSTrustedPublishingDomain: Remove an existing trusted publishing domain that you have imported into your organization.
Set-RMSTrustedPublishingDomain: Change the properties of an existing trusted publishing domain in your organization.

The next steps of this section make use of the above cmdlets. For a list of the cmdlets available to Exchange Online administrators, see REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE 113.

Importing the AD RMS TPDs and the corresponding rights policy templates

Once all the TPDs are saved in XML format (see section § EXPORTING THE AD RMS TPDS), you need to run Import-RMSTrustedPublishingDomain once for each TPD to import, from a Windows PowerShell session connected to the organization's Office 365 Exchange environment (see previous section).

113 REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE: http://help.outlook.com/en-us/140/dd575549.aspx


When a TPD is imported, the corresponding templates from AD RMS are also imported. The TPD contains the templates that were created with the specific SLC contained within the TPD. Exchange Online supports up to 25 templates per TPD.

Import-RMSTrustedPublishingDomain -FileData $([byte[]](Get-Content -Encoding byte -Path "<Path to exported TPD, i.e., C:\RMSPublishing.xml>" -ReadCount 0)) -Name "TPD Name" -ExtranetLicensingUrl https://<external AD RMS cluster hostname>/_wmcs/licensing -IntranetLicensingUrl https://<internal AD RMS cluster hostname>/_wmcs/licensing

FileData. Contents of the exported TPD file.
Name. A unique name for the TPD.
ExtranetLicensingUrl. The extranet licensing URL used by your on-premises AD RMS cluster.
IntranetLicensingUrl. The intranet licensing URL used by your on-premises AD RMS cluster.

Optionally, the Default parameter can be used to indicate that the TPD should be set as the default TPD. The first imported TPD is marked as the default automatically.

The following is the full syntax of the Import-RMSTrustedPublishingDomain cmdlet with its available parameters.

Import-RMSTrustedPublishingDomain [-Organization <OrganizationIDParameter>] [-Name <String>] [-FileData <Byte[]>] [-Password <SecureString>] [-IntranetLicensingURL <URL>] [-ExtranetLicensingURL <URL>] [-Default <Switch>] [-RefreshTemplates <Switch>] [-PrivateKeyFileData <Byte[]>] [-PrivateKeyPassword <SecureString>]


Note For complete usage details on this cmdlet, review its entry in the REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE 114.

To find the values to set for ExtranetLicensingUrl and IntranetLicensingUrl, look at the URLs shown in the Cluster Details of the Active Directory Rights Management Services snap-in (console) when the server is selected.

In the test lab used here, this is https://adrms.demo.idmgt.archims.fr/_wmcs/licensing.

Note The ExtranetLicensingUrl and IntranetLicensingUrl licensing URLs that are specified when importing will be used by Outlook clients and will also be used when content needs to be decrypted and Exchange needs to figure out which TPD to use. In order to ensure the right TPD is used these URLs must match the configuration in your on-premises AD RMS cluster.

Note As already mentioned, we rely on a split-brain DNS configuration in the MTC test lab configuration. Consequently, the ExtranetLicensingUrl and IntranetLicensingUrl licensing URLs are the same, i.e. https://adrms.demo.idmgt.archims.fr/_wmcs/licensing. An external DNS server is authoritative for the demo.idmgt.archims.fr zone on the Internet.

To import the AD RMS TPDs and the corresponding templates, proceed as follows:

1. Connect Windows PowerShell to Microsoft Exchange Online Services (see eponym section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE).

2. Create a variable for the FileData parameter that will be used during the import of the XML data previously saved, i.e. the exported TPD.

PS C:\Users\Administrator> $file = Get-Content -Path "C:\RMSPublishing.xml" -Encoding byte

3. Run the command Import-RMSTrustedPublishingDomain with the required parameters that reflect your on-premises environment (see above) in order to import the TPD information.

PS C:\Users\Administrator> Import-RMSTrustedPublishingDomain -FileData $file -Name CrossPremiseRMSDomain -ExtranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing -IntranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing

When prompted for a password, enter the password used when the TPD was exported from AD RMS; it is used to decrypt the contents of the TPD.

Depending on the configuration of your Exchange Online tenant, you may encounter the error described in the article ENABLE-ORGANIZATIONCUSTOMIZATION: WINDOWS POWERSHELL ERROR IN EXCHANGE ONLINE 115 in the online help.

114 REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE: http://technet.microsoft.com/en-us/library/dd575549.aspx
115 ENABLE-ORGANIZATIONCUSTOMIZATION: WINDOWS POWERSHELL ERROR IN EXCHANGE ONLINE: http://help.outlook.com/en-us/140/hh299030.aspx?sl=1


If this is the case, as the article explains:

a. Run the command Enable-OrganizationCustomization:

PS C:\Users\Administrator> Enable-OrganizationCustomization

b. Rerun the previous command Import-RMSTrustedPublishingDomain.

PS C:\Users\Administrator> Import-RMSTrustedPublishingDomain -FileData $file -Name CrossPremiseRMSDomain -ExtranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing -IntranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing

WARNING: A script or application on the AMXPRD0310PSH.OUTLOOK.COM remote computer is sending a Prompt request. When prompted, enter sensitive information like your credentials or password only if you trust the remote computer and the application or script requesting it.

Cmdlet Import-RMSTrustedPublishingDomain at command pipeline position 1
Supply values for the following parameters:
Password: ********
WARNING: New RMS templates were imported for the trusted publishing domain "CrossPremiseRMSDomain" and set to archived. To use these RMS templates as actions in Transport Protection Rules, the template must be set to Distributed. To view archived templates, use this command: Get-RmsTemplate -Type Archived. To set the archived templates to Distributed, use the Set-RmsTemplate cmdlet.

Name                 : CrossPremiseRMSDomain
KeyId                : {395539f6-38dc-466f-9beb-33a527e8212a}
IntranetLicensingUrl : https://adrms.demo.idmgt.archims.fr/_wmcs/licensing
ExtranetLicensingUrl : https://adrms.demo.idmgt.archims.fr/_wmcs/licensing
Default              : True
AddedTemplates       : {IDMGT.DEMO CC}
UpdatedTemplates     : {}
RemovedTemplates     : {}

Alternatively, you can pass the password directly with the Password parameter, as follows. The value must be quoted, otherwise PowerShell expands $$ as an automatic variable and a wrong password is sent. Note also that a password typed on the command line is recorded in the console history and in any transcript, so outside a lab prefer the interactive prompt or Read-Host -AsSecureString.

PS C:\Users\Administrator> Import-RMSTrustedPublishingDomain -FileData $file -Password (ConvertTo-SecureString 'Pa$$w0rd' -Force -AsPlainText) -Name CrossPremiseRMSDomain -ExtranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing -IntranetLicensingUrl https://adrms.demo.idmgt.archims.fr/_wmcs/licensing

Important note If the TPD doesn’t contain a private key, the import will fail.

The command Import-RMSTrustedPublishingDomain needs to be repeated for each TPD.

The URLs that are part of the SLC, plus the optional list of licensing URLs provided, are used when content needs to be decrypted and Exchange Online needs to determine which TPD to use. In order to ensure that the TPD is used in local licensing operations, you need to specify one or more AD RMS licensing URLs in the Exchange Online tenant configuration. As mentioned above, these licensing URLs should correspond to the set of internal and external licensing URLs defined on the on-premises AD RMS licensing servers from which the TPDs were originally exported. Additionally, the URLs assigned to a TPD are stamped into the Publishing License (PL) when Exchange creates protected content; this ensures that old URLs used by decommissioned clusters still work properly.

When the first TPD is imported, it is automatically marked as the "Default" TPD. This means that any new publishing operation is performed with this TPD. Subsequent TPDs are not the default unless specified by the administrator; in other words, the default TPD can be changed (see section § CHANGING THE DEFAULT TPD).

The TPDs are stored securely in Active Directory as previously described. TPDs are protected such that unauthorized users, services, or processes cannot access the private key of the TPD. The same level of protection also extends to RACs that are stored in AD.
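Since Import-RMSTrustedPublishingDomain has to be run once per TPD and its result checked, the following script, an added example that is not part of the original article, imports every exported TPD file in a folder and then verifies the outcome. It assumes a PowerShell session already connected to Exchange Online (previous section), one exported XML per TPD whose file name is used as the TPD name, and one export password for all of them, prompted as a secure string rather than typed on the command line. The folder path, the licensing URL placeholders and the text matched in the Enable-OrganizationCustomization error are assumptions to adapt.

```powershell
# Added example (not from the original article): import all exported TPD
# files in a folder, handle the Enable-OrganizationCustomization case, then
# verify that exactly one TPD is the default and that every TPD carries the
# licensing URLs of the on-premises cluster. Paths, URLs and the error-text
# match are assumptions; an Exchange Online remote session is assumed open.

param(
    [string] $TpdFolder   = 'C:\RMSExports',
    [string] $IntranetUrl = 'https://<internal AD RMS cluster hostname>/_wmcs/licensing',
    [string] $ExtranetUrl = 'https://<external AD RMS cluster hostname>/_wmcs/licensing'
)

# Prompted, so the export password never lands in the console history.
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString

$files = @(Get-ChildItem -Path $TpdFolder -Filter '*.xml')
if ($files.Count -eq 0) { throw "No exported TPD files found in $TpdFolder" }

foreach ($file in $files) {
    $name = $file.BaseName
    # -Encoding Byte is Windows PowerShell syntax (PowerShell 7 uses -AsByteStream);
    # -ReadCount 0 returns one byte[] instead of one object per byte.
    $bytes = [byte[]](Get-Content -Path $file.FullName -Encoding Byte -ReadCount 0)

    # A TPD that already exists must be refreshed (-RefreshTemplates), not re-imported.
    if (Get-RMSTrustedPublishingDomain -Identity $name -ErrorAction SilentlyContinue) {
        Write-Warning "TPD '$name' already imported; use -RefreshTemplates to update it"
        continue
    }

    $params = @{
        FileData             = $bytes
        Name                 = $name
        Password             = $tpdPassword
        IntranetLicensingUrl = $IntranetUrl
        ExtranetLicensingUrl = $ExtranetUrl
        ErrorAction          = 'Stop'
    }
    try {
        Import-RMSTrustedPublishingDomain @params
    }
    catch {
        # A fresh tenant may reject the import until organization customization is
        # enabled; the error text match below is an assumption about that message.
        if ($_.Exception.Message -match 'Enable-OrganizationCustomization') {
            Enable-OrganizationCustomization
            Import-RMSTrustedPublishingDomain @params
        }
        else { throw }
    }
}

# Post-import checks: one default TPD, and licensing URLs matching the cluster
# the TPDs were exported from (a mismatch breaks TPD selection at decrypt time).
$tpds     = @(Get-RMSTrustedPublishingDomain)
$defaults = @($tpds | Where-Object { $_.Default })
if ($defaults.Count -ne 1) {
    Write-Warning "Expected exactly one default TPD, found $($defaults.Count)"
}
foreach ($tpd in $tpds) {
    if ("$($tpd.IntranetLicensingUrl)" -ne $IntranetUrl -or "$($tpd.ExtranetLicensingUrl)" -ne $ExtranetUrl) {
        Write-Warning "TPD '$($tpd.Name)' licensing URLs do not match the on-premises cluster"
    }
}
$tpds | Format-Table Name, Default, IntranetLicensingUrl, ExtranetLicensingUrl -AutoSize
```

Because the first TPD imported becomes the default, import the TPD you intend to publish with first, or pass -Default explicitly for it; the check at the end catches the case where a second import was run with -Default and the intended TPD silently lost that role.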

Viewing and enabling the AD RMS rights policy templates

When the above import step is completed, you then need to enable the templates that have been imported. As in on-premises AD RMS, Exchange Online uses the concept of Archived and Distributed rights policy templates. When the import is complete, the type of the rights policy templates is set to Archived, which means that you cannot apply that template and it is not shown as an option in transport rules or in OWA. You are however able to open messages that were protected with that template before the import, without changing the type from Archived to Distributed.

Consequently, once a TPD has been imported, you need to select which AD RMS rights policy templates are Distributed (i.e., visible to end-users). To see the list of all rights policy templates contained within the default TPD, proceed as follows:

1. Connect Windows PowerShell to Microsoft Exchange Online Services (see eponym section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE).

2. Run the following command Get-RMSTemplate:


PS C:\Users\Administrator> Get-RMSTemplate -Type:All

Name            Description                              TemplateGuid
----            -----------                              ------------
IDMGT.DEMO CC   IDMGT.DEMO Company Confidential          9fb2a2dd-2937-4a14-bd8f-4c7cc4a6ddd2
Do Not Forward  Recipients can read this message, bu...  cf5cf348-a8d7-40d5-91ef-a600b88a395d

As illustrated above, when you import the default TPD from your on-premises organization into Exchange Online, one AD RMS rights policy template called "Do Not Forward" is imported with it. This template is Distributed by default when you import the default TPD. You cannot modify the "Do Not Forward" template with the Set-RMSTemplate cmdlet.

When the "Do Not Forward" template is applied to an e-mail message, only the recipients addressed in the message can read the message. Additionally, recipients cannot:

- Forward the message to another person;
- Copy content from the e-mail message;
- Print the e-mail message.

Important note The "Do Not Forward" rights policy template cannot prevent information in an e-mail message from being copied with third-party screen capture programs, cameras, or users manually transcribing the information.

You can however create additional AD RMS rights policy templates on the on-premises AD RMS cluster to meet your own specific IPC requirements, as is the case here with the IDMGT.DEMO CC rights policy template (see section § CREATING AD RMS RIGHTS POLICY TEMPLATES). These templates must be changed from Archived (i.e., not visible to end-users) to Distributed (i.e., visible to end-users), as outlined in the WARNING message displayed when you ran the command Import-RMSTrustedPublishingDomain.

Important note If you later create additional templates, you will have to export the TPD from the on-premises AD RMS cluster again and refresh the TPD in your Exchange Online tenant before changing the type of these templates. For more information, see section § UPDATING EXCHANGE ONLINE.

To change the “IDMGT.DEMO Company Confidential” (IDMGT.DEMO CC) rights policy template from Archived to Distributed, proceed as follows:

1. Connect Windows PowerShell to Microsoft Exchange Online Services (see eponym section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE).

2. Run the following command Set-RMSTemplate:

PS C:\Users\Administrator> Set-RMSTemplate -Identity "IDMGT.DEMO CC" -Type:Distributed

Only Distributed rights policy templates in the default TPD are shown in OWA. All templates in the default TPD are allowed in transport rules. Templates in non-default TPDs are only used for decryption. Although templates in non-default TPDs can be marked as type Distributed, that has no effect unless the TPD is made the default.

To view the templates in a non-default TPD and their status, proceed as follows:

1. Connect Windows PowerShell to Microsoft Exchange Online Services (see eponym section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE).


2. Run the command Get-RMSTemplate with the TrustedPublishingDomain parameter as follows:

PS C:\Users\Administrator> Get-RMSTemplate -TrustedPublishingDomain CrossPremiseRMSDomain

The following is the output from this command, where "CrossPremiseRMSDomain" is the value specified in the Name parameter of Import-RMSTrustedPublishingDomain in the previous stage (see section § IMPORTING THE AD RMS TPDS AND THE CORRESPONDING RIGHTS POLICY TEMPLATES).

RunspaceId   : c57c84d2-35fe-40a0-a025-b95edd5686ff
Name         : TestTemplate
Description  : This is a test AD RMS template
Type         : Archived
TemplateGuid : 461be8a6-eb94-4826-bd22-89dbb05756e6
Identity     : TestTemplate
IsValid      : True

RunspaceId   : c57c84d2-35fe-40a0-a025-b95edd5686ff
Name         : Do Not Forward
Description  : Recipients can read this message, but they can't forward, print, or copy content. The conversation owner has full permission to their message and all replies.
Type         : Distributed
TemplateGuid : cf5cf348-a8d7-40d5-91ef-a600b88a395d
Identity     : Do Not Forward
IsValid      : True

From the preceding, you can see that the "TestTemplate" rights policy template, which is a custom rights policy template, has the type Archived. In order to apply this template to new messages within the Online Services, it needs to be switched to Distributed. The following is a sample of the command used to make the switch.

PS C:\Users\Administrator> Get-RMSTemplate -Identity TestTemplate -TrustedPublishingDomain CrossPremiseRMSDomain | Set-RMSTemplate -Type Distributed

This allows the "TestTemplate" rights policy template to be used for protecting new content via Outlook, OWA, and transport protection rules. As already outlined, templates are imported as Archived so that a template can be brought in to let previously protected messages be decrypted without being offered for protecting new content. There will be times when the organization does not want an old template used for new content; importing it without enabling it for new content gives the organization's administrators greater control over which AD RMS rights policy templates are used.
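The following script is an added example, not part of the original article, that applies the rules in this section as a repeatable operation: it resolves the default TPD (since Distributed only has an effect there), lists every template with its state, sets the named custom templates to Distributed only when they are found and not already Distributed, and reports what remains Archived. It assumes an open Exchange Online remote PowerShell session; the template name list is a placeholder taken from the lab example above.

```powershell
# Added example (not from the original article): enable selected custom
# templates in the default TPD and report the rest. Assumes an Exchange
# Online remote session is already open; the template list is a placeholder.

param(
    [string[]] $TemplatesToDistribute = @('IDMGT.DEMO CC')
)

# Distributed only takes effect in the default TPD, so resolve it first.
$defaultTpd = Get-RMSTrustedPublishingDomain | Where-Object { $_.Default }
if (-not $defaultTpd) {
    throw 'No default TPD: import a TPD first, or set one with Set-RMSTrustedPublishingDomain -Default'
}

Write-Host "Templates in default TPD '$($defaultTpd.Name)':"
$all = @(Get-RMSTemplate -TrustedPublishingDomain $defaultTpd.Name -Type All)
$all | Format-Table Name, Type, TemplateGuid -AutoSize

foreach ($templateName in $TemplatesToDistribute) {
    $template = $all | Where-Object { $_.Name -eq $templateName }
    if (-not $template) {
        # Templates created on-premises after the import are not present until the
        # TPD is re-exported and refreshed (see Updating Exchange Online).
        Write-Warning "Template '$templateName' not found in the default TPD; re-export and refresh if it was created after the import"
        continue
    }
    if ("$($template.Type)" -eq 'Distributed') {
        Write-Host "'$templateName' is already Distributed"
        continue
    }
    $template | Set-RMSTemplate -Type Distributed
    Write-Host "'$templateName' set to Distributed"
}

# Anything still Archived is not offered to end users in OWA or Outlook.
Get-RMSTemplate -TrustedPublishingDomain $defaultTpd.Name -Type Archived |
    ForEach-Object { Write-Warning "Still archived: $($_.Name)" }
```

Keeping the list of templates to distribute explicit, rather than distributing everything that is Archived, preserves the point made above: templates that exist only so that old messages stay readable should stay Archived.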


Enabling the use of AD RMS for OWA and EAS clients

Now that you have the AD RMS configuration imported and configured for use, you can optionally move on to enabling AD RMS for Outlook Web App (OWA) and Microsoft Exchange ActiveSync (EAS) clients. If you only want to use AD RMS from Outlook, this step is not needed. To see the current IRM configuration, proceed as follows:

1. Connect Windows PowerShell to Microsoft Exchange Online Services (see eponym section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE).

2. Run the command Get-IRMConfiguration:

PS C:\Users\Administrator> Get-IRMConfiguration

InternalLicensingEnabled       : False
ExternalLicensingEnabled       : True
JournalReportDecryptionEnabled : True
ClientAccessServerEnabled      : True
SearchEnabled                  : True
TransportDecryptionSetting     : Optional
EDiscoverySuperUserEnabled     : True
ServiceLocation                : https://adrms.demo.idmgt.archims.fr/_wmcs/certification
PublishingLocation             : https://adrms.demo.idmgt.archims.fr/_wmcs/licensing/publish.asmx
LicensingLocation              : {https://adrms.demo.idmgt.archims.fr/_wmcs/licensing}

As you can see from the above output, InternalLicensingEnabled is set to False. This is the default setting; it must be set to True to allow web-based clients to use the AD RMS services. The change takes effect immediately, and users can then use the templates from any AD RMS-capable client. To set this value to True, proceed as follows:

1. From the previous Windows PowerShell command prompt, run the command Set-IRMConfiguration:

PS C:\Users\Administrator> Set-IRMConfiguration -InternalLicensingEnabled $True

The following lists out the syntax and the parameters that are available for the Set-IRMConfiguration cmdlet.


Set-IRMConfiguration [-Organization <OrganizationIDParameter>] [-Identity <IDParameter>] [-ExternalLicensingEnabled <$true | $false>] [-InternalLicensingEnabled <$true | $false>] [-JournalReportDecryptionEnabled <$true | $false>] [-ClientAccessServerEnabled <$true | $false>] [-SearchEnabled <$true | $false>] [-TransportDecryptionSetting <Disabled | Optional | Mandatory>]

Note For complete usage details on this cmdlet, review its entry in the REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE 116.

As you can see, there are many options with the Set-IRMConfiguration cmdlet. They can be used to control the behavior of AD RMS within the Microsoft Exchange Online Services, just as they do for the on-premises services. The settings within Microsoft Office 365 typically match what you have within the organization's on-premises environment (which can be viewed by running the same Get-IRMConfiguration cmdlet from the on-premises Exchange Management Shell). The settings do not have to match: some customers may want to limit the footprint of their AD RMS configuration in the cloud, but most customers choose to make the settings match so that users get a more seamless experience.

Note If the administrator attempts to remove the default TPD and it’s the only TPD, then removing the TPD will succeed with a warning and IRM will be disabled. If the administrator attempts to remove the default TPD and there are other TPDs, the remove task will fail and instruct the administrator to set another TPD as default before re-attempting to remove the TPD.

116 REFERENCE TO AVAILABLE POWERSHELL CMDLETS IN EXCHANGE ONLINE: http://technet.microsoft.com/en-us/library/dd575549.aspx


Managing the cross-premises deployment

This section provides additional information on the configuration established to leverage the on-premises AD RMS infrastructure in Microsoft Exchange Online.

Changing the default TPD

When the first TPD is imported, it is marked as the default TPD. Any new publishing operation (i.e. whenever IRM content is created) is done using this default TPD. The default TPD can be changed using the Set-RMSTrustedPublishingDomain cmdlet as follows:

PS C:\Users\Administrator> Set-RMSTrustedPublishingDomain -Identity <TPD ID> -Default

If you attempt to remove the default TPD and if it’s the only TPD, then removing the TPD will succeed with a warning and InternalLicensingEnabled on the IRMConfiguration object will be set to false. If the administrator attempts to remove the default TPD and there are other TPDs, the remove task will fail and instruct the administrator to set another TPD as default before re-attempting to remove a TPD.

Updating Exchange Online

Customers will have to update their AD RMS configurations from time to time. These updates can include removing AD RMS rights policy templates, adding new templates, and modifying existing templates. When changes are made to the on-premises AD RMS rights policy template configuration, the information needs to be re-imported into the Office 365 tenant. The process for importing the updates is the same as the initial import process, with one exception: the RefreshTemplates switch must be added to the Import-RMSTrustedPublishingDomain cmdlet so that the templates are refreshed from the newly exported XML file that contains the updates.

Important note If any AD RMS rights policy templates were deleted on-premises, those templates are also removed when the import completes. The assumption is that you want to mirror the on-premises implementation, so the templates match the on-premises environment after each import, including imports with the RefreshTemplates option.

The template refresh behavior depends on whether the templates from the imported TPD already exist in the tenant’s “default” TPD. The following table outlines the expected behavior when refreshing AD RMS rights policy templates in the online tenant:


Table 4: Import TPD effects on AD RMS rights policy templates

Imported TPD contains: New and existing template(s)
  Template(s) present in default TPD: existing template(s) unmodified; state (type) is preserved.
  Template(s) not present in default TPD: new template(s) added; state (type) set to "Archived".

Imported TPD contains: Only new templates
  Template(s) present in default TPD: existing templates removed.
  Template(s) not present in default TPD: new template(s) added; state (type) set to "Archived".

Imported TPD contains: Updates to existing template(s)
  Template(s) present in default TPD: existing template(s) updated; state (type) is preserved.
  Template(s) not present in default TPD: N/A.

Important note Any newly imported templates are added to the list of available templates in the tenant's Exchange environment. The state of the new templates is automatically set to "Archived". Before a new template can be used for protecting new content, its type needs to be set to "Distributed" (this process was described earlier in this section).

If AD RMS rights policy templates are changed on-premises, the Import-RMSTrustedPublishingDomain cmdlet can be used to update/refresh Microsoft Exchange Online Services. Proceed as follows:

1. Export the AD RMS settings again from the on-premises environment as per section § EXPORTING THE AD RMS TPDS. (This is strictly the same process as described previously when the initial export was completed.)

2. Connect Windows PowerShell to Microsoft Exchange Online Services as per section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE) and run the following command:

PS C:\Users\Administrator> $file = Get-Content -Path C:\RMSPublishing.xml -Encoding byte

3. Import the TPDs as per section § IMPORTING THE AD RMS TPDS AND THE CORRESPONDING RIGHTS POLICY TEMPLATES, but use this variation of the Import-RMSTrustedPublishingDomain cmdlet with the RefreshTemplates parameter (the password is quoted so that PowerShell does not expand $$ as a variable):

PS C:\Users\Administrator> Import-RMSTrustedPublishingDomain -FileData $file -Password (ConvertTo-SecureString 'Pa$$w0rd' -Force -AsPlainText) -Name CrossPremiseRMSDomain -RefreshTemplates

The Name parameter must match the name of the previously imported TPD. After the import, you will see a list of templates that are new to Exchange Online and a list of templates that are no longer in Exchange Online.

4. Run the following command to see if there are any new templates that need the Type set to Distributed from Archive:

PS C:\Users\Administrator> Get-RMSTemplate -TrustedPublishingDomain CrossPremiseRMSDomain

5. If any of the new templates should be visible, mark them as type Distributed in the same way as outlined in section § VIEWING AND ENABLING THE AD RMS RIGHTS POLICY TEMPLATES:

PS C:\Users\Administrator> Get-RMSTemplate -Identity NewTemplate -TrustedPublishingDomain CrossPremiseRMSDomain | Set-RMSTemplate -Type Distributed


6. Also ensure that deleted AD RMS rights policy templates are not referenced by transport rules because that will cause non-delivery reports (NDR).
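The six steps above, as an added example that is not part of the original article: the script snapshots the template list before the refresh, runs Import-RMSTrustedPublishingDomain with RefreshTemplates, diffs the lists by TemplateGuid, and then checks step 6 automatically by listing every transport rule whose ApplyRightsProtectionTemplate names a template that the refresh removed. It assumes an open Exchange Online remote PowerShell session and uses the lab TPD name and file path as placeholders.

```powershell
# Added example (not from the original article): refresh an imported TPD from
# a new export and flag removed templates still referenced by transport rules
# (those rules would start producing NDRs). TPD name and path are placeholders;
# an Exchange Online remote session is assumed open.

param(
    [string] $TpdName = 'CrossPremiseRMSDomain',
    [string] $TpdFile = 'C:\RMSPublishing.xml'
)

# Snapshot of the templates as they are before the refresh.
$before = @(Get-RMSTemplate -TrustedPublishingDomain $TpdName -Type All)

# Windows PowerShell syntax for a byte[] read (PowerShell 7 uses -AsByteStream).
$bytes       = [byte[]](Get-Content -Path $TpdFile -Encoding Byte -ReadCount 0)
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString

# -Name must match the TPD imported earlier; -RefreshTemplates makes this an update.
Import-RMSTrustedPublishingDomain -FileData $bytes -Name $TpdName `
    -Password $tpdPassword -RefreshTemplates -ErrorAction Stop

$after = @(Get-RMSTemplate -TrustedPublishingDomain $TpdName -Type All)

# Diff by GUID rather than by name: a renamed template is a new GUID on-premises.
$beforeIds = @($before | Select-Object -ExpandProperty TemplateGuid)
$afterIds  = @($after  | Select-Object -ExpandProperty TemplateGuid)
$added     = @($after  | Where-Object { $beforeIds -notcontains $_.TemplateGuid })
$removed   = @($before | Where-Object { $afterIds  -notcontains $_.TemplateGuid })

foreach ($t in $added)   { Write-Host    "New template (imported as Archived): $($t.Name)" }
foreach ($t in $removed) { Write-Warning "Template removed by refresh: $($t.Name)" }

# Step 6: a transport rule that still applies a removed template will NDR messages.
$removedNames = @($removed | Select-Object -ExpandProperty Name)
$rules = Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate }
foreach ($rule in $rules) {
    $ref = "$($rule.ApplyRightsProtectionTemplate)"
    if ($removedNames -contains $ref) {
        Write-Warning "Transport rule '$($rule.Name)' references removed template '$ref'; disable or fix it"
    }
}
```

The before/after diff is worth keeping even when the cmdlet's own output lists added and removed templates, because it leaves the removed names in a variable that the transport-rule check can consume in the same run.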

Using OWA mailbox policies

OWA mailbox policies allow you to enable selected OWA features for groups of users. OWA features are enabled or disabled via OWA mailbox policies, which can then be assigned to specific users within the organization. Once assigned, OWA mailbox policy settings override the OWA virtual directory settings.

Identifying the OWA mailbox policy assigned to a user

You can use the Get-CASMailbox cmdlet to identify which OWA mailbox policy has been assigned to a user, as follows (for the [email protected] user):

PS C:\Users\Administrator> Get-CASMailbox [email protected] | fl *owa*

OWAMailboxPolicy : OwaMailboxPolicy-Default
OWAEnabled       : True

The “OwaMailboxPolicy-Default” OWA Mailbox Policy is automatically assigned to users when they are initially created. All OWA mailbox policy assignments are made using the Set-CASMailbox cmdlet. The following example assigns the “OwaMailboxPolicy-Default” OWA mailbox policy to a user account ([email protected]):

PS C:\Users\Administrator> Set-CASMailbox [email protected] -OWAMailboxPolicy "OwaMailboxPolicy-Default"

Identifying if IRM support is enabled on an OWA mailbox policy

You can use the Get-OWAMailboxPolicy cmdlet to identify which mailbox policies are configured to support IRM.

PS C:\Users\Administrator> Get-OWAMailboxPolicy | fl Name, IRMenabled

Name       : OwaMailboxPolicy-Default
IRMEnabled : True

Enabling/Disabling IRM support within an OWA mailbox policy

IRM in OWA can be enabled or disabled at the mailbox policy level through the IRMEnabled setting of the OwaMailboxPolicy object. The following example illustrates how to enable IRM support on the "OwaMailboxPolicy-Default" OWA mailbox policy:


PS C:\Users\Administrator> Set-OWAMailboxPolicy -Identity "OwaMailboxPolicy-Default" -IRMEnabled $true

Important note If the IRMEnabled setting on the OWA virtual directory conflicts with the OWA mailbox policy assigned to the user, the OWA mailbox policy takes precedence.
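The three checks above (policy assigned to a user, IRM flag on each policy, policy-over-virtual-directory precedence) can be combined into one report. The following function is an added example, not code from the original article; it assumes a Windows PowerShell session already connected to Exchange Online and returns one row per mailbox.

```powershell
# Added example (not from the original article): report, for every mailbox, the
# OWA mailbox policy assigned to it and whether that policy has IRM enabled.
# Assumes a Windows PowerShell session already connected to Exchange Online.
function Get-OwaIrmStatusReport {
    [CmdletBinding()]
    param(
        # When set, only return users whose assigned policy has IRM turned off
        [switch]$IrmDisabledOnly
    )

    # Fetch every OWA mailbox policy once and index its IRMEnabled flag by name
    $policyIrm = @{}
    foreach ($policy in Get-OwaMailboxPolicy) {
        $policyIrm[[string]$policy.Name] = [bool]$policy.IRMEnabled
    }

    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        # OwaMailboxPolicy is empty when no policy has been assigned; in that case
        # the OWA virtual directory settings apply and the policy flag is $null
        $policyName = [string]$_.OwaMailboxPolicy
        $irmByPolicy = $null
        if ($policyName -and $policyIrm.ContainsKey($policyName)) {
            $irmByPolicy = $policyIrm[$policyName]
        }

        $row = [pscustomobject]@{
            User               = [string]$_.PrimarySmtpAddress
            OwaEnabled         = [bool]$_.OWAEnabled
            OwaMailboxPolicy   = $policyName
            IrmEnabledByPolicy = $irmByPolicy
        }
        if (-not $IrmDisabledOnly -or $irmByPolicy -eq $false) { $row }
    }
}

# Usage: list every user whose assigned policy leaves IRM in OWA turned off
Get-OwaIrmStatusReport -IrmDisabledOnly | Format-Table -AutoSize
```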

Disabling IRM in Exchange Online

To stop using the TPD in Exchange Online temporarily, the IRM feature can be turned off:

PS C:\Users\Administrator> Set-IRMConfiguration -InternalLicensingEnabled $false

Confirm
Setting the InternalLicensingEnabled parameter to ‘false’ disables all internal IRM features, including Transport Protection Rules and Protected Voice Messages. To avoid NDRs, please disable all Transport Protcetion Rules and Protected Voice Messages. Do you still want to disable all internal IRM features?
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is “Yes”): Y

Removing TPDs

There may be a time when the tenant administrator needs to remove a TPD from the Office 365 environment. The Remove-RMSTrustedPublishingDomain cmdlet can be used to perform that operation. The following should be run from a Windows PowerShell session connected to the Office 365 Exchange environment.

PS C:\Users\Administrator> Remove-RMSTrustedPublishingDomain -Identity "CrossPremisesRMSDomain"

The preceding cmdlet can be used if this TPD is not set as the default and is not the last TPD in the RMS Online configuration. If another TPD has been imported (there can be up to 20), you can designate that TPD as the default. The default TPD can be set even if you do not intend to remove any TPDs. The following designates another TPD as the default (assuming that you are already connected using Windows PowerShell to the Exchange Office 365 environment):

PS C:\Users\Administrator> Set-RMSTrustedPublishingDomain -Identity "OtherTPD" -Default

Then, you can remove the TPD that was previously the default with the same command mentioned earlier, because it is no longer marked as the default.

PS C:\Users\Administrator> Remove-RMSTrustedPublishingDomain -Identity "CrossPremisesRMSDomain"

The following removes all non-default TPDs:

PS C:\Users\Administrator> Get-RMSTrustedPublishingDomain | ?{ $_.Default -eq $false } | Remove-RMSTrustedPublishingDomain

If this is the last TPD, you must first disable the InternalLicensingEnabled parameter of the IRM configuration by setting it to False, which is the default value.


To set the value to False manually, run the following command before removing the last TPD.

PS C:\Users\Administrator> Set-IRMConfiguration -InternalLicensingEnabled $False

Remove the last TPD using the syntax that was used previously, but add the -Force switch, which forces the removal of the last TPD. The following is a sample of the syntax that would be used.

PS C:\Users\Administrator> Remove-RMSTrustedPublishingDomain -Identity "CrossPremiseRMSDomain" -Force

Confirm
Are you sure you want to perform this action?
Removing the trusted publishing domain CrossPremiseRMSdomain
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is “Yes”): Y

Before you make any changes to the environment, it is a good practice to view the TPDs that are currently in place: another tenant administrator may have added or removed a TPD without your knowledge. To view the current TPDs, first connect using Windows PowerShell to the Office 365 Exchange environment (see section § CONNECTING WINDOWS POWERSHELL TO MICROSOFT EXCHANGE ONLINE) and run the following command:

PS C:\Users\Administrator> Get-RMSTrustedPublishingDomain | fl

This will provide output similar to the following.

PS C:\Users\Administrator> Get-RMSTrustedPublishingDomain | fl

RunspaceId               : 9b88cdcc-0625-4bfa-8eb4-224117638567
IntranetLicensingUrl     : https://adrms.demo.idmgt.archims.fr/_wmcs/licensing
ExtranetLicensingUrl     : https://adrms.demo.idmgt.archims.fr/_wmcs/licensing
IntranetCertificationUrl : https://adrms.demo.idmgt.archims.fr/_wmcs/certification
ExtranetCertificationUrl : https://adrms.demo.idmgt.archims.fr/_wmcs/certification
Default                  : True
CSPType                  : 1
CSPName                  :
KeyContainerName         :
KeyId                    : {395539f6-38dc-466f-9beb-33a527e8212a}
KeyIdType                : MS-GUID
KeyNumber                : 1
AdminDisplayName         :
ExchangeVersion          : 0.1 (8.0.535.0)
Name                     : CrossPremisesRMSDomain
DistinguishedName        : CN=CrossPremisesRMSDomain,CN=ControlPoint Config,CN=Transport Settings,CN=Configuration,CN=idmgt.onmicrosoft.com,CN=ConfigurationUnits,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=eurprd03,DC=prod,DC=outlook,DC=com
Identity                 : CrossPremisesRMSDomain
Guid                     : 01c2cf79-287e-4490-b7c7-e15c43358000
ObjectCategory           : eurprd03.prod.outlook.com/Configuration/Schema/ms-Exch-Control-Point-Trusted-Publishing-Domain
ObjectClass              : {top, msExchControlPointConfig, msExchControlPointTrustedPublishingDomain}
WhenChanged              : 12/06/2012 09:58:18
WhenCreated              : 12/06/2012 08:38:30
WhenChangedUTC           : 12/06/2012 07:58:18
WhenCreatedUTC           : 12/06/2012 06:38:30
OrganizationId           : eurprd03.prod.outlook.com/Microsoft Exchange Hosted Organizations/idmgt.onmicrosoft.com - eurprd03.prod.outlook.com/Configuration/Services/Microsoft Exchange/ConfigurationUnits/idmgt.onmicrosoft.com/Configuration
OriginatingServer        : AMXPRD0310DC001.eurprd03.prod.outlook.com
IsValid                  : True

As you can see, this output gives a lot of detail, including which TPD is the default. It also provides the full list of imported TPDs. The list above contains only one TPD, since that is all that was imported; if multiple TPDs had been imported, each of them would be listed.
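The removal procedure described above (check the current TPDs first, promote another TPD if the one to remove is the default, disable internal licensing and use -Force only for the last TPD) can be scripted so that the preconditions are enforced rather than remembered. The following function is an added example, not code from the original article; it assumes a Windows PowerShell session already connected to Exchange Online, and the TPD names in the usage lines are the article's sample names.

```powershell
# Added example (not from the original article): remove a TPD from Exchange Online
# while honouring the preconditions documented above. Assumes a Windows PowerShell
# session already connected to Exchange Online.
function Remove-TpdSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # TPD to promote to default if $Name is the current default (auto-picked if omitted)
        [string]$NewDefault
    )

    # Always read the current state first: another admin may have changed it
    $tpds   = @(Get-RMSTrustedPublishingDomain)
    $target = $tpds | Where-Object { $_.Name -eq $Name }
    if (-not $target) {
        throw "TPD '$Name' not found. Imported TPDs: $(($tpds | ForEach-Object { $_.Name }) -join ', ')"
    }

    if ($tpds.Count -eq 1) {
        # Last TPD: internal licensing must be off first, and removal needs -Force.
        Write-Warning 'Disabling internal licensing stops transport protection rules; expect NDRs if any remain.'
        if ((Get-IRMConfiguration).InternalLicensingEnabled -and
            $PSCmdlet.ShouldProcess('IRM configuration', 'Set InternalLicensingEnabled to $false')) {
            Set-IRMConfiguration -InternalLicensingEnabled $false -Confirm:$false
        }
        if ($PSCmdlet.ShouldProcess($Name, 'Remove last TPD (-Force)')) {
            Remove-RMSTrustedPublishingDomain -Identity $Name -Force -Confirm:$false
        }
        return
    }

    if ($target.Default) {
        # The default TPD cannot be removed: promote another one first
        if (-not $NewDefault) {
            $NewDefault = ($tpds | Where-Object { $_.Name -ne $Name } | Select-Object -First 1).Name
        }
        if ($PSCmdlet.ShouldProcess($NewDefault, 'Set as default TPD')) {
            Set-RMSTrustedPublishingDomain -Identity $NewDefault -Default
        }
    }

    if ($PSCmdlet.ShouldProcess($Name, 'Remove TPD')) {
        Remove-RMSTrustedPublishingDomain -Identity $Name -Confirm:$false
    }
}

# Usage: dry run first (nothing is changed), then the real removal
Remove-TpdSafely -Name 'CrossPremisesRMSDomain' -WhatIf
Remove-TpdSafely -Name 'CrossPremisesRMSDomain'
```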


Installing and configuring Outlook 2010

In this section, you will see how to install the Outlook 2010 client from your subscription and how to configure it to discover Office 365 settings on a Windows 7 computer. To install the Outlook 2010 client, proceed as follows:

1. From your browser, navigate to the Microsoft Online Services Portal (MOP) at http://portal.microsoftonline.com.

2. Sign in as the Exchange Online global administrator account for your subscription, such as:
Username: [email protected]
Password: ****************

3. On the Admin Overview tab, under Resources on the right, click Downloads.
4. The Office 365 subscription provides Office 2010 Professional Plus licensing, and you can install Office 2010 Professional Plus from this Downloads location.


To install the Office suite, simply click Install under Install Microsoft Office Professional Plus after having selected both the language and the version.

5. Scroll to the bottom and click Set up under Set up and configure your Office desktop apps to install the Office 365 Desktop Setup application.

In order to ensure proper discovery and authentication of services in Office 365, a set of components and updates must be applied to each work computer that uses rich clients (such as Office Professional Plus 2010) and connects to Office 365. Rather than installing the updates manually, one by one, Microsoft provides an automated setup package, the aforementioned Office 365 Desktop Setup application, which automatically configures workstations with the required updates. This application replaces the Microsoft Online Services Connector. If work computers have the Office 365 Desktop Setup application installed, all the requirements for the operating system are met.

Note A list of these update requirements is published for organizations that want to use an alternative method of deploying the updates. The article MANUALLY INSTALL OFFICE 365 DESKTOP UPDATES 117 fully describes the list of required updates.

The Office 365 Desktop Setup application is available for download from the Microsoft Online Portal (MOP). For web-based clients such as Outlook Web App (OWA), there is no need to install the Office 365 Desktop Setup application; it is strictly for thick clients such as Outlook.

Note For additional information, see the article SET UP YOUR DESKTOP FOR OFFICE 365 118 in the online help.

6. Click Run on the Application Run security warning if any.

117 MANUALLY INSTALL OFFICE 365 DESKTOP UPDATES: http://community.office365.com/en-us/w/administration/manually-install-office-365-desktop-updates.aspx
118 SET UP YOUR DESKTOP FOR OFFICE 365: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637594.aspx


7. On the Microsoft Office 365 desktop setup dialog box, provide credentials for a standard user (not your Exchange Online global administrator account).

8. Leave the checkbox checked for at least Microsoft Outlook. Also, optionally, click Show more details to see other important items that will be installed, such as the Microsoft Online Services Sign-in Assistant (MOS SIA)119.

9. Accept the End User License Agreement (EULA) if asked for.

119 DESCRIPTION OF MICROSOFT ONLINE SERVICES SIGN-IN ASSISTANT (MOS SIA): http://community.office365.com/en-us/w/office/534.aspx


10. Notice the information shown regarding Configure Microsoft Outlook (manual steps required). While Lync 2010, for instance, brokers authentication to the MOS SIA, Outlook 2010 does not. Outlook 2010 goes through auto-discover and finds that the Exchange Online Client Access Server (CAS) requires Basic authentication. The credentials are then sent to the Exchange Online CAS, which brokers the authentication through the Office 365 Identity Platform. Since the MOS SIA doesn’t assist with Outlook authentication today, you must configure the Outlook client manually (see below). Click Finish.

To manually configure Outlook 2010, proceed as follows:

1. Open Outlook 2010. If the Microsoft Outlook 2010 Startup wizard displays automatically, on the first page of the wizard, click Next. Then, on the E-mail Accounts page of the wizard, click Next again to set up an e-mail account. If the Microsoft Outlook 2010 Startup wizard doesn't appear, on the Outlook 2010 toolbar, click the File tab. Then, just above the Account Settings button, click Add Account.


2. On the Auto Account Setup page, Outlook 2010 may try to automatically fill in the Your Name and E-mail Address settings based on how you're logged on to your computer. If the settings are filled in, click Next to have Outlook finish setting up your account. If the settings on the Auto Account Setup page aren't filled in for you, type your user’s first and last name in the Your Name field, your full e-mail address, for example, “[email protected]”, in the E-mail Address field, and finally your password in the Password and Retype Password fields.

3. Click Next. Outlook will then perform an online search to find your e-mail server settings. You'll be prompted to enter your user name and password during this search. Make sure that you enter your full e-mail address (for example, “[email protected]”) as your user name. If Outlook is able to set up your account, you'll see the following text: “Your e-mail account is successfully configured. Click Finish”

Note For additional information, see the article CONNECT OUTLOOK TO THIS ACCOUNT 120 in the online help.

Finally, in order to make the AD RMS rights policy templates accessible, the AD RMS rights policy templates must be available on the client computer.

As mentioned earlier, the AD RMS client is included in the default installation of Windows 7. This client requests AD RMS rights policy templates from the AD RMS cluster by using a scheduled task, which is configured to query the template distribution pipeline on the AD RMS cluster and then gather the templates from that path. This job can be automated for internal use or executed manually from machines with sporadic connectivity to the AD RMS cluster.

A scheduled task is configured by default to run up to one hour after a user logs on to the computer and every morning at 03:00. This scheduled task is disabled by default, but you can enable it and change the default configuration by using the Task Scheduler control panel or by using Group Policy. After the scheduled task is enabled, you must configure a registry entry so that Office 2010 can locate the directory in which the rights policy templates are stored.

120 CONNECT OUTLOOK TO THIS ACCOUNT: http://help.outlook.com/en-US/140/ms.exch.ecp.useoutlookanywhere.aspx


The automated scheduled task works only on computers that are joined to your organization’s domain. There is also a manual scheduled task that should be used for users with a domain account who are using a client computer that is not joined to your organization’s domain. The manual task only downloads the templates immediately after being started and when the user logs in. In order for the manual scheduled task to work on such clients, you must configure the Enterprise Publishing client registry override found in the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing

To enable the automated scheduled task, proceed as follows:

1. Log on to the client computer with an account that has administrative rights to the client.
2. Click Start > All Programs > Administrative Tools > Task Scheduler.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
5. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
6. Close Task Scheduler.

To configure the template download path, proceed as follows:

1. Click Start, type regedit.exe in the search box, and then press ENTER.
2. Expand the following registry key for the Office 2010 Professional Plus subscription: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM (if any of the subkeys do not exist, create them).

3. Right-click DRM, click New, click Expandable String Value, type “AdminTemplatePath” in the Value field, and then click OK.

4. Double-click the AdminTemplatePath registry value and type “%LOCALAPPDATA%\Microsoft\DRM\Templates” in the Value data box where %LOCALAPPDATA% equals C:\Users\<user name>\AppData\Local, and then click OK.

5. Close the Registry editor.

Log on to an AD RMS client with a standard user account, wait for about an hour, and check the following directory: %LOCALAPPDATA%\Microsoft\DRM\Templates, where %LOCALAPPDATA% equals C:\Users\<user name>\AppData\Local. Once the AD RMS rights policy templates are copied to the client, you are ready to use the templates.

Before you can create or consume rights-protected content, you must add the AD RMS cluster URL to the Local intranet security zone. To add the AD RMS cluster to the Local intranet security zone, proceed as follows:

1. Click Start, click All Programs, and then click Internet Explorer.
2. Click Tools, and then click Internet Options.
3. Click the Security tab, click Local intranet, and then click Sites.
4. Click Advanced.
5. In the Add this website to the zone box, type “https://adrms.demo.idmgt.archims.fr”, and then click Add.


6. Click Close.

At this stage, the client computer is fully configured.
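The three client-side procedures above (enable the automated template task, set AdminTemplatePath for Office 2010, add the cluster to the Local intranet zone) can be applied from Windows PowerShell instead of the GUI, which is useful when many Windows 7 clients have to be prepared. The following is an added example, not code from the original article; it assumes the task name created by the built-in AD RMS client, that the Local intranet zone is zone id 1 in the ZoneMap, and uses the article's sample cluster URL.

```powershell
# Added example (not from the original article). Enable-AdRmsTemplateTask needs an
# elevated prompt; Set-AdRmsClientUserSettings must run as the standard user because
# it writes to that user's HKCU hive (exactly as the regedit steps above do).
function Enable-AdRmsTemplateTask {
    # Task path as created by the built-in AD RMS client on Windows 7 (assumed name)
    $task = '\Microsoft\Windows\Active Directory Rights Management Services Client\' +
            'AD RMS Rights Policy Template Management (Automated)'
    schtasks.exe /Change /TN $task /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not enable '$task' (is the prompt elevated?)" }
}

function Set-AdRmsClientUserSettings {
    param([string]$ClusterUrl = 'https://adrms.demo.idmgt.archims.fr')  # article's sample URL

    # Office 2010 (14.0) reads the template folder from AdminTemplatePath;
    # REG_EXPAND_SZ keeps %LOCALAPPDATA% relative to whoever logs on
    $drmKey = 'HKCU:\Software\Microsoft\Office\14.0\Common\DRM'
    if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
    New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
        -Value '%LOCALAPPDATA%\Microsoft\DRM\Templates' -Force | Out-Null

    # Local intranet zone (id 1) for the cluster host. IE keys ZoneMap\Domains by
    # registrable domain, then host prefix (assumed layout: archims.fr\adrms.demo.idmgt)
    $uri     = [Uri]$ClusterUrl
    $labels  = $uri.Host.Split('.')
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
               ($labels[-2..-1] -join '.')
    if ($labels.Length -gt 2) { $zoneKey += '\' + ($labels[0..($labels.Length - 3)] -join '.') }
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    New-ItemProperty -Path $zoneKey -Name $uri.Scheme -PropertyType DWord -Value 1 -Force | Out-Null

    # Report whether templates have already been downloaded for this user
    $dir = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
    $n   = if (Test-Path $dir) { @(Get-ChildItem $dir -Filter *.xml).Count } else { 0 }
    [pscustomobject]@{ TemplateFolder = $dir; TemplatesPresent = $n }
}

# Usage: first from an elevated prompt, then from the standard user's own session
# Enable-AdRmsTemplateTask
# Set-AdRmsClientUserSettings
```

The template count is zero until the task has run (up to an hour after the user's next logon), so an empty folder right after configuration is expected rather than an error.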


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2013 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.