
Thread: Rights Management Service and Exchange 2003

  1. #1
    Real name: 1234

    Retired administrator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Rights Management Service and Exchange 2003

    Code:
    http://www.msexchange.org/tutorials/Rights-Management-Service-Exchange-2003-Part1.html

    PART-1


    Rights Management Service (RMS) is an add-on to many RMS-aware applications. In this article my main focus is to explain how we can utilize RMS technology with Exchange 2003 and how we can take advantage of RMS technology to increase email security. This article is divided into two parts. Part I will explain the details of the RMS architecture and its installation procedure. Part II will focus on Exchange 2003/Outlook 2003 integration with RMS. I will not be explaining the architecture details of Rights Management Service here, since all the details can be found on the following Microsoft web site:
    Windows Server 2003 Rights Management Services
    RMS Technology - an Overview

    Rights Management Service (RMS) is a technology used to protect sensitive information and keep internal information internal. A document author can use the RMS technology to limit the access to a file or email to a few users from the Global Address List. This access permission list is embedded with the document or email. When a person tries to open an RMS-protected document, the RMS client application sends a request to the RMS server for validation and a valid user license. Only named users on the embedded access permission list can open the file. Unauthorized users will receive an access denied message, and all the information will be logged into a SQL database.
    RMS Components

    RMS technology mainly consists of an RMS server and an RMS client. The RMS server is the machine that runs Rights Management Service. Rights Management Service can be installed on Windows Server 2003 Standard, Enterprise, Web or Datacenter Editions. The main function of the RMS server is to provide certificates and validate client access. An RMS server requires SQL Server or MSDE for the database.
    RMS technology highly relies on Active Directory. A minimum of Windows 2000 Active Directory with SP3 is required to use RMS technology in the organization. When an Author tries to add the users to the access permission list, it uses Global Address List to find the appropriate user accounts. This information also resides in the Active Directory. Also, a mail-enabled user account is required in the Active Directory to give permission to the document through RMS technology.
    The RMS Server software can be downloaded from the following location:
    Download details: Microsoft Windows Rights Management Services with Service Pack 1
    RMS Client is a client side or desktop software required for creating or viewing the rights-protected document or email. RMS client software can be downloaded from the following location:
    Download details: Microsoft Windows Rights Management Services Client with Service Pack 1
    The RMS client software can be deployed through Group Policy, SMS or any of your existing application deployment methods. RMS is only used with RMS-aware applications. Microsoft Office Professional 2003 is an RMS-aware application. There is a Rights Management Add-On (RMA) for Internet Explorer 5.5 or later to view, but not to create, rights-protected documents in Internet Explorer. The RMA can be downloaded from the following location:
    Download details: Rights Management Add-on for Internet Explorer
    Also, an SDK for RMS can be downloaded from the following location for developers:
    Download details: Rights Management Services Service Pack 1 (SP1) Software Development Kit (SDK)
    In the following sections, I will explain the details of installing and provisioning an RMS server, Service Connection Point (SCP) registration in Active Directory and installing RMS client.
    RMS Server Installation

    My lab consists of an Active Directory 2003 Domain, Exchange 2003 Server, SQL Server 2000, Windows 2003 member server and Windows XP desktop with MS Office 2003 Professional edition. I will use the Windows 2003 member server as my dedicated RMS server. ASP.NET, Message Queuing and IIS are prerequisites for installing RMS. So make sure all the prerequisites are met before installing the RMS server software.

    1. Download the RMS installation file from the following location: Download details: Microsoft Windows Rights Management Services with Service Pack 1
    2. Double click on the WindowsRightsManagementServicesSP1-KB839178-Server-ENU.exe file
    3. Click Next in the Welcome window
    4. Select Agree and click Next in the License Agreement window
    5. Select the installation folder in the Select Installation Folder window
    6. Click Install in the Confirm Installation window
    7. Click Close in the Installation Complete window.

    If you open Enterprise Manager, you can validate the database installation and configuration on the SQL server. During the installation, RMS will create three databases (Configuration, Directory Services and Logging) in the SQL server.

    Figure 1
    Also, during installation, RMS creates a security group called RMS Service Group on the local computer. Later when you provision RMS on a server, the RMS service account will be added to RMS Service Group.

    Figure 2
    Provisioning an RMS Server

    Go to Start -> All Programs -> Windows RMS and click on the Windows RMS Installation. The default administration port is 5720.

    1. Under the Provisioning and Administration section, click on Provision RMS on this Web site link
    2. In the Configuration database section, enter the SQL server information (local or remote)
    3. In the RMS service account section, enter the RMS Service Account name and password. The RMS service account cannot be the same domain account that was used to install RMS.
    4. Enter the URL name in the Cluster URL section. Default cluster URL is http://servername/WMCS.
    5. In the Private key Protection and enrollment section, select the appropriate software and hardware based private key encryption method. In my lab, I selected to use default RMS software private key password option. Enter the password in both password fields. By default the Server licensor certificate name is the name of the local RMS server.
    6. Enter an administrative contact in the Administrative Contact column
    7. In the Server Internet Connectivity select Online - automatically obtain a certificate over the network option.

    Note:
    If your RMS server is not connected to the internet you can select the Offline - manually obtain a certificate after provisioning option.
    8. Click Submit.

    The following web page will be displayed with a status of Server Licensor Certificate process:

    Figure 3
    9. Check and make sure no errors are displayed on the page.

    If you select the Offline - manually obtain a certificate after provisioning option in the Server Internet Connectivity section,

    1. Open the Windows RMS Administration web page (Go to Start->All Programs ->Windows RMS).
    2. Under the Provisioning and Administration section, click the RMS on this web site link.
    3. Click the Enroll button.
    4. Click the Export button and save the file into the local hard drive.
    5. Copy the exported certificate XML file into an internet connected machine and access the following link from the internet connected machine:
      https://activation.drm.microsoft.com...nrollment.aspx

    Follow the procedure to download the ServerCert.XML certificate file and copy back to the RMS server.

    1. Open the Windows RMS Administration page again on the RMS server.
    2. Under the Provisioning and Administration section, click the RMS on this web site link.
    3. Click the Enroll button.
    4. Click Browse and select the ServerCert.XML and click Import.
    5. Click OK and make sure no errors are displayed.

    RMS Service Connection Point

    The registration of Service Connection Point (SCP) is not an automated process. When you open the Administrator page, you will see a warning message “RMS did not detect the service connection point in Active Directory”. The next step is to manually register the Service Connection Point (SCP) in the Active Directory.

    1. Open RMS Administration web page (Go to Start -> All Programs -> Windows RMS)
    2. Click on Register URL. You must be an enterprise administrator to register SCP in the Active Directory. It will take a few minutes to complete the registration process.
    3. The following web page will display with the status of the SCP registration.


    Figure 4
    Validate the SCP Registration in the Active Directory


    1. Logon to a Domain Controller and open ADSI edit (make sure you have support tools installed on the machine)
    2. Expand the Configuration container, then expand Services and click on Rights Management Services and make sure there is an SCP folder underneath it. If you go to the Properties on the SCP folder, you will see all the registered attributes there.


    Figure 5
    RMS Client Software Installation

    The RMS client requires activation. With SP1, the client machine activation step no longer requires a connection to Microsoft-hosted activation servers. This activation service generates a unique lockbox and machine certificate, validating that the client machine is allowed to use RMS. Client activation occurs upon first use of RMS by any user on the machine. There are no additional steps to activate the RMS client software.
    To install the RMS client software:

    1. Download the file from the following location:
      Download details: Microsoft Windows Rights Management Services Client with Service Pack 1
    2. Double click on the WindowsRightsManagementServicesSP1-KB839178-Client-ENU.exe file.
    3. Click Next in the Welcome window.
    4. Select Agree and click Next in the License Agreement window
    5. Select the installation folder in the Select Installation Folder window
    6. Click Install in the Confirm Installation window
    7. Click Close in the Installation Complete window.

    To validate the lockbox installation, you can go to the C:\Windows\System32 folder and make sure the secproc.dll file exists. The lockbox is an RMS client component. It is responsible for authentication and the valid use of RMS-protected documents.

    Figure 6
    When you open an Office 2003 Professional application, you will see a new item in the Permission menu called Restrict Permission As... and a new button on the toolbar.

    Figure 7
    I hope this article provides a better understanding of RMS technology and its installation process. In the next part, I will explain the details of RMS integration with Email. If you have any questions regarding this article, feel free to email me or post a comment on the newsgroup.
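    The checks above (secproc.dll on the client, the SCP under the Configuration container in ADSI Edit) are done by hand. The following PowerShell script is an added example, not part of the original article or of the RMS product, that performs the same validation from a domain-joined machine and adds the check a practitioner wants before going live: whether the URL the SCP publishes is reachable and whether it is HTTPS. It assumes PowerShell 2.0 or later is installed, that the SCP lives at CN=SCP,CN=RightsManagementServices,CN=Services in the Configuration partition, and that the cluster URL is published in the serviceBindingInformation attribute; confirm both names against what ADSI Edit shows in Figure 5.

```powershell
# Added example (not from the original article): post-install checks for Part 1.
# Assumptions: PowerShell 2.0+ on a domain-joined Windows machine; the RMS SCP is
# CN=SCP,CN=RightsManagementServices,CN=Services,<Configuration NC> and publishes
# its cluster URL in serviceBindingInformation (verify in ADSI Edit, Figure 5).

# --- 1. Lockbox present? (RMS client component, see "RMS Client Software Installation")
$secproc = Join-Path $env:SystemRoot 'System32\secproc.dll'
if (Test-Path $secproc) {
    $ver = (Get-Item $secproc).VersionInfo.FileVersion
    Write-Host "Lockbox present: $secproc (file version $ver)"
} else {
    Write-Warning "secproc.dll not found - the RMS client is not installed on this machine"
}

# --- 2. Service Connection Point registered?
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

if (-not [ADSI]::Exists($scpPath)) {
    Write-Warning "No RMS SCP in Active Directory (expected at $scpPath); run Register URL on the RMS server"
    return
}
$scp = [ADSI]$scpPath
Write-Host "SCP found: $($scp.distinguishedName)"

# --- 3. Which URL do clients get, and is it protected in transit?
#        RMS provisions http://servername/WMCS by default; RAC and licence
#        traffic should not cross the network unencrypted.
$bindings = @($scp.serviceBindingInformation)
if ($bindings.Count -eq 0) {
    Write-Warning "SCP exists but serviceBindingInformation is empty"
}
foreach ($url in $bindings) {
    if ($url -like 'https://*') { Write-Host "Binding: $url" }
    else { Write-Warning "Binding is not HTTPS: $url" }

    # --- 4. Is the cluster actually answering on that URL? Any HTTP status
    #        (including 403/404 on the bare path) proves the web site is up;
    #        only a transport-level failure counts as unreachable.
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.UseDefaultCredentials = $true
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        Write-Host "  reachable: HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($r -ne $null) { Write-Host "  reachable: server answered HTTP $([int]$r.StatusCode)" }
        else { Write-Warning "  unreachable: $($_.Exception.Message)" }
    }
}
```

    Run it on the Windows XP client after installing the RMS client; a warning from step 2 means "Register URL" was not completed as an enterprise administrator, and a warning from step 3 means the cluster was provisioned with the plain HTTP default and should be moved behind SSL before users start sending protected mail across it.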






  2. #2
    Code:
    http://www.msexchange.org/tutorials/Rights-Management-Service-Exchange-2003-Part2.html
    PART-2

    If you followed the first part of the document, at this point we are ready to test the RMS functionality from a client machine. To explain the RMS functionality, I am using two users in this scenario: User1 (Princy) and User2 (Margot). Our goal is to protect the email content using the built-in Do Not Forward template. Using the built-in Do Not Forward template, the recipient cannot edit, forward, print or copy the email, and the reply does not include the original email message.
    How to Protect E-mail Messages


    1. Logon to User1's (Princy) computer and open Outlook 2003.
    2. Create a new email message by selecting File->New->New Message
    3. In the To field, type the recipient(s) address or select recipient(s) from the address book. In this scenario, I am sending this mail to user #2, Margot.
    4. To protect the document using the built-in Do not forward template, go to File->Permission menu and select the Do Not Forward option.

    5. You will see a message showing that it is contacting the RMS server and verifying your logon information.

    Note:
    This process installs a machine certificate, a rights account certificate and client licensor certificate for the user. By default, it is stored in C:\Documents and Settings\<User Name>\Local Settings\Application Data\Microsoft\DRM
    6. Once it completes the verification process, a banner will appear at the top of the e-mail message indicating this email message is protected with the Do Not Forward template.


    Note:
    The Do Not Forward template is a Built-in template and it is automatically available when you install the RMS server/client software. Using the Do Not Forward template, the recipient cannot edit, forward, print or copy the email and the reply does not include the original email message.
    7. Click the Send button to send the email message to the recipient.

    Verify the Protected E-mail Messages


    1. Logon to Margot’s computer and open Outlook 2003.
    2. As you can see in the following screen shot, Margot received a new email from Princy. The new message has an attachment symbol indicating it is a RMS protected e-mail

    3. Double click or go to File -> Open -> Selected Items to open the new email message. The following screen will pop up, indicating that it is an RMS-protected document and it will contact the RMS server for a license. Click OK.

    4. You will also see the following message about Outlook contacting the RMS Server.

    5. As you can see in the email, this email is protected with the Do Not Forward template and the Forward, Print and Copy buttons are grayed out.

    The above scenario shows how easy it is to protect your emails, as well as keep information internal, by using Rights Management Service (RMS). It is also possible to create custom templates that fit your organizational needs. Custom template information will be explained in part 3.
    When you use a template or open a RMS protected document, RMS installs a machine certificate, a rights account certificate and client licensor certificate for the user. By default, it is stored in C:\Documents and Settings\<User Name>\Local Settings\Application Data\Microsoft\DRM. In the next section, I will explain how to verify or identify those certificates.
    How to Verify the Client Certificate


    1. Logon to Princy’s computer and open Windows Explorer
    2. Enable the Show hidden files and folders option (Tools -> Folder Options -> View, select the View hidden files and folders option. Click OK)
    3. Open the C:\Documents and Settings\Princy.Paul\Local Settings\Application Data\Microsoft\DRM folder.
    4. Make sure the following files exist:

    A. CLC-XXX
    Client Licensor Certificate (CLC): Certifies clients to encrypt with RMS Server Public Key
    B. CERT-machine.drm
    Machine Certificate: Unique per user on a machine; used to protect the RAC
    C. GIC-XXX
    Rights Account Certificate (RAC): User’s RSA key pair issued and signed by server
    D. EUL-XXX
    End User License or Use License: Signed proof of a Principal’s Rights plus the enabling bits for content usage by Grantee
    Note:
    A user account has one Rights Account Certificate (RAC) and one Client Licensor Certificate (CLC) file, but multiple End User License (EUL) files for each piece of content that is accessed.
    RMS Policy Templates

    RMS policy templates are a pre-defined set of rules that can be applied to any RMS-protected content. They can be used to describe a standard set of users, rights, rules and conditions. When a user applies an RMS template to RMS content, the pre-defined set of rules and rights defined in the RMS template will become part of the publishing license. RMS stores rights policy templates in the Configuration database. In addition, it will keep a Policy Template file (XML) in the shared template folder location specified in the Template location on the RMS server. To verify this, you can open the shared folder and view all the XML files, or you can open the DRMS_RightsTemplate table in the Configuration database. (I will explain these details in Part 3 of this document).
    How to Specify Policy Template Location


    1. Open the RMS Administration console (Start->All Programs->Windows RMS->RMS Administration)
    2. Click Administer RMS on this Website option.
    3. In the Administration Links section, click the Rights policy templates option.
    4. In the Template location section, specify the shared folder name in the Location of templates: box.

    5. Click Save.

    Note:
    Make sure the policy template location (C:\RMS Templates) is available to client users. It is a best practice to use a shared folder for storing all the RMS template files. Also, templates should not be created in the Program Files or IIS root folders.
    Policy Template Location on Client Machines

    RMS Template location on the client machine is determined by the RMS-enabled application. For Office 2003, it is stored as a user setting in the registry in the following location:
    HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM\AdminTemplatePath
    This can be accomplished by modifying the registry on the client machines.

    1. Logon to the client machine
    2. Click Start -> Run -> and then type Regedit in the Open box. Click OK.
    3. Click on the HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM registry key.
    4. Go to the Edit menu, select New -> String Value option.

    5. Add the following value:

    Name: AdminTemplatePath
    Value Data: C:\RMS Templates
    If the AdminTemplatePath points to a local folder on the client machine, the template files (XML) must be copied to the local machine from the RMS template shared folder. This procedure is explained later in this article. If the AdminTemplatePath points to a network shared folder, it will be unavailable when the user is offline, unless Offline Folders are used.
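    The certificate check in "How to Verify the Client Certificate" is a manual walk through a hidden folder. The following PowerShell script is an added example, not part of the original article or of RMS, that inventories the same folder for the current user and applies the rule stated in the note (one RAC and one CLC per user, many EULs). It assumes the default per-user DRM folder named in the article and PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the original article): inventory the RMS client
# certificates and licences that Office/Outlook created for the current user.
# Assumption: default per-user DRM folder as named in the article
# (<profile>\Local Settings\Application Data\Microsoft\DRM), PowerShell 2.0+.
$drm = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Microsoft\DRM'
if (-not (Test-Path $drm)) {
    Write-Warning "No DRM folder at $drm - this user has not yet protected or opened RMS content"
    return
}

# File-name pattern -> meaning, as documented in the article.
$kinds = @(
    @{ Pattern = 'CERT-Machine.drm'; Name = 'Machine certificate';         Expect = 'one'  },
    @{ Pattern = 'GIC-*';            Name = 'Rights Account Certificate';  Expect = 'one'  },
    @{ Pattern = 'CLC-*';            Name = 'Client Licensor Certificate'; Expect = 'one'  },
    @{ Pattern = 'EUL-*';            Name = 'End User Licence';            Expect = 'many' }
)

foreach ($k in $kinds) {
    # -Force: the folder and its contents are hidden, which is why the article
    # has you enable "Show hidden files and folders" first.
    $files = @(Get-ChildItem -Path $drm -Filter $k.Pattern -Force -ErrorAction SilentlyContinue)
    Write-Host ("{0,-28} {1,3} file(s)" -f $k.Name, $files.Count)
    foreach ($f in $files) {
        Write-Host ("    {0}  {1,8} bytes  {2}" -f $f.Name, $f.Length, $f.LastWriteTime)
    }
    # The article's rule: exactly one RAC and one CLC per user account.
    # Zero means the user was never certified against the cluster; more than one
    # is unexpected and worth investigating before troubleshooting logon errors.
    if ($k.Expect -eq 'one' -and $files.Count -ne 1) {
        Write-Warning "Expected exactly one $($k.Name), found $($files.Count)"
    }
}

# Each EUL is the use licence for one protected message or document. Licences
# are cached here, so until one expires the item opens again without a round
# trip to the RMS server; deleting EUL-* forces a fresh licence request.
$eul = @(Get-ChildItem -Path $drm -Filter 'EUL-*' -Force -ErrorAction SilentlyContinue)
if ($eul.Count -gt 0) {
    $newest = $eul | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    Write-Host "Most recent use licence: $($newest.Name) ($($newest.LastWriteTime))"
}
```

    Run it as Princy after step 7 of "How to Protect E-mail Messages": the machine certificate, one GIC and one CLC should be present, and a single EUL appears only after a protected item has been opened. Because the RAC is the user's key pair and the lockbox-protected material sits in the user profile, treat this folder like any other credential store when you back up or roam profiles.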







  3. #3
    Code:
    http://www.msexchange.org/tutorials/Rights-Management-Service-Exchange-2003-Part-3.html
    PART-3

    Scenario

    At the end of every year the Human Resource Manager sends out an email with employee utilization and performance details to all the executive staff and HR employees. According to a new company policy, the company wants to make sure the HR employees are not forwarding this information to other employees in the organization. Also, the company wants to make sure this limitation will not apply to the executive staff.
    In this organization, they have two mail-enabled security groups, executives (executives@santhosh.lab) and HR (hr@santhosh.lab). All the executive employees are part of the Executives universal security group and all HR employees are part of the HR universal security group.

    1. Open the RMS Administration console (Start->All Programs->Windows RMS->RMS Administration).
    2. Click Administer RMS on this website option.


    Figure 1
    3. In the Administration links section, click the Rights Policy Templates option.


    Figure 2
    4. On the Rights Policy Template page, select the Add rights policy template option.
    5. In the Template identification section, specify the Template name, Template description, and Rights request URL for the template.


    Figure 3
    6. In the Users and Groups section, type executives@santhosh.lab in the Add users or groups box and click the Add button. Repeat the same procedure for hr@santhosh.lab.


    Figure 4
    7. Select executives@santhosh.lab and select the Full Control check box.


    Figure 5
    8. Select hr@santhosh.lab and select the View Rights check box.


    Figure 6
    9. Click Submit.
    10. You can view the template details by clicking the View button.


    Figure 7
    11. The View use rights page will explain the details of the template rights.


    Figure 8
    12. Click the Return button to go back to the Rights policy templates page.
    13. You can edit/modify the template by clicking the template name. Once you complete the edit, click the Submit button again to update the changes.


    Figure 9
    How to Verify the Template File and its Existence

    As I explained in Part 2 of my document, RMS stores the rights policy template in the Configuration database. In addition, it will keep a Policy Template file (XML) in the shared template folder location specified in the Template location on the RMS server. Once you create the custom templates, you can open the template location to verify that the template file exists.

    1. Open Windows Explorer and browse to the C:\RMS Templates folder.


    Figure 10
    How to Verify the Template Details in the Configuration Database


    1. Logon to the SQL Server.
    2. Open the Enterprise Manager.
    3. Expand the Databases folder and expand the configuration database (DRMS_Config_lab1_rms1_80).
    4. From the left pane, select Tables.
    5. Right click the DRMS_RightsTemplate table in the right pane.
    6. Select Open Table and click Return all rows option.


    Figure 11
    7. You will see the template details as displayed in the following screen shot.


    Figure 12
    The template distribution is important because when you log on to a client machine and open Outlook you won’t be able to see any of the custom templates. You will only see the built-in Do Not Forward template. This is because you haven’t distributed the template to the client machines.
    Template Distribution

    Templates can be distributed using any of the existing distribution methods such as SMS, Group Policy, etc. In my lab I am going to copy the template manually from my RMS server to the client machine.

    1. Logon to the client computer.
    2. Click Start -> Run and then type \\lab1-rms1\RMS Templates\ in the Open box. Click OK.


    Figure 13
    3. Copy the policy template files (XML) from \\lab1-rms1\RMS Templates\ to the C:\RMS Templates folder.

    Note:
    On a client machine, the RMS template location must be configured through AdminTemplatePath registry key in order to use the custom template with RMS aware applications. AdminTemplatePath configuration details are described in Part 2 of this document.
    At this point the custom templates are available to use with any RMS aware application.

    1. Logon to Margot’s Computer and open Outlook.
    2. Create a new email message by selecting File->New->New Message.
    3. Go to File menu and select Permission. You will see the newly created custom template Employee Utilization Report (Executive and HR only) on the template list.


    Figure 14
    4. Select the Employee Utilization Report (Executives and HR only) template. Once it completes the verification process, a banner will appear at the top of the e-mail message indicating this email message is protected with the Employee Utilization Report (Executives and HR only) template.


    Figure 15
    Note:
    By default the document author has full permission in the protected email. You can change the configuration by modifying the Extended Policy section in the template.

    Figure 16
    You can verify the protected email by logging on to the HR and Executive employees' mailboxes. Following is a screen shot of an executive employee. As you can see in the email, this email is protected with Employee Utilization Report (Executive and HR only) and the executive employee has full permission.

    Figure 17
    Following is the screen shot of an HR employee. As you can see in the email, this email is protected with Employee Utilization Report (Executive and HR only) and the “Reply, Reply to All, Forward”, “Print” and “Copy” buttons are grayed out. According to the template settings, HR employees have only View permission.

    Figure 18
    I always receive a lot of questions about attachments, as well as email template permission inheritance. Here are the points you need to keep in mind when attaching a RMS protected document.

    • An attached document will inherit the Outlook message permissions if it does not have its own permissions set up with RMS
    • If rights were applied to the attached document prior to attaching it, the document's rights are unaffected by the email's rights
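    Part 2 sets AdminTemplatePath by hand in Regedit and Part 3 copies the XML files by hand from the share; both have to be repeated on every client and every time a template is added or withdrawn. The following PowerShell script is an added example, not part of the original article or of RMS, that does both steps in one pass and can be re-run as a logon script. It assumes the share \\lab1-rms1\RMS Templates and the local folder C:\RMS Templates used in the article, PowerShell 2.0 or later on the client, and that it runs in the context of the Office user, since AdminTemplatePath lives under HKEY_CURRENT_USER.

```powershell
# Added example (not from the original article): distribute the rights policy
# templates to a client and point Office 2003 at them, covering the manual
# steps of Part 2 (AdminTemplatePath) and Part 3 (copy from the share).
# Assumptions: share and folder names as in the article; PowerShell 2.0+;
# run as the user whose Office will use the templates (value is under HKCU).
$share  = '\\lab1-rms1\RMS Templates'
$local  = 'C:\RMS Templates'
$regKey = 'HKCU:\Software\Microsoft\Office\11.0\Common\DRM'

if (-not (Test-Path -LiteralPath $share)) {
    Write-Error "Template share $share is not reachable; templates cannot be refreshed"
    return
}
if (-not (Test-Path -LiteralPath $local)) {
    New-Item -ItemType Directory -Path $local | Out-Null
}

# Copy only well-formed XML files. Office enumerates whatever is in the folder,
# so a stray or truncated file on the share must not be propagated to clients.
$copied = 0
foreach ($src in Get-ChildItem -LiteralPath $share -Filter *.xml) {
    try {
        [xml](Get-Content -LiteralPath $src.FullName) | Out-Null
    } catch {
        Write-Warning "Skipping $($src.Name): not well-formed XML"
        continue
    }
    Copy-Item -LiteralPath $src.FullName -Destination $local -Force
    $copied++
}

# Remove local templates that no longer exist on the server, so a template
# withdrawn by the RMS administrator disappears from the Permission menu too.
$onShare = @(Get-ChildItem -LiteralPath $share -Filter *.xml | ForEach-Object { $_.Name })
foreach ($old in Get-ChildItem -LiteralPath $local -Filter *.xml) {
    if ($onShare -notcontains $old.Name) {
        Write-Host "Removing withdrawn template $($old.Name)"
        Remove-Item -LiteralPath $old.FullName
    }
}
Write-Host "$copied template file(s) current in $local"

# Point Office 2003 at the local copy (REG_SZ AdminTemplatePath, as in Part 2).
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name AdminTemplatePath -Value $local
$current = (Get-ItemProperty -Path $regKey -Name AdminTemplatePath).AdminTemplatePath
if ($current -ne $local) { Write-Error "AdminTemplatePath is '$current', expected '$local'" }
else { Write-Host "AdminTemplatePath = $current" }
```

    The local copy only decides which templates Outlook offers when authoring; as Part 2 says, the rights are copied into the publishing license at send time, so withdrawing a template on the server does not change messages already protected with it. Keeping the files local rather than pointing AdminTemplatePath at the share is what lets the user keep applying templates while offline.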





