Information Protection and Control (IPC) in Microsoft Exchange Online with AD RMS

10 Dec 2013

Overview Technical Article

Microsoft France

Published: June 2012 (Updated: September 2013)

Version: 1.0b

Author: Philippe Beraud (Microsoft France)

Contributors/reviewers: Philippe Maurent (Microsoft Corporation)

For the latest information, please see www.microsoft.com/rms

Copyright © 2013 Microsoft Corporation. All rights reserved.


Abstract:

Due to increased regulation, the consumerization of IT (CoIT) and “Bring Your Own Device” (BYOD), enterprises of all sizes are facing growing needs to protect sensitive information. At the same time, enterprises have a need to share that same information amongst appropriate employees within and outside the corporate network.

Microsoft Active Directory Rights Management Services (AD RMS) provides the capability on-premises to create and consume protected content such as e-mail and documents. As of today, such a capability is also leveraged by the Microsoft Exchange Online services through the Information Protection and Control (IPC) features to apply persistent protection to e-mail messages and attachments.

Built on existing documentation, this document is intended to provide a better understanding of how to use an on-premises AD RMS infrastructure for the Exchange Online services of the organization’s Office 365 tenant in the Cloud.

This document is intended for system architects and IT professionals who are interested in understanding the basics of cross-premises support for on-premises AD RMS and Exchange Online, along with planning and deploying such a deployment in their environment.



Content

Notice .......... 1

Introduction .......... 3
    Office 365 introduction .......... 3
    Objectives of this paper .......... 4
    Organization of this paper .......... 6
    About the audience .......... 7

A brief overview of AD RMS .......... 8
    Identifying the components of the AD RMS technology .......... 10
    Understanding the AD RMS certificates and licenses .......... 18
    Installing and configuring an on-premises AD RMS infrastructure .......... 23

Understanding the cross-premises deployment of AD RMS .......... 48
    On-premises IRM .......... 48
    Exchange Online IRM (no on-premises Exchange) .......... 53

Extending on-premises AD RMS to Office 365 .......... 63
    Exporting the AD RMS TPDs .......... 63
    Configuring Windows PowerShell .......... 65
    Connecting Windows PowerShell to Microsoft Exchange Online .......... 67
    Importing the AD RMS TPDs and the corresponding rights policy templates .......... 70
    Viewing and enabling the AD RMS right policy templates .......... 74
    Enabling the use of AD RMS for OWA and EAS clients .......... 77

Managing the cross-premises deployment .......... 79
    Changing the default TPD .......... 79
    Updating Exchange Online .......... 79
    Using OWA mailbox policies .......... 81
    Disabling IRM in Exchange Online .......... 82
    Removing TPDs .......... 82

Notice


Since the initial release of this paper, the Microsoft Rights Management service (RMS) offerings have been introduced that provide more advanced capabilities and additional benefits compared to what an on-premises Windows Server AD Rights Management Services (a.k.a. AD RMS) infrastructure can provide.

The Microsoft Rights Management suite is implemented as a Windows Azure service. It comprises a set of RMS applications that work on all your common devices, a set of software development kits, and related tooling. By leveraging Windows Azure Active Directory, the cloud-hosted Microsoft Rights Management service acts as a trusted hub for secure collaboration where an organization can easily share information securely with other organizations without additional setup or configuration. The other organization(s) may be existing Microsoft Rights Management service customers but if not, they can use a free Microsoft Rights Management for individuals [1] capability.

The Microsoft Rights Management service can be purchased as part of the Office 365 suite offerings:

- It is already included in the Office 365 Enterprise E3 and E4 plans and the Education A3 and A4 plans.
- It is also available as an add-on in the E1 and A2 plans.

The Microsoft Rights Management service can be purchased standalone for use with the Microsoft Rights Management connector or third-party RMS-enlightened applications (e.g. Microsoft Office, Microsoft Office 365, Foxit Enterprise Reader with the RMS PDF Plug-in Module [2], SECUDE End-to-End Information Security for SAP [3], etc.).

To sign up to a Microsoft Rights Management stand-alone service, proceed with the following steps:

1. For a trial version, click on https://portal.microsoftonline.com/Signup/MainSignUp15.aspx?&OfferId=A43415D3-404C-4df3-B31B-AAD28118A778&dl=RIGHTSMANAGEMENT
2. To buy the service, click on https://portal.microsoftonline.com/Signup/MainSignUp15.aspx?&OfferId=9DF77AF9-DAAE-4d51-8E0E-EEEADD4866B8&dl=RIGHTSMANAGEMENT

At this writing, this offering is in preview and will be followed by general availability later this calendar year.

Consumption of rights-protected content is free. A license is required to protect content.

[1] Microsoft Rights Management for individuals: https://portal.aadrm.com
[2] Foxit Enterprise Reader with the RMS Plug-in Module: http://www.foxitsoftware.com/landingpage/2012/07/Reader-Ads-RMS/
[3] SECUDE End-to-End Information Security for SAP: http://www.secude.com/company/partners/end-to-end-information-security-for-sap/

Note

For details, follow the RMS Team blog [4]. Also visit the updated www.microsoft.com/rms site.

This document won’t cover the Microsoft Rights Management service (RMS) offerings any further and rather considers the former on-premises AD RMS infrastructure.

[4] RMS Team blog: http://blogs.technet.com/b/rms

Introduction

Office 365 introduction

Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft Exchange Server as a cloud-based service. It provides users rich and familiar access to email, (shared) calendar, contacts, and tasks across PCs, the Web, and mobile devices, and benefits from optional features such as voice mail, unified messaging, and archiving.

With Exchange Online, organizations can take advantage of sophisticated messaging capabilities without the operational burden of on-premises server software. Furthermore, all network connectivity occurs over the Internet, and VPN connections are not required.

For mobile devices, Exchange Online supports the Microsoft Exchange ActiveSync (EAS) [5] protocol. Exchange ActiveSync provides synchronization of mailbox data between mobile devices and Exchange Online, so users can access their email, calendar, contacts, and tasks on the go. EAS is supported by a wide range of mobile devices, including Microsoft Windows Mobile 6.x and Windows Phone 7.x, Nokia E and N series devices, Palm devices, Apple iPhone and iPad, and certain Android phones.

Beyond allowing users to connect to their mailboxes from a variety of devices and platforms, notably through the above support, Exchange Online offers hosted unified messaging services, which provide:

- Call answering (voicemail);
- Dial-in user interface to Exchange (Outlook Voice Access);
- Dial-in interface for callers (automated attendant).

Hosted voice mail (unified messaging) allows an organization to connect its on-premises phone system to voicemail services provided by Exchange Online. Voicemails are recorded and stored in the Exchange Online infrastructure, allowing users to access their voice messages from Outlook, Outlook Web Access (OWA), or mobile phones.

The unified messaging features available in Exchange Online are similar to those offered in Exchange Server 2010 Service Pack 1 (SP1), except that speech access to the directory is not supported in Exchange Online.

[5] Understanding Exchange ActiveSync: http://technet.microsoft.com/en-us/library/aa998357.aspx

Note

For additional information on Microsoft Exchange Online, please refer to the Exchange Online Service Description [6], and the documentation available at http://help.outlook.com, especially the resources found on the help page Manage Your Organization - Office 365 for Enterprises [7].

Exchange Online is one of several cloud services offered by Microsoft Office 365 [8]. Office 365 provides secure anywhere access to professional email, shared calendars, instant messaging (IM), video conferencing, and document collaboration. It represents the cloud version of the Microsoft communication and collaboration products with the latest version of the Microsoft desktop suite for businesses of all sizes.

Beyond Microsoft Exchange Online, Office 365 indeed includes:

- Microsoft Office. Microsoft Office Professional Plus seamlessly connects with Microsoft Office Web Apps for a productivity experience across PCs, mobile devices, and browsers;

  Note: An appropriate device, Internet connection, and supported browser are required. Some mobile functionality requires Office Mobile 2010, which is not included in Office 2010 applications, suites, or Office Web Apps. Furthermore, there are some differences between the features of the Office Web Apps, Office Mobile 2010, and the Office 2010 applications.

- Microsoft SharePoint Online. SharePoint Online is a cloud-based service for creating sites that connect colleagues, partners, and customers using enterprise social networking and customization;

- Microsoft Lync Online. Lync Online offers cloud-based IM, presence, and online meeting experiences with screen sharing, voice and video conferencing.

Note

For additional information on Office 365 in addition to the content of this paper, please refer to the product online documentation [9], the Office 365 Deployment Guide for Enterprises [10], the Office 365 Tech Center web site [11], and the Office 365 Community web site (blogs, forums, wikis, etc.) [12].

Objectives of this paper

Every day, information workers use e-mail messages to exchange sensitive information such as financial reports and data, legal contracts, confidential product information, sales reports and projections, competitive analysis, research and patent information, customer records, employee information, etc.

[6] Exchange Online Service Description: http://go.microsoft.com/fwlink/?LinkId=207232
[7] Manage Your Organization - Office 365 for Enterprises: http://help.outlook.com/en-us/140/ff657678.aspx
[8] Microsoft Office 365: http://office365.microsoft.com/
[9] Office 365 Help: http://onlinehelp.microsoft.com/en-us/office365-enterprises/
[10] Office 365 Deployment Guide for Enterprises: http://www.microsoft.com/download/en/details.aspx?id=26509
[11] Office 365 Tech Center web site: http://technet.microsoft.com/en-us/office365/default
[12] Office 365 Community web site: http://community.office365.com/en-us/default.aspx

Because people can now access their e-mail from just about anywhere, mailboxes have transformed into repositories containing large amounts of potentially sensitive information. As a result, information leakage can be a serious threat to organizations. Leaks of confidential information can indeed result in lost revenue, compromised ability to compete, unfairness in purchasing and hiring decisions, diminished customer confidence, and more. This risk demands effective Information Protection and Control (IPC) systems, which are not only secure but easy to apply, whether to e-mail messages sent inside an organization or outside the organization to business partner organizations.

IPC goes by a lot of names: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc. All of these categories aim to prevent the accidental and unauthorized distribution of sensitive information.

An effective IPC system can benefit organizations in a number of ways by helping to reduce:

- Violations of corporate policy and best practices;
- Non-compliance with government and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA) [13], the Gramm-Leach-Bliley Act (GLBA) [14], Sarbanes-Oxley (Sarbox or SOX) [15], Canada's Personal Information Protection and Electronic Documents Act (PIPEDA or PIPED Act) [16], the European Union Data Protection Directive (EUDPD 2003/58/EC) [17], Japan's Personal Information Privacy Act (PIPA) [18], etc., to just name a few;
- Loss of intellectual property and proprietary information;
- High-profile leaks of sensitive information;
- Damage to corporate brand image and reputation.

To help secure this information and prevent information leakage, Exchange Online in the context of this paper can be integrated with an on-premises Microsoft Active Directory Rights Management Services (AD RMS) infrastructure. This integration activates advanced Exchange Server 2010 Service Pack 1 (SP1) (and above) features. In other words, an organization that benefits from the Exchange Online services can leverage its on-premises AD RMS infrastructure, if any, to have in place a comprehensive system that automatically:



- Controls the distribution of information with a proper inspection of e-mail messages (using MailTips, transport protection rules or Outlook protection rules) and the application of appropriate action, such as protect, block, alert, redirect, etc., in accordance with the corporate security and privacy policies;
- Protects online and offline access to information with support for Information Rights Management (IRM); that is, rights management encryption that travels with e-mail messages and attachments wherever they are sent, inside or outside the organization.

[13] Passed in 1996, HIPAA relates to healthcare coverage and, for example, how companies may use medical information.
[14] Gramm-Leach-Bliley, also known as the Financial Services Modernization Act, was passed in 1999.
[15] The Sarbanes-Oxley Act of 2002, also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House), is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
[16] Passed in 2000, and reviewed every 5 years, PIPEDA is a Canadian law relating to data privacy that governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
[17] Passed in 2003, EUDPD requires that all EU members must adopt national regulations to standardize the protection of data privacy for citizens throughout the EU.
[18] Passed in 2003, PIPA spells out duties of the national and local government for handling personal information and measures for protecting personal information. It also sets out obligations of businesses that handle personal information.

IRM provides persistent protection to control who can access, forward, print, or copy sensitive information within an e-mail.

IRM protection can be applied by users in Microsoft Office Outlook or Outlook Web App (OWA), and it can automatically be applied by administrators using transport protection rules or Outlook protection rules. IRM helps the organization and its users control who can access, forward, print, or copy sensitive data within an e-mail: “Do Not Forward”, “Company Confidential”, “Do Not Reply All”, etc.
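As an added example (not from the paper, nor from Microsoft's documentation), the following Exchange Online remote PowerShell session shows how an administrator applies the built-in “Do Not Forward” template automatically through a transport protection rule, and how to verify the IRM configuration the rule depends on. It assumes a remote PowerShell session to Exchange Online is already open and that IRM has been enabled for the tenant; the rule name, the keyword "Project Apollo" and the sender address are constructed for illustration.

```powershell
# Added example: automatic IRM protection through a transport protection rule.
# Assumes an open remote PowerShell session to Exchange Online with IRM enabled.
# Rule name, keyword and sender address below are constructed placeholders.

# 1. Make sure Exchange Online can license content at all. Transport protection
#    rules silently fail to protect if internal licensing is disabled.
$irm = Get-IRMConfiguration
if (-not $irm.InternalLicensingEnabled) {
    throw "Internal licensing is disabled; transport protection rules cannot apply RMS templates."
}

# 2. List the rights policy templates the tenant can apply (built-in plus any
#    imported with the organization's TPD) so the rule references a real name.
Get-RMSTemplate | Select-Object Name, Type

# 3. Create the transport protection rule: internal mail whose subject or body
#    mentions the (constructed) project keyword gets the "Do Not Forward" template,
#    so recipients cannot forward, print or copy the message and attachments.
New-TransportRule -Name "Protect Project Apollo mail (example)" `
    -SentToScope InOrganization `
    -SubjectOrBodyContainsWords "Project Apollo" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# 4. Review every rule that applies rights protection; this is the list an
#    auditor checks to see which mail flows are automatically protected.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-List Name, State, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate

# 5. End-to-end check: confirm Exchange Online can obtain licenses from the
#    configured TPD on behalf of a sender (constructed address).
Test-IRMConfiguration -Sender alice@contoso.example
```

Test-IRMConfiguration reports each step (TPD reachable, template found, prelicensing) separately, so a failing step points directly at the missing piece of the cross-premises setup.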

Exchange Online IPC features support multiple scenarios, dramatically increasing the power and the versatility of IPC. This paper will cover them.

As of this paper, SharePoint Online does not support IRM integration. While you can upload any IRM-protected files to your SharePoint Online site, SharePoint Online doesn’t understand IRM encryption. Consequently, the content will not be decrypted and the existing protection will be preserved. In such a scenario, SharePoint Online also will not be able to index or search the IRM-protected file. This may evolve with future releases of Microsoft Office 365.

Built on existing Microsoft documentation and knowledge base articles, this paper further presents how to leverage the corporate on-premises AD RMS infrastructure in the organization’s Office 365 tenant(s), and more especially with Microsoft Exchange Online.

Special thanks to Enrique Saggese, Microsoft Senior Program Manager Information Protection, for providing valuable content on this subject.

For that purpose, beyond a short depiction of the AD RMS technology to introduce key concepts, requirements, and components for the rest of the paper, it describes the AD RMS cross-premises functionality with Exchange Online and how to configure it, so that Microsoft Office 365 projects involving on-premises AD RMS in this context can be more easily completed, consequently enabling customers to realize the full potential of the Microsoft Office 365 offering.

The paper provides basic instructions for setting up and configuring an AD RMS single-node cluster in a test lab environment for the cross-premises deployment with Exchange Online. It however does not provide a complete technical reference for AD RMS.

Organization of this paper

To cover the aforementioned objectives, this document adopts an organization according to the following themes, each of them being addressed in the following sections:

- A brief overview of AD RMS;
- Understanding the cross-premises deployment of AD RMS;
- Extending on-premises AD RMS to Office 365;
- Managing the cross-premises deployment.

This paper is part of a series of documents on the identity and security features of Office 365, and more especially is the second guide of the series. It indeed completes a first whitepaper entitled Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0 [19], available on the Microsoft Download Center. This first whitepaper of the series is intended to provide a better understanding of the different single sign-on deployment options for the services in Office 365, how to enable single sign-on using corporate Active Directory credentials and AD FS 2.0 to the services in Office 365, and the different configuration elements to be aware of for such a deployment.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding the Information Rights Management (IRM) features in Exchange Online, how to leverage them, and the potential dependencies with the on-premises (AD RMS) infrastructure.

Note

For information on the support of IRM in Exchange Online in addition to the content of this paper, please refer to the article Set Up and Manage Information Rights Management in Exchange Online [20].

[19] Microsoft Office 365 Single Sign-On (SSO) with AD FS 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=28971
[20] Set Up and Manage Information Rights Management in Exchange Online: http://help.outlook.com/en-us/140/gg597271.aspx

A brief overview of AD RMS

Organizations of all sizes are challenged to protect a growing quantity of valuable digital information against careless mishandling and malicious use. The increasing incidences of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital information.

This digital information may include confidential e-mail messages, strategic planning documents, financial forecasts, contracts, dynamic database-driven reports, and other sensitive information. The growing use of computers and devices to create and work with this information, the introduction of extensive connectivity through networks and the Internet, and the appearance of increasingly powerful computing devices have made protecting enterprise data an essential security consideration.

In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital files and information. For example, the financial, government, healthcare, and legal sectors are increasingly taxed by the need to better protect digital files and information due to emerging legislative standards such as the Healthcare Insurance Portability and Accessibility Act (HIPAA) [21] and the Gramm-Leach-Bliley Act (GLBA) [22] in the financial services market.

Digital information must be better protected. Although no form of information will ever be completely risk-free from unauthorized use and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution for safeguarding information.

As an essential part of an organization's overall security strategy, a solution for better Information Protection and Control (IPC) should provide the means to control how data is used and distributed beyond simple access control. IPC goes by a lot of names: data leakage prevention, data loss protection, content filtering, enterprise rights management, etc.

An IPC solution should indeed help protect an organization's records and documents on the company intranet, as well as from being shared with unauthorized users. It should help to ensure that data is protected and tamper-resistant. When necessary, information should expire based on time requirements, even when that information is sent over the Internet to other individuals.

Such IPC capabilities (encryption and usage rights) are provided by Microsoft Active Directory Rights Management Services (AD RMS) [23], an information protection technology that enables AD RMS-enabled applications to protect digital content from unauthorized use, both online and offline, inside and outside of the organization’s boundaries.

[21] Passed in 1996, HIPAA relates to healthcare coverage and, for example, how companies may use medical information.
[22] Gramm-Leach-Bliley, also known as the Financial Services Modernization Act, was passed in 1999.
[23] Microsoft Active Directory Right Management Services (AD RMS): http://go.microsoft.com/fwlink/?LinkId=84726

First shipped in the Windows Server 2003 timeframe, with Windows Server 2008 R2 as the latest release, AD RMS is a server role designed for organizations that need to protect sensitive and proprietary information such as confidential e-mail messages, financial reports, product specifications, customer data, etc. through persistent usage policies (also known as usage rights and conditions) by establishing the following essential elements:

- Trusted entities. Organizations can specify the entities, including individuals, groups of users, computers, devices, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.
- Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use protected information. Examples of named rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities (as well as non-trusted entities) from accessing the protected information.
- Encryption. Encryption is the process by which data is locked with electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.

The usage policies remain with the information, no matter where it goes, even in transport, rather than the rights merely residing on an organization’s corporate network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, inside and outside of the organization.

The deployment of an AD RMS system provides the following benefits to an organization:

- Safeguard sensitive information. Applications such as e-mail clients, word processors, and line-of-business (LOB) applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom rights policy templates such as "Confidential - Read only" that can be applied directly to the information.
- Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
- Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

Note

For additional information on the AD RMS system, see the article
A
CTIVE
D
IRECTORY
R
IGHTS
M
ANAGEMENT
S
ERVICES
O
VERVIEW
24
, the specification
[MS
-
RMSO]:

R
IGHTS
M
ANAGEMENT
S
ERVICES
S
YSTEM
O
VERVIEW
25
,
as
well as
the several posts of the
AD RMS Team Blog
26
.

Identifying the c
omponents of
the
AD RMS
t
echnology

The AD
RMS technology
, and the
AD

RMS s
ystem,

includes the following client and server software along
with SDKs:



Rights

Management Server software
, which is a set of
Web services
(*.asmx)
that handle the
certification of trusted entities, licensing of rights
-
protected information, enrollment of servers
and users, and administration functions
. See section §
R
IGHTS
M
ANAGEMENT
S
ERVER
S
OFTWARE

hereafter
;



Rights Management Client software
, which
is a group of
Windows
APIs
that facilitate the
computer device

activation process and allow RMS
-
enabled applications to work with the AD
RMS system to provide licenses for publishing and consuming rights
-
protected information
. See
section §
R
IGHTS
M
ANAGEMENT
C
LIENT
S
OFTWARE
;



Rights Management Services
(RMS)
Software development kit (SDK)

for the server and client
components include documentation and sample code that enable software developers to
customize their A
D RMS server environment and
/or

to create client
-

and server
-
based AD RMS
-
enabled applications.
See section §
R
IGHTS
M
ANAGEMENT
S
ERVICES
SDK
.


For an
end
-
to
-
end solution

and a working AD RMS system
, the following is necessary:



A
CTIVE

Directory Rights Management Services (AD RMS) server role as provided by Windows
Server 2008 R2
;



AD RMS

client
s
;



AD
RMS
-
enabled application or browser

to create or view rights
-
protected information
.


For the latter bullet, AD RMS is for instance integrated as Information Rights Management (IRM) in the following Microsoft products:

- Microsoft Office Professional Plus (subscription), Microsoft Office Professional 2010 and Microsoft Office Professional Plus 2010, Microsoft Office for Mac 2011 and in their stand-alone versions of Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, Microsoft InfoPath, and Microsoft Word. IRM-protected content that is created in Office 2010 and/or in Office for Mac 2011 can be viewed in Microsoft Office 2003, Microsoft Office 2007, Office 2010 or Office for Mac 2011.





[24] Active Directory Rights Management Services Overview: http://go.microsoft.com/fwlink/?LinkId=84726
[25] [MS-RMSO]: Rights Management Services System Overview: http://msdn.microsoft.com/en-us/library/dd806876(v=prot.10)
[26] AD RMS Team Blog: http://blogs.technet.com/b/rms/



Note
For more information about features between Office suites, see the article Compare Server Integration Features Between Office Suites Available Through Volume Licensing [27].

Interestingly enough, users do not need to have Office installed to read protected documents and messages. Indeed, the Word Viewer [28], Excel Viewer [29] and Windows Phone 7.5 enable Windows users who have the correct permission to read some documents that have restricted permission, without using Office software. The Rights Management Add-on (RMA) for Internet Explorer [30] provides a way for users of supported Windows operating systems to view, but not alter, files with restricted permission.

Likewise, users can also use Microsoft Outlook Web App (OWA) to read e-mail messages that have restricted permissions, without using Outlook software.

Note
For more information about IRM and AD RMS features that are supported in Office 2010, Office 2007, and Office 2003, see the articles AD RMS and Microsoft Office Deployment Considerations [31] and Plan for Information Rights Management in Office 2010 [32].


Note
For more information about IRM in Office for Mac 2011, see Information Rights Management in Office for Mac 2011 Deployment Guide [33].



- Windows SharePoint Services 3.0, Microsoft Office SharePoint Server 2007, Microsoft SharePoint Foundation 2010, and Microsoft SharePoint Server 2010, which support using IRM on documents that are stored in document libraries.

By using IRM in SharePoint, you can control which actions users can take on documents when they open them from libraries in SharePoint. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document.

Note
For more information about how to use IRM with document libraries, see the article Plan Document Libraries (Windows SharePoint Services) [34].



- Microsoft Exchange Server 2010, which offers new IRM-protected e-mail messages and attachments functionality including AD RMS protection for Unified Messaging voice mail messages and Microsoft Outlook protection rules that can automatically apply IRM-protection to messages in Outlook 2010 before they leave the Microsoft Outlook client. See section § On-Premises IRM.

[27] Compare Server Integration Features Between Office Suites Available Through Volume Licensing: http://office.microsoft.com/en-us/buy/compare-server-integration-features-between-office-suites-available-through-volume-licensing-FX101850719.aspx#a
[28] Word Viewer: http://go.microsoft.com/fwlink/p/?LinkId=184595
[29] Excel Viewer: http://go.microsoft.com/fwlink/p/?LinkId=184596
[30] Rights Management Add-on (RMA) for Internet Explorer: http://www.microsoft.com/en-us/download/details.aspx?id=4753
[31] AD RMS and Microsoft Office Deployment Considerations: http://go.microsoft.com/fwlink/p/?LinkId=153314
[32] Plan for Information Rights Management in Office 2010: http://technet.microsoft.com/en-us/library/cc179103.aspx
[33] Information Rights Management in Office for Mac 2011 Deployment Guide: http://go.microsoft.com/fwlink/?LinkId=201940
[34] Plan Document Libraries (Windows SharePoint Services): http://go.microsoft.com/fwlink/p/?LinkId=183051

Note
To learn more about IRM and how to deploy it in Exchange 2010, see the articles Understanding Information Rights Management [35] and Understanding Information Rights Management in Exchange ActiveSync [36] on Microsoft TechNet.

Beyond the above Microsoft products, AD RMS technologies also allow third parties to integrate information protection for a comprehensive platform solution, enabling the integration of information protection into other information processing infrastructures, such as automated workflows, records and document management, e-mail message archiving, content inspection, and more. This supposes leveraging the aforementioned Rights Management Services SDK. See section § Rights Management Services SDK.

Rights management server software

At the core of AD RMS on-premises is the Windows Server 2008 R2 Active Directory Rights Management Services (AD RMS) server role that handles the certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions. It facilitates the steps that enable trusted entities to use rights-protected information.

The AD RMS server role augments an organization's security strategy by providing protection of information through persistent usage policies.

During installation and provisioning of the AD RMS server role, you can choose the option to join a server to a cluster. When you do this, the new AD RMS server is automatically configured as a member of the AD RMS cluster. Joining one or more AD RMS servers to a root cluster is the best way to increase the availability and redundancy of your deployment. An AD RMS root cluster can contain one or many servers that provide all services to AD RMS clients.

The following are features of the AD RMS server role:

- Setup for trusted entities. AD RMS provides the tools to set up and configure the servers, client computers, devices and users as trusted entities in an AD RMS system. This setup process includes the following:

a. Server activation. During the activation process of the first server in a new AD RMS cluster (also known as server bootstrapping), the server generates a key pair (public and private keys) for the AD RMS cluster. The AD RMS cluster private key is used by the AD RMS cluster to sign many other identity certificates used in the system, and it is also used by the clients to encrypt other materials for the server to decrypt, as discussed later in this paper. This private key is protected with Microsoft Data Protection API (DPAPI) [37] along with a complex password (as the entropy) before being stored in the configuration database (or in a Hardware Security Module (HSM)). (The private key is retrieved and decrypted (with the complex password stored under the AD RMS service account profile) from this database each time an AD RMS server is booted.)

The server creates the Server Licensor Certificate (SLC) which includes the AD RMS cluster public key, and signs the SLC with its private key. (Thus, it is a self-signed certificate.) The AD RMS key chain root ends in the organization's AD RMS certification cluster SLC.

Note
Earlier versions required access to the Microsoft Enrollment Center through the Internet to issue and sign the SLC. AD RMS now relies on a self-enrollment certificate that is included in Windows Server 2008 R2.

Furthermore, the created SLC is shared by all the servers in the new AD RMS cluster.

Note
For additional information on the server bootstrapping, see the post AD RMS Under the Hood: Server Bootstrapping [38] on the AD RMS Team Blog.

[35] Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
[36] Understanding Information Rights Management in Exchange ActiveSync: http://technet.microsoft.com/en-us/library/ff657743.aspx
[37] Windows Data Protection: http://technet.microsoft.com/en-us/library/ms995355.aspx

b. User activation. An organization must identify the users who are trusted entities within their AD RMS system. Users are identified by two certificates: one which is used to identify users against the AD RMS servers, and another one which is used to identify a user that has protected a piece of content.

The first one is called the Rights Account Certificate (RAC), and is also known by its old name, the Group Identity Certificate (GIC). When a user first authenticates against the certification URL (_wmcs/certification/certification.asmx) of an AD RMS cluster, a RAC is issued to the user, and then the user uses this certificate for any future identification needs to the system.

The RAC is also used by the server to encrypt licenses being sent to the user, and by the client to sign the other user certificate mentioned above, the Client Licensor Certificate (CLC). This one is obtained from the RMS licensing pipeline (_wmcs/licensing/publish.asmx) during client activation, and it is used to license information, or in other words to sign the Publishing Licenses (PL) embedded into any encrypted content, which contain the usage rights (View, Edit, Print, Copy, etc.) and conditions for the published rights-protected information.



- Publishing licenses that define usage rights and conditions. A trusted entity can use AD RMS-enabled applications to assign specific usage rights and conditions to their information, which are consistent with their organization's business policies. These usage rights and conditions are defined within Publishing Licenses (PL) that specify the authorized users who can view the information and how that information can be used and shared.



- Use licenses that enforce usage rights and conditions. Each trusted entity that is a recipient of rights-protected information transparently requests and receives a Use License (UL or EUL) from the AD RMS server when attempting to open the information. A UL is granted to authorized recipients. It contains the usage rights and conditions that individual has been granted for that information. An AD RMS-enabled application uses AD RMS technology features to read, interpret, and enforce the usage rights and conditions defined in the use license.





[38] Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx



- Encryption and keys. Protected information is encrypted to prevent unauthorized users from consuming it. An AD RMS-enabled application uses a symmetric key to encrypt the information. All AD RMS servers, client computers, devices and user accounts have a public/private pair of 1024-bit or 2048-bit RSA keys.

Note
Service Pack 1 (SP1) for Windows 2008 R2 introduces a new cryptographic mode support for AD RMS that enables increasing the cryptographic strength of an AD RMS environment. By running in this advanced mode known as "Cryptographic Mode 2", AD RMS provides a cryptographic implementation that supports enhanced encryption as well as longer cryptographic keys. For example, in mode 2 operation, RSA encryption is enhanced from 1024 bit encryption to 2048 bit encryption. Also, hashing is enhanced from using SHA-1 (128 bits) to SHA-256 (256 bits).

To enable the use of this new Cryptographic Mode 2, all computers that host either AD RMS server or client software must be patched and updated. For additional information, please refer to the article Active Directory Rights Management Service Cryptographic Modes [39] and the post AD RMS and Cryptographic Support for SHA-2/RSA 2048 [40] on the AD RMS Team Blog.

AD RMS uses these public/private keys to encrypt the symmetric key in publishing and use licenses, and to sign rights management certificates and licenses, ensuring access only to properly authorized users and computers. See section § Understanding the AD RMS Certificates and Licenses.



- Rights policy templates. Administrators can create and distribute official rights policy templates that define the usage rights and conditions for a pre-defined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their information. For example, an organization might create rights policy templates for its employees that assign separate usage rights and conditions for company confidential, classified, and private data. AD RMS-enabled applications can use these templates, which provide a simple, consistent way for users to apply policies to information.



- Revocation lists. Administrators can create and distribute revocation lists that identify and invalidate compromised principals. Revocation is a mechanism that revokes a credential, such as a certificate or license, that has already been issued. The primary purpose of revocation is to prevent entities that are no longer trusted from participating in an AD RMS system. As an example, an organization's revocation list can invalidate the certificates for specific computers, devices or user accounts. If an employee is terminated, the principals involved can be added to the revocation list and can no longer be used for any AD RMS related operations. They can no longer be used to acquire new licenses.



- Exclusion policies. Administrators can implement server-side exclusion policies to deny license requests based on the requestor's user ID (an Active Directory account or a Microsoft Account (formerly Windows Live ID)), rights management account certificates, or rights management lockbox versions (see section § Rights Management Client Software). Exclusion policies deny new license requests made by compromised principals, but unlike revocation, exclusion policies do not invalidate the principals. Administrators can also exclude potentially harmful or compromised applications so that they cannot decrypt rights-protected content.





[39] Active Directory Rights Management Service Cryptographic Modes: http://go.microsoft.com/fwlink/p/?LinkID=241989
[40] AD RMS and Cryptographic Support for SHA-2/RSA 2048: http://blogs.technet.com/b/rms/archive/2012/04/29/ad-rms-and-cryptographic-support-for-sha-2-rsa-2048.aspx



- Logging. Administrators can track and audit the use of rights-protected information within an organization. AD RMS includes support for logging so that organizations have a record of AD RMS-related activities, including the PL and UL licenses that have been issued or denied.

The AD RMS server role in Windows Server 2008 R2 is manageable by two sets of Windows PowerShell cmdlets.



Note
Windows PowerShell is a command-line shell and scripting language that is designed for system administration and automation. It uses administrative tasks called cmdlets. Each cmdlet has required and optional arguments, called parameters, that identify which objects to act on or control how the cmdlet performs its task. You can combine cmdlets in scripts to perform complex functions that give you more control and help you automate the administration of Windows and applications. It has become a common way to manage the latest generation of Microsoft Server products, including Windows Server 2008 (R2), Exchange Server 2010, etc.

For more information about Windows PowerShell 2.0, please see the Windows PowerShell Web site [41], the Windows PowerShell online help [42], and the Windows PowerShell Weblog [43]. You can also refer to the Windows PowerShell Software Development Kit (SDK) [44] that includes a programmer's guide along with a full reference.

One set (AdRmsInstall) assists in deploying and configuring AD RMS, and the second set (AdRmsAdmin) is used to administer an AD RMS cluster.

To run these two sets of cmdlets, you need to import both modules:

PS C:\Windows\system32> Import-Module AdRms
PS C:\Windows\system32> Import-Module AdRmsAdmin

After the modules are imported, you can manage and administer AD RMS installations and components through Windows PowerShell.

Note
For additional information, you can refer to the articles AD RMS Cmdlets in Windows PowerShell [45] and Using Windows PowerShell to Deploy AD RMS [46].

Rights management client software

Each client computer or device in an AD RMS system must have the Rights Management Client software installed.

The component of the Rights Management Client software that performs all encryption, decryption, signing, and validation steps necessary to publish and consume rights-protected information is called the computer "lockbox."





[41] Windows PowerShell Web site: http://www.microsoft.com/powershell
[42] Windows PowerShell online help: http://technet.microsoft.com/en-us/library/bb978526.aspx
[43] Windows PowerShell Weblog: http://blogs.msdn.com/powershell
[44] Windows PowerShell SDK: http://msdn2.microsoft.com/en-us/library/aa830112.aspx
[45] AD RMS Cmdlets in Windows PowerShell: http://technet.microsoft.com/en-us/library/ee617271
[46] Using Windows PowerShell to Deploy AD RMS: http://go.microsoft.com/fwlink/?LinkId=136806

Machine activation is the process in which the lockbox is activated on the client computer or device. The client software ships with the lockbox already included, with all the logic necessary to generate, store, and digitally sign the machine's credentials. It will self-activate upon first use by any user, including non-administrators. Using Windows encryption and DPAPI, it will generate the necessary unique keys and credentials itself, i.e. the Security Processor Certificate (SPC), upon activation.

The SPC identifies each machine and allows the machine to encrypt other elements stored locally in the computer.


Note
For additional information on the user activation, see the post AD RMS Under the Hood, Client Bootstrapping, Step 1 [47] on the AD RMS Team Blog.

The latest version of the AD RMS Client 1.0 is included as part of the Windows 7, Windows Vista Service Pack 1 (SP1), Windows Server 2008, or Windows Server 2008 R2 operating systems. For down-level clients, you can install the Microsoft Windows Rights Management Services Client with Service Pack 2 (SP2), which can be downloaded from the Microsoft Download Center [48].

As of this paper, a new client, the AD RMS Client 2.0, has just been released for download on the Microsoft Download Center [49].

The AD RMS Client 2.0 is designed for your client computers to help protect access to and usage of information flowing through applications that use AD RMS, whether installed on your premises or in a Microsoft datacenter. It is supported for Windows Vista (SP2 or later), Windows 7 (SP1 or later), Windows Server 2008 R2 or above.

It ships as an optional download which can be, with acknowledgment and acceptance of its license agreement, freely distributed with your third-party software to enable client access to content that has been rights protected by use and deployment of AD RMS servers in your environment (see next section).

With the consumerization of IT (CoIT), which now becomes a reality, users expect to be able to use their own devices, such as smartphones, tablets or laptops, for their work. To put in place a "Bring Your Own Device" (BYOD) environment that leverages AD RMS as the organization's IPC system, you also need an AD RMS client on these devices.

Note
To help figure out how to face security, compliance and compatibility issues you might deal with and give users access to corporate intellectual property from ubiquitous devices, both managed and unmanaged, you can refer to a series of documents on Consumerization of IT (CoIT), i.e. Test Lab Guides (TLGs) available on the Microsoft Download Center [50]. The TLGs illustrate key CoIT scenarios with current Microsoft technologies such as Windows Server 2008 R2 and allow you to get hands-on experience using a pre-defined and tested methodology that results in a working configuration.

In terms of supported devices, Windows Mobile 6.x comes with a full AD RMS client installed on the device. This enables both the creation and consumption of protected documents. However, the end user had to activate IRM using Microsoft Windows Mobile Device Center (WMDC) [51] or Microsoft ActiveSync 4.5 [52] depending on the Windows version of the computer being used for syncing the device. See article Sync Windows Phone 6.5 with My Computer [53].

[47] Understanding Information Rights Management: http://technet.microsoft.com/en-us/library/dd638140.aspx
[48] How to Obtain Windows Rights Management Services with Service Pack 2: http://support.microsoft.com/kb/917275
[49] Active Directory Rights Management Services (AD RMS) Client 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=29892
[50] Consumerization of IT Test Lab Guides: http://www.microsoft.com/en-us/download/details.aspx?id=29574

Windows Phone 7.5 also includes built-in functionality to handle rights-managed e-mail messages and Microsoft Office Word, Excel and PowerPoint documents, which can be sent to Windows Phone users as attachments (or made available to them through Windows SkyDrive [54], a corporate on-premises Microsoft SharePoint 2010 site, or a SharePoint Online site, which is available with Microsoft Office 365).

Important note
IRM email conversations cannot be initiated from a Windows Phone. Windows Phone 7.5 indeed supports IRM through Exchange ActiveSync (EAS) IRM (see section § On-Premises IRM), and consequently there is no AD RMS client on the device. Exchange Server 2010 Service Pack 1 (SP1) and above receives a protected message, decrypts it, and packages it in a way that the device understands and can enforce the rights. One advantage to this method is that no activation for the phone is required. However, you cannot author protected content on the device. As of writing, Windows Phone does not support storage encryption.


Note
For additional information, see the whitepaper Rights-Managed Email and Office Documents in Windows Phone 7.5 [55].

Rights management services SDK

AD RMS technology includes the Rights Management Services SDK, a set of documentation and sample code that enables organizations to customize AD RMS and to create AD RMS-enabled applications.

As of this paper, a new Active Directory Rights Management Services SDK 2.0, formerly known as Microsoft Information Protection and Control (MSIPC), has just been released for download on the Microsoft Download Center [56]. This version 2.0 is the revamped SDK for rights-enabling your applications and solutions, and it indeed provides a simple mechanism for developers to create applications that author and consume rights-protected content. It leverages the functionalities exposed by the new client 2.0 (see previous section) in the DLL Msipc.dll.






[51] Install Windows Mobile Device Center: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/installing-wmdc.aspx
[52] Install ActiveSync: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/installing-activesync.aspx
[53] Sync Windows Phone 6.5 with My Computer: http://www.microsoft.com/windowsphone/en-us/howto/wp6/sync/sync-windows-phone-6-5-with-my-computer.aspx
[54] Windows SkyDrive: http://windows.microsoft.com/en-US/skydrive/home
[55] Rights-Managed Email and Office Documents in Windows Phone 7.5: http://www.microsoft.com/en-us/download/details.aspx?id=27743
[56] Active Directory Rights Management Service SDK 2.0: http://www.microsoft.com/en-us/download/details.aspx?id=29893

Note
For additional information, you can refer to the Active Directory Rights Management Services SDK 2.0 [57] documentation and the AD RMS Developer's Corner [58], the official blog of the Rights Management product team at Microsoft for developers working with information protection using AD RMS.


As part of a major effort to reduce complexity and streamline the development process, the entire API surface has been redesigned from the ground up to enable the natural evolution of AD RMS capabilities without breaking applications. This "write once, run anywhere" philosophy means that MSIPC-based applications are guaranteed to work on all supported AD RMS topologies and are compatible with all supported AD RMS servers (V1 SP2 for Windows Server 2003, Windows Server 2008, Windows Server 2008 R2).

Perhaps most notably of all, this new version eliminates the need for developers to write thousands of lines of specialized code in order to discover AD RMS servers, download and use AD RMS certificates, and manage AD RMS identities, greatly simplifying the integration process.

This new version 2.0 must now be used instead of the previous version 1.0 that is still available for download on the Microsoft Download Center [59] and that leverages the core functionalities exposed by the client 1.0 (see previous section) in the DLL Msdrm.dll. It may indeed be altered or unavailable in subsequent versions.

Understanding the AD RMS certificates and licenses

Since it encrypts and signs data, AD RMS, like Active Directory Certificate Services (AD CS) and PKI infrastructure in general, relies on certificates for the computers, devices and users in the AD RMS system, but these certificates are NOT X.509 certificates.

AD RMS uses instead an XML vocabulary to express usage rights and conditions, the eXtensible rights Markup Language (XrML). The XrML specification specifies a Rights Expression Language (REL) that provides a simple-to-use, universal method for expressing usage policies that are linked to the use and protection of digital information in any format, such as e-mail, office files, etc.

The XrML-based certificates issued by an AD RMS system identify trusted entities that can publish or view rights-protected information. Users who are trusted entities in an AD RMS system can assign usage rights and conditions to the information they want to protect via an AD RMS-enabled application. These usage policies specify who can use the information and what they can do with it.


Note
XrML supports an extensive list of rights, and application developers can define additional rights to meet their particular needs. This extensibility helps to ensure that organizations can build business, usage, and workflow models to meet their specific requirements.

The information is encrypted using the electronic keys from the AD RMS-enabled application and the XrML-based certificates of the trusted entities. After the information is encrypted or locked by this mechanism, only the trusted entities specified in the XrML-based publishing licenses can unlock and use that information.

[57] Active Directory Rights Management Services SDK 2.0: http://msdn.microsoft.com/en-us/library/hh535290(v=vs.85)
[58] AD RMS Developer's Corner: http://blogs.msdn.com/b/rms/archive/2012/05/31/official-release-of-ad-rms-sdk-2-0-and-ad-rms-client-2-0.aspx
[59] Rights Management Services SDK: http://www.microsoft.com/en-us/download/details.aspx?id=15902


Managing information online using XrML-based licenses provides easy access from any location. After the XrML-based license is downloaded, the rights are effective both online and offline, persisting with the digital information wherever it goes. Users could then distribute the rights-protected information to other users in their organization via e-mail, internal servers, or external sites to enable trusted external partners to access the information.

Note
Various interoperable rights management systems, like the already mentioned GigaTrust Enterprise Rights Management [60] partner offering, can easily interpret and manage these licenses because they all use the XrML standard. The XrML specification has been standardized: the related international standard is the ISO standard ISO/IEC 21000-5:2004, Information Technology - Multimedia Framework (MPEG 21) - Part 5: Rights Expression Language [REL] [61].

Similarly to a PKI infrastructure, the AD RMS hierarchy forms a chain of trust that validates the XrML-based certificate and license when being used.

The following table summarizes all the XrML-based certificates and licenses required as part of the AD RMS system.








[60] GigaTrust Enterprise Rights Management: http://www.gigatrust.com/index.shtml
[61] ISO/IEC 21000-5:2004, Information Technology - Multimedia Framework (MPEG 21) - Part 5: Rights Expression Language [REL]: http://www.iso.org/iso/pressrelease.htm?refid=Ref913

Table 1: AD RMS XrML-based certificates and licenses (columns: Certificate/License, Purpose, Content)

Server Licensor Certificate (SLC)
Purpose: The server licensor certificate that is issued to licensing servers grants the right to issue: Publishing licenses (PL), Use licenses (UL), Client licensor certificates (CLC), Rights policy templates. The server licensor certificate that is issued to the AD RMS cluster additionally grants the right to issue: Rights account certificates (RAC) to clients, Server licensor certificates (SLC) to licensing servers.
Content: The server licensor certificate (SLC) that is issued to a licensing server contains the public key of the licensing server. The SLC that is issued to the root certification server contains the public key of the root certification server.

Client Licensor Certificates (CLC)
Purpose: Grant a user the right to publish AD RMS-protected content.
Content: Contain the public key of the certificate, and the private key of the certificate encrypted by the public key of the user who requested the certificate. Also contain the public key of the server that issued the certificate.

AD RMS machine certificates (SPC)
Purpose: Identify a computer or device that is trusted by the AD RMS system.
Content: Contain the public key of the activated computer. The corresponding private key is contained by that computer's lockbox.

Rights Account Certificates (RAC)
Purpose: Identify a user in the context of a specific computer or device.
Content: Contain the public key of the user, and the private key of the user that is encrypted with the public key of the activated computer.

Publishing Licenses (PL)
Purpose: Specify the rights that apply to the AD RMS-protected content.
Content: Contain the symmetric content key for decrypting the content, which is encrypted with the public key of the server that issued the license.

Use Licenses (UL or EUL)
Purpose: Specify the rights that apply to the AD RMS-protected content in the context of a specific authenticated user.
Content: Contain the symmetric content key for decrypting the content, which is encrypted with the public key of the user.

The above XrML-based certificates and licenses imply the use of AD RMS cryptographic keys. The following table lists all the cryptographic keys involved in the AD RMS system.

Table 2: AD RMS cryptographic key definitions

Key | Use

Server keys
Public key: encrypts the content key that is in a publishing license (PL) so that only the AD RMS server can retrieve the content key and issue use licenses (UL) against that publishing license.
Private key: signs all certificates and licenses that are issued by the server.

Machine keys
Public key: encrypts a rights account certificate (RAC) private key.
Private key: decrypts a RAC.

Client licensor keys
Public key: encrypts the symmetric content key in the publishing licenses (PL) that it issues.
Private key: signs PLs that are issued locally while the user is not connected to the network.

User keys
Public key: encrypts the content key that is in a use license (UL) so that only a particular user can consume AD RMS-protected content by using that license.
Private key: allows a user to consume AD RMS-protected content.

Content keys
Encrypts AD RMS-protected content when the author publishes it.


The following figure synthesizes the two above tables.

Figure 1: Certificate Dependencies and Encryption

Considering the above definitions, the following diagram summarizes how AD RMS works when users publish and consume rights-protected information.

[Figure 1 diagram: UL and PL (issuer, content key, signature); CLC, RAC, SLC and SPC (issuer, public key, signature, private key); relationships labelled "Issued and signed by" and "Encrypted with"; private keys protected with a strong password or HSM, or with DPAPI and RSAVault.]



Figure 2: Workflow of creating and viewing rights-protected information

This process includes the following steps:

1. Author receives a Client Licensor Certificate (CLC) from the AD RMS server the first time they rights-protect information. This is a one-time step that enables offline publishing of rights-protected information in the future.

2. Using an AD RMS-enabled application, an author creates a file and defines a set of usage rights and conditions for that file. A Publishing License (PL) is then generated that contains the usage policies.

3. The application encrypts the file with a symmetric key which is then encrypted to the public key of the author's AD RMS server. The key is inserted into the publishing license (PL) and the publishing license is bound to the file. Only the author's AD RMS server can issue use licenses to decrypt this file.

4. The author distributes the file.

5. A recipient receives a protected file through a regular distribution channel and opens it using an AD RMS-enabled application or browser.

6. If the recipient does not have an account certificate on the current computer, this is the point at which one will be issued.

7. The application sends a request for a use license to the AD RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate (which contains the recipient's public key) and the publishing license (which contains the symmetric key that encrypted the file).

Note

A publishing license (PL) issued by a Client Licensor Certificate (CLC) includes the URL of the server that issued the certificate. In this case, the request for a use license (UL or EUL) goes to the AD RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license (PL).
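As an added example (not code from this document or from Microsoft), the following Go program models the key flow of steps 2, 3 and 7 with the keys of Table 2: a fresh symmetric content key encrypts the file, the PL wraps that key under the server public key, and the server issues a UL by re-wrapping the same key under the requesting user's public key, so a PL alone or a UL for another user never yields the content. It assumes RSA-OAEP and AES-GCM in place of the real XrML and AD RMS formats; signatures, the RAC/CLC certificate chain and rights evaluation are omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// A content key is fresh per file and used once, so a fixed zero GCM nonce is safe here.
var nonce = make([]byte, 12)

// Publish (steps 2-3): encrypt with a fresh symmetric content key and return the
// publishing license (PL), i.e. that key wrapped under the server public key.
func Publish(server *rsa.PublicKey, content []byte) (pl, ciphertext []byte, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)   // AES block size fits GCM: cannot fail
	pl, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	return pl, g.Seal(nil, nonce, content, nil), err
}

// IssueUseLicense (step 7, server side): unwrap with the server private key and
// re-wrap for the RAC public key; rights evaluation against the PL is omitted.
func IssueUseLicense(server *rsa.PrivateKey, pl []byte, user *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, server, pl, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, user, key, nil)
}

// Consume (client side): only the private key matching the UL recovers the content key.
func Consume(user *rsa.PrivateKey, ul, ciphertext []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, user, ul, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a UL that carried a bad key length
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, nonce, ciphertext, nil)
}
```

Note that the server never sees the file itself, only the wrapped content key, which is why the PL can safely travel with the protected file.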