How to protect important documents in a domain environment (II): IRM & RMS (part II)


In IRM & RMS (part I) we saw that IRM makes it easy to grant different permissions to different users and so protect the documents themselves. Unlike conventional encryption, this service works together with applications that support it (such as the Microsoft Office System), so that whether the computer is online or offline, inside or outside the LAN, viewing or working on a confidential document always requires a valid authorization. We also noticed, however, that IRM is inconvenient in practice: it needs an Internet connection and authenticates the user with a Windows Live ID, which is hard to accept in companies with strict restrictions. Does that mean such a company has to give up this excellent technique? Of course not, because we still have RMS (Rights Management Services), a milestone in information protection technology.

I believe many readers interested in information security already know, or are already using, RMS on Windows Server 2003. A conventional RMS deployment generally consists of the following parts:

1. Active Directory

The Active Directory database provides user authentication and the information RMS needs (such as e-mail addresses), and tells clients where the RMS root cluster is through the service connection point (SCP).

2. Root certification server / root cluster

One or more RMS servers in the domain or forest form the RMS root cluster; with several servers the load is shared between them. The root cluster holds the server licensor certificate (SLC) and enforces the RMS operating rules: it issues a machine certificate to each client computer and a rights account certificate (RAC) to each user account, authorizes users to publish protected files (client licensor certificate, CLC) and grants recipients the right to use protected files (use license).

3. SQL database

The database stores the root cluster's configuration data, logging records, directory services cache and other information.

4. Client

Windows 7, Windows Server 2008 and Windows Vista already contain the RMS client; on earlier operating systems the RMS client must be installed. In addition, a browser or application that supports RMS (such as Microsoft Office 2007) must be installed on the client operating system.

Anyone who has deployed RMS on Windows Server 2003 knows that there it is an add-on: it has to be downloaded from the Microsoft website, after installation the server has to connect to the Microsoft Enrollment Service (the step that creates and signs the SLC), and configuration is done through a web form interface with many steps and plenty of room for error.

In Windows Server 2008, RMS is included in the system as a server role and officially renamed AD RMS. AD RMS is managed in an MMC console, which improves the user experience. Second, the AD RMS cluster no longer needs to connect to the Microsoft Enrollment Service: with the server self-enrollment certificate the whole enrollment process runs on the local server. Third, the integration of AD RMS with AD FS (Federation Services) makes it easy to collaborate with external partner enterprises that have not deployed AD RMS; users on both sides authenticate with their domain accounts instead of a Windows Live ID.

Therefore, since more and more enterprises use Windows Server 2008 and its AD RMS is so attractive, all explanations and demos in this article use AD RMS on Windows Server 2008.

Let's take a look at the topology of my test environment:

Environment Description:

1. My RMS root cluster has only one AD RMS server. If you have the resources, you can build several.

2. The domain controller runs Windows Server 2003 R2 SP2, the database server runs Windows Server 2003 R2 SP2 with SQL Server 2008, the AD RMS server runs Windows Server 2008 R2 (RTM), and the client runs Windows 7 (RTM) with Office 2007 Enterprise installed.

3. Strictly speaking we also need an Exchange mail server, because every user and group that publishes content or is granted rights through RMS must have an e-mail address in AD. Hardware in my lab is limited, so Exchange is not deployed and the e-mail addresses have to be set manually.

Because this article focuses on AD RMS, the hardware and software environment and the preparation needed before setting up AD RMS are described in detail here.

First, the minimum and recommended hardware for an AD RMS server running Windows Server 2008:

Component    Minimum                                 Recommended
Processor    one Pentium 4 3 GHz or faster           two Pentium 4 3 GHz or faster
Memory       512 MB RAM                              1024 MB RAM
Disk         40 GB of available hard disk space      80 GB of available hard disk space

As you can see, the hardware requirements are modest.

Note: hardware requirements for the DC and the SQL database server are not covered here.

Let's look at the software requirements:

Operating system: Windows Server 2008 or Windows Server 2008 R2.

File system: NTFS is recommended.

Messaging: Message Queuing (MSMQ).

Web services: Internet Information Services (IIS) with ASP.NET enabled.

Active Directory / Active Directory Domain Services: AD RMS must be installed in an Active Directory domain whose domain controllers run Windows 2000 Server with Service Pack 3 (SP3), Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2. All users and groups that obtain licenses or publish content through AD RMS must have an e-mail address configured in Active Directory.

Database server: AD RMS uses a database server (such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008) and stored procedures for its operations. The AD RMS role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000.

Note: The software environment on the DC and SQL server is not described here.

If your client runs an earlier operating system, download the RMS client (the latest version is the one with Service Pack 2) from the Microsoft website and install it.

Once the hardware and software requirements of the AD RMS server are understood and met, you can move on to the pre-installation phase.

In the pre-installation phase, first create an AD RMS installation account on the DC (here adrmsadmin). This account must be added to the local Administrators group of the AD RMS server and must hold the required server role on the SQL Server. If the service connection point (SCP) is to be registered during installation, the account must also be a member of the Enterprise Admins group. Next, create a domain account to serve as the AD RMS service account (here adrmssrvc); it needs no extra permissions beyond ordinary Domain Users membership.

Because the domain controller runs Windows Server 2003, also check that the domain functional level has been raised to Windows Server 2003.

If your domain controllers run Windows Server 2008, there is nothing to check or raise.
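The preparation steps above, scripted in PowerShell. This is an added example and not part of the original post. It assumes the domain contoso.com (NetBIOS name CONTOSO, forest root), that the demo users cto, cfo and cso already exist in CN=Users, that the AD RMS server is named ADRMS01 and the SQL server SQL01 (default instance), and it grants adrmsadmin the SQL sysadmin role as the simplest way to satisfy the database role requirement; all of these names are assumptions. ADSI is used instead of the ActiveDirectory module so the script works against the Windows Server 2003 domain controller of this lab. Run it as a Domain Admin from a domain-joined machine that has sqlcmd installed.

```powershell
# Added example, not from the original post. Assumed names: contoso.com / CONTOSO,
# AD RMS server ADRMS01, SQL server SQL01, demo users cto, cfo and cso in CN=Users.
$domainDN    = "DC=contoso,DC=com"
$dnsDomain   = "contoso.com"
$netbios     = "CONTOSO"
$adrmsServer = "ADRMS01"
$sqlServer   = "SQL01"
$users       = [ADSI]"LDAP://CN=Users,$domainDN"

# Create an enabled domain user through ADSI (works against a Windows Server 2003 DC).
function New-LabUser([string]$Name, [string]$Description, [bool]$PasswordNeverExpires) {
    $u = $users.Create("user", "CN=$Name")
    $u.Put("sAMAccountName", $Name)
    $u.Put("userPrincipalName", "$Name@$dnsDomain")
    $u.Put("description", $Description)
    $u.SetInfo()                                   # the object must exist before SetPassword
    $u.SetPassword((Read-Host "Password for $Name"))
    $uac = 0x200                                   # NORMAL_ACCOUNT, enabled
    if ($PasswordNeverExpires) { $uac = $uac -bor 0x10000 }   # DONT_EXPIRE_PASSWD
    $u.Put("userAccountControl", $uac)
    $u.SetInfo()
}

New-LabUser "adrmsadmin" "AD RMS installation account" $false
New-LabUser "adrmssrvc"  "AD RMS service account (plain domain user)" $true

# Installation account: local Administrators on the AD RMS server ...
$localAdmins = [ADSI]"WinNT://$adrmsServer/Administrators,group"
$localAdmins.Add("WinNT://$netbios/adrmsadmin,user")

# ... sysadmin on the SQL Server (assumed: the simplest role that satisfies the wizard) ...
sqlcmd -S $sqlServer -E -Q "CREATE LOGIN [$netbios\adrmsadmin] FROM WINDOWS; EXEC sp_addsrvrolemember '$netbios\adrmsadmin', 'sysadmin'"

# ... and Enterprise Admins, only because the SCP will be registered during installation.
$entAdmins = [ADSI]"LDAP://CN=Enterprise Admins,CN=Users,$domainDN"
$entAdmins.Add("LDAP://CN=adrmsadmin,CN=Users,$domainDN")

# No Exchange in this lab: every RMS publisher and recipient still needs a mail attribute.
foreach ($name in "cto", "cfo", "cso") {
    $u = [ADSI]"LDAP://CN=$name,CN=Users,$domainDN"
    $u.Put("mail", "$name@$dnsDomain")
    $u.SetInfo()
}

# Domain functional level: 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2 (absent on Windows 2000 DCs).
$level = [int]([ADSI]"LDAP://RootDSE").domainFunctionality.Value
if ($level -lt 2) { Write-Warning "Raise the domain functional level to Windows Server 2003 first" }

# Firewall check towards the database server, before the wizard's Validate step.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($sqlServer, 1433); "TCP 1433 to $sqlServer is open" }
catch   { Write-Warning "TCP 1433 to $sqlServer is blocked; open 1433 and 445 on its firewall" }
finally { $tcp.Close() }
```

The service account deliberately gets no group membership at all: AD RMS runs its web pipelines under it, so anything extra it holds is exposed to whoever compromises the IIS worker process. Only the installation account is privileged, and only for the duration of the installation.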

So that readers can see the final result clearly, I use three domain users in the contoso domain to demonstrate granting rights and accessing the protected document.

With the preparation done, you can install the AD RMS server role on Windows Server 2008.

Note: installing and configuring SQL Server 2008 and installing Office 2007 on the client are not covered here.

Log on to the Windows Server 2008 server with the adrmsadmin account created and granted the permissions above.

Open Server Manager and select "Add Roles".

Active Directory Rights Management Services is at the top of the list; tick it.

The components AD RMS depends on are listed automatically for installation, which is very convenient.

Start the installation.

You can also choose to install support for federated identity, which extends AD RMS to other organizations that have a trust relationship with you but have not deployed AD RMS themselves.

Create a new AD RMS cluster. Next.

For the configuration database you can create a Windows Internal Database directly on the AD RMS server. That database has many limitations and cannot be accessed remotely, so if you choose it the AD RMS cluster can only ever contain this one AD RMS server.

Connect to the dedicated SQL Server 2008 server and select the default instance.

Note that if the firewall is enabled on the remote database server, TCP ports 1433 (SQL Server) and 445 (named pipes) must be opened so the AD RMS server can reach the database.

Click Validate, then Next.

Enter the AD RMS service account and its password.

Configure how the AD RMS cluster key is stored. This key is needed to recover the AD RMS server after a disaster and to add further AD RMS servers to the cluster.

Set the AD RMS cluster key password, which protects the cluster key.

Select the website for the AD RMS cluster; the Default Web Site is used and the virtual directory is created under it.

Set the cluster URL. If you have a certificate server in your environment, request a certificate so that the connection is encrypted with SSL.

We recommend this for AD RMS in production.

In the test environment I chose an unencrypted connection.

Here I did not use the AD RMS server's own name as the internal address but a new FQDN.

You only need to add the corresponding A record in DNS.

Name the server licensor certificate; keep the default. Next.

Select automatic SCP registration.

Install the Web Server role.

Keep the defaults.

Confirm and start the installation.

Wait patiently while the installation runs...

When the installation finishes you are prompted to log off the AD RMS installation account and log on again.

After logging on again you can manage AD RMS directly from the console. In the AD RMS console you can configure trust policies and exclusion policies and create rights policy templates.

The basic configuration of the AD RMS server is complete.
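The same root-cluster installation the wizard walkthrough above performs, scripted with the ADRMS PowerShell module that ships with the AD RMS role on Windows Server 2008 R2. This is an added example, not the original post's procedure. Assumed: the SQL server SQL01 (default instance), the service account CONTOSO\adrmssrvc, the cluster URL http://adrms.contoso.com whose A record is already in DNS, and the SLC name. The ADRMSInstall drive, Install-ADRMS and the node and property names below are as recalled from that provider by the author of this example; the Get-ChildItem at the start prints the nodes that actually exist on your build so you can confirm them before the Set-ItemProperty lines run. Run in an elevated PowerShell session as adrmsadmin on the AD RMS server.

```powershell
# Added example, not from the original post. Assumed: SQL01, CONTOSO\adrmssrvc,
# http://adrms.contoso.com. Node/property names are from the 2008 R2 ADRMSInstall
# provider as recalled by this example's author; verify them with Get-ChildItem RC:\.
Import-Module ServerManager
Add-WindowsFeature ADRMS -IncludeAllSubFeature      # pulls in IIS, MSMQ and the other dependencies
Import-Module ADRMS

# The provider exposes the wizard pages as items under a drive rooted at RootCluster.
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null
Get-ChildItem RC:\ | Format-Table Name               # confirm the node names on your build

# Configuration database: a dedicated SQL Server, not Windows Internal Database,
# otherwise the cluster can never grow beyond this one server.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $false
Set-ItemProperty -Path RC:\ClusterDatabase -Name ServerName -Value "SQL01"

# Service account: a plain domain user with no extra privileges.
$svc = Get-Credential "CONTOSO\adrmssrvc"
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svc

# Cluster key held by AD RMS and protected by a password; keep it safe, it is needed
# for disaster recovery and when a second server joins the cluster.
$keyPwd = Read-Host -AsSecureString -Prompt "Cluster key password"
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $keyPwd

# Website and cluster URL. The lab in this post used plain http; use https with a
# certificate from your CA in production so credentials and licenses are not sent in clear.
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value "Default Web Site"
Set-ItemProperty -Path RC:\ClusterUrl -Name Address -Value "http://adrms.contoso.com:80"

Set-ItemProperty -Path RC:\SLCName -Name Name -Value "Contoso AD RMS SLC"
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true   # this is why adrmsadmin needs Enterprise Admins

Install-ADRMS -Path RC:\ -Force
# Log off and on again afterwards, exactly as after the wizard, before opening the console.
```

Scripting the installation makes the cluster URL, key storage and SCP choices reviewable and repeatable; the values above are the ones that are hard to change after the fact (the cluster URL in particular is baked into every published license), so they deserve a review before the script is run.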

========================================================== ============

Back on the client, log on as cto, an ordinary domain user.

The first thing to do is add the URL of the AD RMS cluster to the Local intranet zone.

Create a Word 2007 document. cto wants cfo to be able to view the protected file but not modify, copy or print it, and nobody else to be able to view it.

As in part I, click Office button > Prepare > Restrict Permission > Restricted Access.

The client queries the SCP to find the AD RMS cluster and downloads the rights account certificate (RAC).

Next, select the users to authorize and the permissions to grant, exactly as with IRM.

The difference is that we no longer use Windows Live IDs but the domain users' e-mail addresses.

The permissions are set, and the document now shows the "Restricted Access" notice.
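The client side of this walkthrough in PowerShell, as an added example that is not part of the original post. It puts the cluster host into the Local intranet zone the way the step above does by hand, then performs the same lookup the RMS client performs when cto restricts the document: it reads the AD RMS service connection point from the forest's configuration partition and probes the certification and licensing pipelines it points to, authenticating with the logged-on user's Windows credentials. Assumed: the cluster URL http://adrms.contoso.com and a single-forest domain contoso.com; the ZoneMap registry layout and the SCP location are those of Windows 7 and AD RMS respectively. Run it on the Windows 7 client as the user who will protect or open documents.

```powershell
# Added example, not from the original post. Assumed cluster URL: http://adrms.contoso.com.
$clusterHost = "adrms.contoso.com"

# (1) Local intranet zone. Per-user ZoneMap: Domains\<domain>\<host>, one value per
# URL scheme whose DWORD data is the zone number (1 = Local intranet).
$zoneMap   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$labels    = $clusterHost.Split(".")
$domainKey = Join-Path $zoneMap ($labels[-2..-1] -join ".")       # ...\Domains\contoso.com
if ($labels.Length -gt 2) {
    $key = Join-Path $domainKey ($labels[0..($labels.Length - 3)] -join ".")   # ...\contoso.com\adrms
} else {
    $key = $domainKey
}
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name "http" -Value 1 -PropertyType DWord -Force | Out-Null
"Added http://$clusterHost to the Local intranet zone"

# (2) SCP lookup, as the RMS client does it: the SCP lives in the configuration partition
# and its serviceBindingInformation attribute holds the certification pipeline URL.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$scp      = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
$certUrl  = [string]$scp.serviceBindingInformation.Value
if (-not $certUrl) { throw "No AD RMS SCP registered; the client would fall back to registry overrides only" }
"SCP points to: $certUrl"

# Probe the pipelines that RAC and use-license requests go to. UseDefaultCredentials
# sends the logged-on user's Windows credentials, which is what step (1) permits.
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true
$pipelines = @(
    "$certUrl/certification.asmx",
    ($certUrl -replace "/certification$", "/licensing/license.asmx")
)
foreach ($pipe in $pipelines) {
    try   { $null = $web.DownloadString($pipe); "OK   $pipe" }
    catch { "FAIL $pipe : $($_.Exception.Message)" }
}
```

If the certification pipeline answers but the licensing one does not, the user can still obtain a RAC and protect documents while recipients fail to open them, which is exactly the symptom seen when only part of the cluster URL has been published in DNS or the firewall.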

Next, log on to the client with the cfo account.

Open the document with restricted access. A dialog box asks for the user's credentials.

Enter the cfo account and password.

The message "The permissions for this document are currently restricted" appears: the client must connect to the AD RMS server to verify the identity and download a RAC.

cfo opens the document, and you can see cfo's permissions on it.

Switch to the cso account and log on to the client.

When cso logs on and opens the file,

the user's credentials are requested first.

cso is told that these credentials are not allowed to open the document.

Click "Yes" to request additional permissions from the person who set them by e-mail, "No" to close the dialog without opening the document, or "Change User" to switch to another user's identity for this document. Of course, you would need that user's account and password, and whether that user may view the document is still an open question. AD RMS is really secure...

I will not demonstrate federated identity authentication or the operations in the AD RMS console. This article is only an introduction, meant to show that such a powerful information protection solution exists. If you want to understand AD RMS, read the AD RMS help file carefully or visit Microsoft TechNet.

URL: http://technet.microsoft.com/zh-cn/library/cc771234(WS.10).aspx

Summary:

After working through EFS, IRM and AD RMS, I believe you now have some ideas and plans for protecting important documents in a domain environment, so my goal is achieved.

The series is not finished yet, though: there is one more Microsoft product, BitLocker. We will continue with it next time...

Source: http://mrfly.blog.51cto.com/151750/195005
