Active Directory Rights Management Services (AD RMS): Part 12 (Best Practices from Microsoft IT)
The information below is a bit old (it dates from 2009), but the same concepts still apply.
By thoroughly evaluating and deploying an RMS server infrastructure and using the IRM client technology in Office Enterprise, Microsoft IT learned several valuable lessons that can be applied as best practices in most other AD RMS/IRM deployment plans. Microsoft IT learned some of these lessons and best practices during deployment, and some as outcomes of the deployment. They can be divided into three general categories: deployment, security, and administration.
Deployment
Microsoft IT derived the following lessons and best practices from its experience in deploying AD RMS and IRM.
Educate Users
To take full advantage of the technology, users must be told that the service exists and taught how to properly use it. An organization can educate users by creating self-help training content and knowledge base articles, developing a dedicated intranet Web site for posting training materials and frequently asked questions (FAQ), and regularly advertising and discussing the service addition with employees during the deployment. Success in informing the user base on where to find the information needed to properly use the service will minimize the effect on the organization’s help desk.
Run a Pilot
An organization should introduce AD RMS to the enterprise in a pilot deployment project with a limited set of users in a small, controlled area. During the pilot, the organization should test all of the desired enterprise-usage scenarios, including any planned templates.
After successful completion of the first pilot, if the organization expects the size of the eventual rollout to include a very large number of users, it should conduct a second pilot to a larger (but still closely monitored) group of users. After identifying and considering scaling issues, the organization should begin the rollout to the rest of the organization, as resources and time permit. Employees running versions of Microsoft Office older than Office Professional Edition 2003 or editions of Microsoft Office that do not support IRM directly can use RMA as needed to read rights-protected e-mail and documents prior to their own upgrade to IRM-enabled versions of Microsoft Office. This capability must be specifically enabled in the Rights Management policies applied to the documents, so the organization should set it up in the policy templates at least during the deployment period.
At Microsoft, Microsoft IT sent rights-protected e-mail to successively larger groups of consumers simultaneously, to stress test the RMS licensing infrastructure. Microsoft IT considered the deployment of RMS and IRM officially complete when it successfully sent a rights-protected e-mail message to the company All Staff distribution group, and all valid consumers were able to read it.
Consider Network Bandwidth
An organization should carefully consider network bandwidth constraints before adding new services to the existing core IT services. It is likely that the network was designed with different assumptions, necessitating the careful management of the risk of business disruption. Microsoft IT’s experience in deploying RMS technology with a new server infrastructure and license distribution demonstrated that the Microsoft corporate network bandwidth was not significantly affected.
Deploy All RMS Servers with a Failover Option
All servers supporting AD RMS in a forest should be deployed with at least two servers to support server failover in case of catastrophic hardware failure. This advice also includes the AD RMS transaction logging servers, which are used with every AD RMS transaction.
Choose the Best Client Deployment Model
Enterprises need to determine whether they want to deploy AD RMS clients by using a software deployment tool such as System Center Configuration Manager 2007, by using GPO, by chaining the AD RMS client to another deployment (which is what Microsoft IT did with the Office Professional Edition 2003 deployment), or by deploying Windows Vista clients, which already include the AD RMS client. Microsoft IT knew that only about 75 percent of the computers in the enterprise were connected to the System Center Configuration Manager platform (the rest consisted of test computers, secondary portable computers, and computer labs used within the company), so deploying the AD RMS client as an independent package would not cover the remaining computers. Microsoft IT does not use GPO to deploy software bits to clients; the use of GPO is reserved for distributing policies. Instead, Microsoft IT uses System Center Configuration Manager 2007 for automating software distribution.
All Microsoft staff use Office Enterprise as their business productivity application suite. As such, Microsoft IT added the provision to install and activate the RMS client to the installation script of Office Professional Edition 2003 from the Microsoft IT software distribution servers. As the staff later upgraded to Microsoft Office 2007 running on Windows Vista, this provision became unnecessary.
Use Configuration GPO to Enforce Corporate Settings
Within Microsoft, users of Microsoft Office might install it from distribution servers not managed by Microsoft IT (such as those used internally by the Microsoft Office development team), bypassing the custom Microsoft IT installation scripts that routed all IRM document licensing requests to the main corporate forest. As a result, Microsoft IT was forced to use a GPO to deploy a change in the client registry. This change revised a registry key setting on client computers that were outside the Microsoft IT standard to override the default AD RMS service discovery setting, which pointed to AD DS in the user’s logon forest, which in turn (by default) referred the user to the AD RMS servers located in that same forest.
Address User Rights
Windows XP requires the logged-on user account to have administrator rights to install software. If an organization mandates that its employee users cannot have administrator rights, it can use a software deployment tool such as System Center Configuration Manager 2007 to install application and certificate files in a different user context than the logged-on user. System Center Configuration Manager can then effectively mimic an administrator logon and complete the installation. Because Windows Vista includes an AD RMS client, this operation is not necessary unless a newer version of the AD RMS client must be deployed.
Automatically Retrieve Use License for Outlook
Microsoft IT uses Office Outlook 2007 in cached mode, which means Office Outlook 2007 does not need to maintain a constant connection with the Exchange Server 2007 server to send and retrieve e-mail. Exchange Server 2007 includes a component called the prelicensing agent, which allows for the distribution of access licenses together with protected content delivered to Office Outlook or Office Outlook Mobile clients. Microsoft IT modified its Office Enterprise 2007 installation script to update the registry key that controls whether client computers automatically retrieve use licenses for Office Outlook e-mail messages.
Enabling this setting prevents the appearance of a dialog box (which asks the user whether Office Outlook should automatically retrieve the use license for all rights-protected e-mail messages received) the first time a rights-protected e-mail message or document attachment is sent to that e-mail client. Microsoft IT preset the automatic use-license download, which is a best practice that the Microsoft Office 2007 product group recommends.
Consolidate Licensing Across Forests
With Active Directory infrastructures encompassing multiple forests, an organization should use an AD RMS Certification load-balanced cluster in one forest to serve publishing and licensing requests for the entire enterprise. This action simplifies administration tasks and minimizes troubleshooting work when all publication licenses come from the same source. The organization should deploy registry keys to users from other forests to point them to this cluster. It should use AD RMS clusters on the other forests only for expansion of distribution lists and account activation.
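The registry override described in "Use Configuration GPO to Enforce Corporate Settings" and again here (pointing clients in other forests at one central cluster) can be audited and applied with a script such as the following. This is an added example, not the case study's own deployment script; it uses the MSDRM client's ServiceLocation override keys, and the cluster name `rms.corp.contoso.com` is a placeholder.

```powershell
# Added example (not from the Microsoft IT case study): audit and optionally set the
# AD RMS client service-discovery override that points clients at one central
# certification/licensing cluster instead of the default AD DS-based discovery.
# The cluster host name below is a placeholder for your own cluster.

$ClusterHost = 'rms.corp.contoso.com'   # placeholder: FQDN of the central AD RMS cluster

# Expected override URLs: certification (activation) and licensing (enterprise publishing)
$Expected = @{
    'Activation'           = "https://$ClusterHost/_wmcs/certification"
    'EnterprisePublishing' = "https://$ClusterHost/_wmcs/licensing"
}

# 32-bit Office on 64-bit Windows reads the Wow6432Node hive; check both locations
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSDRM\ServiceLocation'
)

function Test-RmsServiceLocation {
    # Returns one object per (base path, key) describing the current override state
    foreach ($base in $BasePaths) {
        foreach ($name in $Expected.Keys) {
            $keyPath = Join-Path $base $name
            $current = $null
            if (Test-Path $keyPath) {
                # The override URL is stored in the key's (Default) value
                $current = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                Key       = $keyPath
                Expected  = $Expected[$name]
                Current   = $current
                Compliant = ($current -eq $Expected[$name])
            }
        }
    }
}

function Set-RmsServiceLocation {
    # Creates the override keys so discovery no longer falls back to the logon forest.
    # Run elevated; intended for a GPO startup script or a software deployment tool.
    foreach ($base in $BasePaths) {
        foreach ($name in $Expected.Keys) {
            $keyPath = Join-Path $base $name
            if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
            Set-ItemProperty -Path $keyPath -Name '(default)' -Value $Expected[$name]
        }
    }
}

# Report drift; a non-zero exit code lets a scheduled job flag non-compliant clients
$state = Test-RmsServiceLocation
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run `Test-RmsServiceLocation` from a scheduled task on a sample of clients to confirm the GPO actually reached the machines that bypassed the standard installation scripts.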
Security
Microsoft derived the following security lessons and best practices from its experience in implementing and managing AD RMS and IRM.
Use LDAP Signing to Help Secure Network Communications
Communications between AD RMS and the global catalog should be digitally signed. Signing Lightweight Directory Access Protocol (LDAP) traffic helps guarantee that the packaged data comes from a known source and that it has not been tampered with. Windows Server 2003 and Windows Server 2008 enable LDAP signing and encrypting by default. Organizations should use Windows Server 2008 for their Active Directory servers to implement this best practice.
Do Not Use SQL Server Authentication Mode
For the highest level of security, an organization should not configure the SQL Server database servers on the AD RMS infrastructure to support SQL Server authentication. In SQL Server authentication mode, credentials are passed in plaintext in the connection string, so SQL Server should be configured to support only Windows authentication.
Enforce Access Restrictions
An organization should ensure that only those personnel who need to administer AD RMS have:
- Membership in the Administrators or AD RMS Service Group local groups on the AD RMS server.
- The Log on Locally permission on the AD RMS servers.
- Terminal Services user access on the Remote Desktop Protocol (RDP) connection configuration on the AD RMS servers.
In addition, the organization should ensure that the discretionary access control lists (DACLs) that are configured for the servers restrict access to only essential personnel.
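The three access restrictions listed above can be verified on each AD RMS server with an audit script. This is an added example, not a Microsoft IT script; the approved principals (`CONTOSO\RMS-Admins`, `CONTOSO\svc-adrms`) are placeholders for your own administrative group and service account, and it assumes the local group is named "AD RMS Service Group" as the text states.

```powershell
# Added example (not Microsoft IT's own tooling): report every principal holding
# administrative, interactive-logon or RDP-logon access on an AD RMS server that is
# not on an approved list. Approved names below are placeholders.

$Approved = @(
    'CONTOSO\RMS-Admins',                  # placeholder: domain group of AD RMS administrators
    'CONTOSO\svc-adrms',                   # placeholder: dedicated AD RMS service account
    'BUILTIN\Administrators',              # appears as the holder of the logon rights
    "$env:COMPUTERNAME\Administrator"
)

function Get-LocalGroupMembersCompat {
    # Uses the ADSI WinNT provider, which also works on servers without Get-LocalGroupMember
    param([string]$GroupName)
    try {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            # WinNT://DOMAIN/Name  ->  DOMAIN\Name
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
    } catch { @() }   # group absent on this host (for example, role not installed)
}

function Get-UserRightHolders {
    # Exports local security policy with secedit and returns who holds a user right.
    # SeInteractiveLogonRight = "Log on locally"; SeRemoteInteractiveLogonRight = RDP logon.
    param([string]$Right)
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -like "$Right =*" }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')          # SIDs are written as *S-1-...
        if ($entry -like 'S-1-*') {
            try { (New-Object System.Security.Principal.SecurityIdentifier $entry).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }                        # unresolvable SID: report it raw
        } else { $entry }
    }
}

function Get-RmsAccessFindings {
    $checks = @{
        'Local Administrators' = Get-LocalGroupMembersCompat -GroupName 'Administrators'
        'AD RMS Service Group' = Get-LocalGroupMembersCompat -GroupName 'AD RMS Service Group'
        'Log on locally'       = Get-UserRightHolders -Right 'SeInteractiveLogonRight'
        'Remote Desktop logon' = Get-UserRightHolders -Right 'SeRemoteInteractiveLogonRight'
    }
    foreach ($name in $checks.Keys) {
        foreach ($principal in $checks[$name]) {
            if ($Approved -notcontains $principal) {
                [pscustomobject]@{ Check = $name; Principal = $principal }
            }
        }
    }
}

# Every row is access that, per the restrictions above, should not exist
Get-RmsAccessFindings | Format-Table -AutoSize
```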
To support group expansion across forests, AD RMS automatically assigns read access to directory services to all authenticated users who have domain credentials. To increase security, the organization should remove this access from the DACL and replace it with each service account that is in the different forests.
Help Secure SQL Server Databases
Allowing unprotected database communications is a high security risk. To help prevent malicious users from capturing or modifying logged data, an organization should help secure SQL Server databases by configuring either SSL or Internet Protocol security (IPsec) to provide encrypted channels.
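The two SQL Server points above (Windows-only authentication, and encrypted channels to the database) can be checked from the AD RMS server itself. This is an added example rather than anything from the case study; `SQLRMS01` is a placeholder instance name, and the connection uses Windows authentication with `Encrypt=True`, so no credential appears in the connection string.

```powershell
# Added example (not the case study's own tooling): audit the SQL Server hosting the
# AD RMS databases for mixed-mode authentication, unencrypted connections and
# leftover SQL-authentication logins. Instance name is a placeholder.

$SqlInstance = 'SQLRMS01'   # placeholder: SQL Server instance for the AD RMS databases

function Get-RmsSqlSecurityState {
    param([string]$Instance)

    # Integrated Security = Windows authentication (no plaintext password in the string).
    # Encrypt=True requests SSL/TLS; TrustServerCertificate=False validates the server
    # certificate, so Open() failing here is itself a finding (no trusted certificate).
    $cs = "Server=$Instance;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # IsIntegratedSecurityOnly = 1 means SQL Server authentication is disabled.
        # encrypt_option for our own session shows whether this channel is encrypted.
        # sys.sql_logins lists SQL-auth logins that would work if mixed mode were enabled.
        $cmd.CommandText = @"
SELECT
    CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
    (SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID) AS EncryptOption,
    (SELECT COUNT(*) FROM sys.sql_logins WHERE is_disabled = 0 AND name NOT LIKE '##%') AS EnabledSqlLogins
"@
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            Instance         = $Instance
            WindowsAuthOnly  = ([int]$reader['WindowsAuthOnly'] -eq 1)
            ChannelEncrypted = ([string]$reader['EncryptOption'] -eq 'TRUE')
            EnabledSqlLogins = [int]$reader['EnabledSqlLogins']
        }
    }
    finally { $conn.Close() }
}

$state = Get-RmsSqlSecurityState -Instance $SqlInstance
$state | Format-List

# Findings a reviewer would act on
if (-not $state.WindowsAuthOnly)   { Write-Warning 'Mixed-mode authentication is enabled; switch the instance to Windows authentication only.' }
if (-not $state.ChannelEncrypted)  { Write-Warning 'This connection is not encrypted; configure SSL (or IPsec) for the database server.' }
if ($state.EnabledSqlLogins -gt 0) { Write-Warning "$($state.EnabledSqlLogins) enabled SQL-authentication login(s) found (sa included); disable them." }
```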
Do Not Deploy Any Additional Services on AD RMS Servers
After provisioning AD RMS on a server, an organization should not use this server to run any Web sites or additional services. If services other than the AD RMS services run on AD RMS servers, conflicts that can result in security issues may occur. Isolating AD RMS on its own dedicated servers helped Microsoft IT predict and manage workload. Isolation also prevented the introduction of software incompatibilities that may have compromised the integrity or functionality of the AD RMS service.
Create a Dedicated User Account to Use as the AD RMS Service Account
For security reasons, an organization should create a special user account for use as the AD RMS service account. The organization should not use this account for any other purpose and should not give the account any additional permissions. It should add the AD RMS Service Group to the IIS_WPG group on the domain controller. Membership in the IIS_WPG group is required for running the AD RMS application pool (_DRMSAppPool1).
Use an HSM to Help Protect Private Keys
Instead of using software encryption, an organization should use a Hardware Security Module to help protect AD RMS private keys. Using an HSM improves the security of private keys by keeping private keys in tamper-resistant hardware and never exposing them to software-based attacks.
Use Groups to Manage Access to AD RMS Administration
An organization should add members to the AD RMS Enterprise Administrators, AD RMS Auditors, or AD RMS Template Administrators groups, identifying those domain users or domain Global groups that are responsible for administering AD RMS, instead of adding them to the local Administrators group in the AD RMS server.
Note: If AD RMS is running on a domain controller, an organization must add the AD RMS service account to the Domain Admins group. The organization should not add the AD RMS service account to the Enterprise Admins group.
For even higher security, the organization should remove the domain users from the local Users group on the AD RMS servers, and then add the users and groups who are members of the AD RMS Service group to the local Guests group.
Administration
Microsoft IT derived the following lessons and best practices from its experience in managing and administering AD RMS and IRM.
Centralize Servers in a Single Location
It is a best practice to centralize AD RMS server deployment as much as possible (within the known constraints of link reliability and network bandwidth). Centralizing the AD RMS servers simplified server administration duties for Microsoft IT.
Prepare for AD RMS Server Monitoring Issues
The Active Directory Rights Management Services Management Pack is a System Center Operations Manager management pack that manages the logical parts of AD RMS that an operator or administrator is interested in monitoring, configuring, or reporting on. The management pack includes monitoring capabilities on AD RMS Deployment, AD RMS Web Services, and AD RMS Logging Service.
In the information reported by the management pack, color indicates health states:
- Green: Normal operation.
- Yellow: Degraded operation.
- Red: Failure.
Each health state is related to an operation or the type of functionality that a managed entity is designed to perform. Detection rules detect health states.
Although the Active Directory Rights Management Services Management Pack can detect transitions to specific health states, not all rules in the management pack have been designed to take advantage of the State feature of Microsoft Operations Manager. In these cases, transitions to specific health states are exposed only through the generation of alerts, and the relevant health state change is not reflected on the AD RMS Role and related State Views.
For more information about the Active Directory Rights Management Services Management Pack, refer to the Monitoring Scenarios page in the Windows Server 2008 Technical Library at http://technet.microsoft.com/en-us/library/cc468596.aspx.
For more information about the errors and events that AD RMS records, refer to the Events and Errors page for AD RMS in the Windows Server 2008 Technical Library at http://technet.microsoft.com/en-us/library/cc771924.aspx.
Monitor the Size of the Logging Message Queue
An organization should use System Monitor to regularly monitor the size of the outbound logging message queue. If the queue size grows substantially, the organization should verify that the logging listener service is operating correctly. If a malicious user causes the logging listener service to stop, the outbound logging message queue will grow and eventually exceed the disk space of the AD RMS server. If this occurs, the server will deny requests.
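The queue check described above can be automated with the standard MSMQ performance counters instead of watching System Monitor by hand. This is an added example, not part of the case study; it assumes the AD RMS logging queue's counter instance name contains `drms_logging` and that the listener's service display name contains "Rights Management" and "Logging", and the 10,000-message threshold is an illustrative value to be replaced with your own baseline.

```powershell
# Added example (not from the case study): poll the AD RMS outbound logging queue via
# the MSMQ "Messages in Queue" counter, confirm the logging listener service is running
# and check free disk, so a stalled listener is caught before the queue fills the disk.
# Queue and service name patterns are assumptions; the threshold is illustrative.

$QueueNamePattern   = '*drms_logging*'                 # assumed MSMQ instance name pattern
$ServiceNamePattern = '*Rights Management*Logging*'    # assumed listener service display name
$QueueThreshold     = 10000                            # messages; tune to your own baseline
$MinFreeDiskMB      = 2048                             # alert when the system drive is this low

function Get-RmsLoggingQueueState {
    # One counter instance exists per MSMQ queue; keep only the AD RMS logging queue(s)
    $samples = (Get-Counter '\MSMQ Queue(*)\Messages in Queue').CounterSamples |
        Where-Object { $_.InstanceName -like $QueueNamePattern }

    $svc = Get-Service | Where-Object { $_.DisplayName -like $ServiceNamePattern } | Select-Object -First 1
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    [pscustomobject]@{
        QueueInstance   = (($samples | Select-Object -ExpandProperty InstanceName) -join ', ')
        MessagesInQueue = [int](($samples | Measure-Object -Property CookedValue -Sum).Sum)
        ListenerService = if ($svc) { "$($svc.DisplayName): $($svc.Status)" } else { 'not found' }
        ListenerRunning = [bool]($svc -and $svc.Status -eq 'Running')
        FreeDiskMB      = [int]($sysDrive.Free / 1MB)
    }
}

function Test-RmsLoggingQueue {
    # Returns a list of alert strings; an empty list means healthy. Suitable for a
    # scheduled task, an Operations Manager script monitor, or an e-mail notification.
    $s = Get-RmsLoggingQueueState
    $alerts = @()
    if (-not $s.ListenerRunning) {
        $alerts += "Logging listener is not running ($($s.ListenerService)); the queue will grow until the disk is exhausted."
    }
    if ($s.MessagesInQueue -gt $QueueThreshold) {
        $alerts += "Outbound logging queue holds $($s.MessagesInQueue) messages (threshold $QueueThreshold)."
    }
    if ($s.FreeDiskMB -lt $MinFreeDiskMB) {
        $alerts += "Only $($s.FreeDiskMB) MB free on $env:SystemDrive; AD RMS denies requests once the disk fills."
    }
    return $alerts
}

$alerts = Test-RmsLoggingQueue
if ($alerts) { $alerts | ForEach-Object { Write-Warning $_ }; exit 1 }
else { Write-Output 'AD RMS logging queue healthy.' }
```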
Manage Growth in the Logging Database
Every AD RMS licensing request that the Microsoft IT AD RMS servers receive is logged in the AD RMS SQL Server database. The usage of RMS and IRM within Microsoft during the pilot and initial full deployment stages was generating growth in the logging database of about 1 GB per week, with a projection of 1 GB per day after actual usage estimates were realized. To reduce the volume of data to be logged, Microsoft IT later changed the logging configuration so that only critical events and necessary performance data were recorded by default. Microsoft IT enables higher logging settings only when necessary for research or troubleshooting purposes.
To aggregate logging data from the different AD RMS clusters, Microsoft IT developed a series of scripts and created a secondary, separate database to serve as a logging database archive. The scripts pull out from each cluster the data that is most relevant for usage reporting and store it in a single centralized database. Microsoft IT also implemented a script that keeps only the past 30 days of raw data on a rolling basis within the live AD RMS logging database. Any older data is archived to the Microsoft IT–developed database.
The “request duration” record for each AD RMS transaction is one of the best performance indicators, because it gives an overall indication of the load and efficiency of the servers and of the user experience. AD RMS also provides Windows performance counters that record the average number of transactions processed during the past second, and the number of long-running transactions. Microsoft IT collects the performance counters only during research or troubleshooting activities, with no permanent storage for historical counters.
Microsoft IT uses SQL Server Reporting Services to automatically produce—daily and on demand—reports of AD RMS usage, status, and performance. Among the most useful reports are request volume by type, frequency and distribution of licensing errors by type, and average request duration by hour. Microsoft IT uses these reports daily to assess the health and performance of the AD RMS infrastructure and to plan proactive maintenance and expansion.
Develop Policy Templates
AD RMS templates, such as those that Microsoft IT created for use with Office Enterprise 2007, enable enterprises to define what types of official, global AD RMS policies they want their staff to use as publishers of confidential content. Templates can be made to help protect company-confidential content, attorney/client privileged content, business partner content, and more. The IT group of any large enterprise organization should involve the corporate legal and security teams in brainstorming what is needed to enforce corporate communication policies.
Perform Frequent Backups of the Configuration Databases
The configuration databases store information that is vital to the functioning of AD RMS. In addition, the load-balanced AD RMS cluster configuration database stores the key pairs for the entire installation. If an organization performs regular backups, it can quickly restore AD RMS if a database server fails.
Any enterprise deploying AD RMS should have, at a minimum, a log-shipped secondary (warm standby backup) server available in case the shared disk drive storage in the load-balanced AD RMS cluster has a catastrophic failure. A warm standby server will enable the IT team to recover AD RMS service with a minimum of delay. Microsoft IT backs up its logs every three minutes, so in a worst-case scenario, the databases can be restored to within three minutes of failure, minimizing the effect of a service outage.
Expired content does not delete itself—it only locks out the consumer. The publisher and members of the Super User distribution group can still open the content.
Customized AD RMS Templates Available from Microsoft IT
The IRM-enabled applications in the corresponding editions of Microsoft Office support the use of preconfigured, default, rights-setting policy templates to help enterprises define the most commonly needed standardized sets of rights for safeguarding documents.
For example, with Office Outlook e-mail, the only default assignable IRM setting is read-only. Through an AD RMS template, customizable rights beyond the default can be applied. All of the AD RMS–enabled applications in Office support the same policy templates.
Microsoft IT offers users at Microsoft five AD RMS templates to help protect Microsoft Office e-mail messages and documents. All of these templates define the intended audience, based on the use of specific company distribution groups and the specific rights provided to that audience. The templates are identified as follows:
1. Microsoft Confidential
2. Microsoft Confidential Read Only
3. Microsoft FTE Confidential
4. Microsoft FTE Confidential Read Only
5. Do Not Reply All
With the first two templates, the distribution group used is the Microsoft All Staff distribution group. This group includes all Microsoft full-time employees (FTEs), contractors, and vendor staff. Any person not included in this distribution group, such as people outside the company, cannot open content protected through this template. The second template modifies the first template with the application of restrictive read-only rights.
The third and fourth templates use the Microsoft FTE-only distribution group. Any person not included in this distribution group—such as contractor and vendor staff, along with anyone outside the company—cannot open any content protected through this template. The fourth template applies the restrictive read-only rights to the FTE distribution group.
Finally, when the Do Not Reply All template is applied to a message, its recipients cannot use the Reply All function, preventing large volumes of response traffic to messages sent to many recipients.
The master version of a rights policy template resides in the AD RMS database and is always used when a use license is created so that the most recent policy set by the AD RMS administrator is enforced. Each template created must be exported to each AD RMS client computer that needs to use the template. These local versions of the templates do not need to be updated every time the AD RMS administrator updates the template, because the AD RMS server uses its own copy when evaluating the rights specified in the template. However, templates still need to be available locally for a user to select them when performing offline publishing, as in the case of Microsoft Office applications.
If the feature that requires a new use license with every access is used with a template, rights policies can be dynamically changed after the document has been published or sent in e-mail. This way, the company retains the option to further restrict or loosen control on one or more users at any time.
Figure: AD RMS topology for the main corporate forest
For the complete case study, please visit
Mike Galovich
Ahmed,
What is the best way to email RMS protected documents to external users?
I read the documents in this string, but it seems like there could be an easier way.
http://technet.microsoft.com/en-us/library/dd996659(WS.10).aspx
Thanks
Mike
Ahmed Hussein
Hi Mike,
Unfortunately, not many options are available. The most common are federation services or MSN tokens; the first one requires infrastructure, the second requires a subscription. In some cases (less secure environments) you can create a new domain with a trust relationship and create the users there, but as I said, it's less secure.
Regards,
Ahmed