2025-02-23 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/03 report
Contents
I. What is AD RMS?
  1. Introduction to AD RMS
  2. Overview of AD RMS clusters
  3. Introduction to the AD RMS client
  4. Why does the AD RMS environment need IIS?
  5. Why does the AD RMS environment need a database?
II. Deploy the AD RMS service
  1. The environment
  2. Environment analysis
  3. Problem analysis (how AD RMS works)
  4. Case implementation
I. What is AD RMS?
1. Introduction to AD RMS
RMS (Rights Management Services) first shipped as an add-on for Windows Server 2003, with the purpose of protecting enterprise information from unauthorized use.
Beginning with Windows Server 2008 it became a built-in server role, officially named AD RMS (Active Directory Rights Management Services), and Windows Server 2016 ships it in that form. AD RMS works together with AD RMS-enabled applications (Office, for example) to prevent unauthorized use of digital information, and is aimed at organizations that need to protect sensitive or proprietary data. It strengthens an organization's security policy through persistent usage policies: the policy travels with the information wherever it is moved, instead of depending on the NTFS or share permissions of whatever folder the file currently sits in.
2. Overview of AD RMS clusters
An AD RMS cluster is a single server running AD RMS, or a group of servers that share the certification and licensing requests coming from AD RMS clients. The first AD RMS server set up in an Active Directory forest becomes a cluster by itself, and more servers can be added to that cluster at any time.
AD RMS has two cluster types: root clusters and licensing-only clusters.
The first server in an AD RMS installation is the root cluster. It handles all certification and licensing requests for the Active Directory Domain Services (AD DS) forest in which it is installed. In complex environments you can add licensing-only clusters alongside the root cluster, but the recommendation is a single root cluster with additional AD RMS servers joined to it.
3. Introduction to the AD RMS client
The AD RMS client ships with Windows 10 and Windows Server 2016 (it has been part of Windows since Vista and Server 2008). For older systems such as Windows XP, Windows 2000 or Windows Server 2003, a compatible client could be downloaded from the Microsoft Download Center; those systems are long out of support and should not be on the network at all.
4. Why does the AD RMS environment need IIS?
The client talks to the AD RMS server over HTTP or HTTPS: the certification and licensing pipelines are web services hosted by IIS under /_wmcs, so IIS must be installed on the AD RMS server. Use HTTPS for the cluster URL. Rights account certificates and use licenses are issued over that channel, and the cluster URL is written into every publishing license, so it is both security-relevant and hard to change after the fact.
5. Why does the AD RMS environment need a database?
The database stores the AD RMS configuration, rights policy templates and logging data. Either SQL Server or the Windows Internal Database (WID) that comes with AD RMS can be used. WID is fine for a lab, but a cluster that uses WID cannot have further servers added to it, and the configuration database must be backed up together with the cluster key password, because losing them means losing access to everything protected by that cluster.
II. Deploy the AD RMS service
1. The environment is as follows:
2. Environment analysis:
The domain environment and Office 2016 on the clients were prepared in advance and are not covered here; if you need those steps, leave a comment or message me privately. To reduce cost, no separate SQL Server is used: the cluster uses the Windows Internal Database that comes with AD RMS.
Two Windows Server 2016 machines and two Windows 10 machines are used.
DC1 runs the domain (installed in advance, so no screenshots); on it we add Certificate Services, the AD RMS service account and two ordinary user accounts.
DC3 joins the domain and runs IIS and the AD RMS service.
The Windows 10 clients have Office 2016 installed in advance, to verify that the permissions are actually enforced.
3. Problem analysis:
To deploy and maintain AD RMS successfully you need to understand how it works. The basic flow, from the file owner creating a protected file to an authenticated recipient opening it, is as follows:
1) When user bob protects a file for the first time, his client first obtains a CLC (client licensor certificate) from the AD RMS server; all subsequent protection work is done with this certificate.
2) bob creates the file in an AD RMS-enabled application and protects it at the same time, choosing which users may use the file and with which rights. From these rights the client generates a publishing license, which contains the permissions and conditions for using the file.
3) The AD RMS client encrypts the original file with a symmetric key (the content key).
4) The AD RMS client places the symmetric key in the publishing license and encrypts it with the public key of the AD RMS server. From this point the file carries no key that a reader can use directly; only the server can recover the content key.
5) When recipient tom opens the file with an AD RMS client, the client obtains a RAC (rights account certificate) from the AD RMS server if the computer does not already have one. The RAC binds tom's identity to a key pair.
6) The AD RMS client sends a use license request to the AD RMS server, including tom's RAC and the publishing license (which contains the symmetric key encrypted with the server's public key).
7) The AD RMS server decrypts the publishing license with its own private key and obtains the usage policy and the symmetric key.
8) If the policy names tom, the server encrypts the usage policy and symmetric key with tom's public key from the RAC, producing a use license, and sends it to tom.
9) tom decrypts the use license with his own private key, obtains the usage policy and symmetric key, decrypts the original file and opens it with exactly the rights the policy defines.
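The nine steps above reduced to their cryptography, as an added example that is not code from the article or from AD RMS itself. Each party is an RSA key pair created with .NET in one PowerShell session; the "publishing license" and "use license" are JSON blobs encrypted with RSA-OAEP rather than the XrML documents the real protocol exchanges over IIS, and the user names, policy values and document text are constructed for the illustration. What it shows is the dependency chain the steps describe: the content key is wrapped for the server, the server re-wraps it only for a user the policy names, and a user who merely holds the file cannot recover anything.

```powershell
# Added illustration of the AD RMS key chain (steps 3-9). Not the real XrML protocol; same key dependencies.
function New-RsaPair { New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048 }
function Get-PublicOnly([System.Security.Cryptography.RSACryptoServiceProvider]$rsa) {
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($rsa.ExportParameters($false))     # public parameters only, as a RAC/SLC would carry
    return $pub
}

$serverKey = New-RsaPair          # cluster key (the key the server licensor certificate certifies)
$tomKey    = New-RsaPair          # tom's RAC key pair
$eveKey    = New-RsaPair          # a user the policy never names (constructed for the example)
$serverPub = Get-PublicOnly $serverKey

# ---- bob's client: steps 2-4 -------------------------------------------------
$plaintext = [Text.Encoding]::UTF8.GetBytes('Q3 board minutes - confidential')   # constructed document
$aes = [System.Security.Cryptography.Aes]::Create()       # CBC/PKCS7 by default
$aes.KeySize = 128                                        # AD RMS content keys are AES-128
$aes.GenerateKey(); $aes.GenerateIV()
$cipherBytes = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# publishing license = usage policy + content key, readable only by the AD RMS server
$policy = [ordered]@{ 'bob@benet.com' = 'OWNER'; 'tom@benet.com' = 'VIEW' }
$plJson = [ordered]@{ policy = $policy; key = [Convert]::ToBase64String($aes.Key); iv = [Convert]::ToBase64String($aes.IV) } |
    ConvertTo-Json -Compress
$publishingLicense = $serverPub.Encrypt([Text.Encoding]::UTF8.GetBytes($plJson), $true)   # RSA-OAEP
# What travels with the file: $cipherBytes + $publishingLicense. No key the reader can use.

# ---- AD RMS server: steps 6-8 ------------------------------------------------
function Grant-UseLicense {
    param([byte[]]$PublishingLicense, [string]$Requester,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RequesterPub)   # public key from the RAC
    $pl = [Text.Encoding]::UTF8.GetString($serverKey.Decrypt($PublishingLicense, $true)) | ConvertFrom-Json
    $right = $pl.policy.$Requester
    if (-not $right) { throw "use license denied: $Requester is not named in the publishing license" }
    # use license = content key + this user's rights, wrapped for the requester's RAC key only
    $ul = [ordered]@{ user = $Requester; right = $right; key = $pl.key; iv = $pl.iv } | ConvertTo-Json -Compress
    return $RequesterPub.Encrypt([Text.Encoding]::UTF8.GetBytes($ul), $true)
}

# ---- tom's client: steps 5 and 9 ---------------------------------------------
function Open-ProtectedContent {
    param([byte[]]$UseLicense, [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey, [byte[]]$Ciphertext)
    $ul = [Text.Encoding]::UTF8.GetString($PrivateKey.Decrypt($UseLicense, $true)) | ConvertFrom-Json
    $dec = [System.Security.Cryptography.Aes]::Create()
    $dec.Key = [Convert]::FromBase64String($ul.key); $dec.IV = [Convert]::FromBase64String($ul.iv)
    $clear = $dec.CreateDecryptor().TransformFinalBlock($Ciphertext, 0, $Ciphertext.Length)
    [pscustomobject]@{ Right = $ul.right; Text = [Text.Encoding]::UTF8.GetString($clear) }
}

$tomUL = Grant-UseLicense -PublishingLicense $publishingLicense -Requester 'tom@benet.com' -RequesterPub (Get-PublicOnly $tomKey)
Open-ProtectedContent -UseLicense $tomUL -PrivateKey $tomKey -Ciphertext $cipherBytes     # Right = VIEW, Text = the minutes

# Holding the file is not enough: tom's own key cannot open the publishing license ...
try { $tomKey.Decrypt($publishingLicense, $true) | Out-Null } catch { "tom cannot read the publishing license: $($_.Exception.Message)" }
# ... and the server refuses a user the policy does not name, so eve never sees the content key.
try { Grant-UseLicense $publishingLicense 'eve@benet.com' (Get-PublicOnly $eveKey) | Out-Null } catch { $_.Exception.Message }
```

The point to take from the last two lines is where the enforcement actually lives: the server is the only party that can turn a publishing license back into a content key, which is why the cluster key, its password and the server's private key deserve the same protection as the data, and why a reader needs to reach the cluster at least once per document before any offline use.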
4. Case implementation:
The DC1_AD server is deployed as follows:
Log on to the AD server and configure the IP address, gateway and DNS.
In the domain create an organizational unit named ADRMS and a user named adrms to run the AD RMS service, with the password set never to expire. The article adds this account to Domain Admins; note that Microsoft's guidance is a plain domain user with no additional privileges for the service account, while the account that runs the AD RMS configuration wizard needs Enterprise Admins only so that it can register the service connection point (SCP) in Active Directory.
Create two ordinary users, tom and bob, and give each an email address. AD RMS identifies users by the mail attribute, so a user without one cannot be granted rights; the addresses are used later when verifying AD RMS.
Open Server Manager and click Add Roles and Features.
On the Before You Begin page of the Add Roles and Features Wizard, click Next.
On the Installation Type page keep the default and click Next. (Default pages like this one are not screenshotted individually from here on.)
On the Server Selection page keep the default and click Next.
On the Select Server Roles page select the Active Directory Certificate Services check box; in the prompt that appears click Add Features, then Next.
On the Role Services page select the Certification Authority Web Enrollment check box; in the prompt that appears click Add Features, then Next.
Start the installation of AD Certificate Services.
After the installation completes, configure the certificate service: on the Credentials page keep the defaults and click Next.
On the Role Services page select the Certification Authority and Certification Authority Web Enrollment check boxes, then click Next.
On the Setup Type page select Enterprise CA and click Next.
When the CA configuration is complete, open cmd and run "gpupdate /force" to refresh Group Policy (do the same later on the DC3_RMS server). This is what pushes the new enterprise root CA into the domain's trusted root store, so that DC3 and the clients will trust the certificate the RMS server presents.
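The same DC1_AD preparation as PowerShell, as an added example that is not from the article. It assumes the domain's DNS name is benet.com (the article only names the NetBIOS domain benet), a CA name of benet-DC1-CA, and that it is run on DC1 by a member of Enterprise Admins; the passwords are prompted for. It deliberately departs from the article in one place: the adrms service account is left out of Domain Admins, in line with Microsoft's guidance, and the comment says so.

```powershell
# Added example: DC1_AD steps as PowerShell. Assumptions: domain benet.com, CA name benet-DC1-CA, run as Enterprise Admin.
Import-Module ActiveDirectory, ServerManager

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=benet,DC=com
New-ADOrganizationalUnit -Name ADRMS -Path $domainDn

# Service account for the AD RMS cluster. The article adds it to Domain Admins; Microsoft recommends
# a plain domain user with no extra rights, so no group membership is granted here (least privilege).
$svcPwd = Read-Host -AsSecureString 'Password for the adrms service account'
New-ADUser -Name adrms -SamAccountName adrms -UserPrincipalName 'adrms@benet.com' `
    -Path "OU=ADRMS,$domainDn" -AccountPassword $svcPwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -Description 'AD RMS service account'

# Two ordinary users. AD RMS addresses users by the mail attribute, so set it at creation time.
foreach ($u in 'bob', 'tom') {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@benet.com" `
        -EmailAddress "$u@benet.com" -Path "OU=ADRMS,$domainDn" `
        -AccountPassword (Read-Host -AsSecureString "Password for $u") -Enabled $true
}

# AD CS: enterprise root CA plus web enrollment, the same role services the wizard pages select.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'benet-DC1-CA' `
    -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force
gpupdate /force

# Checks before moving on to DC3: the users carry a mail address, and the CA is published in the forest
# (the enrollment-services object is what makes "Create Domain Certificate" on DC3 find it).
Get-ADUser -Filter { mail -like '*@benet.com' } -Properties mail | Select-Object SamAccountName, mail
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' | Select-Object Name
```

If the second check returns nothing, DC3's certificate request in the next section will not be able to locate an online CA, so fix that before continuing.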
At this point the DC1_AD server is complete, and deployment of the DC3_RMS server begins.
The DC3_RMS server is deployed as follows:
Log on to DC3_RMS, configure the IP address and DNS (pointing at DC1), and join the domain.
Join the domain.
After the machine reports that it has joined the benet domain, restart the computer.
Open cmd and run "gpupdate /force" to refresh Group Policy.
Install the ASP.NET 4.6 feature, the Windows Internal Database and Message Queuing (MSMQ). (The default wizard pages before this step are not shown; they are the same as on DC1.)
Add the Web Server (IIS) role, then request a certificate for the RMS server and install it, accepting the defaults.
Open IIS Manager.
Click Server Certificates.
Select Create Domain Certificate.
Fill in the certificate properties. The common name must be the name the clients will use for the cluster (the cluster URL configured below), otherwise the HTTPS connection will fail certificate validation.
Specify the online certification authority (the enterprise CA on DC1), make a note of the friendly name, and restart the computer.
Add the AD RMS role.
Configure AD RMS.
Select Create a new AD RMS root cluster.
Select Use Windows Internal Database on this server.
Specify the domain user account that the service will run as (the adrms user created on DC1).
Specify the cryptographic mode. Keep the default, Cryptographic Mode 2 (RSA 2048-bit keys and SHA-256 hashes).
Keep the default key storage (AD RMS centrally managed) and create a cluster key password. Store this password somewhere safe: it is required to add servers to the cluster and to restore it.
Keep the default on the next page, then specify the cluster address: use https and the name on the domain certificate that was just requested.
When the installation completes, restart the computer.
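The DC3_RMS preparation as PowerShell, as an added example that is not from the article. It assumes the domain benet.com, the cluster name adrms.benet.com, the CA and the benet\adrms service account created on DC1, and that it runs elevated as an account that is both a local administrator and an Enterprise Admin (needed to register the SCP). The IIS, certificate and feature cmdlets are standard; the AdRmsInstall provider paths and property names in step 5 are quoted from memory of Microsoft's ADRMS module and are an assumption to verify on your build before running, and certificate enrollment to the machine store requires the WebServer template to grant Enroll to this computer (if it does not, use the IIS "Create Domain Certificate" step from the article instead).

```powershell
# Added example: DC3_RMS as PowerShell. Assumptions: domain benet.com, cluster https://adrms.benet.com, benet\adrms service account.

# 1. Join the domain (reboots; continue with the rest afterwards, as the article does).
Add-Computer -DomainName benet.com -Credential (Get-Credential 'benet\administrator') -Restart

# 2. The prerequisites the wizard asks for: IIS, ASP.NET 4.x, Windows Internal Database, MSMQ, and the AD RMS role.
Install-WindowsFeature ADRMS, Web-Server, Web-Asp-Net45, Windows-Internal-Database, MSMQ -IncludeManagementTools

# 3. Domain certificate for the cluster name from DC1's enterprise CA (the "Create Domain Certificate" step).
#    Assumption: the WebServer template grants Enroll to this machine account.
$req = Get-Certificate -Template WebServer -SubjectName 'CN=adrms.benet.com' -DnsName adrms.benet.com `
    -CertStoreLocation Cert:\LocalMachine\My -Url ldap:
if ($req.Status -ne 'Issued') { throw "certificate not issued: $($req.Status)" }
$cert = $req.Certificate

# 4. Bind HTTPS on the Default Web Site to that certificate; the AD RMS pipelines are created under /_wmcs later.
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# 5. Root cluster with WID and a centrally managed cluster key (same choices as the wizard pages).
#    Provider paths/property names below are an assumption from memory of the ADRMS module; verify first with
#    Get-ItemProperty on the RC: drive, or do this page with the wizard as the article does.
Import-Module ADRMS
New-PSDrive -PSProvider AdRmsInstall -Name RC -Root RootV3 | Out-Null
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value (Get-Credential 'benet\adrms')
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value (Read-Host -AsSecureString 'Cluster key password')
Set-ItemProperty -Path RC:\ClusterUrl -Name Address -Value 'https://adrms.benet.com'
Set-ItemProperty -Path RC:\ClusterUrl -Name Port -Value 443
Install-ADRMS -Path RC:\ -Force
Restart-Computer

# 6. After the reboot, two checks the wizard does not make for you: the certification pipeline answers over
#    HTTPS with the domain certificate, and the SCP the clients use for discovery exists in the configuration partition.
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials 'https://adrms.benet.com/_wmcs/certification/certification.asmx' |
    Select-Object StatusCode
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=RightsManagementServices,CN=Services,$cfg" `
    -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties serviceBindingInformation |
    Select-Object Name, serviceBindingInformation
```

The serviceBindingInformation value is the URL the Office clients will be handed by Active Directory; if it shows http rather than https, or a name that does not match the certificate, fix it now rather than after documents have been protected against it.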
With both servers deployed, once a client joins the domain you can create a document and set permissions on it.
The client deployment is as follows:
Configure the IP address and DNS on the two clients that have Office installed, and join them to the domain.
Join the domain and restart. The same steps for the win10_02 client are not shown; its IP address can be planned as 192.168.100.40 (adjust to your own plan).
After the restart, log on with the local administrator, add the domain account to the local Administrators group, disable the local administrator logon, and the domain account then administers the computer. Note that AD RMS itself does not need this: a standard user can protect and open protected documents, so grant local administrator rights only if you need them for something else.
Add the domain account to the local Administrators group.
Disable the local administrator account.
Log off and log on to the domain as bob. (The second client is configured the same way, substituting tom for bob and logging on as tom; not shown.)
When both clients are ready, start setting AD RMS permissions: create a Word document, open the permission settings, and connect to the rights management server, i.e. the DC3 AD RMS server.
Sign in with the account and password to obtain the rights policy templates and set permissions.
Select Restrict Access and set the permissions.
Here tom is given Read permission only; we then log on as tom on the other client to see the effect.
Under More Options you can see that bob has Full Control while tom has only Read.
Save the document, create a shared folder, and share the Word document with tom. When tom accesses the shared file (or downloads a copy), he only has read access to the Word document.
Tom logs on.
Only read permissions are available.
I use a third-party screenshot tool. When the screenshot tool is run as administrator, the capture comes out as a black screen, which is enough to show how finely and precisely RMS controls permissions.
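Client preparation and a way to confirm that the RMS client really obtained its certificates, as an added example that is not from the article. It assumes the domain benet.com, the cluster https://adrms.benet.com, the user names from the article, and that the AD cmdlet at the end is run where RSAT is installed. The %LOCALAPPDATA%\Microsoft\MSIPC cache location is a fact about the Office 2016 MSIPC client; everything else named here is the article's own environment.

```powershell
# Added example: Windows 10 client steps as PowerShell, plus checks. Assumptions: domain benet.com, cluster adrms.benet.com.

# ---- on each Windows 10 client, elevated, as the local administrator ----
Add-Computer -DomainName benet.com -Credential (Get-Credential 'benet\administrator') -Restart

# After the reboot. The article makes the domain user a local administrator and disables the built-in
# Administrator; AD RMS needs neither (a standard user can protect and open content), so the first line is optional.
Add-LocalGroupMember -Group Administrators -Member 'benet\bob'     # optional, per the article; use benet\tom on win10_02
Disable-LocalUser -Name Administrator
gpupdate /force

# Before testing in Word: the client must reach the licensing pipeline over HTTPS with a trusted certificate.
# A certificate error here means the CA root from DC1 has not reached this client yet (run gpupdate and wait).
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials 'https://adrms.benet.com/_wmcs/licensing/license.asmx' |
    Select-Object StatusCode

# ---- as bob, after Word has protected a document with Restrict Access ----
# Office 2016's MSIPC client caches the machine certificate, RAC and CLC under this folder as .drm files.
# If nothing appears after protecting a document, the client never completed certification with the cluster.
Get-ChildItem "$env:LOCALAPPDATA\Microsoft\MSIPC" -Recurse -Filter *.drm |
    Select-Object Name, LastWriteTime

# ---- as tom, after opening bob's document ----
# The same folder now also holds tom's RAC and the use license for that document (the license the server
# wrapped for tom's key in step 8 of the problem analysis). A user the policy does not name gets no license,
# so for them the shared file is just ciphertext.
Get-ChildItem "$env:LOCALAPPDATA\Microsoft\MSIPC" -Recurse -Filter *.drm |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 Name, LastWriteTime
```

Because the use license is cached, tom keeps read access to that document offline until the license expires; if you need rights to be revocable promptly, set a short use-license validity in the rights policy template rather than relying on the default.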