<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US"><title type="html">RMS: Protecting Your Assets.</title><subtitle type="html">The Protecting 'My' Asset Disclaimer: 
This is my 'un-official', 'in my spare time', 'use at your own risk',  all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Platform), and a bunch of other acronyms I bet you've never heard of, blog.</subtitle><id>http://blogs.technet.com/rmssupp/atom.xml</id><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/default.aspx" /><link rel="self" type="application/atom+xml" href="http://blogs.technet.com/rmssupp/atom.xml" /><generator uri="http://communityserver.org" version="2.1.61025.2">Community Server</generator><updated>2009-02-21T22:27:00Z</updated><entry><title>Learning about ADRMS. Finally....</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/10/30/learning-about-adrms-finally.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/10/30/learning-about-adrms-finally.aspx</id><published>2009-10-30T14:01:00Z</published><updated>2009-10-30T14:01:00Z</updated><content type="html">&lt;P&gt;I know it was about a year ago, I promised that I would put up some training materials for ADRMS. Well I will be teaching some support engineers at Microsoft about ADRMS, and how to support it. Part of this class (which will be available to customers at some point) contains lab materials. I recorded myself going through most of the lab materials, and explaining what I was doing along the way, so I could time them, and make sure the environment was working properly.&lt;/P&gt;
&lt;P&gt;I screwed up a couple times during them, and the audio lags a bit in the demos (I used Demo Builder), but if you are self-loathing and want to watch me go through this lab environment and be annoyed by my voice for a few hours, here they are.&lt;/P&gt;
&lt;P&gt;First Demo:&lt;BR&gt;&lt;A class="" title="Doing it All Wrong" href="http://ipcgodz.com/adrms_training/Doing_it_All_Wrong.html" mce_href="http://ipcgodz.com/adrms_training/Doing_it_All_Wrong.html"&gt;Doing it all wrong&lt;/A&gt; - So to train CSS engineers, you need to be able to show them how someone can completely screw up an environment, so they know how to help people back out of it, and get into a 'best business' state. So I show you how to screw up your environment in this one, including how to activate a MOSS server against RMS...even though you will need to re-do it once we fix things.&lt;/P&gt;
&lt;P&gt;Second Demo:&lt;BR&gt;&lt;A class="" title="Why This is Wrong" href="http://ipcgodz.com/adrms_training/Why_this_is_Wrong.html" mce_href="http://ipcgodz.com/adrms_training/Why_this_is_Wrong.html"&gt;Why this is wrong&lt;/A&gt; - In this demo we discuss why setting up your environment as previously discussed is "bad", and show some examples.&lt;/P&gt;
&lt;P&gt;Third Demo:&lt;BR&gt;&lt;A class="" title="Correcting the Problem" href="http://ipcgodz.com/adrms_training/Correcting_the_Problem.html" mce_href="http://ipcgodz.com/adrms_training/Correcting_the_Problem.html"&gt;Correcting the problem&lt;/A&gt; - In this demo, I show how to back out of this bad state, and still be able to open content created against the old installation, while working with new content.&lt;/P&gt;
&lt;P&gt;Fourth Demo:&lt;BR&gt;&lt;A class="" title="Correcting the Other Problems" href="http://ipcgodz.com/adrms_training/Correcting_the_Other_Problems.html" mce_href="http://ipcgodz.com/adrms_training/Correcting_the_Other_Problems.html"&gt;Correcting the other problems&lt;/A&gt; - In this demo I show you how to clean up other problems you may have left over from the incorrectly deployed environment. We fix your MOSS environment in this one.&lt;/P&gt;
&lt;P&gt;Fifth Demo:&lt;BR&gt;&lt;A class="" title="RMS Templates" href="http://ipcgodz.com/adrms_training/RMS_Templates.html" mce_href="http://ipcgodz.com/adrms_training/RMS_Templates.html"&gt;RMS Templates&lt;/A&gt; - In this demo, I show you how to create RMS Templates, discuss why you should use templates, and how to deploy them. I also show how to speed up your demo environment, with a GPO setting one of the PG members gave me, that corrects a certificate chaining issue you'll have when using RMS in an environment with no internet access.&lt;/P&gt;
&lt;P&gt;Sixth Demo:&lt;BR&gt;&lt;A class="" title="Other ADRMS Features" href="http://ipcgodz.com/adrms_training/Other_ADRMS_Features.html" mce_href="http://ipcgodz.com/adrms_training/Other_ADRMS_Features.html"&gt;Other ADRMS Features&lt;/A&gt; - In this demo I discuss RAC policies, Exclusion Policies, Security Policies, and the other creepy things that exist in ADRMS.&lt;/P&gt;
&lt;P&gt;Seventh Demo:&lt;BR&gt;&lt;A class="" title="ADRMS Super Users" href="http://ipcgodz.com/adrms_training/ADRMS_Super_Users.html" mce_href="http://ipcgodz.com/adrms_training/ADRMS_Super_Users.html"&gt;ADRMS Super Users&lt;/A&gt; - In this demo we discuss super users, how to set them up, and why you would need them.&lt;/P&gt;
&lt;P&gt;Eighth Demo:&lt;BR&gt;&lt;A class="" title="ADRMS and Exchange 2010" href="http://ipcgodz.com/adrms_training/ADRMS_and_Exchange_2010.html" mce_href="http://ipcgodz.com/adrms_training/ADRMS_and_Exchange_2010.html"&gt;ADRMS and Exchange 2010&lt;/A&gt; - In this demo I show you how to IRM Enable Exchange 2010, to allow OWA IRM functionality, as well as Transport Rules. It is still in beta, but you can download it from the MSDN and start playing with it. I don't cover *all* of the IRM functionality like journaling, and E-discovery, but we cover the activation.&lt;/P&gt;
&lt;P&gt;Ninth Demo:&lt;BR&gt;&lt;A class="" title="ADRMS and ADFS Integration" href="http://ipcgodz.com/adrms_training/ADRMS_and_ADFS_Integration.html" mce_href="http://ipcgodz.com/adrms_training/ADRMS_and_ADFS_Integration.html"&gt;ADRMS and ADFS Integration&lt;/A&gt; - In this demo I show how to set up an ADFS trust with another forest, and set up ADRMS to use this trust so users in forests with no ADRMS server can create and consume content with your organization. I run into a few problems with this lab, because I forgot to add the 'fast' GPO setting, and one of my user rights on the RMS server blew chunks...but hey...you need to know what to do right?&lt;/P&gt;
&lt;P&gt;I need to add two more to complete this. Group Expansion Across Forests, and Windows Mobile. I'll be adding those next week.&lt;/P&gt;
&lt;P&gt;Hope this helps someone.&lt;/P&gt;
&lt;P&gt;I just registered IPCGodz.com so if you can get to it today, it should be ok within 24 hours.&lt;/P&gt;
&lt;P&gt;Thanks.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;Jason&lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3290398" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Free Bulk Protection Tool - Get it while it's hot.</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/10/30/free-bulk-protection-tool-get-it-while-it-s-hot.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/10/30/free-bulk-protection-tool-get-it-while-it-s-hot.aspx</id><published>2009-10-30T12:17:00Z</published><updated>2009-10-30T12:17:00Z</updated><content type="html">&lt;P&gt;Congratulations to the bulk protection tool team for getting this tool delivered ahead of schedule.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd" mce_href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd"&gt;http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;FONT face=Calibri size=3&gt;This tool can be used to perform E-Discovery of content for litigation or audit purposes, safeguard existing sensitive information on company shares, and also works in conjunction with the &lt;/FONT&gt;&lt;A href="http://www.microsoft.com/windowsserver2008/en/us/fci.aspx" target=_blank mce_href="http://www.microsoft.com/windowsserver2008/en/us/fci.aspx"&gt;&lt;FONT face=Calibri size=3&gt;File Classification Infrastructure (FCI)&lt;/FONT&gt;&lt;/A&gt;&lt;FONT face=Calibri size=3&gt; feature in Windows Server 2008 R2 to classify and protect company sensitive information. Customers have been asking for this for ...well... as long as I can remember.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Calibri size=3&gt;So go get it, and try it out. &lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face=Calibri size=3&gt;Have Fun.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;-Jason &lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3290358" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Managing your ADRMS database</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/10/26/managing-your-adrms-database.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/10/26/managing-your-adrms-database.aspx</id><published>2009-10-26T12:41:00Z</published><updated>2009-10-26T12:41:00Z</updated><content type="html">&lt;P&gt;For all those interested in best practices for ADRMS Performance and Logging, check out this technet section.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;A href="http://technet.microsoft.com/en-us/library/dd941633(WS.10).aspx"&gt;http://technet.microsoft.com/en-us/library/dd941633(WS.10).aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;-Jason&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3289169" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Nothing to do with RMS - Protect your home machines.</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/10/21/nothing-to-do-with-rms-protect-your-home-machines.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/10/21/nothing-to-do-with-rms-protect-your-home-machines.aspx</id><published>2009-10-21T20:27:00Z</published><updated>2009-10-21T20:27:00Z</updated><content type="html">&lt;P&gt;For anyone that didn't know, Microsoft has released a *free* Anti-Virus, Anti-Spyware/Malware&amp;nbsp;application that you can stick on all of your home machines.&lt;/P&gt;
&lt;P&gt;I am running it on all of mine at home, and it works great. The best kind of AV product is one you don't know is there....until you need it.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;A href="http://www.microsoft.com/security_essentials/"&gt;http://www.microsoft.com/security_essentials/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;Check it out.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;-Jason&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3288260" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Do you know how to get a message directly to the ADRMS product group?</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/06/09/do-you-know-how-to-get-a-message-directly-to-the-adrms-product-group.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/06/09/do-you-know-how-to-get-a-message-directly-to-the-adrms-product-group.aspx</id><published>2009-06-09T17:49:00Z</published><updated>2009-06-09T17:49:00Z</updated><content type="html">&lt;P&gt;For those of you that don't know, the ADRMS development team actually has their own blog. They have been posting articles out there with some good information, and it is an 'official' ADRMS blog, unlike mine, which is just a bunch of crazy ramblings I've put together in the early morning hours so I have a public repository of things I need to remember. Plus, I'm not allowed at the local stand-up comedy club anymore. Those people just don't appreciate the humor of someone installing ADRMS on a Domain Controller, that only my audience here does.&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;Plus...when you make comments on their blog, it actually goes to the team that is writing and designing the product. If there is something you want to see in the product, or something you don't like and would like to see changed, or if you just want to write a long story about how ADRMS helped you survive your horrific life-altering ordeal in the Australian outback, you can rest assured that the team responsible for ADRMS will be reading it. Not that I don't love those stories, and all of the comments and questions I get, but now you have *two* places to ask, and as I always say 4-1/2 heads are better than 2-1/4.&lt;BR&gt;&lt;/P&gt;
&lt;P&gt;&lt;A title="ADRMS Team Blog" href="http://blogs.msdn.com/rms" mce_href="http://blogs.msdn.com/rms"&gt;ADRMS Team Blog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;UPDATE: Rather than waste a whole new post to tell people this I'll post it here. I just put *all* of the click-through demos I have in my previous click-through post. &lt;A href="http://blogs.technet.com/rmssupp/archive/2009/02/04/click-through-demos-they-re-the-cats-pajamas.aspx"&gt;http://blogs.technet.com/rmssupp/archive/2009/02/04/click-through-demos-they-re-the-cats-pajamas.aspx&lt;/A&gt;&amp;nbsp;. You're welcome. &lt;/P&gt;
&lt;P&gt;-Jason &lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3252531" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Obama Says: Cyber Security is *top* Priority. Cyber Czar TBA.</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/29/obama-say-s-cyber-security-is-top-priority-cyber-czar-tba.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/29/obama-say-s-cyber-security-is-top-priority-cyber-czar-tba.aspx</id><published>2009-05-29T18:24:00Z</published><updated>2009-05-29T18:24:00Z</updated><content type="html">
&lt;p&gt;So....it appears that President Obama has been reading my blog... &lt;br&gt;&lt;br&gt;
&lt;object width="200" height="200"&gt;
&lt;param name="movie" value="http://www.youtube.com/v/2elNIFbKG20&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0"&gt;
&lt;param name="allowFullScreen" value="true"&gt;
&lt;param name="allowscriptaccess" value="always"&gt;
&lt;embed src="http://www.youtube.com/v/2elNIFbKG20&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0" mce_src="http://www.youtube.com/v/2elNIFbKG20&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="200" height="200"&gt;&lt;/object&gt;
&lt;br&gt;&lt;/p&gt;

&lt;p&gt;O.K. I made that part up, but it was pretty exciting to watch his speech today on cyber security (..not sure when I turned into a total nerd). &lt;/p&gt;

&lt;p&gt;The whole speech I was just saying to myself "ADRMS would prevent that...ADRMS would prevent that...ADRMS can do that...ADRMS would cover that", and even a few "Forefront Security would prevent that". Heck they'd solve 90% of their problems if they went and visited microsoft.com/security, or microsoft.com/ida. &lt;br&gt;&lt;/p&gt;

&lt;p&gt;I wonder who the new 'Cyber Czar' will be. I don't know that I'd like to have that job. You've got 10,000,000 hackers that will attack you non-stop to make a point. In fact, I'd be willing to gamble that shortly after the announcement, you'll see something like "Cyber Czar's e-mail hacked" in the news.&amp;nbsp; I'd almost be willing to gamble that the hacker community will know who the new Czar is, before the new Czar does. (Unless of course they are already using ADRMS..then the odds are in favor of the Czar.). &amp;lt;g&amp;gt;&lt;br&gt;&lt;/p&gt;

&lt;p&gt;So my tip for the day to the president and his staff. Make sure you secure all of your e-mails and data regarding this announcement with ADRMS (you should be doing it for everything anyways), and make sure the people exchanging this data are using secure systems with good passphrases and/or secure smart cards. You *really* don't want the hacker community announcing things related to your cyber security plans before you do. That would be a BAD THING®.&amp;nbsp; There are even a few ADRMS solutions for your BlackBerry, although you really need to start thinking about getting yourself a Windows Mobile phone. &lt;/p&gt;

&lt;p&gt;Gimme a call...I might know some people that can hook you up. ;)&lt;/p&gt;

&lt;p&gt;-Jason &lt;br&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&amp;nbsp;&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3247593" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Daily Wacky Environment Solution: One-Way trust AND ADRMS using ADFS</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/28/daily-wacky-environment-solution-one-way-trust-and-adrms-using-adfs.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/28/daily-wacky-environment-solution-one-way-trust-and-adrms-using-adfs.aspx</id><published>2009-05-28T23:28:00Z</published><updated>2009-05-28T23:28:00Z</updated><content type="html">&lt;P&gt;Consider this scenario.&lt;BR&gt;Customer has two forests.&lt;/P&gt;
&lt;P&gt;Resource Forest (RFCOM) - Houses resources like RMS and MOSS.&lt;BR&gt;Account Forest (AFCOM) - House all of the user accounts.&lt;/P&gt;
&lt;P&gt;Situation: Customer wants to have *one* RMS cluster housed in the resource forest. Has a one way trust where the resource forest trusts the account forest (for some other applications including MOSS auth (although I think MOSS will work with ADFS as well)). Wants to use ADFS to do SSO to ADRMS server to get content served by MOSS server in the resource forest.&lt;/P&gt;
&lt;P&gt;Problem: In order to use ADFS with ADRMS there typically needs to be *no* trust between forests. The way that the RMS client works, is that it will try to obtain a RAC via the standard Windows Auth pipeline (&lt;A href="https://rms.rfcom.com/_wmcs/certification/certification.asmx" mce_href="https://rms.rfcom.com/_wmcs/certification/certification.asmx"&gt;https://rms.rfcom.com/_wmcs/certification/certification.asmx&lt;/A&gt;). If this fails, it will use the ADFS token pipeline (&lt;A href="https://rms.rfcom.com/_wmcs/certificationexternal/certification.asmx" mce_href="https://rms.rfcom.com/_wmcs/certificationexternal/certification.asmx"&gt;https://rms.rfcom.com/_wmcs/certificationexternal/certification.asmx&lt;/A&gt;), and&amp;nbsp;pass the ADFS server specified in the FederationHomeRealm registry key. The RMS server *has to* reside in the same forest with MOSS since there is no ADFS pipeline for service accounts.&lt;/P&gt;
&lt;P&gt;If there is a one way trust then the user will legitimately be able to get to the Windows Auth Pipeline through IIS. This is a problem, because the return code is 200 (which means OK), although the RMS server will reject the request from a user in another forest to this pipeline, because it expects to find the user in its own forest's AD. This puts the RMS client in a bad state. It simply thinks the RMS server has rejected the request, and cries about it with an error message.&lt;/P&gt;
&lt;P&gt;So we have&amp;nbsp;a few options.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Solution 1:&amp;nbsp; Remove the one-way trust. If you remove the one-way trust, then IIS will not authenticate the user to the Windows Auth certification pipeline, and the RMS client will automatically roll over to the ADFS tokenized pipeline.&lt;/P&gt;
&lt;P&gt;Solution 2: (The one we used). We went to the properties of C:\Inetpub\wwwroot\_wmcs\certification\certification.asmx, and added an ACE to the security tab for the 'AFCOM\Domain Users' group, and gave it explicit *deny* permissions. This forces all clients in the AFCOM forest to rollover to the ADFS certification pipeline.&lt;/P&gt;
&lt;P&gt;Solution 3: Set up an RMS cluster in the account forest, and then export the SLC from the AFCOM forest's RMS server into the RFCOM forest's RMS server as a TUD (Trusted User Domain).&lt;/P&gt;
&lt;P&gt;Anyways, option 2 worked for this customer. Any forests that he now adds to his forest that have a one way trust, he just needs to add a deny ACE to the certification.asmx file for the 'domain users' group of that forest. We also added an SCP to the account forest with the cluster URL of the resource forest, so that all of the clients in the account forest would auto-discover the ADRMS service without needing registry overrides.&lt;/P&gt;
&lt;P&gt;ADRMS is a pretty flexible product. Just because every single possible environment situation isn't documented doesn't mean that with a little playing around you can't get just about any situation to work (within the support boundaries...and sometimes outside of them. &amp;lt;-- I didn't just say that. :)).&lt;/P&gt;
&lt;P&gt;-Jason&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3247259" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>To CRL or not to CRL. That is the question. </title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/22/to-crl-or-not-to-crl-that-is-the-question.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/22/to-crl-or-not-to-crl-that-is-the-question.aspx</id><published>2009-05-22T17:48:00Z</published><updated>2009-05-22T17:48:00Z</updated><content type="html">&lt;p&gt;I recently got a call from a customer having problems opening content from the internet using the Passport Trust option of RMS. Looking at the DebugView Logs RMS was returning an error code of 8004CF3B. So I look up the error in my handy-dandy technet:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://msdn.microsoft.com/en-us/library/bb204613%28VS.85%29.aspx" mce_href="http://msdn.microsoft.com/en-us/library/bb204613(VS.85).aspx"&gt;http://msdn.microsoft.com/en-us/library/bb204613(VS.85).aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;E_DRM_NO_CONNECT. Hmmmm...&lt;/p&gt;
&lt;p&gt;So I had him try to access the licensing pipeline URL from the machine, and...it connects no problem.&amp;nbsp;&amp;lt;&amp;lt;There's something on the wing....SOME...THING!!!&amp;gt;&amp;gt;&lt;/p&gt;
&lt;p&gt;Certificate looks good, but it is a... internal CA cert.... Hmmmm...&lt;/p&gt;
&lt;p&gt;Let's disable CRL in IE's settings (Tools&amp;gt;Internet Options&amp;gt;Advanced&amp;gt;Security | Uncheck both certificate revocation validation options).&lt;/p&gt;
&lt;p&gt;Voilà..it works. So, moral of the story. Vista doesn't like it when you use an internal CA certificate, externally, when you have these options checked, and you are trying to use RMS. Use a Verisign or GoDaddy cert instead. XP doesn't seem to be bothered.&lt;/p&gt;
&lt;p&gt;Whodathunkit?&lt;/p&gt;
&lt;p&gt;-Jason&lt;/p&gt;&lt;p&gt;UPDATE: A buddy of mine, Barclay, pointed out that the other option is to expose your CRL Distribution point externally. Duh!! &lt;br&gt;&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3244593" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Foxit makes their reader more foxy with IRM capabilities.</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/20/foxit-makes-their-reader-more-foxy-with-irm-capabilities.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/20/foxit-makes-their-reader-more-foxy-with-irm-capabilities.aspx</id><published>2009-05-20T18:24:00Z</published><updated>2009-05-20T18:24:00Z</updated><content type="html">&lt;P&gt;Welcome to the party Foxit!!!&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.foxitsoftware.com/announcements/2009487743.html" mce_href="http://www.foxitsoftware.com/announcements/2009487743.html"&gt;http://www.foxitsoftware.com/announcements/2009487743.html&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.foxitsoftware.com/rms/"&gt;http://www.foxitsoftware.com/rms/&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;I expect we will see a lot more of this from a lot more vendors soon. The trend is showing that customers are no longer *requesting* their application providers protect their content. They are *demanding* it. If you are writing software that allows customers to create sensitive data, be warned. You should definitely get on the IRM integration bus before you get run over.&lt;/P&gt;Long live Jimi!!&lt;BR&gt;&lt;BR&gt;
&lt;P align=left&gt;
&lt;OBJECT height=100 width=100&gt;&lt;PARAM NAME="movie" VALUE="http://www.youtube.com/v/cXtFComxDlk&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0"&gt;&lt;PARAM NAME="allowFullScreen" VALUE="true"&gt;&lt;PARAM NAME="allowscriptaccess" VALUE="always"&gt;
&lt;embed src="http://www.youtube.com/v/cXtFComxDlk&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0" mce_src="http://www.youtube.com/v/cXtFComxDlk&amp;amp;hl=en&amp;amp;fs=1&amp;amp;autoplay=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="100" height="100"&gt;&lt;/OBJECT&gt;
&lt;P align=left&gt;ARE YOU IRM EXPERIENCED???&lt;/P&gt;
&lt;P align=left&gt;&lt;A href="http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx"&gt;http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P align=left&gt;Trippy Tip: Use the live translator link at the top of my blog to translate this post to a different language. You will get a split screen page. Turn your speakers up and enjoy the Jimi Hendrix Experience!!! &lt;BR&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3243796" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>What is the RMS Lifecycle?</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/08/what-is-the-rms-lifecycle.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/08/what-is-the-rms-lifecycle.aspx</id><published>2009-05-08T22:48:00Z</published><updated>2009-05-08T22:48:00Z</updated><content type="html">&lt;P&gt;Ever wonder when support for *your* version of RMS will officially end?&lt;/P&gt;
&lt;P&gt;Well we all know that RMS V1 w/ no SP has already expired...*but* did you know that RMS V1 SP1 has also expired, and that you need to upgrade to SP2 to be in full support?&lt;/P&gt;
&lt;P&gt;&lt;A href="http://support.microsoft.com/gp/lifesupsps"&gt;http://support.microsoft.com/gp/lifesupsps&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;
&lt;TABLE class="" borderColor=#c0c0c0 cellSpacing=0 cellPadding=0 width="100%" border=1&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD class=tdl class="tdl"&gt;Windows Rights Management Services Service Pack 1&lt;/TD&gt;
&lt;TD class=tdc class="tdc"&gt;18-Apr-2005&lt;/TD&gt;
&lt;TD class=tdc class="tdc"&gt;13-Jan-2009&lt;/TD&gt;
&lt;TD class=tdc class="tdc"&gt;　&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD class=tdl class="tdl"&gt;Windows Rights Management Services Service Pack 2&lt;/TD&gt;
&lt;TD class=tdc class="tdc"&gt;22-Nov-2006&lt;/TD&gt;
&lt;TD class=tdc class="tdc"&gt;Not Applicable&lt;BR&gt;See Note&lt;/TD&gt;
&lt;TD class=tdl class="tdl"&gt;Support ends either 12 or 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. Visit the&amp;nbsp;&lt;A href="http://support.microsoft.com/gp/lifecycle"&gt;Lifecycle&lt;/A&gt; page to find the support timelines for your particular product.&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;ADRMS on Windows 2008 falls under the Operating System lifecycle, since it is a role in the operating system.&lt;/P&gt;
&lt;P&gt;Now you know. All of you slackers need to update your V1 SP1 installs to SP2, ASAP. :D&lt;/P&gt;
&lt;P&gt;&amp;nbsp;-Jason&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3237847" width="1" height="1"&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Single Forest, Single Domain seeks NON-Universal group to share many bytes of RMS data with</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/05/08/single-forest-single-domain-seeks-non-universal-group-to-share-many-bytes-of-rms-data-with.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/05/08/single-forest-single-domain-seeks-non-universal-group-to-share-many-bytes-of-rms-data-with.aspx</id><published>2009-05-08T17:41:00Z</published><updated>2009-05-08T17:41:00Z</updated><content type="html">&lt;P&gt;O.K. So I get asked this question a lot. "I've got one forest with a single domain. Do I still need to use a universal group?"&lt;/P&gt;
&lt;P&gt;The answer is 'you don't technically have to'. Here is the deal. As we all know Universal groups are the only groups that replicate their membership across the forest. Let's say you have a&amp;nbsp;forest 'foo.com' with a domain 'domain.foo.com'. Now you RMS protect a message and send it to a group. How does RMS deal with this?&lt;/P&gt;
&lt;P&gt;Well RMS is going to grab the first 5 GCs that respond to the request, and cycle through them for EUL validation. So let's say you have a Security group called &lt;A href="mailto:SecGroup1@domain.foo.com" mce_href="mailto:SecGroup1@domain.foo.com"&gt;SecGroup1@domain.foo.com&lt;/A&gt; that mail is being sent to that &lt;A href="mailto:joe@domain.foo.com" mce_href="mailto:joe@domain.foo.com"&gt;joe@domain.foo.com&lt;/A&gt; is a member of, and RMS grabs these 5 GCs:&lt;/P&gt;
&lt;P&gt;GC1.domain.foo.com&lt;BR&gt;GC2.domain.foo.com&lt;BR&gt;GC3.domain.foo.com&lt;BR&gt;GC4.domain.foo.com&lt;BR&gt;GC.foo.com&lt;/P&gt;
&lt;P&gt;What do you think will happen when RMS queries each of these GCs for the membership of SecGroup1?&lt;/P&gt;
&lt;P&gt;GC1.domain.foo.com - Good&lt;BR&gt;GC2.domain.foo.com - Good&lt;BR&gt;GC3.domain.foo.com - Good&lt;BR&gt;GC4.domain.foo.com - Good&lt;BR&gt;GC.foo.com - Fail&lt;/P&gt;
&lt;P&gt;So your user has a&amp;nbsp;1 in 5 chance of getting an EUL, when a message is sent to a security group in domain.foo.com.&lt;/P&gt;
&lt;P&gt;What are your options?&lt;/P&gt;
&lt;P&gt;Well you've really got 3. The first is leave it alone, and take your chances at the wheel. OK. Maybe that's not the best option. The next option is to make that group a universal group. The membership will get replicated to GC.foo.com, and you now have 5 in 5 chance of getting an EUL. The last option, which not many people know about is that you can tell RMS which GCs it should query. You would set the following key:&lt;/P&gt;
&lt;P&gt;HKLM/Software/Microsoft/DRMS/1.0/&amp;nbsp; &amp;lt;--Change the 1.0 to 2.0 for WS2008 ADRMS&lt;BR&gt;REGSZ: GC&lt;BR&gt;VALUE: Comma delimited list of GC FQDNs (i.e. GC1.domain.foo.com,GC2.domain.foo.com,GC3.domain.foo.com,GC4.domain.foo.com)&lt;/P&gt;
&lt;P&gt;Now you have a 4 in 4 chance of getting an EUL using a security group, or another domain local group.&lt;/P&gt;
&lt;P&gt;Now, if you have multiple domains in your forest, you need to use universal groups...period.&lt;/P&gt;
&lt;P&gt;I need a nap.&lt;/P&gt;
&lt;P&gt;-Jason&lt;/P&gt;
&lt;P&gt;Update: Nap music added to this post. :D&lt;/P&gt;
</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Translation of Rights. Straight from the help files...somewhere....</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/04/30/translation-of-rights-straight-from-the-help-files-somewhere.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/04/30/translation-of-rights-straight-from-the-help-files-somewhere.aspx</id><published>2009-04-30T18:03:00Z</published><updated>2009-04-30T18:03:00Z</updated><content type="html">&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;I've often wondered if we ever had documentation that explains what the rights you assign to a template actually translate to. I've travelled to the deepest, darkest corners of Microsoft searching for answers. Armed with a map of the mother ship, and the 'Staff of Ra', and with no lack of dangerous booby traps and poisonous snakes, the tomb that held these ancient scripts for so long was revealed....and now I bring them to you. (Thanks Jim!!).&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P align=center&gt;&lt;BR&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Active Directory Rights Management Services (AD&amp;nbsp;RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD&amp;nbsp;RMS-enabled applications or browsers, while others are enforced primarily by the AD&amp;nbsp;RMS client (although applications can still apply their own interpretation of the right). The rights enforced by the AD&amp;nbsp;RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD&amp;nbsp;RMS-enabled applications, such as Microsoft Office applications. For example, Microsoft Office applications enforce the View right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the View right.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD&amp;nbsp;RMS client and interpreted by common AD&amp;nbsp;RMS-enabled applications.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;
&lt;TABLE class=MsoNormalTable style="MARGIN: auto auto auto 0.5in; WIDTH: 83.38%; mso-cellspacing: 0in; mso-yfti-tbllook: 1184; mso-padding-alt: 0in 0in 0in 0in" cellSpacing=0 cellPadding=0 width="83%" border=0&gt;
&lt;TBODY&gt;
&lt;TR style="mso-yfti-irow: 0; mso-yfti-firstrow: yes"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: #f0f0f0; PADDING-LEFT: 3.75pt; BACKGROUND: #efeff7; PADDING-BOTTOM: 0in; BORDER-LEFT: #f0f0f0; WIDTH: 100%; PADDING-TOP: 0in; BORDER-BOTTOM: #c8cdde 1pt solid" width="100%" colSpan=2&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;B&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Note &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 1"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0in; BORDER-LEFT: #f0f0f0; WIDTH: 100%; PADDING-TOP: 0in; BORDER-BOTTOM: #f0f0f0" width="100%" colSpan=2&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;AD&amp;nbsp;RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information on how these rights are enforced. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 2"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: #f0f0f0; PADDING-LEFT: 3.75pt; BACKGROUND: #efeff7; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #c8cdde 1pt solid" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;B&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Right&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: #f0f0f0; PADDING-LEFT: 3.75pt; BACKGROUND: #efeff7; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #c8cdde 1pt solid" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;B&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Description&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 3"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Full control&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 4"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;View&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD&amp;nbsp;RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 5"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Edit&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 6"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Save&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 7"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Export (Save As)&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 8"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Print&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow the user to print protected content.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 9"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Forward&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 10"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Reply&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 11"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Reply All&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 12"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Extract&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow the user to copy and paste information from protected content.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 13"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Allow Macros&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 14"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;View Rights&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD&amp;nbsp;RMS client allows a user to view the user rights that are assigned by the license.&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR style="mso-yfti-irow: 15; mso-yfti-lastrow: yes"&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 17.22%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="17%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;Edit Rights&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;
&lt;TD class="" style="BORDER-RIGHT: #f0f0f0; PADDING-RIGHT: 3.75pt; BORDER-TOP: white 1pt solid; PADDING-LEFT: 3.75pt; BACKGROUND: #f7f7ff; PADDING-BOTTOM: 0.75pt; BORDER-LEFT: #f0f0f0; WIDTH: 82.78%; PADDING-TOP: 0.75pt; BORDER-BOTTOM: #f0f0f0" width="82%"&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;SPAN style="COLOR: #003300"&gt;&lt;FONT size=3&gt;&lt;FONT face=Calibri&gt;If this right is granted, the AD&amp;nbsp;RMS client allows a user to edit the user rights that are assigned by the license. &lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;/P&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>I don't know your private key password!!!</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/03/23/i-don-t-know-your-private-key-password.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/03/23/i-don-t-know-your-private-key-password.aspx</id><published>2009-03-23T17:00:00Z</published><updated>2009-03-23T17:00:00Z</updated><content type="html">&lt;P&gt;There seems to be an influx of cases lately where an administrator has either 'lost' the private key password for their RMS environment, or inherited an environment that they don't know it for.&lt;/P&gt;
&lt;P&gt;Let me assure you, I don't know it either. You can go to the security tab in your RMS admin console and reset it to a password you know, but before you do this, 'BACK UP YOUR SLC AND PUBLISHING CERTIFICATE'.&lt;/P&gt;
&lt;P&gt;So...if you get stuck with an environment that you do *not* know the private key password for, do *NOT* uninstall RMS and re-install a new environment without *first* exporting the SLC and publishing certificate. If you delete everything without backing up these keys, and don't know the private key password...'I CAN'T HELP YOU!!'. Even if you have a back-up of the database....'I CAN'T HELP YOU!!!'. You will lose all of your data and....'I CAN'T HELP YOU!!!'.&lt;/P&gt;
&lt;P&gt;There is no secret fix, magic command, or ritualistic dance that I can perform to restore your environment, unless you have backed up the database *and* original RMS server. If you didn't, you should lie down on the floor and play dead until your boss goes home for the day, and then see if anyone has an older backup of the system hidden somewhere, and if not, find some good quality resume paper.&lt;/P&gt;
&lt;P&gt;Hopefully I've made the message clear, on the importance of backing up those keys, and outlined your options if you don't heed this advice. :D&lt;/P&gt;
&lt;P&gt;-Jason&lt;/P&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Free At Last, Free At Last, Oh Lawd, I'm Free At Last!!! End of Support for RMS V1 SP0</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/03/10/free-at-last-free-at-last-oh-lawd-i-m-free-at-last-end-of-support-for-rms-v1-sp0.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/03/10/free-at-last-free-at-last-oh-lawd-i-m-free-at-last-end-of-support-for-rms-v1-sp0.aspx</id><published>2009-03-11T04:37:00Z</published><updated>2009-03-11T04:37:00Z</updated><content type="html">&lt;P&gt;Announced today. RMS V1 with no Service Pack is dead, muerta, gone, kaput! Support has officially ended.&lt;/P&gt;
&lt;P&gt;From:&amp;nbsp;&lt;A href="http://blogs.msdn.com/rms/default.aspx"&gt;http://blogs.msdn.com/rms/default.aspx&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;End of support for Windows Rights Management Services V1.0&lt;/U&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;March 23, 2009 will bring a close to support for Windows Rights Management Services V1.0 as part of the Microsoft Lifecycle Policy. Microsoft will retire public and technical support, including security updates, by this date.&lt;/P&gt;
&lt;P&gt;As of this date users will no longer be able to activate or re-activate clients, and may be unable to produce or use Rights-Protected content unless they upgrade to a newer version of Windows Rights Management Services Client.&amp;nbsp; This includes&amp;nbsp; Windows Rights Management Services Client V1.0 SP2, or the Windows Rights Management Services Client available as part of Windows Vista or Windows Server 2008.&amp;nbsp; When users attempt to activate Windows Rights Management Services Client V1.0 using Microsoft Office they will receive the following error message “This service is temporarily unavailable.&amp;nbsp; Ensure that you have connectivity to the server.&amp;nbsp; This error could be caused because you are offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.”&amp;nbsp; Users attempting to activate via other RMS enabled applications may receive different error messages.&lt;/P&gt;
&lt;P&gt;Microsoft is retiring support for this product because it is outdated and can expose customers to security risks. &lt;/P&gt;
&lt;P&gt;We recommend that customers who are still running Windows Rights Management Services Client V1.0 upgrade to a newer version as soon as possible.&amp;nbsp; Windows Rights Management Services Client V1.0 SP2 can be downloaded from the following links.&lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=02da5107-2919-414b-a5a3-3102c7447838&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=02da5107-2919-414b-a5a3-3102c7447838&amp;amp;DisplayLang=en"&gt;Windows Rights Management Services Client V1.0 SP2 client (x86)&lt;/A&gt; &lt;BR&gt;&lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=c59d8222-043c-41fc-9ad5-8a1f5bd85352&amp;amp;DisplayLang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?FamilyID=c59d8222-043c-41fc-9ad5-8a1f5bd85352&amp;amp;DisplayLang=en"&gt;Windows Rights Management Services Client V1.0 SP2 client (x64)&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Windows Rights Management Client V2.0 is also available as part of the Windows Vista and Windows Server 2008 operating systems.&amp;nbsp; Information about Windows Vista is available at &lt;A class="" href="http://www.microsoft.com/windows/windows-vista/default.aspx" target=_blank mce_href="http://www.microsoft.com/windows/windows-vista/default.aspx"&gt;http://www.microsoft.com/windows/windows-vista/default.aspx&lt;/A&gt;.&amp;nbsp; Information about Windows Server 2008 is available at &lt;A class="" href="http://www.microsoft.com/windowsserver2008" target=_blank mce_href="http://www.microsoft.com/windowsserver2008"&gt;http://www.microsoft.com/windowsserver2008&lt;/A&gt; &lt;/P&gt;
&lt;P&gt;We recommend that customers who are still running Windows Rights Management Services V1.0 servers upgrade to a newer version such as &lt;A class="" href="http://www.microsoft.com/downloads/details.aspx?familyid=5794538f-e572-4542-a5bd-901b2720f068&amp;amp;displaylang=en" target=_blank mce_href="http://www.microsoft.com/downloads/details.aspx?familyid=5794538f-e572-4542-a5bd-901b2720f068&amp;amp;displaylang=en"&gt;Windows Rights Management Services with Service Pack 2&lt;/A&gt; as soon as possible.&lt;/P&gt;
&lt;P&gt;I feel like I'm saying goodbye to an old friend....a friend that used to steal my money, and eat my food that is!&lt;/P&gt;
&lt;P&gt;-Jason&lt;/P&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry><entry><title>Setting up RMSv1 on Windows 2003 x64 - Feel the burn with me.</title><link rel="alternate" type="text/html" href="http://blogs.technet.com/rmssupp/archive/2009/02/21/setting-up-rmsv1-on-windows-2003-x64-feel-the-burn-with-me.aspx" /><id>http://blogs.technet.com/rmssupp/archive/2009/02/21/setting-up-rmsv1-on-windows-2003-x64-feel-the-burn-with-me.aspx</id><published>2009-02-22T06:27:00Z</published><updated>2009-02-22T06:27:00Z</updated><content type="html">&lt;P&gt;So I have of late been working on an issue involving someone trying to install RMS v1 on Windows 2003 x64 Standard Edition. Of course, RMS v1 came in only a 32-bit flavor, but you could get it to run in WOW mode on x64 (with 2008, ADRMS comes in all the flavors of the OS). I don't know exactly why we are having issues (hopefully I'll figure it out this week), but I just went through a little test to make sure I'm not crazy (well...you know what I mean), and recorded it.&lt;/P&gt;
&lt;P&gt;Here is the text of the file I was using in the demo:&lt;/P&gt;
&lt;P&gt;1.)&amp;nbsp;Make sure .NET 1.1, IIS and MSMQ are installed&lt;BR&gt;2.)&amp;nbsp;Allow IIS to run in WOW mode - cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1&lt;BR&gt;3.)&amp;nbsp;Install and enable ASP.NET - %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i -enable&lt;BR&gt;4.)&amp;nbsp;Allow ASP.NET 1.1 - cscript %systemroot%\system32\iisext.vbs /EnApp "ASP.NET v1.1.4322"&lt;BR&gt;5.)&amp;nbsp;Set default website version - %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s /w3svc/1/root&lt;/P&gt;
&lt;P&gt;Here is the demo for your viewing pleasure. (Just unzip the files, and open the .html file)&lt;/P&gt;
&lt;P&gt;&lt;A class="" href="http://www.joectzn.com/rmsx64.zip" mce_href="http://www.joectzn.com/rmsx64.zip"&gt;RMS X64 Demo&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;P.S. I'll update this post with whatever I did to fix the 'problem' I ran into in the video. (Now you *have to* watch it or you won't know what I'm talking about.)&lt;/P&gt;
&lt;P&gt;..and I already know 'I SHOULD HAVE USED A FQDN FOR THE CLUSTER URL!!' Don't judge me!!!&lt;/P&gt;
&lt;P&gt;- Jason&lt;/P&gt;</content><author><name>Jason Tyler</name><uri>http://blogs.technet.com/members/Jason+Tyler.aspx</uri></author></entry></feed>