Course Overview
This three-day instructor-led course is designed to provide students with the knowledge and skills necessary to deploy and manage Windows Rights Management Services for the protection of digital information in a Windows Server 2003 environment. Significant focus is placed on understanding the underlying architecture and security concepts of the Rights Management Services platform. Topics also include interoperability between organizations, defining and deploying policies, and management of the RMS Server as well as using some of the applications included in the Rights Management Services Toolkit.
Audience
A technical hands-on course for administrators, systems engineers, security specialists and implementers who will deploy Microsoft Windows Rights Management Services. The technical content of this course will allow students to understand and get hands-on experience installing, configuring and managing Rights Management Services on Windows Server 2003.
Skills Gained
After completing this course, students will gain the skills to:
- Explain the RMS architecture and infrastructure
- Explain RMS and its relationship to desktop applications
- Install RMS on Windows Server 2003
- Understand RMS configuration such as trust policies and rights policies
- Interoperate with other organizations' RMS deployments
- Understand the integration of RM-enabled applications such as MS Office 2003
- Understand the management of an RMS deployment
Prerequisites
Before attending this course, students must have:
- A good understanding of Windows Server 2000 and/or 2003 and Active Directory.
- A general knowledge of Public Key Infrastructure (PKI) concepts and SQL Server 2000 is also helpful.
Course Outline
Module 1: Why Rights Management?
Microsoft Windows Rights Management Services (RMS) provides core services to help protect enterprise data. This module introduces Windows RMS, the business drivers behind RMS, and the technology that is used in an RMS deployment.
Lessons
- Rights Management Overview
- Public Key Technology Overview
After completing this module, students will be able to:
- Describe business reasons for using RMS.
- Explain what RMS does to protect enterprise data.
- Describe usage scenarios that can benefit from an RMS implementation.
- Describe the components and technology that support an RMS implementation.
- Describe how RMS utilizes public key technology to protect information.
Module 2: RMS Architecture
This module covers the basic architecture and concepts of the Windows Rights Management Services product. This module also explains all the prerequisite software and services that must be in place in order for the Rights Management environment to function. Finally, a discussion is presented on how various Active Directory designs can impact your RMS design and deployment.
Lessons
- Introduction to RMS
Lab A: Verifying Active Directory
- Client Side Components
- RMS Architecture and Active Directory
After completing this module, students will be able to:
- Describe how RMS works, including how the publishing and use licenses are used in an RMS environment.
- Describe the RMS Infrastructure components.
- Describe the RMS client-side components.
- Describe how Active Directory contributes to the RMS infrastructure.
Module 3: RMS Installation and Provisioning
This module covers the steps necessary to successfully install and provision an RMS server.
Lessons
- Installing RMS Server
Lab A: Creating the RMS Service Account
- Provisioning RMS Server
- Provisioning Configuration Overview
- Configuring Offline Enrollment
- Configuring the RMS Service Connection Point
- Best Practices: Server Installation
Lab B: Installing and Provisioning RMS
After completing this module, students will be able to:
- Describe the hardware and software requirements for installing RMS Server.
- Describe the steps required to successfully install RMS Server.
- Define and describe the RMS Server provisioning process.
- Explain the various configuration options available for provisioning an RMS Server.
- Install and provision RMS.
Module 4: Rights Management Client
This module covers all of the steps and components necessary for a user to interact with Windows Rights Management Services. This module also covers RM Client deployment and configuration. It also explains the Information Rights Management (IRM) features in Office 2003 and how to manage those features through Group Policy. For users that want to participate in an RMS environment to read protected content, but who do not have Office 2003, the Rights Management Add-on for IE (RMA) will be discussed.
Lessons
- RM Client Components
- Machine Activation
- User Certification
Lab A: Installing the RMS Client
- Integrating Microsoft Office 2003 and IRM
- Rights Management Add-on for Internet Explorer
- Best Practices: RM Client Deployment
Lab B: RMS Application Deployment
After completing this module, students will be able to:
- Understand the components that make up the RM client.
- Explain the process of machine activation.
- Explain the process of user certification in an RMS environment.
- Describe the features of Microsoft Office 2003 that relate to IRM.
- Describe the Rights Management Add-on for Internet Explorer.
- Install the RMS client.
- Manage and deploy RMS-enabled applications using Group Policy.
Module 5: Content Protection and Consumption
This module explains the process of protecting content using RMS as well as the consumption process. It covers the concepts of Publishing Licenses and Use Licenses. This module also discusses how these operations differ in both online and offline modes.
Lessons
- Content Protection Requirements
- Publishing RMS-Protected Content
- Consuming RMS-Protected Content
- Offline Protection
Lab A: Creating and Consuming by Using Word 2003
LAB B: Creating and Consuming by Using Outlook 2003
LAB C: Consuming Content by Using the Rights Management Add-On for Internet Explorer
LAB D: Using Active Directory Security Groups
After completing this module, students will be able to:
- Describe the requirements related to protecting content using RMS.
- Describe the process of publishing RMS content.
- Describe the process of consuming RMS content.
- Describe how RMS content can be protected off-line.
- Create and consume RMS-protected content using Microsoft Word.
- Create and consume RMS-protected email using Microsoft Outlook.
- Create and consume RMS-protected content using Microsoft Excel.
- Implement RMS using Active Directory Security Groups.
Module 6: Rights Policy Templates
This module provides an introduction to Rights Policy Templates and the process of distributing them. It also addresses the policies that make up a Rights Policy Template, including Users and Groups, Expiration Policy and Extended Policy. Applying and retiring Rights Policy Templates are also covered.
Lessons
- Overview of Rights Policy Templates
- Creating Rights Policy Templates
- Distributing Rights Policy Templates
- Working with Rights Policy Templates
- Best Practices
Lab A: Creating and Using Rights Policy Template
LAB B: Modifying Existing Templates
LAB C: Assigning Different Rights to Different Users
After completing this module, students will be able to:
- Describe how Rights Policy Templates are used in the RMS environment.
- Explain how to define a Rights Policy Template.
- Explain how to distribute a Rights Policy Template.
- Describe some of the management tasks related to Rights Policy Templates.
- Create and distribute Rights Policy Templates.
- Assign rights to different users using Rights Policy Templates.
- Modify existing templates.
Module 7: Managing Trust
In this module, we will cover some of the elements of Trusted User Domains, Trusted Publishing Domains and the related trust decisions. We will address the kinds of trust relationships that an RMS deployment can have with other RMS deployments as well as with other components of the same infrastructure.
We will also cover the Exclusion policies which may be defined by an Administrator. This module will also include an overview of how Revocation works and when an administrator may choose to revoke trusted entities.
Finally, we will take a look at the Super Users group and how this group may be used to recover protected content.
Lessons
- Overview of Managing Trust
LAB A: Defining Trusted User Domains
- Configuring Exclusion Policies
- Revocation Overview
- The Super Users Group
LAB B: Excluding Users and Applications
LAB C: Configuring the Super Users Group
After completing this module, students will be able to:
- Describe trust policies related to trusted user domains and trusted publishing domains.
- Describe exclusion policies related to lockbox version, Windows version, RAC exclusion, and application exclusion.
- Explain how revocation works.
- Describe the Super Users group and how it relates to RMS.
- Define trusted user domains.
- Exclude users and applications.
- Utilize the Super Users group.
Module 8: Deploying and Maintaining RMS Infrastructure
In this module we will examine adding Servers to your RMS infrastructure as well as the details of managing clusters. This will include replacing RMS Servers, decommissioning RMS Servers, unprovisioning and uninstalling RMS servers. We will also look at the essentials of the logging settings and disaster recovery.
Lessons
- Adding Servers to the RMS Infrastructure
- Subordinate Licensing Servers
- Managing Clusters
- RMS Logging
- RMS Disaster Recovery
After completing this module, students will be able to:
- Calculate the number of required RMS servers.
- Describe how to add servers to an existing RMS root cluster.
- Describe how to add Subordinate Licensing Servers.
- Describe how to Replace, Decommission, Unprovision, and Uninstall RMS servers.
- Explain the RMS Logging function.
- Describe procedures used in RMS disaster recovery.
Module 9: Troubleshooting
This module will focus on troubleshooting some RMS operations. We will look at common issues and the tools available to help diagnose and troubleshoot these issues.
Lessons
- Troubleshooting RMS
- RMS Administration Toolkit
LAB A: Using RMS Toolkit Applications
After completing this module, students will be able to:
- Describe troubleshooting procedures related to various RMS functions such as Domain Name System (DNS) issues, Service Connection Point (SCP) issues, Provisioning, Internet access, client certification, and consuming content.
- Describe the various tools available in the RMS Administration Toolkit.
Module 10: Extranet Considerations
This module discusses examples of how companies may choose to extend their RMS infrastructure outside the borders of their corporate network. It examines the permissions required for extranet clients to access the RMS pipelines as well as some firewall options.
Lessons
- Integrating an Extranet with RMS
After completing this module, students will be able to:
- Describe the various extranet scenarios that can use RMS.
- Describe the need for access to the licensing pipeline from the extranet scenario.
- Describe the process related to RMS Service Discovery for Extranet clients.
- Describe how RMS can be implemented in a perimeter network and Intranet scenario.
- Describe how ISA Server can be used to provide RMS services to extranet clients.