Section 3 - Chapter 16 Flashcards

Question

AD RMS - Client Licensor Cert (CLC)

Answer 1

RAC requests CLC, computer must be online Once obtained, can apply policies offline CLC has public and private key and AD RMS cluster's public key

Answer 2

Created first time AD RMS enable app used on a client Creates a lockbox on computer to correlate machine cert with user's profile Machine cert has public key for computer, private key is in lockbox

Answer 3

Created when user saves content in rights protected mode Lists users who can use content, conditions of use and rights to content Publishing license includes symmetric content key and public key of the cluster

Answer 4

Assigned to user who opens rights protected content, tied to RAC, lists rights to content Use license has symmetric key for decrypting, encrypted with the public key of user

Answer 5

Standard, Enterprise or Datacenter

Answer 6

``` Do not install on DC Installs IIS, .NET Framework, Message Queuing and RSAT Create or Join AD RMS cluster Select db config Locate server that hosts db Validate db instance Specify Service Account Config AD RMS cluster key storage Select AD RMS cluster web site Specify Cluster Address, use SSL Connection Specify cluster address (FQDN) and port Choose a Server Authentication Cert for SSL Name the Server Licensor Cert Register AD RMS Service Connection Review IIS info Select Web Server Install ```

Answer 7

Can update, migration easier Add new servers, decommission old Before: Backup config db Export SLC Export and Install CSP Key on each server After: Update CNAME record for cluster (add new, remove old) Run AD RMS console to check cluster Test AD RMS connectivity from client

Answer 8

ADRmsInstall and ADRMSAdmin Run import for modules Import-Module Adrms Import-Module AdRmsAdmin

Answer 9

Server, Properties, Cluster URL tab - enable extranet URLs Point to IIS installation, register URLs in DNS, use SSL for http, https connections, create virtual directories to host data

Answer 10

Config proxy settings and install Federation Support Config trust policies with other clusters Trusted user domains - process requests for clusters in different forests, import Server Licensor Cert from other cluster into your cluster Trusted publishing domain - issue use licenses for protected content from other cluster, import publishing clusters SLC and private key to your cluster

Answer 11

Must config proper periods for org

Answer 12

Config exclusion policies

Answer 13

Any server that is member of cluster, Properties, Server Cert Tab, Export Cert, select location to save .bin file to

Answer 14

Mandatory: Specify duration of rights account certs Optional: Enable certification for mobile devices Enable certification for server services Authenticate clients through smart cards

Answer 15

Any server member of cluster, Rights Account Cert Policies Change Standard RAC Validity Period Standard RAC Tab - Change Standard RAC Validity Period Temporary RAC Tab - Change

Answer 16

Can be created for: users, applications, lockbox version and Win OSs Any server member of cluster, Exclusion Policies, Users Enable User Exclusion link Exclude User link can exclude by email address or public key assigned to user Select exclusion method - locate user account or type public key

Answer 17

AD RMS includes account in db create a store procedure in SQL server to auto remove account when deleted or a script that runs on a scheduled basis Create a Super Users Group - users that have full access to all content to recover or modify data, usually a Universal group Server, Security Properties, Change Super Users Settings link, Enable Super Users, Change Super User Group link, specify group

Answer 18

Create Template Specify Location Config Offline Folder Settings Users that have access to only pre-created content do not require access to policy templates Server, Rights Policy Templates, Create Distributed Rights Policy Template link, Specify Name and language, add user rights, specify expiration, specify extended policy, specify revocation policy

Answer 19

Select user or group for access to template Select user and assign rights Grant Owner (Author) Full Control Right With No Expiration (default) Rights Request URL - gives users the ability to request additional rights by going to URL

Answer 20

# Choose Enable Users to View Protected Content Using a Browser Add-On Require A New User License Every Time Content is Consumed (disable client-side caching) If You Would Like To Specify Additional Information For Your AD RMS Enabled Apps - usually reserved for developers

Answer 21

Require Revocation check box Specify URL where revocation is published http or https// Refresh Interval for Revocation List (Days) - specify File Containing Public Key Corresponding To the Signed Revocation List - specify file

Answer 22

Configuration db Logging db - Message Queuing sends events to here Directory Services db - users and their data, accessed by LDAP

Answer 23

AD DS Service Connection Point In complex multi forest deployments - registry overrides are placed directly on client computers URLs in the issuance licenses for the content

Answer 24

Operations: accessing network resources, querying AD DS, looking up info on database To change service account - rc server name, change service account

Answer 25

Trust Policies - trusted user domains & trusted publishing domains Rights Policy Templates - rules and conditions applied to the content protected by using the template Rights Account Cert Policies - change standard or temporary validity period Exclusion Policies - user, application or lockbox exclusions Security Policies - super users, cluster key password reset, and decommissioning (removes AD RMS from org) Reports - statistics, health and troubleshooting reports

Answer 26

General Tab - current cluster connection point, admin contact Cluster URLs - Intranet & Extranet, Licensing & Certification AD RMS Servers - servers in cluster Server Cert - Server Licensor Cert (SLC), export cert .bin file Proxy Settings - access to external networks Logging - enable: logging service uses Message Queuing to send log messages to logging db SCP - provides clients the cert URL for forest, shows current and can change

Answer 27

rc Trusted Policies to add MS Federated Gateway Services rc Trusted User Domains to import a domain or trust Windows Live ID, rc Enterprise to export this domain Can select trusted users by all email domains or specific email domains rc Trusted Publishing Domain to import a domain, rc Contoso DRM to export this domain

Answer 28

rc to Manage or archive rights policy templates rc, Properties - specify file location for stored templates and enable export rc Template to: create, archive, copy or view rights summary Rc, Properties - ID Info tab, User Rights tab, Expiration Policy tab, Extended Policy tab, Revocation Policy tab

Answer 29

rc Users or Applications- enable/disable user exclusion, exclude user rc Lockbox - enable/disable exclusion

Answer 30

rc Super Users or Decommission - enable/disable

Answer 31

Server Licensor Cert (SLC) - represents the server cluster, used to sign other identity certs and by clients to encrypt materials for the server to decrypt Security Processor Cert (SPC) - identifies client machines, used to encrypt elements stored locally Rights Account Cert (RAC) - issued to user at first authentication against cert URL of cluster, used for future identification, by server to encrypt licenses sent to user and by client to sign CLC Client Licensor Cert (CLC) - obtained during client activation, used to sign publishing licenses embedded in encrypted docs Publishing Licenses - used to express rights over a document Use License - expresses the rights one user has over one doc

Answer 32

XrML format - expresses complex lists of rights As opposed to a X.509 format which attests one claim about one subject

Answer 33

Full Control, View, Edit, Save, Export (Save As), Print, Forward, Reply, Reply All, Extract, Allow Macros, View Rights, Edit Rights