
Thread: Active Directory Rights Management Services (AD RMS)

  1. #1 (Join Date: Aug 2005)

    Active Directory Rights Management Services (AD RMS)

    In the market there are several technologies for the protection of documents, more or less efficient, more or less complex and more or less expensive. Which one to choose for the company depends primarily on the specific needs and also on the technical and financial resources available. In Windows Server 2008, RMS is already included and has been renamed Active Directory Rights Management Services to reflect a higher level of integration with Active Directory.

    The Active Directory Rights Management Services (AD Rights Management Services, RMS) create an infrastructure for assigning rights to documents. These rights are file system independent, so they persist even when the user moves the document to, for example, a FAT-formatted USB stick. They are also more fine-grained than is possible solely with access permissions on files and folders in Active Directory: with access rights alone, for example, one could not prevent an authorized person from passing a document on to an unauthorized one.

    With RMS, usage policies such as opening, modifying, printing, forwarding or other actions can be set by the creator of the document or an authorized person and organized centrally as templates. Their use is also not limited to files; they can be applied to other content, such as web pages or emails.

    Deploying AD RMS is a highly sensitive procedure. If it is not completed correctly, customers can find themselves in an irreversible condition, with content unusable in the future. Hundreds of thousands of content items may be protected over time, and a deployment not completed in accordance with best practices puts all this content at risk. AD RMS novice users who choose to follow the online documentation are also at risk, because the guide they know describes a validated single-server installation in a specific test environment, not recommended for production deployment. Pro Advisory will follow this scenario with a Support CSS review of the Active Directory setup. This review aims to understand the needs and the size of the new RMS deployment. The support engineer will then work with the RMS client to configure it and make sure that all features and scenarios work.

    Why it is Needed
    • ACL-based systems and encryption such as EFS, for example, are not effective if the file is moved off the NTFS partition (copied to a floppy, CD, USB pen).
    • Password-protected documents can be easily cracked.
    • If you grant READ ONLY rights to a document, copying and pasting content into another document cannot be blocked.
    • If the device that contains the documents is lost or stolen, the content can be accessible to everyone.
    • RMS makes the exchange of documentation inside the company more secure.
    • RMS is FIPS compliant.
    • It is a service that requires no additional license cost.

    To achieve this, RMS uses a client-server model: the user receives the data in encrypted form, and the server provides the key with the corresponding permissions enabled. For this to work, operating system functions alone are not enough; the applications used to create, process or read the data must also support RMS. For this purpose an SDK is provided for Vista / Server 2008 as a component of the Windows SDK, and the required client functionality is available from Vista / Server 2008 onwards.

    Support for older operating systems first has to be set up separately: the RMS SDK for Windows 2003/XP can be found here, the client here.
    If you want to use RMS with Microsoft Office, it is important to note that only the VL Professional Plus and Enterprise editions are RMS-enabled; among the consumer versions it must accordingly be Office Ultimate. A company-wide deployment of RMS may thus become expensive again, even if the operating system requirements - Vista / Windows 7 and Windows Server 2008 (R2) - are fully met.


    RMS is a server role and is activated via the server console. It has a number of dependencies, such as IIS and Message Queuing. It also supports AD Federation Services, which the role installation wizard offers to install in parallel. The latter is mandatory if you want to set up an RMS cluster distributed over multiple servers. For the database you can use the Windows internal database or connect to a SQL server.

    Services in AD RMS

    • With NTFS permissions, documents can be protected from unauthorized access.
    • With the Encrypting File System (EFS), stored documents can be encrypted.
    • Mails (plus attachments) in transit are encrypted with S/MIME; the same is true for TLS (Transport Layer Security).
    • Rights Management Services originally had to be purchased separately via a downloadable feature pack called Windows Rights Management Services. In Windows Server 2008, this product is included and has been integrated into the Active Directory family.

    Maybe you have already discovered the "restrict rights" menu item in the Office 2007 applications, or the corresponding authorization icon in the Office 2003 toolbar, and wondered what purpose it serves. Word, Excel, PowerPoint and Outlook in Office 2003/2007 are already prepared for Rights Management Services, and this icon leads to a dialog for setting document permissions.

  2. #2 (Join Date: Aug 2005)

    Re: Active Directory Rights Management Services (AD RMS)

    Functions of AD RMS
    • A user who wants to protect a document requires a Licensor Certificate (Client Licensor Certificate). This is issued by the RMS server. This certificate is generated once; it need not be reissued for each document to be protected.
    • The user's application encrypts the file with a generated symmetric key. This symmetric key is encrypted with the public key of the RMS server; it can only be decrypted by the RMS server. The publishing license generated by the application receives this encrypted symmetric key and the information about the access rights you want to grant other users. The publishing license is bound to the encrypted document. Now the question is how another user who has come into possession of the encrypted document, by whatever route, decrypts it.
    • The first condition is that the user is in possession of an RMS certificate and that his identity is established, that is, he is authenticated in Active Directory. Alternatively, dedicated "foreign domains" (partner companies, etc.) or Windows Live IDs can be trusted.
    • If the user wants to open an RMS-protected document, the application (if it can deal with RMS) asks the RMS server for a Use License. This request is accompanied by the public key of the user's certificate and the Publishing License attached to the document.
    • The RMS server checks whether the user is authorized to open the document; that information is stored, encrypted, in the Publishing License attached to the document. Remember: the publishing license has been encrypted with the public key of the RMS server, therefore the server can decode it with its private key. If the user is authorized to access the document, the RMS server encrypts the symmetric key using the public key of the user and adds further instructions (such as that the document may not be printed, etc.).
    • The generated Use License is sent to the user. Since it is encrypted with the public key of the user, the Use License, even if intercepted, cannot be abused.
    • The RMS-enabled application (e.g. Word, Excel, PowerPoint) can now display the document. Depending on the rights granted, the user can also change, print and save it, etc.

    • In terms of security, RMS alone does not guarantee the highest degree of protection, as PKI technology does, but it makes things more complicated and discourages any attempts at intrusion.
    • It does not protect documents from photos, voice recordings or screen capture tools other than Microsoft's.


    The core system consists of a server (the RMS licensing server) that manages the licenses for publishing and consuming (and access protection of) documents, and a SQL server that manages the three databases created by RMS: Configuration, Directory Services, and Logging. The loss of the licensing server does not compromise the functionality of the RMS service, while the loss of or damage to the RMS database involves sometimes irreversible damage in document retrieval. For this reason it is strongly advisable to keep the RMS and the SQL database on different servers. Depending on the network structure, the licensing server can be deployed in various locations in the case of slow lines, an excessive workload, etc.

    RMS is implemented at the forest level in AD, so all domains are eligible for this service. Two forests can use the same RMS service by establishing a trust relationship.

    How does AD RMS Work

    Before deploying AD RMS I recommend that you first understand how this entire process works. AD RMS is a server role in Windows Server 2008 that enables the creation of information security solutions to protect email messages, documents, and intranet content in your organization. AD RMS protects digital information by creating protected content through persistent rights and licenses. What does persistent mean? By simply assigning NTFS permissions our documents will be protected, but moving them could reset these permissions (e.g. sending the document as an e-mail). Instead, AD RMS-protected content retains its rights when moved or copied, whether within the intranet or published on the Internet.
    • Protection of e-mail (via Outlook).
    • Rights to file (office documents, XPS, CAD).
    • Protect the contents of the intranet (Office documents published on SharePoint).

    1. In a network that exploits the potential of the RMS service, three parties are involved: the RMS Server, which allows you to assign licenses and rights; the Author, the person who created the material to be protected; and the Recipient, or end user, who will consume this material.
    2. The AD RMS Server is the licensing server. This role assigns licenses and certification services. It stores user IDs, certificates and account activity logs in SQL Server. The RMS server does not maintain storage identifiers or records relating to files that were not encrypted.
    3. The author receives a client certificate from the RMS server the first time he requires protection of a document.
    4. Using an RMS-compliant application, an author creates a file and defines a set of usage rights and conditions for that document. At this point a publishing license is generated that contains the usage policies. The application encrypts the document with a symmetric key that is then encrypted with the public key. The key is in the publishing license and the publishing license is tied to the file. Only the author can issue licenses to decrypt this file.
    5. The author distributes the file. The document may be distributed in any way: sent via email, FTP, or copied to removable media. It will always keep the rules set by the author through RMS. At this point the recipient receives the file and opens it with an RMS-compliant application. If the recipient does not have a user certificate, the RMS server shall issue one. The document itself tells the RMS application the URL of the RMS server to contact.
    6. The application then sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient's certificate, including its public key, and the publishing license of the encrypted file.
    7. No request is then sent to the client of the document.
    8. The Windows RMS licensing server validates the request of the target user, checks that the recipient has a user name, and creates a license. During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the recipient's public key, and adds the encrypted session key to the license. This step ensures that only the recipient can decode the symmetric key and thus decrypt the protected file.


    Microsoft RMS already existed with Windows 2003, with version number 1.0. This component is free and must be downloaded separately. Currently the latest version of RMS 1.0 is Service Pack 2. Microsoft RMS 2.0 changed its name to Active Directory RMS and is only available for Windows 2008, whereas the first version is only for 2003. In the articles that will be written on the subject, we look at version 2.0 as a new installation. AD RMS allows a company to actively protect its documents and sensitive information. This protection consists of giving rights to a document or email, regardless of the location of the document. Indeed, on a share you know the NTFS permissions, but what if a document is sent by mail to a colleague... the latter now has it and can print, forward, edit, etc. With RMS, a user sending a sensitive document can define whether the recipient has the right to print, forward, edit, and perform all other actions which may affect the confidentiality of this document. This can also work with users outside the company. We'll explore this role; the information services for Microsoft RMS are free.
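The publishing-license / use-license exchange described under "Functions of AD RMS" and in steps 4 to 8 above, as an added illustration in Go that is not part of this post or of the Microsoft product: RSA-OAEP stands in for the RMS server and user certificate keys and AES-GCM for the symmetric content key (the post names neither algorithm), and the two license structures are constructed for the example, not the real XrML format. The server re-seals the content key only for a user listed in the publishing license, and a use license sealed to one user is useless to another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// PublishingLicense stays bound to the encrypted document: the content key sealed to
// the RMS server's public key plus the rights granted per user (constructed, not XrML).
type PublishingLicense struct {
	SealedKey []byte
	Rights    map[string]string // user -> rights, e.g. "VIEW" or "VIEW,PRINT"
}
// UseLicense carries the same content key re-sealed to one recipient's public key.
type UseLicense struct {
	SealedKey []byte
	Rights    string
}

// Publish (author side): encrypt the document with a fresh symmetric key and seal that
// key to the RMS server; the rights travel with the document in the publishing license.
func Publish(server *rsa.PublicKey, doc []byte, rights map[string]string) ([]byte, PublishingLicense) {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nonce, nonce, doc, nil) // nonce prefixed to the ciphertext
	sealed, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	return ct, PublishingLicense{SealedKey: sealed, Rights: rights}
}

// IssueUseLicense (server side): unseal the key with the server private key, refuse
// users not listed in the publishing license, re-seal the key to the recipient's public key.
func IssueUseLicense(server *rsa.PrivateKey, pl PublishingLicense, user string, rcpt *rsa.PublicKey) (UseLicense, error) {
	rights, ok := pl.Rights[user]
	if !ok {
		return UseLicense{}, errors.New("user has no rights in the publishing license")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.SealedKey, nil)
	if err != nil {
		return UseLicense{}, err
	}
	sealed, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt, key, nil)
	return UseLicense{SealedKey: sealed, Rights: rights}, nil
}
// Consume (recipient side): a use license sealed to a different user cannot be opened.
func Consume(rcpt *rsa.PrivateKey, ul UseLicense, ct []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, rcpt, ul.SealedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}
```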

  3. #3 (Join Date: Aug 2005)

    Re: Active Directory Rights Management Services (AD RMS)

    Procedure:

    To install RMS, you must go to Add Roles and select "Active Directory Rights Management Services".

    Additional components are required; they are proposed to be installed. Confirm the installation.

    When creating the first server, only the first option is available. It will be possible to add other servers later to ensure high availability services using the second option.

    The wizard will offer you to select a database. If the use of RMS within the company does not require high availability, for a small organization or only for lab use, the integrated database is sufficient. If advanced needs or high availability are required, then use a SQL server. In this case, provide the SQL Server information. It will be possible to change this setting later with an additional tool that we will cover later.

    RMS services require the use of a service account. The account must be a standard account with no specific duties. If, however, you decided to install on a DC, then it will need to be a member of the Domain Admins group. Finally, the account used must not be the account with which you are logged in to install RMS.

    Now you will be asked how the security key required to sign certificates should be stored. It is possible to use specific hardware or a specific cryptographic service to store it, or to store it centrally protected by a password.

    In my case, having no HSM hardware, I will use the encryption password. I am invited to specify it here.

    AD RMS requires IIS Web Services to be installed. We must indicate which website will be used. If you want a dedicated website rather than the Default Web Site, then create the site first.

    Connecting to the Web Services can be done using SSL, which I recommend. In this case we must ensure that the server certificate is already installed in IIS. The Validate button verifies that the settings are OK. Enter here a friendly name for the RMS certificate.

    As stated above, RMS requires Active Directory because RMS will create a Service Connection Point (SCP). To save the SCP, the user currently logged on for the installation of RMS must be a member of the Enterprise Admins group. The additional IIS components are recalled here; confirm with Next. A summary is displayed before confirming the installation.

    At the end of installation it is not necessary to reboot the server. However, you will need to log off and log on again for the changes to be taken into account. This is mainly due to changes in group membership in AD.


    To operate, the RMS server must have the following components:
    • Windows Server 2003
    • Active Directory
    • SQL Server 200x
    • ASP.Net
    • Message Queuing
    • IIS
    • RMS Server SP2 (only for the 2003 version; the 2008 version is already included)
    For the operation of the RMS client, the requirements are as follows:
    • Office 2003 Professional, 2007 - to publish documents (publish)
    • Office 2003, 2007 Standard - access to documents (consumption)
    • RMS Client SP2 (only for Office 2003)
    • RMS add-on (for Internet Explorer 6.0) - provides access to secure documents without Office installed.

    The distribution of the RMS client can be made through GPOs, SMS or manually.

    RMS is very functional, relatively easy to implement and above all a service that does not involve any additional cost in terms of licenses. Proposing a project of this type in a company where management may see it as implying a "small" distortion of the network is not always a simple undertaking. The presentation should leverage key aspects of security and must be supported by a well-made demo to show the practical use and benefits for the company to those who are not technically knowledgeable. Changing certain habits can sometimes be more complicated than implementing a system like RMS.

    The Rights Management Services solution strengthens the security restrictions for documents and other content based on business rules such as "do not send by email", "do not print", "do not save locally". The application then encodes the content and the publishing license. All content and rights remain encrypted during the process, ensuring their safety while they are moved. When a recipient opens rights-protected content, it sends a request to a rights management server to validate the user's credentials and rights of use. The service also supports round-trip scenarios, through which you can edit and upload new versions that preserve the rights management restrictions.

    Full integration with the Open Text ECM Suite enables organizations to rapidly deploy Rights Management Services with ease and protect all information assets stored in the Open Text Enterprise Library; it also allows you to align file access policies with the existing security levels. Since this is a shared service of the ECM suite, the rights management services are also available in any content application in the organization.

    The protections cover Microsoft Office 2003 and 2007 as well as all other file formats, including PDF, HTML, technical drawings, image files, ZIP files and more. In addition, users will be able to read and protect content displayed on their BlackBerry smartphone. Organizations will be able to protect and control content no matter where it is, and meet even more regulatory compliance needs in information security, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and other similar provisions around the world.
