Active Directory Rights Management Service (RMS)

10/10/2010 4:20:16 PM
If you were to poll 100 corporations, you would probably find that 99 of them have had a confidential e-mail or document leave their environment and fall into the hands of someone for whom it was not originally intended. Microsoft recognized this issue several years back and began working on a product named Rights Management Server (RMS). RMS is a great product and is in use at many companies, but its price often put it out of reach for many others. With Windows Server 2008, Microsoft has rebranded the product and incorporated it into the operating system itself. As industry and governmental restrictions continue to increase, along with the penalties for mishandling information, a technology such as RMS (or AD RMS in 2008) essentially became a demand on the part of customers. Although Microsoft includes the server portion in Windows Server 2008, don’t be fooled: there is still a Client Access License (CAL) for Rights Management. The three main functions of AD RMS are:
  • Creating rights-protected files and templates: Trusted users can create and manage protection-enhanced files using common authoring tools (including Office products such as Word, Excel, and Outlook), as well as templates from AD RMS-enabled applications.

  • Licensing rights-protected information: This is the key component of RMS. The service issues a special certificate, known as a rights account certificate, that identifies trusted objects, such as users and groups, which have the authority to generate rights-protected content.

  • Acquiring licenses to decrypt rights-protected content and applying usage policies: As the name implies, RMS works with Active Directory to determine whether a user holds the rights account certificate required to access rights-protected content.

As stated earlier, RMS has been around for some time, but there have been a number of advancements since the product was released. Let’s take a look at some of these features.

What’s New in RMS

We mentioned early on that probably the most substantial change from earlier versions of RMS is that it is no longer a separate product from Windows Server. Besides significantly lowering the barrier to entry for such a technology, this has also improved the installation and management of the product. At this stage, you should be familiar with how we install roles, and installing the RMS role is just as simple: the role installation also takes care of the prerequisites, such as IIS and Message Queuing. We will get to the installation and configuration of RMS later in this section. First, though, let’s look at three other areas where improvements have been made over the older product:

  • Self-Enrollment: In previous versions of RMS, an RMS server was forced to connect (via the Internet) to the Microsoft Enrollment Service in order to receive a server licensor certificate (SLC), which gives RMS the rights to issue licenses (and its own certificates). In Windows Server 2008, Microsoft has eliminated this need by bundling a self-enrollment certificate into Windows Server 2008, which signs the SLC itself.

  • Delegation of Roles: AD RMS now gives you the flexibility to delegate certain RMS roles out to other users/administrators. There are four RMS roles: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors. The RMS Service Group essentially holds the service account used by RMS. Enterprise Administrators has full control of all settings and policies—much like an Active Directory Enterprise Administrator. As the name implies, a Template Administrator has rights to create, modify, read, and export templates. Auditors have rights to only view RMS information, as well as logs and report generation.

  • Integration with Federation Services: We will be covering AD FS in the next section, but this integration makes it possible to share rights-protected documents with external entities.

RMS vs. DRMS in Vista

Digital Rights Management (DRM) is a tricky topic, particularly when couched in the common terms of the movie makers versus the general public. Since that discussion is intensely personal and very controversial, I want to steer clear of making any statements that endorse or condemn DRM—it is your decision whether or not to use it. The key differentiator between RMS and DRM is that DRM is generally used by content manufacturers (music companies, movie companies, and so on), whereas RMS is intended more for corporations that want to protect company-sensitive data.

With DRM, content producers intend to make sure their wishes are met when producing and distributing content—and it’s hard to argue with that goal. If you write the next Great American Novel, or you’ve painted “What the Mona Lisa Did Next,” you’re justified in releasing it only for what you consider to be appropriate recompense, or withholding it from the public until you are satisfied with your remuneration.

The objection to DRM (except from those who insist that all information, all art, and all content “wants to be free”) comes from putative content consumers who are concerned that their own ability to consume the content is unnecessarily restricted—they may want to view the movie they purchased on a different screen, or add subtitles to it so that they can watch it with a deaf relative.

Too much DRM protection on content means that the content is no longer acceptably usable by your targeted consumers—if your goal is to sell content to those consumers, clearly this is a losing proposition. You don’t make money by killing piracy, unless you make money by selling more products as a result.

For publicly available content, however, some protection may remind otherwise-honest consumers that the content they are viewing is not completely licensed to them, that distribution rights have not been granted, and that the content is only intended to be accessed through the method or media purchased. This is disappointing for the consumer who bought a DVD intending to watch it on a remote device, but not totally surprising. (If there is a market for watching movies on remote devices, maybe a smart company will come along and exploit it by licensing content for distribution in that way.)

Configuring RMS

Another day, another role. As you can imagine, we’re going to be using Server Manager to deploy Rights Management Server. A number of things need to be in place to make this work. During the installation process, we will configure a certificate (via IIS), then install and complete the configuration of the RMS server role. Let’s begin by configuring the certificate.

Configuring Rights Management Server

Select Start | Administrative Tools | Internet Information Services (IIS) Manager. We installed the IIS role earlier in this chapter.

Double-click the server name.

In the details pane, double-click Server Certificates.

Click Create Domain Certificate.

In the Common name field, type the fully qualified domain name (FQDN) of your server (Figure 1).

Figure 1. Creating a Domain Certificate

In the Organization field, enter a company name.

In the Organization Unit field, enter a division.

In the City/locality field, enter your city.

In the State/province field, enter your state, and then click Next.

Review the Online Certification Authority page, and click Select.

Select your Certificate Authority (Figure 2), and then click OK.

Figure 2. Selecting a Certificate Authority

In the Friendly name field, enter the NetBIOS name of this server (Figure 3), and click Finish.

Figure 3. Entering a Friendly Name

Now, let’s install the role.

Choose Start | Administrative Tools | Server Manager.

Scroll down to Role Summary, click Add Roles.

When the Before You Begin page opens, click Next.

On the Select Server Roles page, click Active Directory Rights Management Services.

In the Add Roles Wizard, click Add Required Role Services, and then click Next.

Click Next on the Active Directory Rights Management Services page.

Click Next on the Select Role Services page.

Click Next on the Create Or Join An AD RMS Cluster page.

Click Next on the Set Up Configuration Database page.

On the Specify Service Account page, click Specify to choose an account, and then click Next. This must be a dedicated domain account; it cannot be the same account you are using to install RMS.

Click Next on the Set Up Key Management page.

On the Specify Password for AD RMS Encryption page (Figure 4), enter a password and then click Next.

Figure 4. The AD RMS Encryption Page

Click Next on the Select Web Site page.

Review the information on the Specify Cluster Address page (Figure 5), click Validate, and then click Next.

Figure 5. Specifying a Cluster Address

Verify that Choose An Existing Certificate For Secure Socket Layer (SSL) Encryption is selected on the Choose A Server Authentication Certificate For SSL Encryption page (Figure 6), choose your server name, and then click Next. SSL provides secure communications on the Internet for such things as Web browsing, e-mail, Internet faxing, instant messaging, and other data transfers.

Figure 6. Setting SSL Encryption

Click Next on the Specify a Friendly Name for the Licensor Certificate page.

Click Next on the Set up Revocation page.

Click Next on the Register This AD RMS Server In Active Directory page.

Click Next on the Web Server page.

Click Next on the Select Role Services page.

Review the confirmation page, and then click Install.

When the installation is complete, click Close.

Next, we need to set up the RMS cluster settings. In AD RMS, a cluster is a single server, or a set of servers, that shares AD RMS publishing and licensing requests. Let’s walk through configuring the cluster settings.

Choose Start | Administrative Tools | Active Directory Rights Management Services.

Select your server.

Right-click the server and choose Properties.

Move to the SCP tab and select Change SCP. Click OK. The SCP is the service connection point, an Active Directory object that tells clients the connection URL for the service.

Click Yes in the Active Directory Rights Management Services dialog.

Right-click the server name, and then click Refresh.

Close the window.

At this stage, the server setup is complete. If you want to test the RMS functionality, you can create a document in Word or Excel 2007 and set its permissions from the Office button, using the Prepare options to restrict permission on the document.
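To confirm that the SCP, the domain certificate, and the HTTPS pipeline configured in the steps above actually line up, here is an added PowerShell check; it is not part of the original tutorial. It assumes it runs on the AD RMS server as a domain user who can read the configuration partition, and it takes the cluster host name from this server’s FQDN unless you pass `-ClusterHost`.

```powershell
# Added post-deployment check (not from the tutorial). Assumes: run on the
# AD RMS server, the cluster URL is https://<FQDN>, and the reader can read
# the SCP in the forest's configuration partition.
param(
    [string]$ClusterHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# 1. Read the service connection point registered by "Change SCP".
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
try {
    $scp    = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    $scpUrl = @($scp.serviceBindingInformation) -join ' '
} catch { throw "AD RMS SCP not found under $configNc : $($_.Exception.Message)" }
Write-Host "SCP URL: $scpUrl"
if ($scpUrl -notmatch '^https://') {
    Write-Warning 'SCP advertises an http:// cluster URL; clients would fetch licenses in clear text.'
}

# 2. The domain certificate created in IIS: CN must be the server FQDN and the
#    friendly name the NetBIOS name, as the steps above require.
$pattern = 'CN=' + [regex]::Escape($ClusterHost) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with CN=$ClusterHost in LocalMachine\My."
} elseif ($cert.FriendlyName -ne $env:COMPUTERNAME) {
    Write-Warning "Certificate friendly name is '$($cert.FriendlyName)', expected '$env:COMPUTERNAME'."
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before clients lose access."
}

# 3. Probe the certification pipeline over TLS and report the presented
#    certificate; a name mismatch or untrusted chain breaks client enrollment.
$pipeline = "https://$ClusterHost/_wmcs/certification/certification.asmx"
$req = [System.Net.HttpWebRequest]::Create($pipeline)
$req.UseDefaultCredentials = $true
try {
    $resp = $req.GetResponse()
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        $req.ServicePoint.Certificate
    Write-Host "Pipeline answered $([int]$resp.StatusCode); TLS subject: $($presented.Subject)"
    $resp.Close()
} catch [System.Net.WebException] {
    Write-Warning "Pipeline request to $pipeline failed: $($_.Exception.Message)"
}
```

Any warning the script prints points at one of the wizard pages above (SCP, domain certificate, or SSL certificate selection) that needs revisiting before clients are pointed at the cluster.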
