If you were to poll 100 corporations, you would probably find that 99 of them have had a confidential e-mail or document leave their environment and fall into the hands of someone for whom it was not originally intended. Microsoft recognized this issue several years back and began working on a product named Rights Management Server (RMS). RMS is a great product and is in use at many companies, but its price often put it out of reach for many others. With Windows Server 2008, Microsoft has rebranded the product and incorporated it into the operating system itself. As industry and governmental restrictions continue to increase, along with the penalties for mishandling information, providing a technology such as RMS (or AD RMS in 2008) essentially became a demand on the part of customers. Although Microsoft is including the server portion in Windows Server 2008, don’t be fooled—there is still a Client Access License (CAL) for Rights Management. The three main functions of AD RMS are:
Creating rights-protected files and templates:
Trusted users can create and manage protection-enhanced files using common authoring tools (including Office products such as Word, Excel, and Outlook), as well as templates from AD RMS-enabled applications.
Licensing rights-protected information:
This is the key component of RMS. It issues a special certificate, known as a rights account certificate, that identifies trusted objects, such as users and groups, which have the authority to generate rights-protected content.
Acquiring licenses to decrypt rights-protected content and applying usage policies:
As the name implies, RMS works with Active Directory to determine whether users have the required rights account certificate to access rights-protected content.
As stated earlier, RMS has been around for some time, but there have been a number of advancements since the product was released. Let’s take a look at some of these features.
What’s New in RMS
We mentioned early on that probably the most substantial change from earlier versions of RMS is the fact that it is no longer a separate product from Windows Server. Besides the fact that this significantly reduces the barrier to entry for such a technology, it has also improved the installation and management of the product. At this stage, you should be familiar with how we install roles; the RMS installation also takes care of the prerequisites—such as IIS and Message Queuing—during the installation process. Isn’t it exciting to know that installing the RMS role is just as simple? We will get to the installation and configuration of RMS later in this section. First, though, let’s look at three other areas where improvements have been made over the older product:
Self-Enrollment:
In previous versions of RMS, an RMS server was forced to connect (via the Internet) to the Microsoft Enrollment Service in order to receive a server licensor certificate (SLC), which gives RMS the right to issue licenses (and its own certificates). In Windows Server 2008, Microsoft has eliminated this need by bundling a self-enrollment certificate into Windows Server 2008, which signs the SLC itself.
Delegation of Roles:
AD RMS now gives you the flexibility to delegate certain RMS roles to other users or administrators. There are four RMS roles: AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors. The AD RMS Service Group essentially holds the service account used by RMS. Enterprise Administrators have full control of all settings and policies—much like an Active Directory Enterprise Administrator. As the name implies, a Template Administrator has rights to create, modify, read, and export templates. Auditors have rights only to view RMS information, as well as logs and report generation.
Integration with Federation Services:
We will be covering AD FS in the next section, but this integration provides the ability to share rights-protected documents with external entities.
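Because the four roles decide who can change policy, templates, or read audit data, an auditor will want to check who actually holds each one. The following PowerShell script is an added example, not code from the book or from Microsoft: it assumes the four roles are implemented as local security groups on the AD RMS server, named exactly as listed above, and compares their membership to an approved list. The CONTOSO\… values are constructed placeholders.

```powershell
# Added example, not from the book: audit who holds each of the four AD RMS
# roles. Assumption: the roles are implemented as local security groups on the
# AD RMS server, named exactly as the roles are listed above.

$rmsRoles = @(
    "AD RMS Service Group",
    "AD RMS Enterprise Administrators",
    "AD RMS Template Administrators",
    "AD RMS Auditors"
)

# Approved membership per role. These DOMAIN\name values are constructed
# placeholders; replace them with the accounts your change control approved.
$expectedMembers = @{
    "AD RMS Service Group"             = @("CONTOSO\svc-adrms")
    "AD RMS Enterprise Administrators" = @("CONTOSO\RMS-EnterpriseAdmins")
    "AD RMS Template Administrators"   = @("CONTOSO\RMS-TemplateAdmins")
    "AD RMS Auditors"                  = @("CONTOSO\RMS-Auditors")
}

function Get-RmsRoleMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($role in $rmsRoles) {
        $group = [ADSI]"WinNT://$ComputerName/$role,group"
        # The WinNT provider returns members as COM objects; read each member's
        # ADsPath (WinNT://DOMAIN/name) and rewrite it as DOMAIN\name.
        $members = @($group.psbase.Invoke("Members")) | ForEach-Object {
            $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
            ($path -replace '^WinNT://', '') -replace '/', '\'
        }
        New-Object PSObject -Property @{
            Role    = $role
            Members = @($members)
        }
    }
}

function Test-RmsRoleMembership {
    param([string]$ComputerName = $env:COMPUTERNAME)
    foreach ($entry in Get-RmsRoleMembers -ComputerName $ComputerName) {
        $expected   = $expectedMembers[$entry.Role]
        # Unexpected = accounts delegated the role outside policy
        $unexpected = @($entry.Members | Where-Object { $expected -notcontains $_ })
        # Missing = approved accounts that no longer hold the role
        $missing    = @($expected | Where-Object { $entry.Members -notcontains $_ })
        New-Object PSObject -Property @{
            Role       = $entry.Role
            Unexpected = $unexpected
            Missing    = $missing
        }
    }
}

Test-RmsRoleMembership | Format-List Role, Unexpected, Missing
```

Run it on the AD RMS server itself, or pass -ComputerName to query a remote server with an account that can read its local groups. Any name in Unexpected for the Enterprise Administrators role deserves the same scrutiny as an unexpected Domain Admin, since that role controls every RMS policy.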
RMS vs. DRMS in Vista
Digital Rights Management (DRM) is a tricky topic, particularly when couched in the common terms of the movie makers versus the general public. Since that discussion is intensely personal and very controversial, I want to steer clear of making any statements that endorse or condemn DRM—it is your decision whether or not to use it. The key differentiator between RMS and DRM is that DRM is generally used by content manufacturers (music companies, movie companies, and so on), whereas RMS is intended more for corporations that want to protect company-sensitive data.
With DRM, content producers intend to make sure their wishes are met when producing and distributing content—and it’s hard to argue with that goal. If you write the next Great American Novel, or you’ve painted “What the Mona Lisa Did Next,” you’re justified in releasing it only for what you consider to be appropriate recompense, or withholding it from the public until you are satisfied with your remuneration.
The objection to DRM (except from those who insist that all information, all art, and all content “wants to be free”) comes from putative content consumers who are concerned that their own ability to consume the content is unnecessarily restricted—they may want to view the movie they purchased on a different screen, or add subtitles to it so that they can watch it with a deaf relative.
Too much DRM protection on content means that the content is no longer acceptably usable by your targeted consumers—if your goal is to sell content to those consumers, clearly this is a losing proposition. You don’t make money by killing piracy, unless you make money by selling more products as a result.
For publicly available content, however, some protection may remind otherwise-honest consumers that the content they are viewing is not completely licensed to them, that distribution rights have not been granted, and that the content is only intended to be accessed through the method or media purchased. This is disappointing for the consumer who bought a DVD intending to watch it on a remote device, but not entirely surprising. (If there is a market for watching movies on remote devices, maybe a smart company will come along and exploit it by licensing content for distribution in that way.)
Configuring RMS
Another day, another role. As you can imagine, we’re going to be using Server Manager to deploy Rights Management Server. In order to make this work, a number of things will be in play. During the installation process, we will need to configure a certificate (via IIS), and then install and complete the configuration of the RMS server role. Let’s begin by configuring the certificate.
1. Select Start | Administrative Tools | Internet Information Services (IIS) Manager. We installed the IIS role earlier in this chapter.
2. Double-click the server name.
3. In the details pane, double-click Server Certificates.
4. Click Create Domain Certificate.
5. In the Common name field, type the FQDN of your server (Figure 1).
6. In the Organization field, enter a company name.
7. In the Organization Unit field, enter a division.
8. In the City/locality field, enter your city.
9. In the State/province field, enter your state, and then click Next.
10. Review the Online Certification Authority page, and click Select.
11. Select your Certificate Authority (Figure 2), and then click OK.
12. In the Friendly name field, enter the NetBIOS name of this server (Figure 3), and click Finish.
Now, let’s install the role.
1. Choose Start | Administrative Tools | Server Manager.
2. Scroll down to Role Summary, and click Add Roles.
3. When the Before You Begin page opens, click Next.
4. On the Select Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles Wizard, click Add Required Role Services, and then click Next.
6. Click Next on the Active Directory Rights Management Services page.
7. Click Next on the Select Role Services page.
8. Click Next on the Create Or Join An AD RMS Cluster page.
9. Click Next on the Set Up Configuration Database page.
10. On the Specify Service Account page, click Specify to choose an account, and then click Next. This cannot be the same account you are using to install RMS.
11. Click Next on the Set Up Key Management page.
12. On the Specify Password for AD RMS Encryption page (Figure 4), enter a password and then click Next.
13. Click Next on the Select Web Site page.
14. Review the information on the Specify Cluster Address page (Figure 5), click Validate, and then click Next.
15. Verify that Choose An Existing Certificate For Secure Socket Layer (SSL) Encryption is selected on the Choose A Server Authentication Certificate For SSL Encryption page (Figure 6), choose your server name, and then click Next. SSL provides secure communications on the Internet for such things as Web browsing, e-mail, Internet faxing, instant messaging, and other data transfers.
16. Click Next on the Specify a Friendly Name for the Licensor Certificate page.
17. Click Next on the Set Up Revocation page.
18. Click Next on the Register This AD RMS Server In Active Directory page.
19. Click Next on the Web Server page.
20. Click Next on the Select Role Services page.
21. Review the confirmation page, and then click Install.
22. When the installation is complete, click Close.
Next, we need to set up the RMS cluster settings. In this case, a cluster is a single server—or set of servers—that shares AD RMS publishing and licensing requests. Let’s walk through configuring the cluster settings.
1. Choose Start | Administrative Tools | Active Directory Rights Management Services.
2. Select your server.
3. Right-click the server and choose Properties.
4. Move to the SCP tab and select Change SCP. Click OK. The SCP is the service connection point that identifies the connection URL for the service to the clients.
5. Click Yes in the Active Directory Rights Management Services dialog.
6. Right-click the server name, and then click Refresh.
7. Close the window.
At this stage, the server setup is complete. If you wanted to test the RMS functionality, you could create a document in Word or Excel 2007 and set the permissions by clicking the Office ribbon and preparing access restrictions.
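Two things in this procedure are easy to get subtly wrong and hard to notice from the wizard alone: the certificate requested in IIS must carry the server’s FQDN as its common name, and the SCP published in Active Directory must point clients at an https URL that presents that certificate. The following PowerShell script is an added example, not code from the book or from Microsoft: it reads the SCP from the directory and performs an SSL handshake against the advertised cluster URL, reporting whether the certificate name matches the host, whether it has expired, and whether the chain validates. It assumes that the SCP object lives at CN=SCP,CN=RightsManagementServices,CN=Services under the forest’s configuration naming context and that its serviceBindingInformation attribute holds the cluster URL.

```powershell
# Added example, not from the book: read the AD RMS service connection point
# (SCP) from Active Directory and verify that the cluster URL it publishes
# answers over SSL with a valid certificate issued to the server FQDN.
# Assumptions: the SCP object lives at
# CN=SCP,CN=RightsManagementServices,CN=Services,<configuration naming context>
# and carries the cluster URL in its serviceBindingInformation attribute.

function Get-RmsScpUrl {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $scp = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    [string]$scp.serviceBindingInformation
}

function Test-RmsClusterCertificate {
    param([string]$Url)
    $uri = New-Object System.Uri $Url
    $result = New-Object PSObject -Property @{
        Url = $Url; IsHttps = ($uri.Scheme -eq "https")
        Subject = $null; DnsName = $null; NotAfter = $null
        HostMatches = $false; ChainValid = $false; Expired = $null
    }
    # An http SCP means clients would talk to the cluster with no encryption at all.
    if (-not $result.IsHttps) { return $result }

    $script:chainErrors = $null
    # Record the chain verdict instead of throwing, so the report shows why it failed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:chainErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $result.Subject  = $cert.Subject
        $result.DnsName  = $dnsName
        $result.NotAfter = $cert.NotAfter
        $result.Expired  = ($cert.NotAfter -lt (Get-Date))
        # Step 5 of the IIS certificate request set the common name to the FQDN;
        # the host name in the SCP URL must match it or clients will reject the cluster.
        $result.HostMatches = ($dnsName -eq $uri.Host)
        $result.ChainValid  = ($script:chainErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }
    $result
}

$scpUrl = Get-RmsScpUrl
Test-RmsClusterCertificate -Url $scpUrl | Format-List
```

Run it from a domain-joined machine that can reach the cluster, not only from the RMS server itself; that way the chain check exercises the same trust path an Office client will use when it fetches a rights account certificate. A result with IsHttps false, HostMatches false, or ChainValid false explains most “cannot connect to the licensing server” complaints before anyone opens a rights-protected document.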