programming4us
programming4us
SECURITY

Windows Server 2008 : Transport-Level Security - Active Directory Rights Management Services

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
Active Directory Rights Management Services (AD RMS) is a Digital Rights Management (DRM) technology that allows for restrictions to be placed on how content is managed, transmitted, and viewed. RMS uses PKI technology to encrypt content such as documents and email messages, and only allows access to view said content if restrictions are placed on the content, such as disabling the ability to print, cut/paste, and/or forward information.

AD RMS in Windows Server 2008 R2 is the next iteration of the Windows Rights Management Server technology that has been developed over a period of several years. In addition to retaining existing functionality, it adds tighter integration with Active Directory Domain Services (AD DS) and greater scalability.

Understanding the Need for AD RMS

Many organizations are faced with the problem of defining how their intellectual property can be managed after it has been distributed. Several high-profile leaks of sensitive internal emails from major corporations have exposed the need to manage and restrict how email that contains sensitive corporate information is disseminated.

The problem stems from the fact that computer systems have historically been good at restricting information to unauthorized individuals, but as soon as an authorized individual gains access to that data, those organizations have traditionally lost control over what is done with the content. Authorized individuals have copied documents offsite, emailed sensitive information, had their laptops stolen, and have found a myriad of other ways to lose control of an organization’s confidential information.

Active Directory RMS was designed to give the control back to an organization. It allows enforcement personnel the ability to restrict how a document is transmitted, printed, copied, or when it expires. Integration with Active Directory Domain Services allows the content to be only decrypted by individuals stipulated in the policies as well.

Note

Changes to RMS-protected documents are not reflected unless the document itself is “republished” and the client does not have the use license cached in conjunction with a local copy of the RMS-protected document. If the original use license has not expired, users will continue to have access to protected documents that have either not been republished or have been moved from the location of the newly published document.


AD RMS also includes a role service known as Identity Federation. Installing this service allows an organization to share rights-protected content with other organizations.

Understanding AD RMS Prerequisites

Before installing AD RMS, the following prerequisites must be satisfied:

  • Create a service account for RMS within AD DS. The service account must be different from the account that is used to install RMS.

  • The AD RMS server must be a domain member within the domain of the user accounts that will use the service.

  • An AD RMS root cluster for certification and licensing must be created.

  • A fully qualified domain name resolvable from the locations where RMS files will be consumed needs to be set up. For example, rms.companyabc.com can be set up for clients to be able to connect to the AD RMS server to validate their RMS rights.

  • A server running SQL Server must be available to store the AD RMS databases. It is highly recommended to use an alternate server than the one where AD RMS is installed.

Installing AD RMS

Installation of AD RMS can be performed using the Server Manager utility, by adding the AD RMS role to the server. The process of adding the AD RMS role is as follows:

1.
Open Server Manager (Start, All Programs, Administrative Tools, Server Manager).

2.
In the Nodes pane, select Roles, and then click the Add Roles link in the tasks pane.

3.
Click Next at the welcome page.

4.
On the Select Server Roles page, check the box for Active Directory Rights Management Services. If prompted to add additional services and features such as IIS or the Message Queuing Service, choose to add the Required Role Services, and then click Next to continue.

5.
Review the Introduction page, and click Next to continue.

6.
On the Select Role Services page, shown in Figure 1, select which components to install. In this case, only the core AD RMS role service is installed. Click Next to continue.

Figure 1. Installing AD RMS.

7.
On the AD RMS Cluster page, choose to Create a New AD RMS Cluster, and click Next to continue.

8.
On the Select Configuration Database page, choose whether to install the limited Windows Internal Database service (not recommended) or to create an RMS database on a separate server running SQL Server 200x.

9.
On the Specify Service Account page, shown in Figure 2, choose which service account will be used for RMS by using the Specify button. It cannot be the same account that is used to install AD RMS.

Figure 2. Specifying the RMS Service Account.

10.
On the subsequent page, select Use AD RMS Centrally Managed Key Storage, and click Next.

11.
Enter a strong password when prompted, and click Next to continue.

12.
Confirm which IIS website (Default Web Site for a dedicated build) will hold the AD RMS web services, and click Next to continue.

13.
Type the FQDN that will be used for the AD RMS service. For this example, enter rms.companyabc.com, and then click the Validate button. The FQDN must already be set up to resolve to the IP address of the IIS website on the RMS server. Click Next to continue.

Note

Using an SSL certificate for an HTTPS connection to the RMS server is recommended, and can be enabled from this wizard.

14.
If using SSL to protect the IIS website, select the certificate.

15.
Enter a descriptive name for the RMS cluster, and click Next to continue.

16.
On the AD RMS Service Connection Point Registration page, click Next to register the Service Connection Point (SCP) in AD DS.

17.
If installing IIS at the same time, accept the defaults for setup by clicking Next, and then clicking Next again.

18.
Click Install to finalize the installation wizard. It might take a while for the installation to complete.

19.
Click Finish when the wizard is complete. Restart the server and log back on to complete the install.

Other  
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
programming4us
 
 
programming4us