Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS), formerly known simply as Rights Management Services, is designed to extend the reach of your internal network to the outside world. However, this time, the extension applies to intellectual property.

Use the buttons below to navigate through the lesson

In the first days of computing, software manufacturers went to great lengths to protect their software from theft. Even today, some vendors require the use of hardware keys for their software to run. Others have resorted to a Web-based approval and validation process. For example, with the release of Windows Vista, Microsoft introduced a new licensing scheme, one option of which is a Key Management Server (KMS), to validate the licensed versions of Microsoft Windows you use.

AD RMS enables you to protect your intellectual property through the integration of several features. In fact, in addition to a direct integration with Active Directory Domain Services (AD DS),AD RMS can also rely on both Active Directory Certificate Services (AD CS) and Active Directory Federation Services (AD FS).

AD CS can generate the public key infrastructure (PKI) certificates that AD RMS can embed in documents. AD FS extends your AD RMS policies beyond the firewall and supports the protection of your intellectual property among your business partners.

Understanding AD RMS

As mentioned earlier, AD RMS is an updated version of the Microsoft Windows Rights Management Services available in Microsoft Windows Server 2003. With this release, Microsoft has included several new features that extend the functionality included in AD RMS. However, the scenarios you use to deploy AD RMS remain the same.

AD RMS works with a special AD RMS client to protect sensitive information. Protection is provided through the AD RMS server role, which is designed to provide certificate and licensing management. Information, configuration and logging is persisted in a database. In test environments, you can rely on the Windows Internal Database (WID) included in Windows Server 2008, but in production environments, you should rely on a formal database engine such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008 running on a separate server.

This will provide the ability to load balance AD RMS through the installation of multiple servers running this role. WID does not support remote connections; therefore, only one server can use it. Internet Information Services (IIS) 7.0 provides the Web services upon which AD RMS relies, and the Microsoft Message Queuing service ensures transaction coordination in distributed environments. The AD RMS client provides access to AD RMS features on the desktop. In addition, an AD DS directory provides integrated authentication and administration. AD RMS relies on AD DS to authenticate users and verify that they are allowed to use the service.

The first time you install an AD RMS server, you create an AD RMS root cluster by default. A root cluster is designed to handle both certification and licensing requests. Only one root cluster can exist in an AD DS forest. You can also install licensing-only servers, which automatically form a licensing cluster. Clusters are available only if you deployed the AD RMS database on a separate server. Each time you add a new AD RMS server with either the root or the licensing role, it is automatically integrated into the corresponding existing cluster. Microsoft recommends that you rely on the root role more than on the licensing-only role for two reasons:

  • Root clusters handle all AD RMS operations and are, therefore, multifunctional.
  • Root and licensing-only clusters are independent; that is, they cannot share load balancing of the service. If you install all your servers as root servers, they automatically load balance each other.

After the infrastructure is in place, you can enable information-producing applications such as word processors, presentation tools, e-mail clients, and custom in-house applications to rely on AD RMS to provide information protection services. As users create the information, they define who will be able to read, write, modify, print, transfer, and otherwise manipulate the information. In addition, you can create policy templates that can apply a given configuration to documents as they are created.

Usage rights are embedded directly within the documents you create so that the information remains protected even if it moves beyond your zone of authority. For example, if a protected document leaves your premises and arrives outside your network, it will remain protected because AD RMS settings are persistent. AD RMS offers a set of Web services, enabling you to extend it and integrate its features in your own information-producing applications. Because they are Web services, organizations can use them to integrate AD RMS features even in non- Windows environments.

New AD RMS Features

  • AD RMS is now a server role that is integrated into Windows Server 2008. In previous releases, the features supported by AD RMS were in a package that required a separate download. In addition, the Server Manager installation provides all dependencies and required component installations as well. Also, if no remote database is indicated during installation, Server Manager will automatically install Windows Internal Database.
  • As with most of the Windows Server 2008 server roles, AD RMS is administered through a Microsoft Management Console (MMC). Previous versions provided administration only through a Web interface.
  • AD RMS now also includes direct integration with Active Directory Federation Services, enabling you to extend your rights management policies beyond the firewall with your partners. This means your partners do not need their own AD RMS infrastructures and can rely on yours through AD FS to access AD RMS features. In previous releases, you could rely on only Windows Live IDs to federate RMS services. With the integration of AD RMS and AD FS, you no longer need to rely on a third party to protect information.

However, to use federation, you must have an established federated trust before you install the AD RMS extension that integrates with AD FS, and you must use the latest RMS client—the Windows Vista client or the RMS client with SP2 for versions of Windows earlier than Windows Vista.

  • AD RMS servers are also self-enrolled when they are created. Enrollment creates a server licensor certificate (SLC), which grants the server the right to participate in the AD RMS structure. Earlier versions required access to the Microsoft Enrollment Center through the Internet to issue and sign the SLC. AD RMS relies on a self-enrollment certificate that is included in Windows Server 2008. Because of this, you can now run AD RMS in isolated networks without requiring Internet access of any kind.
  • Finally, AD RMS includes new administration roles so that you can delegate specific AD RMS tasks without having to grant excessive administration rights.

Four local administrative roles are created:

  • AD RMS Enterprise Administrators, which can manage all aspects of AD RMS. This group includes the user account used to install the role as well as the local administrators group.
  • AD RMS Template Administrators, which supports the ability to read information about the AD RMS infrastructure as well as list, create, modify, and export rights policy templates.
  • AD RMS Auditors, which enables members to manage logs and reports. Auditors have read-only access to AD RMS infrastructure information.
  • AD RMS Service, which contains the AD RMS service account that is identified during the role installation.

AD RMS publishing process

  1. User is trusted and receives rights account certificate (RAC).
  2. User creates content with AD RMS–enabled application.
  3. User relies on policy template to assign rights to content.
  4. AD RMS issues a publishing license to content, and content is encrypted.
  5. Other users use AD RMS–enabled applications to view content.
  6. AD RMS–enabled application requests use license from AD RMS servers.
  7. User rights are verified; if authorized, license is issued; if not, access is denied.
  8. User license is assigned to content for its entire lifetime (online and offline).

AD RMS Installation Scenarios

Single server deployment

Install AD RMS on a single server. This installs the WID as the support database. Because all the components are local, you cannot scale this deployment to support high availability. Use the single server deployment only in test environments. If you want to use this deployment to test AD RMS beyond the firewall, you will have to add appropriate AD RMS exceptions.

Internal deployment

Install AD RMS on multiple servers tied to an AD DS directory. You must use a separate server to host the AD RMS database; otherwise, you will not be able to load balance the AD RMS role.

Extranet deployment

When users are mobile and do not remain within the confines of your network, you must deploy AD RMS in an extranet a special perimeter network that provides internal services to authorized users.
In this scenario, you will need to configure appropriate firewall exceptions and add a special extranet URL on an external-facing Web server to allow external client connections.

Multiforest deployment

When you have existing partnerships that are based on AD DS forest trusts, you must perform a multiforest deployment. In this case, you must deploy multiple AD RMS installations, one in each forest. Then, assign a Secure Sockets Layer (SSL) certificate to each Web site that hosts the AD RMS clusters in each forest. You must also extend the AD DS forest schema to include AD RMS objects. However, if you are using Microsoft Exchange Server in each forest, the extensions will already exist. Finally, your AD RMS service account, the account that runs the service, will need to be trusted in each forest.

Licensing-only server deployment

In complex forest environments, you might want to deploy a licensing-only AD RMS cluster in addition to the root cluster. In this case, you must first assign an SSL certificate to the Web site hosting the AD RMS root cluster and then install the root cluster. After you meet these conditions, you can install licensing only servers.

AD RMS Certificates

Server licensor certificate (SLC)

The SLC is a self-signed certificate generated during the AD RMS setup of the first server in a root cluster. Other members of the root cluster will share this SLC. If you create a licensing-only cluster, it will generate its own SLC and share it with members of its cluster. The default duration for an SLC is 250 years.

Rights account certificate (RAC)

RACs are issued to trusted users who have an e-mail-enabled account in AD DS. RACs are generated when the user first tries to open rights protected content. Standard RACs identify users in relation to their computers and have a duration of 365 days. Temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes. The RAC contains the public key of the user as well as his or her private key. The private key is encrypted with the computer’s private key.

Client licensor certificate (CLC)

After the user has a RAC and launches an AD RMS–enabled application, the application automatically sends a request for a CLC to the AD RMS cluster. The client computer must be connected for this process to work, but after the CLC is obtained, the user can apply AD RMS policies even offline. Because the CLC is tied to the client’s RAC, it is automatically invalidated if the RAC is revoked. The CLC includes the client licensor public key, the client licensor private key that is encrypted by the user’s public key, and the AD RMS cluster’s public key. The CLC private key is used to encrypt content.

Machine certificate

The first time an AD RMS–enabled application is used, a machine certificate is created. The AD RMS client in Windows automatically manages this process with the AD RMS cluster. This certificate creates a lockbox on the computer to correlate the machine certificate with the user’s profile. The machine certificate contains the public key for the activated computer. The private key is contained within the lockbox on the computer.

Publishing license

The publishing license is created when the user saves content in a rights-protected mode. This license lists which users can use the content and under which conditions, as well as the rights each user has to the content. This license includes the symmetric content key for decrypting content as well as the public key of the cluster.

Use license

The use license is assigned to a user who opens rights-protected content. It is tied to the user’s RAC and lists the access rights the user has to the content. If the RAC is not available, the user cannot work with rights-protected content. It contains the symmetric key for decrypting content. This key is encrypted with the public key of the user.