By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.

For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at http://technet.microsoft.com/en-us/windowsserver/dd448611.aspx.

What is AD RMS?

An AD RMS system includes a Windows Server 2008– or Windows Server 2008 R2–based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista and Windows 7 operating systems. Deploying an AD RMS system provides the following benefits to your organization:

  • Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.
  • Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
  • Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

AD RMS combines the features of Rights Management Services (RMS), developer tools, and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.

Benefits of Deploying AD RMS

Organizations of all sizes are challenged to protect valuable digital information against careless mishandling and malicious use. The increasing incidence of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital content. The growing use of computers to create and work with these types of sensitive information, the introduction of extensive connectivity through private and public networks (including the Internet), and the appearance of increasingly powerful computing devices have made protecting organizational data an essential security consideration.

Types of digital content can include dynamic, database-driven reports on an information portal, confidential e-mail messages, strategic planning documents, military defense reports, and other sensitive files. This section describes some basic reasons why you might want to deploy AD RMS to protect content.

Vulnerable Organizational Information

Organizations create and use a broad assortment of valuable content that they want and need to protect. The following list provides examples of content that you can protect by using AD RMS:

  • Traditional digital files and information. Typical examples of traditional digital files and information are e-mail communications, project-related documents, confidential reports, marketing plans, and product overviews. Information workers share these documents regularly through e-mail messages, conferencing applications, disk shares, and server-based or peer-to-peer systems. This category can also include other sensitive content, such as employee performance reviews and personal records that users might need or want to maintain in a secure, readily available state.
  • Proprietary organizational information. Senior management uses this information to administer, monitor, and direct an organization's activities. This proprietary content might include an organization's sales and market share reports, financial performance information, and strategic forecasts and overviews. Improper distribution or use of such content might cause significant damage to an organization, either in the competitive market or in a court of law.

Deploying AD RMS can be an important part of a security strategy to protect this vulnerable content.

Enhanced Network Security

Protecting digital content is a difficult and ongoing task. Typically, organizations work to secure digital files and information by using perimeter-based security methods. Firewalls can limit access to the corporate network, and discretionary access control lists (DACLs) can restrict access to specific data. In addition, organizations can use encryption and authentication technologies and products (such as public key infrastructure [PKI] and Kerberos) to help secure e-mail while it is in transit, as well as to help ensure that the intended recipients are the first recipients to open the messages.

These methods help organizations control access to sensitive content. However, recipients are still free to do whatever they want with the content that they receive. After the user is authenticated and the content is decrypted, no restrictions control what can be done with the content or where it can be sent. Perimeter-based security methods cannot enforce business rules that control how people use and distribute the content outside the network perimeter, or after the perimeter is breached.

If you rely on individual discretion and responsibility for the manner in which digital content is shared and used, an unacceptable degree of risk might be introduced into this network security model. Even accidental security breaches can cause serious harm. For example, users could mistakenly forward sensitive e-mail messages or documents to recipients who have potentially malicious intent.

In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital content. For example, many organizations must comply with Securities and Exchange Commission (SEC) fair disclosure codes, which address the problem of selective disclosure of certain information to inside investors. Similarly, the finance, healthcare, and legal sectors are increasingly challenged by the need to better protect digital content because of emerging legislative standards.

Without an end-to-end software solution such as AD RMS in place to effectively control the use of digital content no matter where it goes, the content can too easily end up in the wrong hands, whether maliciously or accidentally.

Better Protection for Digital Content

Digital content must be better protected. Although no form of information will ever be invulnerable to unauthorized use, and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution that safeguards information.

As an essential part of an organization's security strategy, a solution for better information protection should provide the means to control how content is used and distributed beyond simple access control. A solution for better information protection should:

  • Help protect an organization's records and documents on the company intranet, as well as from being shared with unauthorized users.
  • Help keep that content secure and tamper-resistant.
  • Expire content based on time requirements when appropriate, even when that content is sent over an extranet to other organizations.

AD RMS provides all of these capabilities. For more information, see How AD RMS works.

Features in AD RMS

By using Server Manager, you can set up the following components of AD RMS:

  • Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the AD RMS components used to publish and consume rights-protected content.
  • Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services.

Hardware and software considerations

AD RMS runs on a computer running the Windows Server 2008 or Windows Server 2008 R2 operating systems. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.

The following table describes the minimum hardware requirements and recommendations for running Windows Server 2008– and Windows Server 2008 R2–based servers with the AD RMS server role.

Requirement                                  Recommendation
One Pentium 4 3 GHz processor or higher      Two Pentium 4 3 GHz processors or higher
512 MB of RAM                                1024 MB of RAM
40 GB of free hard disk space                80 GB of free hard disk space

Note: A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.

To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needed for your server.

The following list describes the software requirements for running Windows Server 2008– and Windows Server 2008 R2–based servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.

  • Operating system. Windows Server 2008 or Windows Server 2008 R2, except for Windows Web Server 2008 or Windows Web Server 2008 R2.
  • File system. The NTFS file system is recommended.
  • Messaging. Message Queuing.
  • Web services. Internet Information Services (IIS); ASP.NET must be enabled.
  • Active Directory or Active Directory Domain Services. AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
  • Database server. AD RMS requires a database server, such as Microsoft SQL Server 2005, and stored procedures to perform operations.
  • Client software. The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. To create rights-protected content, Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security, AD RMS can be integrated with other technologies such as smart cards. Windows Vista and Windows 7 include the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows Server 2008.
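As an added example (not from this page or from Microsoft), the following PowerShell script checks the hardware and software requirements listed above on the server where the AD RMS role will be installed, including the requirement that licensing and publishing users have an e-mail address in Active Directory. It assumes Windows Server 2008 R2, where the ServerManager and ActiveDirectory modules ship, an elevated session, and the Server Manager feature names Web-Server, Web-Asp-Net and MSMQ for IIS, ASP.NET and Message Queuing.

```powershell
# Added example, not Microsoft's code: pre-installation checks for the AD RMS
# server role, following the requirements table on this page. Assumes Windows
# Server 2008 R2 (ServerManager and ActiveDirectory modules) and an elevated shell.
Import-Module ServerManager
Import-Module ActiveDirectory

function New-CheckResult($Check, $Passed, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Passed = [bool]$Passed; Detail = "$Detail" }
}

function Test-AdRmsPrerequisites {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem
    $sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Operating system: Windows Server 2008 or 2008 R2, but not the Web Server editions.
    New-CheckResult 'Operating system' `
        (($os.Caption -match 'Windows Server 2008') -and ($os.Caption -notmatch 'Web Server')) $os.Caption

    # Minimum hardware from the table (512 MB RAM, 40 GB free); 1024 MB / 80 GB are recommended.
    $ramMB  = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # WMI reports kilobytes
    $freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
    New-CheckResult 'RAM >= 512 MB (1024 MB recommended)' ($ramMB -ge 512) "$ramMB MB"
    New-CheckResult 'Free disk >= 40 GB (80 GB recommended)' ($freeGB -ge 40) "$freeGB GB on $($sys.DeviceID)"

    # File system: NTFS is recommended for the system volume.
    New-CheckResult 'NTFS system volume' ($sys.FileSystem -eq 'NTFS') $sys.FileSystem

    # AD RMS must be installed in an Active Directory domain.
    New-CheckResult 'Domain-joined' $cs.PartOfDomain $cs.Domain

    # IIS, ASP.NET and Message Queuing: the role installer adds them if missing,
    # so a failure here is informational rather than blocking.
    foreach ($name in 'Web-Server', 'Web-Asp-Net', 'MSMQ') {
        $f = Get-WindowsFeature $name
        $state = if ($f.Installed) { 'installed' } else { 'not installed; added by the AD RMS role installer' }
        New-CheckResult "Feature $name" $f.Installed $state
    }

    # Users who publish or consume protected content need a mail address in AD;
    # the mail filter runs server-side, the Enabled filter client-side.
    $noMail = @(Get-ADUser -Filter 'mail -notlike "*"' | Where-Object { $_.Enabled } |
                Select-Object -ExpandProperty SamAccountName)
    New-CheckResult 'Enabled users have e-mail address' ($noMail.Count -eq 0) `
        ("$($noMail.Count) without mail" + $(if ($noMail.Count) { ': ' + ($noMail -join ', ') }))
}

Test-AdRmsPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```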

For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic on the Windows Server 2008 Technical Library (http://technet.microsoft.com/en-us/library/cc771789.aspx).