What Are Active Directory Right Management Services Computer Science Essay


Active Directory Rights Management Services (AD RMS) is a security technology used on Microsoft Windows to protect information. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mail, web pages and Word documents. It enables applications to protect digital information from unauthorized use, so that content owners can set permissions that decide which users can open, print, forward or modify the information, or take other actions with it.

An AD RMS system includes a Windows Server® 2008 R2-based server running the AD RMS server role, which handles certificates and licensing, a database server, and the AD RMS client.

1.2 What's new in Active Directory Rights Management Services?

For Windows Server® 2008, Active Directory Rights Management Services (AD RMS) includes new features that were not available in Microsoft® Windows® Rights Management Services. These features were designed to ease the administrative overhead of AD RMS and to extend its use outside your organization.

AD RMS is a technology that works with AD RMS-enabled applications to protect digital information from unauthorized use. Content owners can define how recipients may use the information: who can open, modify, print or forward it, or use the e-mail or file for other purposes.

A company can create custom usage rights templates, such as a "confidential - read-only" template, and apply them directly to information such as financial reports, product descriptions, customer data and e-mail.

Compared with the RMS that ran on Windows Server 2003, AD RMS as built into Windows Server 2008 brings considerable improvements. For example, it no longer requires a separate download and can be installed directly, and it no longer requires a connection to Microsoft to register.

How do the AD RMS server and client systems work together? The first step is to issue the user a certificate so that the user can apply AD RMS protection to content. Once the RMS server has issued the user an account certificate, the user can protect content. RMS protection is built into Microsoft's application products, such as Microsoft Office Word and Microsoft Office Excel, which makes protecting a document easy. The RMS server binds the usage rights to the content and encrypts the content to prevent unauthorized access. When a user attempts to view or otherwise use a protected file, the RMS server is contacted and checks the user's authority before issuing the decryption material and permissions.

Before Windows Server 2008, an external user needed a local user account to access RMS-protected content; with simplified external account management, this is no longer necessary.

The new features of Active Directory Rights Management Services include:

Inclusion of AD RMS in Windows Server 2008 as a server role that installs the AD RMS components used to publish and consume rights-protected content.

Integration with Active Directory Federation Services (AD FS). The Identity Federation Support role service is optional and allows users to consume rights-protected content through Active Directory Federation Services.

Administration through a Microsoft Management Console (MMC) snap-in.

Self-enrollment of AD RMS servers.

Ability to delegate responsibility by means of new AD RMS administrative roles.

2.0 Active Directory Right Management Services (AD RMS)

AD RMS consists of a server and a client component. The server component consists of multiple web services that run on a Microsoft server such as Windows Server 2008. The client component can run on either a client or a server operating system. It contains functions that enable an application to encrypt and decrypt content, retrieve templates, acquire licenses and certificates from a server, and perform other related tasks.

We can create AD RMS-enabled applications using the AD RMS SDK. Such applications enable end users to protect, store, publish, consume and retrieve content.

AD RMS Server

The server component of AD RMS is implemented as a set of web services that run on Internet Information Services (IIS). Starting with Windows Server 2008, AD RMS is installed and configured by adding it as a server role.

(Ref: http://msdn.microsoft.com/en-us/library/cc530396(v=VS.85).aspx)

AD RMS Client

The AD RMS client is implemented in Msdrm.dll. It exposes functionality that enables users to create, publish and consume encrypted content. An AD RMS-enabled application can use the client to perform the following tasks:

Send a request to an AD RMS activation service to issue a machine certificate, which identifies a computer and signs it into the AD RMS certificate hierarchy.

Send a request to an AD RMS activation service to issue a rights account certificate, which signs an Active Directory user account into the AD RMS certificate hierarchy and associates the user with a specific computer.

Encrypt content and make it available to authenticated and authorized users.

Acquire an end-user license for a user, decrypt the content, and then enforce the rights enumerated in the license.

AD RMS Applications

We use the AD RMS SDK to create applications that enable users to protect and consume content. Content is safeguarded by encryption and must be decrypted before it can be consumed. In the AD RMS infrastructure, encryption and decryption use public and private keys together with multiple certificates and licenses, which are issued and signed by the AD RMS web services running on the AD RMS server.

2.1 Who should use Active Directory Rights Management Services?

AD RMS is designed to keep content secure regardless of where the rights-protected content is moved.

Which users need AD RMS?

IT planners and analysts who are evaluating enterprise rights management products.

IT professionals responsible for supporting an existing RMS infrastructure.

IT security architects interested in deploying information protection technology that protects data both at rest and in motion can review this section and the additional AD RMS documentation.

2.2 Benefits and limitations for an organization using AD RMS:

Safeguard sensitive information.

AD RMS helps protect sensitive information. Applications such as e-mail clients, word processors and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. The user sets permissions that define who can forward, print or modify the information, or take other actions with it. Organizations can create custom usage policy templates, such as "confidential - read only", that can be applied directly to the information.

Persistent protection.

In addition to safeguarding sensitive information, AD RMS augments existing perimeter-based security solutions such as firewalls and access control lists (ACLs). It locks the usage rights inside the document itself, and so controls how the information can be used even after it has been opened by the intended recipients.

Flexible and customizable technology.

Independent software vendors (ISVs) and developers can AD RMS-enable any application, or enable other servers such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to protect sensitive information. ISVs can integrate information protection into server-based solutions.


In terms of security, RMS alone does not guarantee the highest degree of protection that PKI technology provides, but it makes misuse more complicated and discourages attempts at intrusion.

It does not protect documents from photographs, screen-capture tools or voice recordings.

2.3 What does Active Directory Rights Management Services do?

AD RMS provides services for building information protection solutions. It works with any AD RMS-enabled application to apply persistent usage policies to sensitive information. As mentioned before, content such as e-mail, intranet websites and documents can be protected by AD RMS. AD RMS provides a set of core functions that let users add information protection to the functionality of existing applications.

An AD RMS system includes both server and client components, which perform the following processes:

Licensing rights-protected information.

An AD RMS system issues rights account certificates, which identify the trusted entities (users, services and groups) that can publish rights-protected content. Once trust has been established, users can assign usage rights and conditions to the content they want to protect. These usage rights specify who can access the rights-protected content and what actions they can take with it. A publishing license is created when the content is protected. This license binds the specific usage rights to a given piece of content so that the content can be distributed; for example, users can send rights-protected documents to other users without the content losing its rights protection.

Acquiring licenses to decrypt rights-protected content and applying usage policies.

Users who have been granted a rights account certificate can access rights-protected content by using an AD RMS-enabled client application that allows them to view and work with it. When a user attempts to access rights-protected content, requests are sent to AD RMS. When a user tries to consume the protected content, the AD RMS licensing service on the AD RMS cluster issues a unique use license that interprets, reads and applies the usage rights and conditions specified in the publishing license. The usage rights and conditions are persistent and are applied automatically everywhere the content goes.

Creating rights-protected files and templates.

Users who are trusted entities in an AD RMS system can create and manage protection-enhanced files using the familiar authoring tools in an AD RMS-enabled application, which incorporates AD RMS technology features. In addition, AD RMS-enabled applications can use centrally defined and officially authorized usage rights templates to help users efficiently apply a predefined set of usage policies.

AD RMS relies on Active Directory Domain Services (AD DS) to verify that the user attempting to consume rights-protected content is authorized to do so. To register the AD RMS service connection point (SCP) during installation, the installing user account must have Write access to the Services container in AD DS.

Finally, all configuration and logging information is stored in the AD RMS logging database. In a test environment you can use the Windows Internal Database, but in a production environment we recommend a separate database server.

3.0 Configuration

3.1 Before the installation of AD RMS

Before we install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2, we must meet several requirements:

Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) environment as the user accounts that will consume rights-protected content.

Create a domain user account with no additional permissions to be used as the AD RMS service account.

To install AD RMS we need to select a user account that meets the following restrictions:

The user account that installs AD RMS must be different from the AD RMS service account.

If we want to register the AD RMS service connection point during installation, the user account that installs AD RMS must be a member of the Active Directory Domain Services Enterprise Admins group or equivalent.

If an external database server is used for the AD RMS databases, the user account installing AD RMS must have the right to create a new database. If Microsoft SQL Server 2005 or 2008 is used, the account must be a member of the System Administrators database role or equivalent.

Lastly, the user account that installs AD RMS must have access to query the AD DS domain.

Reserve a URL for the AD RMS cluster that will be available throughout the lifetime of the AD RMS installation. Make sure the reserved URL is different from the computer name.
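The requirements above can be checked before the role is added rather than discovered by a failed installation. The following PowerShell script is an added example and is not part of the essay or of Microsoft's guide; it uses the Active Directory module (RSAT) and the account names from this essay's lab (ADRMSSRVC, ADRMSADMIN). The reserved cluster name rms.cpandl.com is a constructed value chosen to be different from the server's computer name, as the last requirement demands.

```powershell
# Added example (not from the essay): pre-installation checks for the section 3.1 requirements.
# Assumes the Active Directory module is available and that the names below match the lab.
Import-Module ActiveDirectory

$ServiceAccount = 'ADRMSSRVC'        # AD RMS service account (name from the essay)
$InstallAccount = 'ADRMSADMIN'       # account that will run the installation (name from the essay)
$ClusterFqdn    = 'rms.cpandl.com'   # constructed reserved cluster URL host; must not be the computer name

$problems = @()

# 1. The service account must exist and carry no group membership beyond its primary group.
$svc = Get-ADUser -Identity $ServiceAccount -Properties memberOf -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += "Service account $ServiceAccount does not exist."
} elseif ($svc.memberOf.Count -gt 0) {
    $problems += "Service account $ServiceAccount has extra group memberships: $($svc.memberOf -join '; ')"
}

# 2. The installing account must not be the service account.
if ($InstallAccount -eq $ServiceAccount) {
    $problems += 'The install account and the service account must be different accounts.'
}

# 3. The installing account must be able to query the domain (a failed lookup here means it cannot).
try { [void](Get-ADUser -Identity $InstallAccount) }
catch { $problems += "Install account $InstallAccount could not be read from AD DS: $($_.Exception.Message)" }

# 4. The reserved cluster URL must differ from the computer name and must already resolve in DNS.
$clusterHost = $ClusterFqdn.Split('.')[0]
if ($clusterHost -eq $env:COMPUTERNAME) {
    $problems += "Cluster URL host '$clusterHost' equals this computer's name; reserve a separate name."
}
try { [void][System.Net.Dns]::GetHostEntry($ClusterFqdn) }
catch { $problems += "Cluster FQDN $ClusterFqdn does not resolve in DNS." }

# 5. AD RMS is installed on a member server, so this computer must be domain-joined.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $problems += 'This computer is not joined to a domain.' }

if ($problems.Count -eq 0) {
    Write-Host 'All section 3.1 prerequisite checks passed.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run the script on the server that will become ADRMS-SRV, logged on as the installing account. Each warning maps to one requirement in the list above; the service-account check is the one most often missed, because an account that has been dropped into a convenience group during lab setup no longer satisfies "no additional permissions".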

3.2 Hardware and software considerations

AD RMS runs on a computer that runs the Windows Server 2008 R2 operating system. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.

The following table describes the minimum hardware requirements and recommendations for running the AD RMS server role on Windows Server 2008 R2-based servers:

The following table lists the software requirements for running the AD RMS server role on Windows Server 2008 R2-based servers:

3.3 AD RMS Step-by-Step Guide

About The Guide

This guide leads the user through setting up a working Active Directory Rights Management Services infrastructure in a test environment. During the process we create an Active Directory domain and install a database server. We also install the AD RMS server role, configure an AD RMS-enabled client computer and configure the AD RMS cluster.

The purpose of an AD RMS deployment is to protect information. Once AD RMS protection is added to a digital file, the protection stays with the file, and by default only the owner is able to remove it.

The owner can grant rights to others, giving them permission to perform actions on the file within an AD RMS deployment.

Deploying AD RMS in a Test Environment

Before working through this step-by-step guide, note that it builds a working AD RMS infrastructure. We can test and verify AD RMS functionality as follows:

Restrict the permissions on a Microsoft Office Word 2007 document.

Have an authorized user open and work with the document.

Have an unauthorized user attempt to open and work with the document.

The following figure shows the configuration of the test environment:

Step 1: Setting up the Infrastructure

To prepare the AD RMS test environment in the CPANDL domain, we must complete the following tasks:

Configure the domain controller (CPANDL-DC)

Configure the AD RMS database computer (ADRMS-DB)

Configure the AD RMS root cluster computer (ADRMS-SRV)

Configure the AD RMS client computer (ADRMS-CLNT)

The following table is a reference for setting up the operating systems, computer names and network settings required to complete the steps in this guide.

Configure user accounts and groups

In this section we create the user accounts and groups in the CPANDL domain.

First, add the user accounts shown in the following table to Active Directory Domain Services (AD DS).

Use the information in the following table to create the user accounts.

Once the user accounts have been created, create Active Directory Universal groups and add these users to them. The following table lists the Universal groups that should be added to Active Directory. Use the procedure that follows the table to create the Universal groups.
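The same accounts and group can be created from PowerShell, which also makes it easy to see at a glance that the service account is in no group at all. The script below is an added example, not the essay's procedure or Microsoft's; the user names come from this essay's Step 3 (NHOLLIDA, SRAILSON, LHENIG, ADRMSADMIN, ADRMSSRVC), while the group name "Engineering", its mail address, the container path and the e-mail address format are assumptions standing in for the tables that are not reproduced here. AD RMS identifies users and groups in rights assignments by their e-mail address, so every principal is given one.

```powershell
# Added example (not from the essay): create the lab users and the Universal group with the
# Active Directory module. Group name, mail addresses and container are assumptions.
Import-Module ActiveDirectory

$Domain = 'cpandl.com'
$Ou     = 'CN=Users,DC=cpandl,DC=com'    # assumed container for the lab accounts
$Pwd    = Read-Host -AsSecureString 'Initial password for the lab accounts'

# Accounts named in the essay. ADRMSSRVC is the service account and is deliberately added to no group.
$users = @(
    @{ Sam = 'ADRMSADMIN'; Name = 'AD RMS Admin' },
    @{ Sam = 'ADRMSSRVC';  Name = 'AD RMS Service' },
    @{ Sam = 'NHOLLIDA';   Name = 'Nicole Holliday' },
    @{ Sam = 'SRAILSON';   Name = 'Stuart Railson' },
    @{ Sam = 'LHENIG';     Name = 'Limor Henig' }
)

foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name $u.Name -SamAccountName $u.Sam `
            -UserPrincipalName "$($u.Sam)@$Domain" -EmailAddress "$($u.Sam)@$Domain" `
            -Path $Ou -AccountPassword $Pwd -Enabled $true
    }
}

# Universal security group for the engineering staff, with the mail attribute AD RMS needs
# to resolve rights granted to the group (address is an assumption).
$Group = 'Engineering'
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Universal -GroupCategory Security -Path $Ou `
        -OtherAttributes @{ mail = "engineering@$Domain" }
}

# Membership follows the essay's test: Stuart must be able to read the document, Limor must not.
Add-ADGroupMember -Identity $Group -Members 'SRAILSON'

# Review: which lab accounts hold any group membership beyond their primary group?
Get-ADUser -Filter 'SamAccountName -like "*"' -SearchBase $Ou -Properties memberOf |
    Where-Object { $users.Sam -contains $_.SamAccountName } |
    Select-Object SamAccountName, @{ n = 'Groups'; e = { $_.memberOf -join '; ' } }
```

Run it on CPANDL-DC as a member of Domain Admins. The final query is the useful part for a reviewer: ADRMSSRVC should show an empty Groups column, and only SRAILSON should list the Engineering group.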

Step 2: Installing and Configuring AD RMS on ADRMS-SRV

To install and configure AD RMS, we must add the AD RMS server role.

Windows Server 2008 offers the option to install AD RMS as a server role through Server Manager, which also handles the installation and configuration of AD RMS. The root cluster is the first server in an AD RMS environment; an AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment.

Registering the AD RMS service connection point (SCP) requires the installing user account to be a member of the Active Directory Enterprise Admins group.

Membership in the Enterprise Admins group should be granted only while AD RMS is being installed. Once the installation is finished, the cpandl\ADRMSADMIN account should be removed from the group.

To add ADRMSADMIN to the Enterprise Admins group

1. Log on to CPANDL-DC as the cpandl\Administrator account or another user account in the Domain Admins group.

2. Start → Administrative Tools → Active Directory Users and Computers.

3. In the console tree, expand cpandl.com → Users → Enterprise Admins.

4. Members → Add.

5. Type [email protected], and then click OK.
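Because the Enterprise Admins membership is only needed to register the SCP, it is worth scripting both halves of the change so the removal is not forgotten. The functions below are an added example, not part of the essay or of Microsoft's guide; they use the Active Directory module and the account and group names from this essay. The function names are invented for the example.

```powershell
# Added example (not from the essay): time-boxed Enterprise Admins membership for cpandl\ADRMSADMIN.
# Run on CPANDL-DC as a member of Domain Admins. Function names are invented for this example.
Import-Module ActiveDirectory

$Account = 'ADRMSADMIN'
$Group   = 'Enterprise Admins'

function Test-GroupMembership([string]$GroupName, [string]$Sam) {
    # -Recursive also catches membership inherited through a nested group.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $Sam })
}

# Call before Step 2: grants the right needed to register the SCP and records when it was granted.
function Grant-InstallMembership {
    if (-not (Test-GroupMembership $Group $Account)) {
        Add-ADGroupMember -Identity $Group -Members $Account
    }
    Write-Host "$Account is in $Group as of $(Get-Date -Format s); remove it once the SCP is registered."
}

# Call after Step 2 completes: removes the membership and stops rather than continuing if it lingers.
function Revoke-InstallMembership {
    Remove-ADGroupMember -Identity $Group -Members $Account -Confirm:$false
    if (Test-GroupMembership $Group $Account) {
        throw "$Account is still a member of $Group (directly or via nesting); investigate before continuing."
    }
    Write-Host "$Account removed from $Group. Remaining members:"
    Get-ADGroupMember -Identity $Group | Select-Object SamAccountName, objectClass
}
```

Call Grant-InstallMembership immediately before Step 2 and Revoke-InstallMembership immediately after step 28 of the installation. The membership change only reaches ADRMSADMIN's security token at the next logon, which is why the installation procedure below has the account log on to ADRMS-SRV after the group change and log off and on again at the end.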

Install and configure AD RMS as a root cluster.

To add the AD RMS Server Role

1. Log on to ADRMS-SRV as cpandl\ADRMSADMIN.

2. Start → Administrative Tools → Server Manager.

3. If the User Account Control dialog box appears, confirm the action and then click Continue.

4. Roles Summary → Add Roles → Add Roles Wizard.

5. Read the Before You Begin section, and then click Next.

6. On Select Server Roles, select the Active Directory Rights Management Services check box.

7. The Role Services page appears. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS) and Message Queuing are listed. Click Add Required Role Services → Next.

8. Read the AD RMS introduction page → click Next.

9. Select Role Services → select Active Directory Rights Management Server → Next.

10. Click the Create a new AD RMS cluster option, and then click Next.

11. Click the Use a different database server option.

12. Click Select, type ADRMS-DB in the Select Computer dialog box, and then click OK.

13. In Database Instance, click Default, and then click Validate.

14. Click Next.

15. Click Specify, type CPANDL\ADRMSSRVC, type the password, click OK, and then click Next.

16. Make sure that the Use AD RMS centrally managed key storage option is selected, and then click Next.

17. Type a password in the Password box and in the Confirm password box, and then click Next.

18. Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be Default Web Site.

19. Click the Use an SSL-encrypted connection (https://) option.

20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and then click Validate. If validation succeeds, the Next button becomes available. Click Next.

21. Click the Choose an existing certificate for SSL encryption option, click the certificate that has been imported for this AD RMS cluster, and then click Next.

22. Enter a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.

23. Make sure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory.

24. Read the Introduction to Web Server (IIS) page, and then click Next.

25. Keep the Web server default check box selections, and then click Next.

26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.

27. Click Close.

28. Log off the server, and then log on again to update the security token of the logged-on user account. A user must be a member of the AD RMS administrators group to administer AD RMS.

Your AD RMS root cluster is now installed and configured.

Further management of AD RMS is done by using the Active Directory Rights Management Services console.

To open the Active Directory Rights Management Services console

Start → Administrative Tools → Active Directory Rights Management Services.

From the console you can configure trust policies, configure exclusion policies and create rights policy templates.
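Two things decide whether clients can actually use the cluster just built: the SCP that step 23 registered in AD DS, and the HTTPS endpoint that Word is told to contact in Step 3 (https://adrms-srv.cpandl.com:443/_wmcs/licensing). The script below checks both. It is an added example, not part of the essay or of Microsoft's guide; it assumes the Active Directory module is available, that the SCP is a serviceConnectionPoint object under the configuration partition's Services container, and that the licensing service answers at license.asmx below the URL quoted in the essay.

```powershell
# Added example (not from the essay): post-install verification of the SCP and the licensing endpoint.
# Assumptions: SCP is a serviceConnectionPoint under CN=Services in the configuration partition;
# the licensing service page is license.asmx under the essay's licensing URL.
Import-Module ActiveDirectory

$LicensingUrl = 'https://adrms-srv.cpandl.com:443/_wmcs/licensing/license.asmx'

function Get-AdrmsScp {
    # Search by objectClass rather than hard-coding the SCP's distinguished name.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Services,$configNC" -SearchScope Subtree `
        -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties serviceBindingInformation |
        Where-Object { $_.serviceBindingInformation -match '_wmcs' }
}

function Test-AdrmsEndpoint([string]$Url) {
    # No certificate-validation override here on purpose: a name mismatch or an untrusted issuer
    # fails this check exactly as it would fail for Word on ADRMS-CLNT.
    try {
        $response = [System.Net.HttpWebRequest]::Create($Url).GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # The server answered (e.g. 401 because anonymous access is off); TLS and routing are fine.
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            return @{ Reachable = $false; Detail = $_.Exception.Message }
        }
    }
    return @{ Reachable = $true; Detail = "HTTP $status" }
}

$scp = Get-AdrmsScp
if ($scp) { "SCP registered: $($scp.serviceBindingInformation)" }
else      { Write-Warning 'No AD RMS SCP found; clients will not discover the cluster automatically.' }

$ep = Test-AdrmsEndpoint $LicensingUrl
if ($ep.Reachable) { "Licensing endpoint reachable: $($ep.Detail)" }
else               { Write-Warning "Licensing endpoint check failed: $($ep.Detail)" }
```

Run it from a domain-joined machine other than ADRMS-SRV so the TLS check exercises the same trust path the clients will use. A failure in the endpoint check with a message about the remote certificate means the certificate imported in step 21 is not trusted or does not match adrms-srv.cpandl.com; fix that before the client tests in Step 3, because Word will report the same problem less clearly.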

Step 3: Verify the Functionality of AD RMS on ADRMS-CLNT

The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008. For earlier versions of the Windows operating system, the client is available as a download.

Before we can consume rights-protected content, we must add the AD RMS cluster URL to the Local Intranet security zone.

Add the AD RMS cluster URL to the Local Intranet security zone for every user who will consume rights-protected content.

The steps to add the AD RMS cluster to the Local Intranet security zone:

First, log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).

Start → All Programs → Internet Explorer → Tools → Internet Options.

Security tab → Local intranet → Sites → Advanced.

In the Add this website to the zone box, type https://adrms-srv.cpandl.com and click Add.

Click Close.

Repeat steps 1 through 7 for Stuart Railson and Limor Henig.
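The Internet Options dialog writes this zone assignment to a per-user registry key, so for the three lab users it can be applied and verified from PowerShell instead of being clicked through three times. The script below is an added example, not from the essay or from Microsoft's guide; the cluster URL is the essay's, the ZoneMap key path and the value 1 for the Local intranet zone are Windows conventions, and the function names are invented. Only https is mapped, because the cluster was configured in step 19 to use an SSL-encrypted connection and there is no reason for the client to trust a plain-http copy of the name.

```powershell
# Added example (not from the essay): put https://adrms-srv.cpandl.com in the Local intranet zone
# for the current user and verify it. Function names are invented for this example.
$ClusterHost   = 'adrms-srv'
$ClusterDomain = 'cpandl.com'
$LocalIntranet = 1    # Windows zone number for "Local intranet"

$zoneKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$ClusterDomain\$ClusterHost"
# When the "Site to Zone Assignment List" policy is in force, per-user ZoneMap entries are ignored.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Add-ClusterToIntranetZone {
    if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
    # Map only the https scheme; do not create an "http" value.
    New-ItemProperty -Path $zoneKey -Name 'https' -PropertyType DWord -Value $LocalIntranet -Force | Out-Null
}

function Test-ClusterInIntranetZone {
    $v = Get-ItemProperty -Path $zoneKey -Name 'https' -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.https -eq $LocalIntranet)
}

Add-ClusterToIntranetZone

if (Test-Path $policyKey) {
    Write-Warning 'A Site to Zone Assignment List policy is applied; the per-user entry set here will be overridden by it.'
}

if (Test-ClusterInIntranetZone) {
    "https://$ClusterHost.$ClusterDomain is in the Local intranet zone for $env:USERNAME"
} else {
    Write-Warning 'Zone mapping was not written; check the registry key and permissions.'
}
```

Run it once in each user's session (Nicole Holliday, Stuart Railson, Limor Henig), since the key lives under HKCU. In a real deployment the same mapping would be delivered by the Site to Zone Assignment List Group Policy setting that the conclusion of this essay alludes to, which is why the script warns when that policy is present: in that case the per-user change is cosmetic and the policy is what must be edited.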

To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and restrict permissions on a Microsoft Word 2007 document so that members of the CP&L Engineering group are able to read the document but unable to change, print or copy it.

You will then log on as Stuart Railson and verify that permission to read the document, and nothing else, has been granted.

Then, you will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able to consume the rights-protected file.

To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).

2. Start → All Programs → Microsoft Office → Microsoft Office Word 2007.

3. On the blank document page, type: CP&L engineering employees can read this document, but they cannot change, print, or copy it.

4. Microsoft Office Button → Prepare → Restrict Permission → Restricted Access.

5. Select the Restrict permission to this document check box.

6. In the Read box, type [email protected], and then click OK.

7. Click the Microsoft Office Button, click Save As, and save the file as \\ADRMS-DB\Public\ADRMS-TST.docx.

8. Log off as Nicole Holliday.

Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.

To view a rights-protected document

1. Log on to ADRMS-CLNT as Stuart Railson (cpandl\SRAILSON).

2. Start → All Programs → Microsoft Office → Microsoft Office Word 2007 → Microsoft Office Button → Open.

3. In the File name box, type \\ADRMS-DB\Public\ADRMS-TST.docx, and then click Open.

The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."

4. Click OK.

The following message appears: "Verifying your credentials for opening content with restricted permissions…".

5. When the document opens, click the Microsoft Office Button and confirm that the Print option is not available.

6. Close Microsoft Word → Log off.

Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.

To attempt to view a rights-protected document

1. Log on to ADRMS-CLNT as Limor Henig (cpandl\LHENIG).

2. Start → All Programs → Microsoft Office → Microsoft Office Word 2007.

3. Microsoft Office Button → Open → \\ADRMS-DB\Public\ADRMS-TST.docx.

The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."

4. Click OK.

5. The following message appears: "You do not have credentials that allow you to open this document. You can request updated permission from [email protected]. Do you want to request updated permission?"

6. Click No, and then close Microsoft Word.

We have now successfully deployed AD RMS and demonstrated its functionality using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document. The same deployment can be used to explore additional capabilities of AD RMS through further configuration and testing.

Active Directory Rights Management Services is an information protection technology.

It works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.

Administrators can manage their AD RMS client deployment using different methods and technologies, depending on their environment. The client and applications can be configured with standard tools such as Group Policy Objects to meet specific needs.

The overall best practice for AD RMS client deployment and configuration is to plan and test well, using a lab or test environment before deployment.

By following the advice given in this assignment and using the information provided to configure the AD RMS client according to the environment's needs, users should be able to achieve a seamless AD RMS deployment that lets them easily apply protection to their documents in line with their company's information protection needs.