
Active Directory Rights Management Services (AD RMS), formerly known simply as Rights Management Services, is designed to extend the reach of your internal network to the outside world. However, this time, the extension applies to intellectual property. In the first days of computing, software manufacturers went to great lengths to protect their software from theft. Even today, some vendors require the use of hardware keys for their software to run. Others have resorted to a Web-based approval and validation process. For example, with the release of Windows Vista, Microsoft introduced a new licensing scheme, one option of which is a Key Management Server (KMS), to validate the licensed versions of Microsoft Windows you use. AD RMS enables you to protect your intellectual property through the integration of several features. In fact, in addition to a direct integration with Active Directory Domain Services (AD DS), AD RMS can also rely on both Active Directory Certificate Services (AD CS) and Active Directory Federation Services (AD FS). AD CS can generate the public key infrastructure (PKI) certificates that AD RMS can embed in documents. AD FS extends your AD RMS policies beyond the firewall and supports the protection of your intellectual property among your business partners.

Understanding AD RMS
As mentioned earlier, AD RMS is an updated version of the Microsoft Windows Rights Management Services available in Microsoft Windows Server 2003. With this release, Microsoft has included several new features that extend the functionality included in AD RMS. However, the scenarios you use to deploy AD RMS remain the same. AD RMS works with a special AD RMS client to protect sensitive information. Protection is provided through the AD RMS server role, which is designed to provide certificate and licensing management. Information, configuration, and logging data are persisted in a database. In test environments, you can rely on the Windows Internal Database (WID) included in Windows Server 2008, but in production environments, you should rely on a formal database engine such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008 running on a separate server. This provides the ability to load balance AD RMS through the installation of multiple servers running this role. WID does not support remote connections; therefore, only one server can use it. Internet Information Services (IIS) 7.0 provides the Web services upon which AD RMS relies, and the Microsoft Message Queuing service ensures transaction coordination in distributed environments. The AD RMS client provides access to AD RMS features on the desktop. In addition, an AD DS directory provides integrated authentication and administration. AD RMS relies on AD DS to authenticate users and verify that they are allowed to use the service.

The first time you install an AD RMS server, you create an AD RMS root cluster by default. A root cluster is designed to handle both certification and licensing requests. Only one root cluster can exist in an AD DS forest. You can also install licensing-only servers, which automatically form a licensing cluster. Clusters are available only if you deployed the AD RMS database on a separate server. Each time you add a new AD RMS server with either the root or the licensing role, it is automatically integrated into the corresponding existing cluster. Microsoft recommends that you rely on the root role more than on the licensing-only role for two reasons:

- Root clusters handle all AD RMS operations and are, therefore, multifunctional.
- Root and licensing-only clusters are independent; that is, they cannot share load balancing of the service. If you install all your servers as root servers, they automatically load balance each other.

After the infrastructure is in place, you can enable information-producing applications such as word processors, presentation tools, e-mail clients, and custom in-house applications to rely on AD RMS to provide information protection services. As users create the information, they define who will be able to read, write, modify, print, transfer, and otherwise manipulate the information. In addition, you can create policy templates that apply a given configuration to documents as they are created. Usage rights are embedded directly within the documents you create so that the information remains protected even if it moves beyond your zone of authority. For example, if a protected document leaves your premises and arrives outside your network, it will remain protected because AD RMS settings are persistent. AD RMS offers a set of Web services, enabling you to extend it and integrate its features in your own information-producing applications. Because they are Web services, organizations can use them to integrate AD RMS features even in non-Windows environments.

New AD RMS Features

AD RMS is now a server role that is integrated into Windows Server 2008. In previous releases, the features supported by AD RMS were in a package that required a separate download. In addition, the Server Manager installation provides all dependencies and required component installations as well. Also, if no remote database is indicated during installation, Server Manager will automatically install Windows Internal Database. As with most of the Windows Server 2008 server roles, AD RMS is administered through a Microsoft Management Console (MMC). Previous versions provided administration only through a Web interface. AD RMS now also includes direct integration with Active Directory Federation Services, enabling you to extend your rights management policies beyond the firewall with your partners. This means your partners do not need their own AD RMS infrastructures and can rely on yours through AD FS to access AD RMS features. In previous releases, you could rely only on Windows Live IDs to federate RMS services. With the integration of AD RMS and AD FS, you no longer need to rely on a third party to protect information.

However, to use federation, you must have an established federated trust before you install the AD RMS extension that integrates with AD FS, and you must use the latest RMS client: the Windows Vista client, or the RMS client with SP2 for versions of Windows earlier than Windows Vista.

AD RMS servers are also self-enrolled when they are created. Enrollment creates a server licensor certificate (SLC), which grants the server the right to participate in the AD RMS structure. Earlier versions required access to the Microsoft Enrollment Center through the Internet to issue and sign the SLC. AD RMS relies on a self-enrollment certificate that is included in Windows Server 2008. Because of this, you can now run AD RMS in isolated networks without requiring Internet access of any kind. Finally, AD RMS includes new administration roles so that you can delegate specific AD RMS tasks without having to grant excessive administration rights.

Four local administrative roles are created:

- AD RMS Enterprise Administrators, which can manage all aspects of AD RMS. This group includes the user account used to install the role as well as the local Administrators group.
- AD RMS Template Administrators, which supports the ability to read information about the AD RMS infrastructure as well as list, create, modify, and export rights policy templates.
- AD RMS Auditors, which enables members to manage logs and reports. Auditors have read-only access to AD RMS infrastructure information.
- AD RMS Service, which contains the AD RMS service account that is identified during the role installation.

AD RMS publishing process


1. User is trusted and receives a rights account certificate (RAC).
2. User creates content with an AD RMS-enabled application.
3. User relies on a policy template to assign rights to the content.
4. AD RMS issues a publishing license to the content, and the content is encrypted.
5. Other users use AD RMS-enabled applications to view the content.
6. The AD RMS-enabled application requests a use license from the AD RMS servers.
7. User rights are verified; if authorized, the license is issued; if not, access is denied.
8. The use license is assigned to the content for its entire lifetime (online and offline).

AD RMS Installation Scenarios


Single server deployment
Install AD RMS on a single server. This installs the WID as the support database. Because all the components are local, you cannot scale this deployment to support high availability. Use the single server deployment only in test environments. If you want to use this deployment to test AD RMS beyond the firewall, you will have to add appropriate AD RMS exceptions.

Internal deployment

Install AD RMS on multiple servers tied to an AD DS directory. You must use a separate server to host the AD RMS database; otherwise, you will not be able to load balance the AD RMS role.

Extranet deployment
When users are mobile and do not remain within the confines of your network, you must deploy AD RMS in an extranet, a special perimeter network that provides internal services to authorized users. In this scenario, you will need to configure appropriate firewall exceptions and add a special extranet URL on an external-facing Web server to allow external client connections.

Multiforest deployment
When you have existing partnerships that are based on AD DS forest trusts, you must perform a multiforest deployment. In this case, you must deploy multiple AD RMS installations, one in each forest. Then, assign a Secure Sockets Layer (SSL) certificate to each Web site that hosts the AD RMS clusters in each forest. You must also extend the AD DS forest schema to include AD RMS objects. However, if you are using Microsoft Exchange Server in each forest, the extensions will already exist. Finally, your AD RMS service account, the account that runs the service, will need to be trusted in each forest.

Licensing-only server deployment


In complex forest environments, you might want to deploy a licensing-only AD RMS cluster in addition to the root cluster. In this case, you must first assign an SSL certificate to the Web site hosting the AD RMS root cluster and then install the root cluster. After you meet these conditions, you can install licensing-only servers.

AD RMS Certificates
Server licensor certificate (SLC)
The SLC is a self-signed certificate generated during the AD RMS setup of the first server in a root cluster. Other members of the root cluster will share this SLC. If you create a licensing-only cluster, it will generate its own SLC and share it with members of its cluster. The default duration for an SLC is 250 years.

Rights account certificate (RAC)


RACs are issued to trusted users who have an e-mail-enabled account in AD DS. RACs are generated when the user first tries to open rights-protected content. Standard RACs identify users in relation to their computers and have a duration of 365 days. Temporary RACs do not tie the user to a specific computer and are valid for only 15 minutes. The RAC contains the public key of the user as well as his or her private key. The private key is encrypted with the computer's private key.

Client licensor certificate (CLC)


After the user has a RAC and launches an AD RMS-enabled application, the application automatically sends a request for a CLC to the AD RMS cluster. The client computer must be connected for this process to work, but after the CLC is obtained, the user can apply AD RMS policies even offline. Because the CLC is tied to the client's RAC, it is automatically invalidated if the RAC is revoked. The CLC includes the client licensor public key, the client licensor private key that is encrypted by the user's public key, and the AD RMS cluster's public key. The CLC private key is used to encrypt content.

Machine certificate
The first time an AD RMS-enabled application is used, a machine certificate is created. The AD RMS client in Windows automatically manages this process with the AD RMS cluster. This certificate creates a lockbox on the computer to correlate the machine certificate with the user's profile. The machine certificate contains the public key for the activated computer. The private key is contained within the lockbox on the computer.

Publishing license
The publishing license is created when the user saves content in a rights-protected mode. This license lists which users can use the content and under which conditions, as well as the rights each user has to the content. This license includes the symmetric content key for decrypting content as well as the public key of the cluster.

Use license
The use license is assigned to a user who opens rights-protected content. It is tied to the user's RAC and lists the access rights the user has to the content. If the RAC is not available, the user cannot work with rights-protected content. It contains the symmetric key for decrypting content. This key is encrypted with the public key of the user.
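The eight-step publishing process and the publishing/use license descriptions above can be traced in code. The following is an added example, not code from this page or from Microsoft: a constructed Go model in which one RSA key pair stands in for the cluster's SLC, a user key pair plus e-mail address for the RAC, AES-GCM protects the content, and the content key is wrapped to the cluster in the publishing license and re-wrapped to the requesting user in the use license. The rights vocabulary, the sample users and the validity period are assumptions; the real XrML license format is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed model of the AD RMS key hierarchy: cluster key pair = SLC, user key pair + e-mail = RAC.
type RAC struct{ Email string; Key *rsa.PrivateKey }

// The publishing license travels with the content: the rights list is readable, but the content
// key is wrapped to the cluster public key, so only the cluster can issue use licenses for it.
type PublishingLicense struct {
	Rights            map[string]string // e-mail -> right; "view"/"edit" is a constructed vocabulary
	WrappedKey        []byte            // AES key under RSA-OAEP to the cluster public key
	Nonce, Ciphertext []byte            // AES-GCM protected content
}

// The use license is bound to one RAC: the same content key re-wrapped to that user's public key.
type UseLicense struct {
	Right      string
	WrappedKey []byte
	Expires    time.Time
}

// Helpers: errors are dropped only because every input here is fixed-size and well-formed.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func random(n int) []byte     { b := make([]byte, n); rand.Read(b); return b }
func gcmFor(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func wrap(pub *rsa.PublicKey, k []byte) []byte { c, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil); return c }
func unwrap(priv *rsa.PrivateKey, c []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil) }

// Publish covers steps 2-4: fresh content key, encrypted content, policy embedded with it.
func Publish(cluster *rsa.PrivateKey, plaintext []byte, rights map[string]string) *PublishingLicense {
	key, nonce := random(32), random(12)
	return &PublishingLicense{Rights: rights, WrappedKey: wrap(&cluster.PublicKey, key),
		Nonce: nonce, Ciphertext: gcmFor(key).Seal(nil, nonce, plaintext, nil)}
}

// IssueUseLicense covers steps 6-8: verify the requester's rights; only then re-wrap the key to the RAC.
func IssueUseLicense(cluster *rsa.PrivateKey, pl *PublishingLicense, r *RAC, validity time.Duration) (*UseLicense, error) {
	right, ok := pl.Rights[r.Email]
	if !ok {
		return nil, errors.New("access denied: no rights granted to " + r.Email)
	}
	key, err := unwrap(cluster, pl.WrappedKey)
	if err != nil {
		return nil, err
	}
	return &UseLicense{Right: right, WrappedKey: wrap(&r.Key.PublicKey, key), Expires: time.Now().Add(validity)}, nil
}

// Consume runs on the client, offline: unwrap with the RAC private key, then decrypt.
func Consume(pl *PublishingLicense, ul *UseLicense, r *RAC) ([]byte, error) {
	if time.Now().After(ul.Expires) {
		return nil, errors.New("use license expired")
	}
	key, err := unwrap(r.Key, ul.WrappedKey) // fails for any RAC other than the licensed one
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, pl.Nonce, pl.Ciphertext, nil)
}

func main() {
	cluster, alice := NewKey(), &RAC{"alice@example.com", NewKey()} // constructed sample data
	pl := Publish(cluster, []byte("Q3 forecast (constructed sample)"), map[string]string{alice.Email: "view"})
	ul, _ := IssueUseLicense(cluster, pl, alice, 365*24*time.Hour)
	text, _ := Consume(pl, ul, alice)
	_, err := IssueUseLicense(cluster, pl, &RAC{"bob@example.com", NewKey()}, time.Hour)
	fmt.Printf("alice (%s): %s\nbob: %v\n", ul.Right, text, err)
}
```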

How To Install Active Directory Rights Management Services


AD RMS is not supported and does not run in Server Core installations of Windows Server 2008. However, AD RMS is a good candidate for virtualization under Hyper-V, especially in test environments. Keep this in mind when you plan and prepare your AD RMS deployment. In the following lesson you will install AD RMS on a single server. This installs the WID as the support database. Because all the components are local, you cannot scale this deployment to support high availability. Use the single server deployment only in test environments. If you want to use this deployment to test AD RMS beyond the firewall, you will have to add appropriate AD RMS exceptions.

1. Right-click Roles and select Add Roles. Click Next.
2. Select Active Directory Rights Management Services. Click Add Required Role Services, then click Next.
3. On the role services page, select Active Directory Rights Management Services. Do not choose the Identity Federation Support option at this time; you cannot install this option until the AD FS federation relationship has been created. Click Next.
4. Select the Create A New AD RMS Cluster option, and then click Next.
5. Because this is a single server installation, select Use Windows Internal Database On This Server and click Next.
6. Click Specify, type in the user name and password, and click OK. Click Next.
7. Select Use AD RMS Centrally Managed Key Storage, then click Next. You can also choose to protect the AD RMS cluster key by using a cryptographic storage provider, which is a more secure protection method; in that case you will need to select the storage provider and then install this certificate on each new AD RMS server before you can add it to the root cluster.
8. Assign a complex password and click Next.
9. Select the Web site where you want to install the AD RMS Web services, and click Next. If you did not prepare the Web site beforehand, the name of the Web site will be Default Web Site.
10. Select Use An SSL-Encrypted Connection (https://), type in the fully qualified domain name, and click Validate. Once validated, click Next.
11. Select Create A Self-Signed Certificate For SSL Encryption. If you obtained a certificate but did not install it prior to setup, you can click Import to import the certificate now. If you did not obtain the certificate prior to installation, you can select the third option, to choose encryption later; note, however, that you will not be able to complete your installation until you obtain and install this certificate. Self-signed certificates should be used for test environments only. In a production environment, use a proper SSL certificate issued from a commercial certification authority. Click Next.
12. Type in a meaningful name and click Next. The name should enable you to quickly identify which server the certificate is for.
13. Select Register The AD RMS Service Connection Point Now, and then click Next.
14. Click Next to install the IIS options. Click Next, and then click Install.
15. When the installation has completed, you may close all open dialog boxes.

How To Configure AD RMS


AD RMS configuration, unlike Windows Rights Management Services, is performed through the MMC. This console is integrated in Server Manager but is also available as a standalone console through Remote Server Administration Tools (RSAT). Each of the tasks you need to perform to finalize your configuration is available through this console.

Creating an Extranet URL


When you want to extend your AD RMS infrastructure to mobile users or teleworkers outside your internal network, you must configure an extranet URL. These URLs must point to a valid IIS installation in the extranet and should be permanent. Proper DNS registration should also be implemented for these URLs. Use SSL encryption for the communication through Secure HTTP (HTTPS) connections. Finally, remember to create the appropriate virtual directories to host the AD RMS data. Use the following procedure:

1. Expand Active Directory Rights Management.
2. Right-click the server name and click Properties.
3. Click Cluster URLs.
4. Select Extranet URLs.
5. Type in the valid URLs, then click OK.

Exporting the Server Licensor Certificate


To work with either trusted publishing domains or trusted user domains, you must export the server licensor certificate from your root cluster or from the root cluster to be trusted. Certificates are exported to be used in establishing trusts.

1. On the Server Certificate tab, click Export Certificate.
2. Type in a file name and click Save.
3. Click OK.

Preparing AD RMS Certificates


Certificates are created by default during the installation of AD RMS. However, you must configure appropriate certificate duration based on your rights-protection policies. Four activities can be performed in terms of certificate administration:

- Specify the duration of rights account certificates.
- Enable certification for mobile devices.
- Enable certification of server services.
- Authenticate clients through smart cards.

Of these, the one you must absolutely set is the validity period for the RAC. The others are optional operations that depend on your rights-protection policies. Note that standard RACs are valid for 365 days by default, and temporary RACs last only 15 minutes. You might want to extend the duration of a temporary RAC, but be careful about extending the validity of a standard RAC.

1. Click Change Standard RAC Validity Period.
2. Set a suitable period (Days).
3. Click the Temporary RAC tab.
4. Set a suitable period (Minutes).
5. Click OK.

Preparing Exclusion Policies


When you decide the scope of your rights-protection policy implementation, you can configure exclusion policies or policies that will exclude users and computers from participating in your AD RMS implementation. You can create exclusion policies for four entities: users, applications, lockboxes, and Windows operating systems.

When you do so, the list of the specified exclusion members is included in the use license for the content. You can remove an excluded entity from an exclusion list, but remember that if you remove the entity from the list, it will no longer be added to the use licenses. Existing content, however, will already contain it because use licenses are issued only once, by default. Because of this, keep three items in mind when preparing exclusion lists:

- Assign only exclusions that will be as permanent as possible.
- If you change your mind, wait until existing use licenses have expired before removing entities from an exclusion list.
- Rely on exclusion lists if the credentials of one of the supported entities, such as a user, have been compromised and your rights-protected content is at risk.

You can exclude a user either through the e-mail address or through the public key assigned to the user. The first is for users included in your AD DS directory, and the second is for external users who might not have an account in your AD DS directory. If you exclude users in your AD DS directory, exclude a group so that the exclusion is easier to manage as time goes on.

1. Expand Exclusion Policies.
2. Right-click Users and select Enable User Exclusion.
3. Click Exclude User.
4. Click Browse, locate the user or group to be excluded, and click OK.
5. Click Finish.

Preparing Accounts and Access Rights


To ensure that your users can work with AD RMS, you must prepare their accounts. When you do so, AD RMS includes the account within its own database. However, when you remove an account, AD RMS disables the account but does not automatically remove it from its database. Because of this, the database can become large and contain obsolete data. To protect against this, either create a stored procedure in SQL Server that will automatically remove the account when you delete it or create a script that will do so on a scheduled basis.

AD RMS also supports a Super Users group. These users can recover or modify any data that is managed by your AD RMS infrastructure and can, therefore, recover data from users who have left the organization. You should usually assign a Universal Group from your directory to this role. Prepare the Universal Group before enabling Super Users in AD RMS.

1. Select Security Policies and click Change Super User Settings.
2. Select Enable Super Users.
3. Select Change Super User Group.
4. Type the e-mail address of a mail-enabled universal distribution group from your forest, or use the Browse button to locate the group and click OK.
5. Click OK.

Members of this group will now have access to all AD RMS content. Select these members very carefully and ensure that they are completely trustworthy. In fact, you might prefer to keep the Super Users group disabled and enable it only when you need it for security purposes.

Creating a Rights Policy Template


To facilitate the application of rights protection by your users, prepare policy templates. These templates will save considerable time for your users and ensure that you maintain the standards you set in your rights-protection policies. You must perform several activities with policy templates. First, you must create the template. Next, you must specify a location for the template. Locations are usually shared folders contained within your network. However, for users to rely on the template to create content, they must have access to it. Offline users will not have access to the templates unless you configure the offline folder settings for the shared folder so that the content of the folder will automatically be available locally to the user. In addition, relying on offline folders will ensure that when you modify, add, or update templates, they will automatically be updated on the client computer the next time the user connects to the network. Offline folders, however, will not work for external users who do not have access to your internal network.

1. Expand Active Directory Rights Management and click Rights Policy Templates.
2. Click Create Distributed Rights Policy Templates.
3. Click Add, choose the language for the template, type in a name and description for the template, and click Add. Click Next.
4. Click Add to select the user or group that will have access to the template. Selecting Anyone will enable any user to request a use license for the content. Click OK.
5. Select the user and then assign the rights to that particular user or group in the Rights For User pane. You can also create a custom right for the user. Note that the Grant Owner (Author) Full Control Right With No Expiration option is selected by default.
6. In the Rights Request URL, type the appropriate URL. Then click Next.
7. On the Specify Expiration Policy page, select one of the three available options and type a value in days. If you need to ensure that content expires automatically after a number of days, select Expires After The Following Duration (Days), and type the number of days. Click Next.

Specify Extended Policy


On the Specify Extended Policy page, you can assign the following settings:

1. Choose Enable Users To View Protected Content Using A Browser Add-On. This enables users who do not have AD RMS-enabled applications to view protected content by automatically installing the required add-on.
2. Select Request A New Use License Every Time Content Is Consumed (Disable Client-Side Caching) if you need authentication against the AD RMS servers each time content is consumed. Note that this will not work for offline users.
3. Select If You Would Like To Specify Additional Information For Your AD RMS-Enabled Applications, You Can Specify Them Here As Name-Value Pairs if you need to add specific data to the protected content. This option is usually reserved for developers, however.

Select the appropriate option, then click Next.

Specify Revocation Policy


On the Specify Revocation Policy page, you can enable revocation by selecting the Require Revocation option and then:

1. Selecting Location Where The Revocation List Is Published (URL Or UNC) and typing the value for the location of the revocation file. Keep in mind that if you use a URL and you have both internal and external users, the URL should be accessible from both network locations.
2. Selecting Refresh Interval For Revocation List (Days) and typing the number of days the revocation list will be maintained. This determines when users must update their revocation list when viewing content.
3. Selecting File Containing Public Key Corresponding To The Signed Revocation List.

If required, tick Require Revocation and then select the appropriate option. Then click Finish. The template has been created.
