
Active Directory Rights Management Service (AD RMS) – Part 01
Microsoft's first approach to information rights management (IRM) was Windows Rights Management Services, introduced with Windows Server 2003. This was fully compliant with
The updated version of Windows Rights Management was renamed Active Directory Rights Management Services and re-introduced with Windows Server 2008. It has continued to gain features and has shipped with every Windows Server version since. Microsoft also released Azure RMS (included in Azure Information Protection), which can be used in hybrid-cloud environments to protect data.
However, AD RMS is not the solution for every data security requirement. In an infrastructure, other things are attached to data security as well. The first step of protection is deciding who has access to the corporate network and its resources. This falls under perimeter defense: hardware and software firewalls define rules that govern the traffic coming into and going out of the corporate network. Modern Layer-7 and next-generation firewalls not only manage connections but also analyse traffic based on applications and (AD-integrated) user accounts. If users are allowed to use the Internet, that too can bring threats to corporate data, via viruses, malware, phishing emails and so on; such threats can be reduced using Layer-7 firewalls or proxies. The next step in data protection is controlling data access for users and groups inside the corporate network. This is done with NTFS permissions and Access Control Lists (ACLs), which control who has access to which data and resources.

The challenge is to protect data once users and groups have access to it. As an example, REBELADMIN Inc. has a Sales Department. The CEO creates a Word document containing last year's total sales and saves it in a network folder. The only people with access to it are the CEO and the Sales Manager. The CEO emails the Sales Manager to tell him about the file. Access to the folder is protected by ACLs, but once the Sales Manager has access to it, what prevents him from emailing it to someone in the Technical Department, or taking it home and sharing it with another party? Active Directory Rights Management Services controls the behaviour of data after users have gained access to it. It will not, however, prevent data leakage via digital photographs, third-party screen capture tools, hard copies, or viruses and malware.

AD RMS can:

• Follow data with policies (persistent usage rights and conditions) – NTFS permissions and ACLs can only manage data within their own operational boundary. In the previous example, while the report sits inside the Sales folder it can only be accessed by the CEO and the Sales Manager. However, once it is copied to a local disk or forwarded by email, the NTFS permissions and ACLs no longer apply. AD RMS instead uses persistent usage policies that travel with the data: even when it is moved or forwarded, the policies follow it.
• Prevent confidential emails going into the wrong hands – Email is one of the media most commonly involved in data leakage, and the news regularly reports the wrong people getting hold of "confidential" emails. Once an email has left the outbox we have no control over the data, and no guarantee that it is read only by the recipient and not forwarded to a party the original sender is unaware of. AD RMS can prevent the recipient from forwarding, modifying, copying or printing confidential emails, and ensures they can only be opened by the intended recipient.
• Prevent data being accessed by unauthorized people – Similarly, AD RMS can protect confidential files and reports from being modified, copied, forwarded or printed by unauthorized users.
• Prevent users capturing content with the Windows Print Screen feature – Even if users cannot forward or copy data, they could still use Print Screen to capture it in another format. AD RMS blocks the Windows Print Screen function while protected content is open in an RMS-aware application. It does not, however, prevent capture with third-party screen capture tools.
• File expiration – AD RMS allows a time limit to be set on files, so that after a certain period their content can no longer be accessed.
• Protect data on mobile devices and Mac – People use mobile devices to access corporate services and data. The AD RMS mobile device extension extends its data protection capabilities to mobile devices running Windows, Android or iOS. For that, the device needs the latest RMS client and RMS-aware apps installed. The same applies to Mac devices, as long as they use Office 2016 for Mac and RMS-aware applications.
• Integration with applications – AD RMS supports not only Microsoft Office files but a wide range of applications and file types. For example, AD RMS integrates directly with SharePoint (2007 onwards) to protect documents published on intranet sites, and there are third-party applications that support RMS too. It also supports file types such as .pdf, .jpg, .txt and .xml, allowing organisations to protect more and more data types across the infrastructure.

Active Directory Rights Management Service (AD RMS) – Part 02 – AD RMS Components

In my previous blog post about AD RMS I explained what RMS is and its capabilities. If you haven't read it yet, you can find it . In this post I am going to explain the AD RMS components.

AD RMS has its own role services and related components, which need to work together to maintain a healthy AD RMS environment. Let's look at these components in detail.

Active Directory Domain Services (AD DS) – AD RMS is one of the Active Directory role services. AD RMS can only be installed in an AD DS environment, and it must be installed on a member server. AD DS is also used to publish the service connection point (SCP), through which internal users automatically discover the URL of the AD RMS cluster.
AD RMS Cluster – An AD RMS cluster is a single RMS server or a group of servers that share the certification and licensing requests from their clients. Although it is called a "cluster", it is different from a typical Windows failover cluster: a failover cluster needs at least two nodes, but an RMS cluster is a cluster even with a single server. There is one requirement when multiple servers are involved. AD RMS supports two types of database, similar to AD FS: by default it uses the Windows Internal Database (WID), and it also supports Microsoft SQL Server. If the AD RMS cluster is going to have multiple servers, it must use a SQL Server database on a separate server.

There are two types of cluster in AD RMS:

Root Cluster – When the first AD RMS server is set up in an infrastructure, it becomes the root cluster. By default it responds to both licensing and certification requests from clients. When required, additional RMS servers can be added to the cluster. Only one root cluster can exist per AD DS forest.
Licensing Cluster – If an organization has multiple Active Directory sites, remote sites may prefer to use servers in their own site whenever possible, so that users do not have to connect across slow links. In such scenarios the organization can deploy a licensing-only cluster in the remote site. It responds only to licensing requests from clients.

When a new RMS server is added to the infrastructure, it automatically becomes part of the relevant cluster based on the roles installed. However, it is recommended to use only the root cluster, as it automatically load balances both certification and licensing requests. With two clusters, load balancing is handled by each cluster separately, even though they are components of one system.

Web Server – AD RMS requires a web server for its operations. It therefore requires IIS 7.0 or later with the following role services:
• Web Server (IIS)
  • Web Server
    o Common HTTP Features
      - Static Content
      - Directory Browsing
      - HTTP Errors
      - HTTP Redirection
    o Performance
      - Static Content Compression
    o Health and Diagnostics
      - HTTP Logging
      - Logging Tools
      - Request Monitor
      - Tracing
    o Security
      - Windows Authentication
  • Management Tools
    o IIS Management Console
    o IIS 6 Management Compatibility
      - IIS 6 Metabase Compatibility
      - IIS 6 WMI Compatibility
SQL Server – AD RMS supports the Windows Internal Database (WID) and Microsoft SQL Server. If the AD RMS cluster is going to have multiple servers, its databases must be on a SQL Server. SQL Server 2005 onwards is supported. AD RMS has three databases:
Configuration Database – Holds the configuration data for the AD RMS cluster, Windows user identities, and the AD RMS certificate key pair used to create the cluster.
Logging Database – Contains the logging data for the AD RMS deployment. By default it is installed in the same SQL Server instance that hosts the configuration database.
Directory Services Database – Maintains cached data about users, SID values, group memberships and related identifiers. This data is collected by the AD RMS licensing service through LDAP queries against a global catalog server, and by default it is refreshed every 12 hours.

AD RMS supports SQL high-availability solutions including SQL failover clustering, database mirroring and log shipping. SQL Server AlwaysOn is NOT supported.

In the previous section I mentioned the mobile device extension, which can be used to extend AD RMS to manage corporate data on mobile devices. It does not support the Windows Internal Database (WID); if you are going to use this feature, the AD RMS databases must run on a separate SQL Server.

AD RMS Client – The AD RMS client is required to communicate with the AD RMS cluster and protect data. It is included in every Windows operating system released after Windows XP. It still needs to be installed on Mac and mobile devices before they can use AD RMS.
Active Directory Certificate Services (AD CS) – AD RMS uses several certificates to protect the communication between AD RMS components and clients. Most of these can be issued by a trusted corporate certificate authority. For example, the AD RMS cluster can be built with an SSL certificate to protect communication between the servers in the cluster. If the AD RMS service URLs need to be published externally, a certificate from a public certificate authority is required. AD RMS itself also uses various Extensible Rights Markup Language (XrML)-based certificates to protect communication between components and the data. These certificates are different from AD CS
Active Directory Rights Management Service (AD RMS) – Part 03 – How AD RMS Works?

In part 01 of this series we learned about RMS and its capabilities. If you haven't read it yet, you can find it . In part 02 we learned about the AD RMS components; you can read it using .

In part 03, I am going to explain how AD RMS works.

By now we know the components of AD RMS and its capabilities. In this section we are going to look in detail at how these components work together to protect corporate data.

Before the data protection process can start we need a healthy AD RMS cluster, AD RMS clients (author and recipient) and reliable connectivity between those components. Once these prerequisites are fulfilled, data protection happens in three main stages: the author protects the content, the protected content is published, and the recipient accesses the protected content. Let's assume Peter wants to protect a document using AD RMS. He is going to send it to Adam, and he does not want Adam to edit or print it. This is the first time Peter is using AD RMS. In AD RMS terms, Peter is the Information Author. On his first authentication to the AD RMS cluster, it creates a Rights Account Certificate (RAC), which becomes his identity in AD RMS. This is a one-time process. The certificate contains Peter's public key and his private key, the latter encrypted with his computer's public key. When Peter registers with the AD RMS cluster it also creates another certificate, the Client Licensor Certificate (CLC). The CLC includes the CLC's own public key and its private key, protected with Peter's (RAC) public key. It also includes the AD RMS cluster's public key, and it is signed with the AD RMS cluster's private key.

Peter decides what data needs to be protected first. The RMS client then generates a random symmetric key and encrypts the data that needs protecting. The content is encrypted with AES (AES-256 in Cryptographic Mode 2, which the cluster built in Part 04 uses). When the first AD RMS server was added to the cluster, it created another certificate, the Server Licensor Certificate (SLC). This represents the identity of the AD RMS cluster. It is shared with clients so they can exchange confidential data with the cluster securely, and it includes the public key of the AD RMS cluster. As the next step, the client encrypts the symmetric key used for the data encryption with that public key, so that only the AD RMS cluster can recover it.

The RMS client then creates a Publishing License (PL). The PL states who the allowed recipients are, what rights they have and what conditions apply to the protected data. It includes the encrypted symmetric key that can be used to decrypt the protected data. All of this is encrypted with the Server Licensor Certificate's public key, and the AD RMS client signs it with the private key of the CLC. Finally the protected data is attached to the PL. The PL also includes a copy of the symmetric key encrypted with the CLC's public key. This confirms Peter's authority over the protected document, so he can decrypt it himself without requesting another license. Once all these encryptions and signings are done, the document is ready to be sent to Adam.

When Adam receives the document, his AD RMS-aware application tries to open it and finds that it is a protected document. Like Peter, Adam already has his RAC and CLC from the AD RMS cluster. Was the document encrypted or signed with any of Adam's certificates? No, it was not. But his AD RMS client knows who to contact to sort that out for him. To open the protected document Adam needs a Use License (UL), which is issued by the RMS cluster. So the AD RMS client sends a license request that includes the encrypted Publishing License, the encrypted symmetric key, Peter's CLC and the public key of Adam's RAC. The protected document itself is not sent to the RMS cluster with this request. To decrypt the protected document Adam needs the symmetric key Peter used to encrypt it. As a first step the server needs to know whether Adam is permitted to access the document and, if so, what rights and conditions apply. This information is in the Publishing License, which is encrypted with the SLC's public key; the AD RMS server holds the matching private key and can easily extract it. If Adam is not listed in the PL, access is declined. If he is allowed, the server builds a list of Adam's rights to the document. The most important part of the decryption process is retrieving the symmetric key. This is also encrypted with the SLC's public key. Once extracted, it is re-encrypted with the public key of Adam's RAC, which was part of the Use License request. This ensures that the only one who can see the key is Adam's system. Now that the server has all the required information, it generates the Use License containing the permission list and the re-encrypted symmetric key, and sends it to Adam's RMS client. Once it reaches Adam's system, the client decrypts the symmetric key with the RAC's private key; the RMS-aware application then decrypts the document and applies the rights information from the Use License. And voila! Adam can see the content of the document.

Above I have talked a lot about different certificates, licenses, data encryption and decryption, so it is still worth recapping what we learned at a high level.

Peter wants to send a protected document to Adam. Adam should only have read permission to the document and should not be able to modify or print it.

1) This is the first time Peter is using AD RMS. As soon as he tries to protect the document, the RMS client initiates a connection to the AD RMS server.
2) The AD RMS server replies with a Rights Account Certificate and a Client Licensor Certificate. This is a one-time process.
3) On Peter's system a random symmetric key is generated and the document is encrypted with it. The symmetric key is then encrypted with the SLC's public key and attached to a Publishing License that includes Adam's rights to the protected document. The PL is then attached to the encrypted document.
4) Peter sends the protected document (along with this additional information) to Adam.
5) Adam's RMS-aware application tries to open it and finds that it needs a Use License from the AD RMS server. The RMS client requests it from the RMS server.
6) The RMS server decrypts the symmetric key and the PL, then checks whether the requester matches the PL. In our scenario it matches, so the server creates a Use License. This includes the symmetric key (re-encrypted with Adam's RAC public key) and a list of the rights described in the PL. It is then delivered to Adam's system.
7) Once Adam's system receives the Use License, it retrieves the symmetric key and decrypts the document. Adam then opens the document and uses it according to the rights described in the PL.
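The following is an added example, not code from the original post or from Microsoft: a toy model of the seven steps above, written with the .NET crypto classes available to PowerShell 5.1 and later, so that you can see which key protects which secret at each stage. Real AD RMS wraps these values in XrML licenses and derives the RAC and CLC through the machine certificate; the names, the "email=RIGHT" rights string and the rebeladmin.com addresses below are assumptions made for illustration only.

```powershell
# Added example, not from the original post: a toy model of the publish / use-license
# exchange. Real AD RMS uses XrML licenses; the rights string format, key names and
# rebeladmin.com addresses here are assumptions for illustration.
$Oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$Pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$Utf8   = [System.Text.Encoding]::UTF8

function New-KeyPair([string]$Name) {
    # SLC, RAC and CLC are each modelled as an RSA-2048 key pair (Cryptographic Mode 2 size).
    [pscustomobject]@{ Name = $Name; Key = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048 }
}

function New-ProtectedDocument([string]$Text, $AuthorClc, $Slc, [hashtable]$Rights) {
    # Step 3, author side: a random AES-256 content key encrypts the document body.
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $plain = $Utf8.GetBytes($Text)
    $body  = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    # Rights list and content key are encrypted to the SLC public key: only the cluster can read them.
    $rightsText = ($Rights.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
    $encRights  = $Slc.Key.Encrypt($Utf8.GetBytes($rightsText), $Oaep)
    $encKeySlc  = $Slc.Key.Encrypt($aes.Key, $Oaep)
    # The PL is signed with the author's CLC private key; the CLC public part travels with it
    # (this is the "Peter's CLC" that goes into the use-license request).
    $pl = [pscustomobject]@{
        EncRights = $encRights; EncKey = $encKeySlc
        Signature = $AuthorClc.Key.SignData([byte[]]($encRights + $encKeySlc), $Sha256, $Pkcs1)
        AuthorClc = $AuthorClc.Key.ExportParameters($false)
    }
    # Author copy of the content key, wrapped to the CLC public key: Peter reopens without a use license.
    [pscustomobject]@{ Body = $body; IV = $aes.IV; PublishingLicense = $pl; AuthorKey = $AuthorClc.Key.Encrypt($aes.Key, $Oaep) }
}

function Request-UseLicense($Doc, $Slc, $RequesterRac) {
    # Step 6, cluster side: only the cluster holds the SLC private key. The body is never sent here.
    $pl = $Doc.PublishingLicense
    $verifier = New-Object System.Security.Cryptography.RSACng
    $verifier.ImportParameters($pl.AuthorClc)
    if (-not $verifier.VerifyData([byte[]]($pl.EncRights + $pl.EncKey), $pl.Signature, $Sha256, $Pkcs1)) {
        throw 'Publishing license signature does not verify'
    }
    $rights = @{}
    foreach ($pair in ($Utf8.GetString($Slc.Key.Decrypt($pl.EncRights, $Oaep)) -split ';')) {
        $who, $what = $pair -split '=', 2; $rights[$who] = $what
    }
    if (-not $rights.ContainsKey($RequesterRac.Name)) { return $null }   # not in the PL: access declined
    $contentKey = $Slc.Key.Decrypt($pl.EncKey, $Oaep)
    # The use license carries the rights list and the content key re-encrypted to the requester's RAC.
    [pscustomobject]@{ Rights = $rights[$RequesterRac.Name]; EncKey = $RequesterRac.Key.Encrypt($contentKey, $Oaep) }
}

function Open-ProtectedDocument($Doc, $UseLicense, $Rac) {
    # Step 7, recipient side: only the RAC private key can unwrap the content key in the use license.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Rac.Key.Decrypt($UseLicense.EncKey, $Oaep); $aes.IV = $Doc.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Doc.Body, 0, $Doc.Body.Length)
    [pscustomobject]@{ Text = $Utf8.GetString($plain); Rights = $UseLicense.Rights }
}

# Walk-through: Peter protects a document for Adam (view only); Liam is not in the PL.
$slc      = New-KeyPair 'AD RMS cluster SLC'
$peterClc = New-KeyPair 'peter@rebeladmin.com CLC'
$adamRac  = New-KeyPair 'adam@rebeladmin.com'
$liamRac  = New-KeyPair 'liam@rebeladmin.com'
$doc = New-ProtectedDocument 'Last year total sales: 12,345,678' $peterClc $slc @{ 'adam@rebeladmin.com' = 'VIEW' }
Open-ProtectedDocument $doc (Request-UseLicense $doc $slc $adamRac) $adamRac    # Text readable, Rights = VIEW
if ($null -eq (Request-UseLicense $doc $slc $liamRac)) { 'liam@rebeladmin.com: no use license, access declined' }
```

Two things the model makes visible that the prose glosses over: the cluster never needs the document body to issue a use license (it only needs the PL and the requester's RAC), and the rights list is enforced by the RMS-aware application after decryption, which is why third-party screen capture and photographs remain outside what AD RMS can stop.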

Active Directory Rights Management Service (AD RMS) – Part 04 – AD RMS
This is the last part of the series, and here I am going to demonstrate how to install and configure AD RMS.

Setup AD RMS Root Cluster

AD RMS can only be installed on a domain member server. I have a demo server set up that is already a member of the domain. The first AD RMS server added to the forest creates the AD RMS root cluster.

Install AD RMS Role

1) Log in to the server as an Enterprise Administrator.
2) Install the AD RMS role and the related management tools using,
Install-WindowsFeature ADRMS -IncludeManagementTools
Configure AD RMS Role
1) Launch Server Manager > Notifications > under "Configuration required for Active Directory Rights Management Services" > Perform Additional Configuration. This opens the AD RMS Configuration Wizard. Click Next to start the configuration.

2) The next screen gives the option to create a new AD RMS root cluster or join an existing AD RMS cluster. Since this is a new cluster, select Create a new AD RMS root cluster and click Next.
3) The next screen defines the AD RMS database configuration. If a Microsoft SQL Server is going to be used, specify the database server and the instance; otherwise it can use the Windows Internal Database. Note that if WID is used, the cluster cannot have any more AD RMS servers and cannot use the AD RMS mobile device extension either. Since this is a demo, I am going to use WID. Once the selection is made, click Next to move to the next step.

4) In the next window we need to define the service account. It is used to communicate with other services and computers, and it does not need Domain or Enterprise Admin rights. Click Specify, provide the user name and password for the account, then click Next to proceed to the next step.
5) In the next window we need to select the cryptographic mode. This defines the key lengths and hash algorithm the cluster uses. Two modes are supported: Mode 1 (RSA 1024-bit keys, SHA-1) and Mode 2 (RSA 2048-bit keys, SHA-256). It is highly recommended to use Mode 2 for stronger keys and hashing. However, it must match the other RMS clusters this cluster deals with. In our setup I am going to use the default, Mode 2 (SHA-256). Once the selection is made, click Next to proceed.
6) AD RMS uses the cluster key to sign the certificates and licenses it issues. It is also required when AD RMS is restored or when a new AD RMS server is added to the same cluster. It can be stored in two places. The default method is AD RMS centrally managed key storage, which needs no additional configuration. A cryptographic service provider (CSP) can also be used as storage, but this requires manual distribution of the key when another AD RMS server is added to the cluster. Here we will use the option "Use AD RMS centrally managed key storage". Once the selection is made, click Next to proceed.
7) AD RMS also uses a password to encrypt the cluster key described above. It must be provided when another AD RMS server is added to the cluster or when AD RMS is restored from backup. This password cannot be reset, so it is recommended to keep it recorded in a secure place. Once the AD RMS Cluster Key Password is defined, click Next to proceed.
8) In the next window we need to define the IIS virtual directory for the AD RMS web site. Unless there is a specific requirement, always use the default and click Next.
9) In the next step we need to define the AD RMS cluster URL. It is used by AD RMS clients to communicate with the AD RMS cluster. It is highly recommended to use SSL for this, even though HTTP-only is allowed. The related DNS records and firewall rules need to be adjusted to provide connectivity between the AD RMS clients and this URL (internally or externally). Once the configuration values are provided, click Next to proceed. One thing to note is that once this URL is specified, it cannot be changed. In this demo, the RMS URL is
10) In the next step we need to define the server authentication certificate. This certificate is used to encrypt the network traffic between RMS clients and the AD RMS cluster. For testing a self-signed certificate can be used, but that is not recommended for production. If an internal CA is used, the client computers must trust its root certificate. The wizard automatically lists the SSL certificates installed on the computer, and we can select the certificate from there. This setting can also be configured later. Once the settings are defined, click Next to proceed.
11) In the next window it asks for a name for the Server Licensor Certificate (SLC). This certificate defines the identity of the AD RMS cluster and is used in the data protection process between clients to encrypt and decrypt the symmetric keys. Once a meaningful name is defined, click Next to proceed.
12) The last configuration step is to register the AD RMS service connection point (SCP) in AD DS. If needed, this can be configured later too. Registering it in AD DS needs Enterprise Administrator privileges. In this demo I am already logged in as an Enterprise Administrator, so I am using "Register the SCP now". Once the option is selected, click Next.
13) After the confirmation, the installation begins; wait for the result. If it is all successful, log off and log back in to the AD RMS server.
14) Once logged back in, go to Server Manager > Tools > Active Directory Rights Management Services to access the AD RMS cluster.
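The wizard steps above can also be driven from PowerShell with the ADRMS deployment provider, which is handy for rebuilding a lab or standing up a second cluster the same way. The script below is an added example, not code from the original post: the host name rms.rebeladmin.com, the svc_adrms account and the SLC name are assumptions, and the property names follow Microsoft's AD RMS deployment documentation, so confirm them on your own build with Get-ChildItem RC:\ before relying on them.

```powershell
# Added example, not from the original post. Names below (rms.rebeladmin.com, svc_adrms,
# the SLC name) are assumptions; provider property names follow Microsoft's deployment docs.
Import-Module ServerManager
Install-WindowsFeature ADRMS -IncludeManagementTools        # also pulls in the IIS role services from Part 02

Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null   # step 2: new root cluster

# Step 3: database. WID means a single-server cluster and no mobile device extension (Part 02).
# Outside a lab point at a separate SQL Server instead:
#   Set-ItemProperty -Path RC:\ClusterDatabase -Name ServerName   -Value 'SQL01'
#   Set-ItemProperty -Path RC:\ClusterDatabase -Name InstanceName -Value 'MSSQLSERVER'
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

# Step 4: service account. An ordinary domain user; it needs no Domain or Enterprise Admin rights.
$svc = Get-Credential -UserName 'REBELADMIN\svc_adrms' -Message 'AD RMS service account'
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svc

# Step 5: Cryptographic Mode 2 (RSA 2048-bit, SHA-256). Stay on Mode 1 (RSA 1024-bit, SHA-1)
# only if a cluster you must interoperate with is still on it.
Set-ItemProperty -Path RC:\CryptoSupport -Name SupportCryptoMode2 -Value $true

# Steps 6 and 7: centrally managed cluster key, protected by a password that can never be reset.
$clusterKeyPwd = Read-Host -AsSecureString 'Cluster key password (record it offline)'
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPwd

# Steps 8 and 9: default web site and the cluster URL. The URL cannot be changed later, so use
# the HTTPS name clients will resolve, not the server's own host name.
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl -Name Address -Value 'https://rms.rebeladmin.com'

# Step 10 (server authentication certificate) is left to IIS: bind the certificate to the site
# afterwards, as the wizard also allows. Step 11: SLC name. Step 12: register the SCP
# (needs Enterprise Admin, as in the wizard).
Set-ItemProperty -Path RC:\SLC -Name SLCName -Value 'REBELADMIN RMS SLC'
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true

Install-ADRMS -Path RC:\ -Force
Remove-PSDrive RC

# After the log off / log on: read back the SCP that step 12 registered. Clients discover the
# cluster from its serviceBindingInformation, so this is the first thing to check when a client
# cannot connect to the Rights Management server. Needs the RSAT ActiveDirectory module.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity "CN=SCP,CN=RightsManagementServices,CN=Services,$cfg" `
    -Properties serviceBindingInformation |
    Select-Object -ExpandProperty serviceBindingInformation
# Expected: https://rms.rebeladmin.com/_wmcs/certification
```

Keep the cluster key password and the service account credential out of the script file itself; both are prompted for above for that reason, and the cluster key password in particular has no reset path, so it belongs in the same offline store as your CA keys.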
Test Protecting Data using AD RMS Cluster
The next step of the demo is to test the AD RMS cluster by protecting data. For that I am using two user accounts.

User    Email Address    Role

Peter                    Author
Adam                     Recipient

The email address field is a must; if a user does not have an email address defined, they will not be allowed to protect the document.

The end-user computers must have the AD RMS cluster URL added to Internet Explorer's Local Intranet site list. This can be done via GPO. If it is not added, users will get an error when they go to protect a document.
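What that GPO ends up writing on each client is a zone mapping in the registry. The snippet below is an added example, not from the original post: it applies the mapping by hand for the current user and then checks that both AD RMS pipelines answer with the signed-in user's credentials, which is the quickest way to separate a zone or certificate problem from a cluster problem. The cluster name rms.rebeladmin.com is an assumption.

```powershell
# Added example, not from the original post. rms.rebeladmin.com is an assumed cluster name.
$clusterHost = 'rms.rebeladmin.com'
$label, $domain = $clusterHost -split '\.', 2          # 'rms', 'rebeladmin.com'

# Zone 1 = Local intranet. In this zone Internet Explorer and the RMS client send Windows
# credentials silently, which the certification pipeline needs to issue the RAC and CLC.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
Get-ItemProperty -Path $zoneKey | Select-Object https     # expect https : 1

# The certification pipeline issues RACs and CLCs; the licensing pipeline issues use licenses.
# A 401 or a certificate error here is what the user sees as the failure when Word connects
# to the Digital Rights Management server.
foreach ($pipe in 'certification/server.asmx', 'licensing/license.asmx') {
    $uri = "https://$clusterHost/_wmcs/$pipe"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing
        '{0,-62} HTTP {1}' -f $uri, $r.StatusCode
    } catch {
        '{0,-62} FAILED: {1}' -f $uri, $_.Exception.Message
    }
}
# Domain-wide: the "Site to Zone Assignment List" policy (Internet Explorer > Internet Control Panel >
# Security Page) pushes the same https://rms.rebeladmin.com -> 1 mapping to every client.
```

If the certification URL fails with a certificate error while the zone check passes, the client does not trust the CA that issued the server authentication certificate from step 10, which is the internal-CA caveat noted there.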
In this demo, user Peter is going to create a protected document using Word 2013. The recipient will only be user Adam, and he will only have read access.

To Protect the Document

1) Log in to the Windows 10 (domain member) computer as user Peter.
2) Open Word 2013 and type some text.
3) Then go to File > Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates.

4) Once it has successfully retrieved the templates, go back to the same option and select Restricted Access.
5) A new window opens. In the Read field, type user Adam's email address to give him read-only permission, then click OK.
6) Save the document. In the demo I used a network share that user Adam also has access to.
7) Now I log in to another Windows 10 computer as user Adam.
8) Browse to the path where the document was saved and open it with Word.
9) While opening, it asks to authenticate to the RMS cluster to retrieve the licenses. After that it opens the document. At the top of the document it says the document has limited access. Clicking "View Permission" lists the allowed permissions, and they match what we set on the author side.
10) To test further, I logged in as another user (Liam), who is not named in the publishing license; when he opens the file, access is refused.

This ends the configuration and testing of the AD RMS cluster. In this demo I explained how to set up an AD RMS cluster with minimal resources and configuration. I used only the default configuration of the AD RMS cluster, and no custom policies were applied. Understanding the core functions allows you to customize it to meet your organization's requirements.
