Windows Rights Management Services
Protect content like never before
December 14, 2003
What company doesn't dread the leak of confidential information, be it trade secrets or sales figures? Traditional access-control mechanisms such as discretionary access control (DAC), mandatory access control (MAC), and role-based access control can restrict users' access to files but can't prevent authorized users from printing sensitive documents or copying such documents to 3.5" disks or removable USB drives. Traditional mechanisms also are often ineffectual at securing email content.
Microsoft Windows Rights Management Services (RMS) for Windows Server 2003 offers a solution. RMS, which is based on Extensible Rights Markup Language (XrML) 1.2.1, consists of a client component and a server component that work in tandem with RMS-aware applications to let users protect document, email message, or Web site content. RMS lets users create usage policies to define who can access rights-protected content, what actions authorized users can perform (e.g., save, print, forward, edit, reply), and when these actions can take place (e.g., within a certain number of days). These policies reside in a publishing license, which also contains a key that uses 128-bit Advanced Encryption Standard (AES) encryption to protect the content and URLs for the RMS licensing server that can issue a use license for the content. Part of the publishing license is encrypted to protect the most sensitive information it contains. When a user opens rights-protected content in an RMS-aware application, the application contacts the RMS server that the publishing license specifies to obtain a use license, which the application then uses to access the content and enforce the usage rights for that particular user. To receive a use license, a user must first obtain a valid XrML Rights Management Account Certificate (RAC) from his or her RMS certification server (an RMS server can function as both a certification and licensing server). The RMS-aware application guides the user through the process of obtaining an RAC if the user doesn't already have one. Users without RMS-aware applications can download and install the Rights Management Add-on for Internet Explorer (RMA). This free add-on lets users use Microsoft Internet Explorer (IE) to view—but not modify—rights-protected content. As you can imagine, if your organization plans to implement RMS, you'll need to plan ahead for its installation, configuration, and use.
Planning for Installation
Microsoft designed RMS to be a forestwide technology, and most organizations implement only one RMS hierarchy per forest. (You can, however, build clusters of RMS servers for load balancing and fault tolerance, and you can build hierarchies to accommodate the needs of business units or geographically separated office locations. For more information about RMS clusters and hierarchies, see the sidebar "RMS Clusters and Hierarchies.")
The first step in planning your RMS infrastructure is to determine how your organization will use RMS: internally only, or both internally and externally. RMS lets you specify two contact URLs for each RMS server—an intranet URL for internal users and an extranet URL for external users. You set the intranet URL during RMS server configuration and can't change it easily. By default, RMS bases this URL on the RMS server's computer name, but I recommend not using physical server names in your RMS server URL; doing so can complicate the process of creating clusters and replacing failed systems. Instead, create a DNS A or CNAME record for the RMS server and specify this entry, in the form of a Fully Qualified Domain Name (FQDN), as the intranet URL. The extranet URL, which you set after RMS installation, is easy to change.
You also need to decide where to place your first RMS server, which will become an RMS certification server. The RMS server component, which runs as a Web-based service and uses the Windows .NET Framework, can run on any edition of Windows 2003 and requires you to install Microsoft IIS 6.0, ASP.NET, and Microsoft Message Queue Services (MSMQ) on the server. The RMS client software component, which can run on Windows 98 Second Edition (Win98SE) or later, uses standard Web protocols (i.e., HTTP or HTTP Secure—HTTPS) to communicate with RMS servers (communication is secure regardless of whether you use HTTP or HTTPS). Each RMS server requires an ADO-supported database such as Microsoft SQL Server 2000 (preferably Service Pack 3—SP3—or later) to store configuration and log information and to cache expanded distribution lists (DLs). The RMS and database servers should be in the same domain. Clients contact the RMS certification server during activation and when obtaining an RAC. The RMS certification server needs to communicate with a Global Catalog (GC) server when authenticating users; with the Microsoft Enrollment Service during enrollment and when renewing its licensor certificate; and with the Activation Service when activating RMS clients (the RMS server accesses both these services over the Internet). The RMS certification server also performs as a licensing server to issue publishing and use licenses, so the server must be secure to protect RMS license information. You need to place the RMS certification server in a central, physically secure location, close to a GC server and to your database server, with good communications links to your clients and to the Internet. As a best practice, Microsoft recommends that you install RMS on a dedicated server. Figure 1 shows a sample RMS topology design.
You need to prepare users' Active Directory (AD) accounts for use with RMS. RMS doesn't rely on Microsoft Exchange Server, but because RMS identifies users by email address, every user must have an AD user account with an associated unique email address. If you're running Exchange 2000 Server or later, Exchange's Recipient Policies and Recipient Update Service (RUS) can email-enable the AD accounts. Some other email systems (e.g., Windows 2003's POP3 service) will also populate AD user accounts with users' email addresses. If you aren't running such an email system, you'll need to manually add email addresses to users' accounts or use an Active Directory Service Interfaces (ADSI) or similar script to add the addresses.
Before clients can use RMS, a member of the Enterprise Admins group must publish an AD serviceConnectionPoint object for the RMS certification server, which clients and applicants use to locate the RMS certification server during client activation and when requesting an RAC for a user. If you plan to create multiple RMS hierarchies in your forest or don't want to publish a serviceConnectionPoint object in AD, you'll need to use registry overrides on your client systems. The required overrides will depend on the RMS-aware applications that users plan to leverage; see the Microsoft Office 2003 Editions Resource Kit (http://www.microsoft.com/office/ork) for details about overrides for Office 2003 applications.
To leverage RMS, users must also have access to RMS-aware applications, such as those in Office System 2003, or to RMA and IE 5.5 or later. Software development kits (SDKs) are available for ISVs and for companies that want to develop their own RMS-aware applications. (You can download RMA at http://www.microsoft.com/windows/ie/downloads/addon/default.asp.)
The RMS Certification Server
Installing the RMS certification server is a simple process. Log on to the server as a member of the Domain Admins group. The RMS server component consists of a self-extracting executable file that contains a Windows Installer (.msi) file. The installation program prompts you to agree to license terms and to confirm the installation location for the server component. The installation creates a Start Menu program group with links to an online Help file, a README file, and the Web-based RMS management console.
After you've installed the RMS certification server, you need to provision, or enroll, the server. Provisioning a server is a two-step process: First, you enter configuration information; second, the server enrolls with Microsoft to obtain a signed RMS licensor certificate. Select the Web site on which you want to provision RMS (Microsoft recommends that you do so on a dedicated Web site), then click Provision RMS on this Web site to begin the provisioning process.
Configuration. The RMS server can communicate with a locally installed database or a database on a remote server. If the database is local, select the Local database option in the Configuration database section; otherwise, select the Remote database option and enter the name of the database server.
In the RMS service account section, enter the name and password of the service account that RMS will use. If you chose to use a local configuration database, you can run RMS under the Local System account, although for security reasons I recommend against doing so. If you chose to use a remote database, you must enter the credentials of a domain account. This account will have access to the databases that RMS creates on the database server.
In the Cluster URL section, enter the FQDN that you want to use as the intranet URL. For additional security, you can select HTTPS:// from the drop-down list. This setting directs RMS-aware applications to connect to the RMS server over a Secure Sockets Layer (SSL) connection (you'll need to install an SSL certificate and configure IIS to accept SSL connections).
In the Private key protection and enrollment section, enter a password that RMS will use to protect the keys it generates to secure licenses. Write down the password and keep it safe; you'll need it if you need to reinstall or upgrade the RMS server or add servers to create a cluster. If you have a supported Hardware Security Module (HSM), RMS can use the HSM to securely store keys; simply clear the Use the default storage-based private key connection option and enter the requested information about your HSM. Enter a descriptive name for the Server licensor certificate name and the email address of an administrative contact. If your organization has a proxy server, you can configure your RMS server to connect through the proxy server; select the This computer uses a proxy server to connect to the Internet option. Enter the name of your proxy server and the port it uses in the Address and Port fields. If your proxy server requires users to authenticate by presenting credentials, select the This proxy server requires authentication option, select the type of authentication (Basic, Digest, or Integrated Windows), and complete the User Name, Password, Confirm Password, and Domain fields.
Last, in the Revocation section, you can elect to let a trusted third party revoke the RMS server's licensor certificate. Most organizations won't want to select this option. (Revocation is an advanced topic; for more information, see the RMS Server Deployment Guide.) After you've entered the required configuration information, click Submit to begin the second step of the provisioning process.
Enrollment. During the enrollment step, the RMS server creates and populates the databases that it will use, configures the Web services that it will offer, generates an RMS server licensor certificate request, and contacts the Microsoft Enrollment Service to obtain a signed certificate. If an error occurs during enrollment, use the provided error message to determine the cause, then click Back to return to the configuration step and correct the information that led to the error. Run IISRESET from the command line to clear any state information preserved on the RMS Web site (be forewarned that this action will also stop and restart any other Web sites that you're running). Click Submit again to retry enrollment. Unless you have to correct errors, this step doesn't involve any direct interaction on your part.
After you've successfully provisioned your RMS certification server, you can choose from three options: Administer RMS on this Web site, Change RMS service account, and Remove RMS from this Web site. The first option takes you to the primary RMS Administration page, from which you can administer and further configure RMS. After you've provisioned the RMS server, log on as a member of the Enterprise Admins group, access the RMS Administration page, click RMS service connection point, then click Register URL to publish the serviceConnectionPoint object in AD.
RMS Client Systems
Before users can produce or work with rights-protected content, you must install and activate the RMS client component on the users' systems. The client component consists of DLLs and a command-line tool that administrators can use to activate and test RMS. The RMS client software comes in the form of an .msi file that you can download and distribute by using Group Policy Objects (GPOs), Microsoft Systems Management Server (SMS), or some other distribution tool.
After you install the client software, you must activate the clients. The activation process takes place at the end of the installation process or in response to the first RMS operation that a user attempts to perform. During activation, the client system contacts the RMS certification server (or cluster) to request an RMS lockbox. The lockbox is a 400KB DLL, called secrep.dll, that's unique to each client. The RMS certification server proxies the request to the Microsoft-hosted activation server, which generates the lockbox. (See the sidebar "Enrollment and Activation Services" for more information about the activation service.) The RMS certification server returns the lockbox to the client, which installs the DLL in %systemroot%system32.
Microsoft chose to have client systems obtain their lockbox through the RMS certification server because many enterprise client systems don't have Internet access. If your organization does permit client systems access to the Internet and you're concerned about performance or bandwidth, you can use registry overrides to point the client directly to the activation service. For full details of this process, see the RMS Server Deployment Guide.
How users leverage RMS will depend largely on which applications they use. Office 2003's RMS-aware applications—Microsoft Excel, Outlook, PowerPoint, and Word—simplify the process of protecting an email message or document. Each application's toolbar includes an RMS icon, such as the ones that Figure 2 and Figure 3 show. Clicking the RMS icon in Outlook when you create a message prevents recipients from copying, printing, or forwarding the message. Clicking the icon when in a Word, Excel, or PowerPoint file launches a dialog box in which you can specify the usage rights for the file's content.
All Office applications also let the content creator apply predefined rights-policy templates that you can create on an RMS server to define specific sets of usage rights. You can store these templates centrally or use distribution software or scripts to push them to users' desktops. (The Office 2003 resource kit describes the registry settings that direct applications to the templates' location; you can use the RMS Tool Kit utilities, which are available at http://www.microsoft.com/rms, to set the values.) The content creator can use the Office 2003 applications' File, Permissions menu option to select a template. The applications also let the creator distribute rights-protected content in such a way that users of earlier Office versions (i.e., Office XP, Office 2000, and Office 97) can use RMA to view the content.
Exploring RMS
After you have RMS running, you can explore many of the features that are beyond the scope of this article: recovery agents; revocation of users, applications, and publishing and use licenses; and RMS's extensive logging capabilities. RMS is surprisingly flexible, and you can use the RMS client and server SDKs to build your own RMS-aware applications and Web-based portal services. For more information about these features, visit the Microsoft Windows Rights Management Services page (http://www.microsoft.com/rm). For more information about XrML, visit http://www.xrml.org.
About the Author
You May Also Like