Friday, 14 March 2014

AD Rights Management Service


AD Rights Management Service
Topics Covered
Introduction to AD RMS
How AD RMS Works
RMS Lab setup
RMS Installation
Testing RMS using Windows Vista Client

Active Directory Rights Management Service
Active Directory Rights Management Service (AD RMS) was formerly known as Rights Management
Service (RMS) or Information Rights Management (IRM). AD RMS is now integrated with AD and is
one of the Windows Server 2008 server roles. AD RMS is a technology that helps protect your
information or data. AD RMS enables you to protect your intellectual property through the
integration of your operating system and applications. AD RMS can rely on both AD CS and AD
FS to extend its support.
AD RMS works with a special AD RMS client to protect sensitive information. Protection is
provided through the AD RMS server role, which is designed to provide certificate and licensing
management. AD RMS stores all configuration and logging information in the Windows Internal
Database, SQL Server 2005 or SQL Server 2008. With AD RMS you can protect your company
documents from unauthorized access. You can specify which users can access a document and
which actions they may perform on it, such as copying, editing, forwarding, printing and deleting.
AD RMS uses a client-server architecture, with Windows Server 2008 as the server component and
the AD RMS client as the client component on Windows XP, Vista and 7. The AD RMS client is a
built-in feature of Windows Vista and Windows 7, whereas for Windows XP we need to download
the RMS client. The RMS client is required for creating rights-protected documents using a
supported application.
RMS-enabled applications
• Microsoft Office 2007 Professional
• Microsoft Office SharePoint Server
• Acrobat Reader (using third-party software from GigaTrust)
• Exchange 2003 and 2007
• Internet Explorer

How AD RMS Works
User TOM wants to protect a Word 2007 document so that only HARRY can read it and no other
user can. Moreover, he wants HARRY to be able only to read the document, not print or copy it.
To do this, TOM requests a “Client Licensor” certificate from the RMS server. After receiving the
certificate from the RMS server, TOM sets the rights and permissions on the Word 2007 document.
Word 2007 creates a “publishing licence” and encrypts the document.
TOM now sends the file to HARRY. After receiving the file, HARRY opens it. Word 2007 calls the
RMS server, which validates the user and issues a “use licence”. Word 2007 then opens the
document with the appropriate rights given to HARRY. This is how AD RMS works.
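The exchange described above, modelled as an added PowerShell example (this is not code from the original post and not the AD RMS protocol itself): RSA key pairs stand in for the server licensor certificate and for each user's rights account certificate, AES stands in for the content key, and hashtables stand in for the XrML publishing and use licences. The user names and vision.com addresses are taken from the post; everything else is assumed for the illustration.

```powershell
# Added model of the AD RMS licence flow (not the real protocol, not code from the post).
# Stand-ins: RSA key pair = certificate, AES key = content key, hashtable = XrML licence.

function New-KeyPair { New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048 }

# The RMS server's key pair, plus a directory of user public keys the server can license to.
$server    = New-KeyPair
$users     = @{}   # private keys, held by each user's client (never sent to the server)
$directory = @{}   # public keys only, what the server knows about each user
foreach ($u in 'tom@vision.com', 'harry@vision.com', 'dick@vision.com') {
    $users[$u]     = New-KeyPair
    $directory[$u] = $users[$u].ExportParameters($false)   # $false = public part only
}

# Author side (TOM): encrypt the document under a fresh AES key and wrap that key to the
# server. The publishing licence carries the wrapped key and the rights table, so only
# the RMS server can ever recover the content key and decide who gets it.
function Protect-Document([string]$Text, [hashtable]$Rights) {
    $aes    = [System.Security.Cryptography.Aes]::Create()
    $plain  = [Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    @{
        Body = $cipher
        IV   = $aes.IV
        PublishingLicence = @{ Rights = $Rights; WrappedKey = $server.Encrypt($aes.Key, $true) }
    }
}

# Server side: validate the requesting user against the publishing licence and, if listed,
# re-wrap the content key to that user's public key. That re-wrapped key plus the granted
# rights is the use licence.
function Get-UseLicence([hashtable]$Doc, [string]$User) {
    $pl = $Doc.PublishingLicence
    if (-not $pl.Rights.ContainsKey($User)) { throw "$User is not licensed for this document" }
    $contentKey = $server.Decrypt($pl.WrappedKey, $true)
    $userRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $userRsa.ImportParameters($directory[$User])
    @{ Rights = $pl.Rights[$User]; WrappedKey = $userRsa.Encrypt($contentKey, $true) }
}

# Client side (HARRY): unwrap the content key with the private key, then enforce the rights.
# Note that the content key reaches the client for any licensed user; "no print / no copy"
# is enforced by the RMS-enabled application, not by the cryptography.
function Open-Document([hashtable]$Doc, [string]$User, [string]$Action = 'Read') {
    $ul = Get-UseLicence $Doc $User
    if ($ul.Rights -notcontains $Action) {
        return "$Action denied for $User (rights: $($ul.Rights -join ','))"
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $users[$User].Decrypt($ul.WrappedKey, $true)
    $aes.IV  = $Doc.IV
    [Text.Encoding]::UTF8.GetString(
        $aes.CreateDecryptor().TransformFinalBlock($Doc.Body, 0, $Doc.Body.Length))
}

# TOM protects a document so that only HARRY may read it (constructed sample text).
$doc = Protect-Document 'Q3 roadmap (constructed sample, confidential)' @{ 'harry@vision.com' = @('Read') }

Open-Document $doc 'harry@vision.com'                      # the document text
Open-Document $doc 'harry@vision.com' 'Print'              # "Print denied for harry@vision.com ..."
try { Open-Document $doc 'dick@vision.com' } catch { $_.Exception.Message }   # not licensed
```

The three calls at the end map onto the post's scenario: HARRY reads, HARRY cannot print, and a user who was never granted rights gets no use licence at all, so the server never releases the content key to him.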
Requirements for AD RMS
1) Windows 2008 Server (domain member)
2) SQL Server or Windows Internal Database
3) IIS 7.0
4) Active Directory Domain Controller (located on a separate machine)
5) Certificate server or self-signed certificate

RMS Lab Setup (our lab requires 3 machines, as under)
Operating System      Application/Role                        Computer Name
Windows 2008 Server   Domain Controller                       Dc1.vision.com
Windows 2008 Server   Member Server, AD RMS Role, IIS Role,   Rms1.vision.com
                      Internal Database
Windows Vista         Office 2007                             Client1.vision.com
Other Requirements
1) Create 2 users on the Domain Controller (i.e. rms_service and rms_installer). These users are
required for RMS to work. The first user, rms_service, is required to start the RMS server, and
rms_installer is used for installation of the RMS service.
2) rms_installer must be a member of the Enterprise Admins group and of the local Administrators
group of RMS1.VISION.COM.
3) Set the password settings for both users to “password never expires” and “user cannot
change password”.
4) Next create 2 more users on the Domain Controller (i.e. TOM, DICK and HARRY). These users will
use the client machine for logging in and testing RMS.
5) Set the email address for both users. (An email address is compulsory for RMS to work.)
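The account preparation in the list above, as an added PowerShell example that is not part of the original post. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT; on Windows Server 2008 RTM the equivalent tool is dsadd), the vision.com domain and its default Users container; the account names and the e-mail requirement come from the post, and the local Administrators membership on RMS1 is done with net.exe on that machine.

```powershell
# Added example (not code from the post): provision the lab accounts the post calls for.
# Run on the domain controller (Dc1.vision.com) or a host with the AD module installed.
Import-Module ActiveDirectory

$domain  = 'vision.com'
$usersOu = 'CN=Users,DC=vision,DC=com'   # assumed container; change to your OU if needed

# Passwords are read interactively so they never sit in the script or the shell history.
$svcPwd  = Read-Host -AsSecureString 'Password for rms_service'
$instPwd = Read-Host -AsSecureString 'Password for rms_installer'

# Settings from the post for both RMS accounts: never expires, user cannot change it.
$rmsAccountParams = @{
    Path                 = $usersOu
    Enabled              = $true
    PasswordNeverExpires = $true
    CannotChangePassword = $true
}

New-ADUser -Name 'rms_service' -SamAccountName 'rms_service' `
    -UserPrincipalName "rms_service@$domain" -AccountPassword $svcPwd `
    -Description 'AD RMS service account (starts the RMS server)' @rmsAccountParams

New-ADUser -Name 'rms_installer' -SamAccountName 'rms_installer' `
    -UserPrincipalName "rms_installer@$domain" -AccountPassword $instPwd `
    -Description 'AD RMS installation account' @rmsAccountParams

# The post requires rms_installer to be an Enterprise Admin for the role installation.
Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'rms_installer'

# Test users for the client machine. An e-mail address is compulsory for RMS to work.
foreach ($name in 'TOM', 'DICK', 'HARRY') {
    $pwd  = Read-Host -AsSecureString "Password for $name"
    $mail = "$($name.ToLower())@$domain"
    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName $mail `
        -EmailAddress $mail -AccountPassword $pwd -Enabled $true -Path $usersOu
}

# Verify the attributes RMS depends on before starting the installation.
'rms_service', 'rms_installer', 'TOM', 'DICK', 'HARRY' | ForEach-Object {
    Get-ADUser -Identity $_ -Properties EmailAddress, PasswordNeverExpires, CannotChangePassword |
        Select-Object SamAccountName, EmailAddress, PasswordNeverExpires, CannotChangePassword
}

# On RMS1.VISION.COM itself (not on the DC), add rms_installer to the local Administrators group:
#   net localgroup Administrators vision\rms_installer /add
```

Run the verification loop before moving on: an RMS account without "password never expires" or a test user without an e-mail address is the most common reason the later licensing test fails.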

Installation of the RMS Role on RMS1.VISION.COM
1) Log in as rms_installer on RMS1.VISION.COM (note: before logging in, add rms_installer to the
local Administrators group).
2) Start – Server Manager.
3) Click Roles and select Add Roles.
4) Select “Active Directory Rights Management Service” and click Next.

5) When you select the AD RMS role, Windows will prompt you to install IIS.
6) Next, select any additional role services if required.
7) Next, select “create new cluster”.

8) Select the database to store AD RMS data. In our case we will select “Windows Internal
Database”, but in a production environment use SQL Server.
9) Next, specify the service account. In our case it is the rms_service user.
10) Next, select “use AD RMS centrally managed key storage”.

11) Specify the AD RMS cluster key password.
12) Next, specify an FQDN for the RMS server and then click Validate. Before specifying the
FQDN we have to create a host entry in DNS for it.

13) Next, select the certificate for SSL encryption. In our case we will use “Create self-signed
certificate”, but in a production environment use an existing certificate imported from a CA.
14) Next, select the AD RMS service connection point registration option to register AD RMS in
Active Directory.

15) Next, click Next to complete the installation of the RMS service.
Testing AD RMS using a Windows Vista Client
To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and
then restrict permissions on a Microsoft Word 2007 document so that members of the CP&L
Engineering group are able to read the document but unable to change, print, or copy it. You will
then log on as Stuart Railson, verifying that the proper permission to read the document has been
granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of
the Engineering group, he should not be able to consume the rights-protected file.
To restrict permissions on a Microsoft Word document
1. Log on to Client1.vision.com as user TOM.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office
Word 2007.
3. Type some data in the blank Word file.
4. Click the Microsoft Office Button, click Prepare, click Restrict Permission, and then click
Restricted Access.
5. Click the Restrict permission to this document check box.
6. In the Read box, type harry@123.com, and then click OK to close the Permission dialog box.
7. Click the Microsoft Office Button, click Save As, and then save the file.
8. Log off as TOM.

Next, log on as HARRY and open the document
1. Log on to Client1.vision.com as user HARRY.
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office
Word 2007.
3. Click the Microsoft Office Button, and then click Open.
4. Select the file to open.
5. The following message appears: "Permission to this document is currently restricted. Microsoft
Office must connect to https://rms.vision.com:443/_wmcs/licensing to verify your credentials
and download your permission."
6. Click OK.
7. The following message appears: "Verifying your credentials for opening content with restricted
permissions…".
8. When the document opens, click the Microsoft Office Button. Notice that the Print option is not
available.
9. Close Microsoft Word.
10. Log off as HARRY.
