
Activating Information Rights Management (IRM) in SharePoint - Proxy Gateway Error Correction

Recently we had a case where a customer was having some difficulty activating an IRM-protected document library in SharePoint on a server running Windows Server 2008. He got the following error:

Information Rights Management (IRM): There was a problem while trying to activate a rights account certificate.
Unspecified connection error. Try activating again later.

Error value: 8004cf3b

A common cause of this error is that the SharePoint server cannot contact the AD RMS server, due to a 502 Proxy Gateway error.

To resolve this issue, set the WinHTTP proxy settings on Windows Server 2008 or Windows Server 2008 R2 with the Netsh command-line tool, and add the AD RMS server's host name to the proxy bypass list on the SharePoint computer so that it can bootstrap correctly. Note that WinHTTP bypass-list entries are host names, not URLs. The following example adds the AD RMS server myRmsServer (reached at https://myRmsServer) to the proxy bypass list:

netsh winhttp set proxy proxy-server="myProxyServer.mydomain.corp.contoso.com:80" bypass-list="myRmsServer"

Posted by tonytri | 0 Comments

Custom IRM Protectors

We occasionally get questions from customers about creating custom IRM protectors. Protectors are components that are used to apply AD RMS protection to files when they are added to document libraries like those in Windows SharePoint Services 3.0. Specifically, protectors “convert custom file types to rights-management formats when the user downloads them, and then convert those files back to nonencrypted file formats when the user uploads them for storage in the document library.”

The AD RMS team recently released an IRM protector implementation that protects files in Microsoft Office formats, such as .docx, .xlsx, and so on. Included with it is documentation that can help you deploy the protectors provided by the AD RMS team or implement your own custom protector.

Documentation_OfficeFileFormatProtectors – This document contains reference documentation for the protector interface and other required interfaces.

Developer’s Walkthrough Microsoft Office 2007 File Format Protectors for AD RMS – This document discusses setting up a pre-production development environment and implementing the I_IrmCrypt interface, which is used to enable document encryption and decryption, and I_IrmPolicyInfoRMS, which holds licenses and other information used by a protector.

Posted by tonytri | 3 Comments

The AD RMS Bulk Protection Tool Has Arrived

We heard from the AD RMS community and we acted! Today, we are extremely proud to announce the availability of the AD RMS Bulk Protection Tool on Microsoft Download Center.

The AD RMS Bulk Protection Tool is a command-line tool that can decrypt multiple AD RMS protected files or encrypt multiple files to a predefined rights-policy template. This tool can be used to perform e-discovery of content for litigation or audit purposes, or to safeguard existing sensitive data on company shares. It also works in conjunction with the File Classification Infrastructure (FCI) feature in Windows Server 2008 R2 to classify and protect sensitive company data.

Here are some additional details:

Features

  • Simple command-line interface
  • Bulk decrypt RMS-supported files and items within Outlook PSTs
  • Bulk encrypt RMS-supported files to a custom template
  • Extensible to other file formats via IRM protector implementation

System Requirements

  • Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2
  • The tool requires installation of RMS Client SP2 and .NET Framework 2.0 SP2 on Windows XP
  • Outlook 2007 is needed for decrypting items within PST files

You can refer to the AD RMS Bulk Protection Tool help file that is included with the tool for more usage details.

...and finally, we hope you enjoy the tool!

Yours truly,
Clinton Ho, Saket Kataruka, and Adeel Zaidi
The AD RMS Bulk Protection Tool Team

Posted by tonytri | 0 Comments

AD RMS and PowerShell

PowerShell has been included in Windows Server 2008 R2. If you haven’t heard of it, it’s “a command-line shell and scripting language that helps IT professionals achieve greater productivity and control system administration more easily.” You can learn more about it at the PowerShell Website or at the PowerShell team’s blog.

The AD RMS team recently released a guide called Using Windows PowerShell with AD RMS:

This guide explains how to use the Windows PowerShell cmdlets that enable you to install, configure, and administer the AD RMS server role on a computer running Windows Server 2008 R2. It introduces the Windows PowerShell providers that implement AD RMS-specific cmdlets, describes the namespace that these cmdlets work in, and also shows how to use general-purpose cmdlets, such as Set-ItemProperty, to manipulate items in these namespaces that represent AD RMS settings.

If you need more information, you can also visit the reference documentation for the AD RMS cmdlets.

Posted by tonytri | 0 Comments

AD RMS and Group Expansion

We get occasional questions from customers about AD RMS and group expansion across forests. The following are a few links that can help answer your questions concerning group expansion:

  • The topic Deploying RMS Across Forests contains a thorough explanation of how AD RMS works in a multiple-forest environment: “RMS uses Active Directory to identify users and distribution groups. When an organization’s Active Directory deployment includes multiple forests, RMS uses contact objects to obtain the identities of users and groups that are part of a different forest than the RMS server.”
  • The topic Release Notes for Windows Rights Management Services with Service Pack 2 contains a brief description of the group expansion functionality available in Windows RMS SP2: “…group expansion across forests facilitates the ability for RMS to expand Active Directory Universal group membership in a different forest where group memberships are not replicated between two forests…”
  • Jason Tyler, a senior support engineer, has a post on his blog called Troubleshooting your RMS Server and Group Membership: “The only time that I usually will get on an RMS server to track things down (once it is setup and provisioned), is when I get a call from someone who says 'I am sending this RMS/IRM protected message to a group, and people in the group cannot open the message'.”

Posted by tonytri | 0 Comments

Information Protection in Exchange 2010

We are excited about the features being built into Exchange 2010 that use AD Rights Management Services technology to ensure that sensitive information is protected. Ed Banti, a Microsoft program manager, recently presented an overview of these features, which we have made available on TechNet Edge as a series of short videos.

In the following video, Ed discusses how end users can benefit from the information protection features in Exchange 2010, which include Outlook Web Access support and full-text search on protected messages.

Posted by tonytri | 0 Comments

Microsoft’s AD RMS Rights Policy Templates

Organizations using AD RMS often take advantage of rights policy templates to enable users to protect information according to a predefined set of rights. Many customers are asking us, what specific policy templates are used by the IT organization at Microsoft? Following are examples of the policy templates used by Microsoft’s IT organization:

  • Microsoft Confidential - This template uses the Microsoft All Staff distribution group. This group includes all Microsoft full-time employees (FTEs), contractors, and vendor staff. Any person not included in this distribution group, such as people outside the company, cannot open content protected through this template. This template provides the following rights: View, Reply, Reply All, Save, Edit, and Forward.
  • Microsoft Confidential Read Only - This template uses the Microsoft All Staff distribution group. This group includes all Microsoft full-time employees (FTEs), contractors, and vendor staff. Any person not included in this distribution group, such as people outside the company, cannot open content protected through this template. This template provides the following rights: View.
  • Microsoft FTE Confidential - This template uses the Microsoft All FTE distribution group. This group includes only Microsoft full-time employees (FTEs). Any person not included in this distribution group, such as contractors, vendors, and people outside the company, cannot open content protected through this template. This template provides the following rights: View, Reply, Reply All, Save, Edit, and Forward.
  • Microsoft FTE Confidential Read Only - This template uses the Microsoft All FTE distribution group. This group includes only Microsoft full-time employees (FTEs). Any person not included in this distribution group, such as contractors, vendors, and people outside the company, cannot open content protected through this template. This template provides the following rights: View.
  • Do Not Reply All – This template simply restricts recipients from using the Reply All function. This prevents large volumes of response traffic to messages sent to many recipients.

An end user can specify a rights policy template when she creates new content. This helps to ensure that she can easily comply with her organization’s information security policy. Rights policy templates are an important and commonly-used feature of AD RMS.

You can learn more about rights policy templates in the Microsoft TechNet topic, AD RMS Policy Template Considerations. This topic provides an overview of the technical considerations you must make when using AD RMS rights policy templates. It includes details about specific rights, template location, template distribution, scripting, and other information.


Posted by tonytri | 0 Comments

New Technical White Paper: Deploying AD RMS at Microsoft

A technical white paper, Deploying Active Directory Rights Management Services at Microsoft, has recently been made available on TechNet. This white paper is the result of the collaborative effort of Microsoft’s consulting, user assistance, and internal IT organizations. Its purpose is to give you some visibility into the AD RMS deployment process and to help you learn from Microsoft’s own deployment experience.

The following brief excerpt summarizes the subjects covered:
Since the worldwide implementation of AD RMS at Microsoft, each day, an average of approximately 5,000 documents and e-mail messages are protected to be consumed by 80,000 unique users. These numbers continually grow as an increasing number of users adopt AD RMS technologies as their preferred means of helping to protect their confidential e-mail and documents.

This paper discusses the need that Microsoft IT had for protecting confidential business data, the reasons for deploying RMS over other possible solutions, and how AD RMS works. This paper also offers detailed lessons learned and best practices derived from the RMS server and client deployment and usage experience of Microsoft IT.

Posted by tonytri | 0 Comments

Meet the Team: Matthew Lucas

What is your education and work background?
I was a college hire from the University of Illinois at Urbana-Champaign.  I’ve been at Microsoft for over a year now.

How did you come to be a part of the AD RMS team? How long have you worked with the team?
In college I did my senior project in digital privacy and built a prototypical web-based secure messaging application.  I followed my interest in privacy protection and encryption onto this team.  I’ve been on this team since I started as a full-timer.

What is your role?
I am the Program Manager handling our Mobile story – prioritizing customer demands, writing functional specifications for new features, coordinating work with partner teams, scheduling work items within our own team, and serving as a primary point-of-contact within the product group for the existing products.

What is your favorite aspect of the technology?
We have better integration with Outlook than any other secure messaging product I’ve seen.  That Outlook turns functionalities off in order to enforce the rights schemes dictated by our platform is really cool.

Any last words?
If you have an interest in privacy, compliance, or encryption, please let our team know!

Posted by tonytri | 1 Comments

More New Content: AD RMS Technical Reference

The team has recently released the following new content to help you use AD RMS:

  • AD RMS Client Requirements – Provides important information about the AD RMS client in a format that you can quickly scan and reference. It includes a section that covers requirements for various versions of the client, and a section on AD RMS service discovery.
  • AD RMS and AD FS Considerations – Provides a brief overview of requirements and configuration options for using AD RMS with Active Directory Federation Services (AD FS).
  • AD RMS Business-To-Business Requirements for Trusted User Domains – Details the requirements for adding a trusted user domain, which allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster.

Posted by tonytri | 0 Comments

New Content: AD RMS Technical Reference

The AD RMS team has recently published new content that details requirements and prerequisites for your AD RMS environment. They are the following:

  • AD RMS Prerequisites – Provides requirements and recommendations for setting up and configuring AD RMS in your environment. It includes information about certificates, DNS, hardware requirements, software requirements, and other topics.
  • AD RMS SQL Server Requirements – Provides a brief overview of the SQL Server databases used by AD RMS, hardware requirements for the database server, and software requirements for the database server.
  • AD RMS Firewall Considerations – Details how to configure your firewall for use with AD RMS.

We hope these guidelines prove to be valuable as you use them to plan for, deploy and configure AD RMS in your environment.

Posted by tonytri | 0 Comments

Templates, Distribution, and Why You Should Care

One of the great features of Active Directory Rights Management Services (AD RMS) is rights-policy templates. A template is something that an AD RMS administrator designs that provides a set of users, and/or groups, with a predefined set of rights. These templates are then used by AD RMS-enabled applications to enforce policies. You can read much more about AD RMS templates on TechNet here.

One of the big problems that IT administrators encounter with rights-policy templates is how to distribute them to end users. If the end user does not have the template, they can’t use the predefined policies. In previous versions of AD RMS (Windows Rights Management Services v1.0 SPx), Group Policy objects (GPO) were used as the primary means for template distribution. The AD RMS administrator would post the template .xml files to a UNC share and use GPO to push them to clients. There was no built-in way for the client to fetch templates.

Another problem with templates pertained to AD RMS-enabled applications and their developers. Applications that utilize templates typically allow the user to select which template they’d like to use to protect their content. This poses a problem for the application because there is no centralized location where the RM client stores templates, and no built-in way to discover them programmatically. The application was responsible for locating them in its own way (usually by way of registry key overrides). This resulted in different applications that would look for templates in different locations. This was problematic, to say the least. 

Enter Template Distribution. So what is template distribution and, ultimately, why should you care? Starting with Windows Vista Service Pack 1, the AD RMS client is able to fetch templates (this requires the AD RMS server to be at least Windows Server 2008) and store them in a centralized location. How? Through scheduled tasks and APIs, that’s how.

  • Scheduled Tasks - There are two scheduled tasks: one manual, and one automated. The automated task runs silently in the background and suppresses authentication prompts (choosing to fail instead). The manual task is the same as the automated task, except that it does not suppress authentication prompts (as opposed to failing silently). When the task executes, it first makes a request to the server to get its template information. From the information returned, the client can determine that it a) has the correct templates and b) has the most up-to-date version of them. If either of these conditions is not met, the client acquires (or re-acquires) the templates from the server.
  • Client API - In addition to scheduled tasks, the AD RMS client provides developers with an API that can be used to discover and acquire templates for their application. You can read more about that here.

Note: It is important to point out that archived templates are not distributed to clients. This process applies only to distributed templates, hence the name.

Sounds great, right? But I’m sure you have some questions. So here’s an FAQ:

Q. Why are there two tasks, automated and manual?
A. There are two tasks because the end-user shouldn’t ever have to see a random credential UI for something that runs in the background and, even worse, for something they have no clue what it’s for. The automated task is designed to fail in this case, for this specific reason. The manual task can be invoked at any time by the user.
Q. How often will the automated task run once it’s enabled?
A. Once the task is enabled, the client will fetch templates (assuming it has never done this before). Afterwards, it creates the following registry value and populates it with the current time: HKCU\Software\Microsoft\MSDRM\TemplateManagement\lastUpdatedTime. Moving forward, the task checks the current time against this registry value. If the date is off by 30 days or more, the client attempts to fetch templates again and lastUpdatedTime is refreshed with the new date.
Q. So the default period is 30 days – can I change it?
A. Yes, this can be configured by setting the following registry value: HKCU\Software\Microsoft\MSDRM\TemplateManagement\updateFrequency (DWORD).
Q. Won’t all of the clients make requests at the same time and start a DoS attack?
A. No. When the client determines that it needs to fetch new templates, it will pick a random time within the next hour. This staggers the requests when the scheduled task is enabled broadly in a large organization.
Q. Are the templates contained in TPD’s distributed?
A. No, templates contained in trusted publishing domains (TPD) are not distributed.
Q. Why aren’t my archived templates being distributed?
A. Wasn’t this answered already? Alright, here goes again. No, only distributed templates will be distributed to clients via template distribution.
Q. Is the automated task enabled out-of-the-box?
A. No, the automated task is not enabled when Windows is installed, since the majority of Windows users are not in an enterprise. 
Q. Where does the client store the templates?
A. The client stores templates here: %userprofile%\AppData\Local\Microsoft\DRM\templates.
Q. Is this functionality available on Windows XP, Windows Server 2003, or Windows Vista RTM?
A. No, this functionality is provided only on Vista SP1 and above.
Q. Is this functionality available for Windows Rights Management Services v1.0 SPx on Windows Server 2003?
A. No, this functionality is available only on Windows Server 2008 and above.
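
As an added administrator check (not part of Jody's post or the AD RMS client), this PowerShell snippet reads the registry values and template folder described in the FAQ and reports whether the current user's client is due for a template refresh. It assumes lastUpdatedTime parses as a date and updateFrequency counts days; the post does not spell out either format.

```powershell
# Added example, not from the original post: inspect the AD RMS client's
# template-distribution state for the current user. Registry path, value
# names, the 30-day default and the template folder come from the FAQ above.
# Assumptions: lastUpdatedTime is parseable as a date and updateFrequency
# is a number of days (neither format is stated in the post).
$TemplateKey    = 'HKCU:\Software\Microsoft\MSDRM\TemplateManagement'
$TemplateFolder = Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\DRM\templates'

function Get-RmsTemplateDistributionState {
    $props  = Get-ItemProperty -Path $TemplateKey -ErrorAction SilentlyContinue
    $period = 30                                   # default refresh period (days)
    if ($props -and $null -ne $props.updateFrequency) {
        $period = [int]$props.updateFrequency      # assumed to be in days
    }

    $rawLast = $null
    if ($props) { $rawLast = $props.lastUpdatedTime }
    $last = $null
    if ($null -ne $rawLast) {
        try { $last = [datetime]$rawLast } catch { $last = $null }   # format assumed
    }

    # Per the FAQ, templates are re-fetched when lastUpdatedTime is 30 (or
    # updateFrequency) days or more behind the current time; a missing value
    # means the client has never fetched, so a refresh is due.
    $due = $true
    if ($last) { $due = ((Get-Date) - $last).TotalDays -ge $period }

    # Distributed templates are .xml files in the per-user DRM folder.
    $files = @()
    if (Test-Path $TemplateFolder) {
        $files = @(Get-ChildItem -Path $TemplateFolder -Filter '*.xml' |
                   Where-Object { -not $_.PSIsContainer })
    }

    $lastDisplay = $rawLast
    if ($last) { $lastDisplay = $last }
    if ($null -eq $lastDisplay) { $lastDisplay = 'never (value missing)' }

    New-Object PSObject -Property @{
        LastUpdatedTime  = $lastDisplay
        UpdatePeriodDays = $period
        RefreshDue       = $due
        TemplateFolder   = $TemplateFolder
        TemplateCount    = $files.Count
        TemplateFiles    = $files | ForEach-Object { $_.Name }
    }
}

Get-RmsTemplateDistributionState | Format-List
```

A RefreshDue of True with a TemplateCount of 0 indicates a client that has never completed template distribution, which is the first thing to check when users report that predefined policies are missing.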

And there you have it – template distribution made easy.

Jody Hendrix, Lead Software Design Engineer in Test

Posted by tonytri | 0 Comments

New Content: AD RMS and Active Directory Objects

The AD RMS team has recently published new content that summarizes the required and optional AD DS user and computer objects for an AD RMS implementation.

The following abstract provides some details:
Microsoft Active Directory Domain Services (AD DS) is a Windows-based directory service. AD DS stores information about objects on a network and makes this information available to users and network administrators. For example, these objects can include user and computer accounts. AD DS is a requirement for installing and implementing AD RMS.


Posted by tonytri | 0 Comments

New Content: AD RMS Performance and Logging Best Practices

The AD RMS team has recently published new content that details best practices for properly scaling and managing your AD RMS infrastructure.

The following abstract details the contents of this documentation:
Here we describe the scaling scheme for an AD RMS infrastructure, we define sizing parameters for the server roles in an AD RMS infrastructure, and we describe logging characteristics of AD RMS that enable adequate performance monitoring. We also present real-world data regarding Microsoft’s own production implementation of AD RMS in order to enable you to perform preliminary sizing estimates for your own infrastructure.

We hope these guidelines prove to be helpful to you as you configure your AD RMS environment.


Posted by tonytri | 0 Comments

New Content: AD RMS Client Deployment and Usage Considerations

The AD RMS team has recently published new documentation that discusses best practices for managing your AD RMS client deployment.

The following abstract provides some details about the content:
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, modify, print, forward, or take other actions on the information.

AD RMS includes server-side technologies as well as client-side technologies. On the client, an RMS client must be in place, RMS-enabled applications must be deployed, and information protection policies and templates must be delivered.

In this paper we describe the best practices for safely and efficiently getting all those components in place on the client, as well as options for configuring the client in different scenarios.


Posted by tonytri | 0 Comments