Active Directory Rights Management Services - AD RMS : AD RMS

AD RMS Architecture Video Series: How AD RMS Works

tonytri — Thu, 17 Dec 2009 20:30:00 GMT

A successful deployment of Active Directory Rights Management Services depends on a careful consideration of how AD RMS works and how it interacts with other objects in your network environment. Enrique Saggese, a Senior Microsoft Consultant, recently gave a presentation about AD RMS design and deployment, which we are making available on TechNet Edge as a series of short videos.

In the first video in this series, Enrique describes the process and components that AD RMS uses to protect and consume IRM-enabled content.

Micah LaNasa, Technical Writer

Microsoft Office 2003 Cannot Open Documents Protected with RMS

tonytri — Sun, 13 Dec 2009 08:26:00 GMT

The issue of the inability to open documents protected with AD RMS with Microsoft Office 2003 has now been resolved with a hotfix. You can obtain the hotfix at the following locations:

Office Client – KB978551

Word Viewer – KB978558

Excel Viewer – KB978557

The AD RMS Bulk Protection Tool Has Arrived

tonytri — Fri, 30 Oct 2009 18:21:00 GMT

We heard from the AD RMS community and we acted! Today, we are extremely proud to announce the availability of the AD RMS Bulk Protection Tool on Microsoft Download Center.

The AD RMS Bulk Protection Tool is a command-line tool that can decrypt multiple AD RMS protected files or encrypt multiple files to a predefined rights-policy template. This tool can be used to perform e-discovery of content for litigation or audit purposes, or to safeguard existing sensitive data on company shares. It also works in conjunction with the File Classification Infrastructure (FCI) feature in Windows Server 2008 R2 to classify and protect sensitive company data.

Here are some additional details:

Features

Simple command-line interface
Bulk decrypt RMS supported files and items within Outlook PSTs
Bulk encrypt RMS supported files to a custom template
Extensible to other file formats via IRM protector implementation

System Requirements

Windows XP, Windows Vista, Windows 7, and Windows Server 2008 R2
The tool requires installation of RMS Client SP2 and .NET Framework 2.0 SP2 on Windows XP
Outlook 2007 is needed for decrypting items within PST files

You can refer to the AD RMS Bulk Protection Tool help file that is included with the tool for more usage details.

...and finally, we hope you enjoy the tool!

Yours truly,
Clinton Ho, Saket Kataruka, and Adeel Zaidi
The AD RMS Bulk Protection Tool Team

AD RMS and PowerShell

tonytri — Mon, 19 Oct 2009 18:45:00 GMT

PowerShell has been included in Windows Server 2008 R2. If you haven’t heard of it, it’s “a command-line shell and scripting language that helps IT professionals achieve greater productivity and control system administration more easily.” You can learn more about it at the PowerShell Website or at the PowerShell team’s blog.

The AD RMS team recently release a guide called Using Windows PowerShell with AD RMS:

This guide explains how to use the Windows PowerShell cmdlets that enable you to install, configure, and administer the AD RMS server role on a computer running Windows Server 2008 R2. It introduces the Windows PowerShell providers that implement AD RMS-specific cmdlets, describes the namespace that these cmdlets work in, and also shows how to use general-purpose cmdlets, such as Set-Itemproperty, to manipulate items in these namespaces that represent AD RMS settings.

If you need more information, you can also visit the reference documentation for the AD RMS cmdlets.

AD RMS and Group Expansion

tonytri — Wed, 16 Sep 2009 21:57:00 GMT

We get occasional questions from customers about AD RMS and group expansion across forests. The following are a few links that can help answer your questions concerning group expansion:

The topic Deploying RMS Across Forests contains a thorough explanation of how AD RMS works in a multiple-forest environment: “RMS uses Active Directory to identify users and distribution groups. When an organization’s Active Directory deployment includes multiple forests, RMS uses contact objects to obtain the identities of users and groups that are part of a different forest than the RMS server.”
The topic Release Notes for Windows Rights Management Services with Service Pack 2 contains a brief description of the group expansion functionality available in Windows RMS SP2: “…group expansion across forests facilitates the ability for RMS to expand Active Directory Universal group membership in a different forest where group memberships are not replicated between two forests…”
Jason Tyler, a senior support engineer, has a post on his blog called Troubleshooting your RMS Server and Group Membership: “The only time that I usually will get on an RMS server to track things down (once it is setup and provisioned), is when I get a call from someone who says 'I am sending this RMS/IRM protected message to a group, and people in the group cannot open the message'.”

Information Protection in Exchange 2010

tonytri — Tue, 08 Sep 2009 20:37:00 GMT

We are excited about the features being built into Exchange 2010 that use AD Rights Management Services technology to ensure that sensitive information is protected. Ed Banti, a Microsoft program manager, recently presented an overview of these features, which we have made available on TechNet Edge as a series of short videos.

In the following video, Ed discusses how end users can benefit from the information protection features in Exchange 2010, which include Outlook Web Access support and full-text search on protected messages:

New Content: AD RMS and Active Directory Objects

tonytri — Mon, 29 Jun 2009 20:58:00 GMT

The AD RMS team has recently published new content that summarizes the required and optional AD DS user and computer objects for an AD RMS implementation.

The following abstract provides some details:
Microsoft Active Directory Domain Services (AD DS) is a Windows-based directory service. AD DS stores information about objects on a network and makes this information available to users and network administrators. For example, these objects can include user and computer accounts. AD DS is a requirement for installing and implementing AD RMS.

New Content: AD RMS Performance and Logging Best Practices

tonytri — Mon, 29 Jun 2009 20:56:00 GMT

The AD RMS team has recently published new content that details best practices for properly scaling and managing your AD RMS infrastructure.

The following abstract details the contents of this documentation:
Here we describe the scaling scheme for an AD RMS infrastructure, we define sizing parameters for the server roles in an AD RMS infrastructure, and we describe logging characteristics of AD RMS that enable adequate performance monitoring. We also present real-world data regarding Microsoft’s own production implementation of AD RMS in order to enable you to perform preliminary sizing estimates for your own infrastructure.

We hope these guidelines prove to be helpful to you as you configure your AD RMS environment.

New Content: AD RMS Client Deployment and Usage Considerations

tonytri — Mon, 29 Jun 2009 20:43:00 GMT

The AD RMS team has recently published new documentation that discuss best practices for managing your AD RMS client deployment.

The following abstract provides some details about the content:
Active Directory Rights Management Services (AD RMS) is an information protection technology that works with enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, modify, print, forward, or take other actions on the information.

AD RMS includes server-side technologies as well as client-side technologies. On the client, an RMS client must be in place, RMS enabled applications must be deployed and information protection policies and templates must be delivered.

In this paper we describe the best practices for safely and efficiently getting all those components in place on the client, as well as options for configuring the client in different scenarios.

Group Expansion for Federated Users

tonytri — Tue, 09 Jun 2009 20:56:00 GMT

[Note - This post assumes the reader is familiar with terms such as issuance license, rights-policy templates, and AD RMS trust policies (federated trust). In summary, an issuance license represents the usage policy for a piece of content and contains a list of authorized users and usage rights assigned to each user. Rights-policy templates are used to control the rights that a user or group has on a particular piece of rights-protected content. Federated trust refers to using Active Directory Federation Services to establish trust between two forests.

This blog post references Windows Server 2008 R2. The release candidate for Windows Server 2008 R2 can be downloaded at www.microsoft.com. Please see the AD RMS with AD FS Identity Federation Step-by-Step Guide to learn how to configure an AD RMS server to work with Active Directory Federation Services (ADFS).]

AD RMS in Windows Server 2008 R2 can support groups that contain external, federated users. In Windows Server 2008, federated users had to be individually named in the issuance license or individually added to an AD RMS rights-policy template. Now, because group expansion for federated users is supported, it is possible to add federated users to a group and create protected content specifically for the group. This can be accomplished by creating a contact object for the federated users in Active Directory, in the forest where the AD RMS server is located, and adding that contact object to the group where you want to include the federated users.

Here’s an example:
Contoso has AD RMS and a group called TopSecretProj@Contoso.com. Contoso has decided to collaborate with Fabrikam. Usr01@Fabrikam.com must access all content that is shared with the TopSecretProj@Contoso.com group. The IT administrator in Contoso can create a contact object for Usr01@Fabrikam.com in Active Directory and add the new contact object as a member of TopSecretProj@Contoso.com.
As long as you have identity federation support configured and enabled between the two companies, Usr01@Fabrikam.com has access to all the content published for TopSecretProj@Contoso.com.

Sunitha Samuel, Lead Software Design Engineer in Test

Learn at Tech-Ed 2009

tonytri — Thu, 07 May 2009 19:56:00 GMT

Microsoft Tech-Ed is coming to Los Angeles on May 11th-15th.

You'll go back to your office with knowledge and expertise that only five days at Tech Ed can offer. You can learn about today’s cutting edge trends, helping make life easier for you (and everyone else) at work. But the most important benefit just might be the networking: you can build personal connections with Microsoft experts and peers that will last far beyond Tech-Ed.

Among the 20 technical tracks is a Security, Identity, and Access track that will feature AD RMS and related technologies. Some of the sessions highlighting AD RMS are the following:

Using Active Directory Rights Management Services and Microsoft Exchange to Protect Sensitive E-mail Communication (SIA324) - E-mail is one of the primary leak vectors for sensitive business information. Learn how Active Directory Rights Management Services and Exchange are helping to prevent confidential data from being inappropriately disclosed. (Amit Fulay, Fri 5/15 | 10:45 AM-12:00 PM | Petree Hall D)
Federated Collaboration Using Microsoft Office, SharePoint, Active Directory Rights Management Services, and Microsoft "Geneva" (SIA306) - This lab walks you through how to set up a B2B environment using Microsoft code name "Geneva" and Office SharePoint Server 2007 to publish sensitive documents for external users, and using Active Directory Rights Management Services to prevent sensitive information. It is intended for IT professionals who are looking to implement an end-to-end, federation-based collaboration solution. (Vijay Gajjala and Tariq Sharif, Thu 5/14 | 1:00 PM-2:15 PM | Theatre (Room 411))
Protect against Information Leaks with Microsoft Active Directory Rights Management Services and RSA Data Loss Prevention Solutions (SIA311) - Information is our customers' most valuable asset. It must be protected, yet also be shareable. Find out how Microsoft and RSA are partnering to combine the benefits of Enterprise Rights Management (ERM) and Data Loss Prevention (DLP) for the most effective approach to discovering, classifying, and protecting confidential business data from inappropriate disclosure while still enabling necessary business collaboration. (Mohan Atreya and Marcio Mello, Tue 5/12 | 2:45 PM-4:00 PM | Room 402)

See the list of sessions to see details about each session mentioned here, and other sessions.

We will also have some hands-on labs. Additionally, be sure to stop by and talk with the team at our product booth in the pavilion. It will be a great opportunity for you to see some of the new scenarios where AD RMS is helping organizations protect their information.

We hope to see you there.

Opening AD-RMS Protected Files on Your Windows Mobile Phone

tonytri — Mon, 30 Mar 2009 21:29:00 GMT

Thanks to Elizabeth at MS for the following post...

Perform these steps to setup Active Directory-Rights Management Services on your Windows Mobile phone:

Before you can set up AD-RMS on your phone, you need to make sure that you have Active Directory-Rights Management Services installed on your computer. If you’re running Windows Vista, AD-RMS is already installed. If you’re running Windows XP, you’ll need to install it through Add or Remove Programs in the Control Panel (if you don’t see Rights Management Services listed in Add or Remove Programs, you can download it directly from the Microsoft Download Center). If you are able to open protected content (a protected document in Office Word, for instance), you have AD-RMS properly installed and configured. Once you have AD-RMS installed, ensure that your computer is connected to your corporate network and to the domain.
Connect your phone to your computer through a USB cable.
If you’re using ActiveSync:

In ActiveSync, on the Tools menu, click Advanced Tools > Activate Information Rights Management.
In the Information Rights Management Activation dialog box, click Yes, and ActiveSync will try to activate IRM automatically.
If ActiveSync isn’t able to access your credentials, you’ll be asked to re-enter the information, including your user name, password, and domain. Click Retry.
After you’ve successfully activated Information Rights Management, click OK.

If you’re using Windows Mobile Device Center:

Click Mobile Device Settings > Activate Information Rights Management.
Enter your credentials (user name, password, domain), and click Activate.
After you’ve successfully activated Information Rights Management, click Done.

End of support for Windows Rights Management Services V1.0

tonytri — Tue, 10 Mar 2009 20:58:00 GMT

March 23, 2009 will bring a close to support for Windows Rights Management Services V1.0 as part of the Microsoft Lifecycle Policy. Microsoft will retire public and technical support, including security updates, by this date.

As of this date users will no longer be able to activate or re-activate clients, and may be unable to produce or use Rights-Protected content unless they upgrade to a newer version of Windows Rights Management Services Client. This includes Windows Rights Management Services Client V1.0 SP2, or the Windows Rights Management Services Client available as part of Windows Vista or Windows Server 2008. When users attempt to activate Windows Rights Management Services Client V1.0 using Microsoft Office they will receive the following error message “This service is temporarily unavailable. Ensure that you have connectivity to the server. This error could be caused because you are offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.” Users attempting to activate via other RMS enabled applications may receive different error messages.

Microsoft is retiring support for this product because it is outdated and can expose customers to security risks.

We recommend that customers who are still running Windows Rights Management Services Client V1.0 upgrade to a newer version as soon as possible. Windows Rights Management Services Client V1.0 SP2 can be downloaded from the following links.
Windows Rights Management Services Client V1.0 SP2 client (x86)
Windows Rights Management Services Client V1.0 SP2 client (x64)

Windows Rights Management Client V2.0 is also available as part of the Windows Vista and Windows Server 2008 operating systems. Information about Windows Vista is available at http://www.microsoft.com/windows/windows-vista/default.aspx. Information about Windows Server 2008 is available at http://www.microsoft.com/windowsserver2008

We recommend that customers who are still running Windows Rights Management Services V1.0 servers upgrade to a newer version such as Windows Rights Management Services with Service Pack 2 as soon as possible.

RMS Hardening Guide

rightsmanagement — Mon, 27 Mar 2006 20:37:00 GMT

RMS is designed as a solution to allow digital enforcement of content usage policies. And like any other solution, one can follow some best practices to ensure that the service is running in a secure manner. Here are a few suggestions from the product team.

Deploy RMS web services as https – not http. Particularly for external services, deploying as https protects privacy of the RMS credentials that are sent back and forth in licensing requests, and importantly secures the authentication of certification requests. Additional security for authentication can be enabled by requiring https with client authentication, not just the standard server authentication, and requiring smartcards.
The default protection for RMS server private keys is a software-based protection. For added protection, Hardware Security Modules can be used for key protection off the server. Many varieties of HSM can be used, but two specific vendors who have done testing with RMS are Safenet (Luna HSM) and nCipher
Avoid email address recycling. This ensures that users (who may otherwise get the recycled email address of an authorized user) do not get access to protected content that they shouldn’t have access to.
Disable hibernation on desktops. You never know what is encrypted in memory and what is not. :-)
Use Windows integrated authentication to access SQL as it is stated in the installation guide.
ACL the pipelines appropriately. If you are not allowing Passport-authenticated users, you might want to have authentication of the licensing pipelines as well.
Minimize the number of services on RMS Servers. This is a recommended practice for defense-in-depth strategy.
The group of RMS administrators and the Superuser group should be an AD restricted group.
RMS service account should be used, as opposed to any system account, to run RMS. It should not be granted any additional special privileges. Also, be sure to isolate the RMS server by not running other applications on it. Sharing the RMS server with other applications may put RMS keys, and hence content, at risk
Since Office applications currently use the content of the Active Directory email attribute, or alternate SMTP proxy addresses, associated with a user as that user’s unique identity, be sure to protect this field in AD. Do not allow users in your AD to change this attribute, and inquire about the protection of this attribute before importing other organizations’ RMS servers into your list of trusted RMS domains.
When making RMS services available to the internet, you can offer advanced protection by using an application layer firewall. Rather than just opening port 443, ISA server (or potentially other application layer firewalls) can inspect the https traffic by terminating the https connection at the firewall and re-establishing a separate connection internally, once the traffic is inspected. This is a best practice when internet-enabling any web based application.

Again, the above is not an exhaustive list, but can serve as a good starting point for understanding how to deploy RMS in a secure manner. If you have more specific questions, please leave us a comment here or join our newsgroup and we will do our best to answer them