By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.
For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at http://technet.microsoft.com/en-us/windowsserver/dd448611.aspx.
An AD RMS system includes a Windows Server 2008– or Windows Server 2008 R2–based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista and Windows 7 operating systems. Deploying an AD RMS system provides the following benefits to your organization:
AD RMS combines the features of Rights Management Services (RMS), developer tools, and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.
Organizations of all sizes are challenged to protect valuable digital information against careless mishandling and malicious use. The increasing incidences of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital content. The growing use of computers to create and work with these types of sensitive information, the introduction of extensive connectivity through private and public networks (including the Internet), and the appearance of increasingly powerful computing devices have made protecting organizational data an essential security consideration.
Types of digital content can include dynamic, database-driven reports on an information portal, confidential e-mail messages, strategic planning documents, military defense reports, and other sensitive files. This section describes some basic reasons why you might want to deploy AD RMS to protect content.
Organizations create and use a broad assortment of valuable content that they want and need to protect. The following list provides examples of content that you can protect by using AD RMS:
Deploying AD RMS can be an important part of a security strategy to protect this vulnerable content.
Protecting digital content is a difficult and ongoing task. Typically, organizations work to secure digital files and information by using perimeter-based security methods. Firewalls can limit access to the corporate network, and discretionary access control lists (DACLs) can restrict access to specific data. In addition, organizations can use encryption and authentication technologies and products (such as public key infrastructure [PKI] and Kerberos), to help secure e-mail while it is in transit, as well as to help ensure that the intended recipients are the first recipients to open the messages.
These methods help organizations control access to sensitive content. However, recipients are still free to do whatever they want with the content that they receive. After the user is authenticated and the content is decrypted, no restrictions control what can be done with the content or where it can be sent. Perimeter-based security methods cannot enforce business rules that control how people use and distribute the content outside the network perimeter, or after the perimeter is breached.
If you rely on individual discretion and responsibility for the manner in which digital content is shared and used, an unacceptable degree of risk might be introduced into this network security model. Even accidental security breaches can cause serious harm. For example, users could mistakenly forward sensitive e-mail messages or documents to recipients who have potentially malicious intent.
In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital content. For example, many organizations must comply with Securities and Exchange Commission (SEC) fair disclosure rules, which address the problem of selectively disclosing material information to particular investors before it is made public. Similarly, the finance, healthcare, and legal sectors are increasingly challenged by the need to better protect digital content because of emerging legislative standards.
Without an end-to-end software solution such as AD RMS in place to effectively control the use of digital content no matter where it goes, the content can too easily end up in the wrong hands, whether maliciously or accidentally.
Digital content must be better protected. Although no form of information will ever be invulnerable to unauthorized use, and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution that safeguards information.
As an essential part of an organization's security strategy, a solution for better information protection should provide the means to control how content is used and distributed beyond simple access control. A solution for better information protection should:
AD RMS provides all of these capabilities. For more information, see How AD RMS works.
By using Server Manager, you can set up the following components of AD RMS:
AD RMS runs on a computer running the Windows Server 2008 or Windows Server 2008 R2 operating systems. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.
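The following script, added here as an example and not taken from the original page or from Microsoft's documentation, shows the Windows PowerShell equivalent of the Server Manager steps described above on Windows Server 2008 R2: it checks the prerequisites the paragraph lists (AD DS domain membership, a reachable database server) and then installs the AD RMS server role, which brings IIS with it. The SQL Server host name and port are placeholders; the remaining cmdlets are the ServerManager module cmdlets that ship with Windows Server 2008 R2.

```powershell
# Added example (not from the original page): prerequisite checks and
# role installation for AD RMS on Windows Server 2008 R2.
# Run in an elevated Windows PowerShell session on the intended AD RMS server.
Import-Module ServerManager

$sqlHost = 'sql01.corp.example'   # assumed name of the SQL Server host (placeholder)
$sqlPort = 1433                   # default port of a SQL Server default instance

# 1. AD RMS must be installed on a member of an AD DS forest. Confirm domain
#    membership and that the secure channel to a domain controller is healthy.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This computer is not joined to an AD DS domain; AD RMS requires an AD DS forest.'
}
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to the domain '$($cs.Domain)' is broken; repair it before installing AD RMS."
}

# 2. The configuration database can be local or on a remote SQL Server. For a
#    remote server, verify the instance port is reachable before the wizard
#    fails on it.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($sqlHost, $sqlPort)
    Write-Host "SQL Server reachable at ${sqlHost}:${sqlPort}"
} catch {
    Write-Warning "Cannot reach ${sqlHost}:${sqlPort}; check the firewall and the SQL Server network configuration."
} finally {
    $tcp.Close()
}

# 3. Show which of the relevant features are already present. Installing the
#    ADRMS role pulls in IIS (Web-Server) and the other features it depends on.
Get-WindowsFeature ADRMS, ADRMS-Server, ADRMS-Identity, Web-Server |
    Format-Table Name, DisplayName, Installed -AutoSize

# 4. Install the AD RMS server role (the same as selecting
#    "Active Directory Rights Management Services" in Server Manager).
#    Only the AD RMS Server role service is installed here; the Identity
#    Federation Support role service (ADRMS-Identity) is needed only for
#    AD FS scenarios and is deliberately left out.
$result = Add-WindowsFeature ADRMS
if (-not $result.Success) {
    throw "AD RMS role installation failed (exit code $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the AD RMS cluster can be configured.'
}
```

Installing the role only stages the binaries; creating or joining the AD RMS cluster (choosing the configuration database, the service account, the cluster key protection, and the cluster URL) is still done afterwards in the Server Manager configuration wizard. Run the script on a lab server first, because an unreachable database or a broken secure channel is easier to diagnose before the cluster configuration step than during it.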
The following table describes the minimum hardware requirements and recommendations for running Windows Server 2008– and Windows Server 2008 R2–based servers with the AD RMS server role.
Note: A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.
To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needed for your server.
The following table describes the software requirements for running Windows Server 2008– and Windows Server 2008 R2–based servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.
The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-protected content, Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security, AD RMS can be integrated with other technologies such as smart cards.
Windows Vista and Windows 7 include the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows Server 2008.
For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic on the Windows Server 2008 Technical Library (http://technet.microsoft.com/en-us/library/cc771789.aspx).