AD Rights Management Services and the protection within

For IT pros, the days of simply securing the perimeter are long gone. AD Rights Management Services is just one of many solutions designed to help protect data from the inside.

IT professionals have spent the last several years watching security requirements for organizations become more...

and more complex. Information security used to be all about securing the perimeter of the network -- the so-called "hard and crunchy exterior" that came from a well-fortified firewall -- with little protection afforded to systems inside the network.

As threats such as Internet worms and viruses evolved, this model quickly became outdated. Security measures transitioned from simply securing the perimeter to shoring up the endpoint and network, adding host-based firewalls, and implementing intrusion detection and prevention technologies as an added layer of protection.

More on AD services with Windows Server 2008 R2

Active Directory Web Services brings new power to R2

AD Federation Services drives claims-based identity for Windows

Security threats continue to evolve, however, and the protection of data has become an additional, growing concern. Consider the damage that could be caused to an organization's reputation or intellectual property if a sensitive document was emailed outside of the company, or a document containing critical information was modified incorrectly, either accidentally or maliciously. Just as host-based firewalls were introduced to increase the security of an organization beyond a perimeter firewall, we are now seeing new advances in data protection technologies as well.

One such solution is Microsoft Active Directory Rights Management Services (AD RMS). Implementing AD RMS allows you to configure persistent usage policies on your organization's documents, which will remain embedded with the document regardless of where it is moved, copied, or otherwise stored.

Consider a situation in which the owner of a document moves it from one file share to another, where NTFS security on the document becomes less stringent than it should be. AD Rights Management Services can be used to create security settings that will persist with the document regardless of the server or file share it resides on, or even if it is emailed within or outside of an organization. AD RMS also includes support for federated business partnerships through the use of Active Directory Federation Services (ADFS).

AD Rights Management Services relies on client software along with AD RMS-enabled browsers and applications -- not all applications are or can be used to create RMS-protected content. Some examples of RMS-enabled applications include Microsoft Word, Outlook, and PowerPoint 2007 or higher. Specifically, you need to have the Enterprise, Professional Plus, or Ultimate versions of Office 2007 in order to create rights-protected content.

As for the necessary client software, Windows 7 and Vista include the AD RMS client out of the box, while other operating systems can download the necessary client software from the Microsoft website. Additionally, AD RMS provides developer tools and a software development kit (SDK) to allow third-parties to create RMS add-ons for other software applications.

Looking for more information on AD RMS? Check out this overview on the basics of Rights Management Services in Windows.

About the author:
Laura E. Hunter, the Principal for LHA Consulting, is a six-time recipient of the Microsoft MVP award in Windows Server System - Directory Services, and is a Microsoft Certified Masters in Windows Server 2008 Active Directory. She is also an active technical speaker, author and presenter focusing in the Active Directory, Federated Identity and Identity Management spaces.


Dig Deeper on Windows systems and network management