Managing access control with Windows Rights Management Services

Active Directory's Rights Management Services is a good way of managing access to data, but there are caveats.

Data security is about more than regulating user access to files. To be truly secure, organizations must be able to prevent legitimate users from leaking confidential data. This is where Windows Rights Management Services (also known as Active Directory Rights Management Services, or simply RMS) comes into play.

Rights Management Services is designed to enforce data usage policies. For example, RMS could be used to prevent someone from copying data from a Microsoft Word document or an Excel spreadsheet and pasting it into another document. Similarly, Rights Management Services could be used to prevent someone from printing a document or forwarding an e-mail.

Although Rights Management Services is great for augmenting your existing security, it does have one major limitation. In order for a document to be protected by RMS, the application that is associated with the document must be Rights Management Services-aware. Microsoft Office 2003, 2007, and 2010 all support RMS to varying degrees. The version of Office Mobile that is included with Windows Phone 7 also supports Rights Management Services, as do several third-party applications.

Because applications such as Microsoft Office are Rights Management Services-aware, users can restrict the documents that they create directly from within the application. For example, if you look at Figure 1, you can see an option in Microsoft Word to protect the document. The nice thing about the types of protection offered by Word and other Microsoft applications is that the security is bound to the document, not to the file system. As such, the document remains protected even if it is copied to a different location.

Figure 1: Document level security

In spite of the requirement for user application support, Rights Management Services is not based solely on the client operating system and its applications. In order to use RMS, you have to deploy a Rights Management Services server.

Deploying the Active Directory Rights Management Services
On the surface, deploying Rights Management Services is deceptively simple. Active Directory RMS is a Windows Server 2008 server role, and like any other server role, it can be installed through Server Manager, as shown in Figure 2.

Figure 2: Rights Management Services is deployed as a Windows Server role

You don't necessarily have to use a dedicated server for Rights Management Services, but the server that you choose must be running Windows Server 2008 or Windows Server 2008 R2, and it must be a member of an Active Directory domain. Additionally, the server must run Internet Information Services, and ASP.NET and Message Queuing must be installed. Finally, the domain controllers must be running Windows 2000 SP3 or a later operating system.

Rights Management Services is designed to store user rights information in a SQL Server database. As such, you will need to provide the server with a local or virtualized instance of SQL Server 2005 or later.
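Before adding the role, it is worth confirming that the server actually meets the prerequisites listed above. The following PowerShell script is an added example and not part of Microsoft's step-by-step guide; it assumes Windows Server 2008 R2 with the ServerManager module available, and the SQL instance name is a placeholder you must replace with your own.

```powershell
# Added example (not from the article): check the AD RMS prerequisites the
# article lists before adding the role. Assumes Windows Server 2008 R2 with
# the ServerManager PowerShell module; $SqlInstance is a placeholder value.
param(
    [string]$SqlInstance = "SQLSERVER01\RMSDB"   # placeholder, use your instance
)
Import-Module ServerManager

$ok = $true
function Report($name, $passed, $detail) {
    $state = if ($passed) { "PASS" } else { "FAIL" }
    Write-Host ("[{0}] {1}: {2}" -f $state, $name, $detail)
    if (-not $passed) { $script:ok = $false }
}

# 1. Operating system must be Windows Server 2008 or 2008 R2 (NT 6.0 / 6.1)
$os = Get-WmiObject Win32_OperatingSystem
$osVersion = [Version]$os.Version
Report "Operating system" ($osVersion.Major -eq 6 -and $osVersion.Minor -le 1) $os.Caption

# 2. The server must be a member of an Active Directory domain
$cs = Get-WmiObject Win32_ComputerSystem
Report "Domain membership" $cs.PartOfDomain $cs.Domain

# 3. IIS, ASP.NET and Message Queuing must be installed
foreach ($feature in "Web-Server", "Web-Asp-Net", "MSMQ-Server") {
    $f = Get-WindowsFeature $feature
    Report "Feature $feature" ($f -ne $null -and $f.Installed) $f.DisplayName
}

# 4. The SQL Server that will hold the RMS databases must be reachable
#    (Windows authentication as the account running this script)
try {
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlInstance;Integrated Security=True;Connection Timeout=5"
    $conn.Open()
    Report "SQL Server" $true ("{0} version {1}" -f $SqlInstance, $conn.ServerVersion)
    $conn.Close()
} catch {
    Report "SQL Server" $false $_.Exception.Message
}

if ($ok) { Write-Host "All prerequisites met; the ADRMS role can be added with Add-WindowsFeature ADRMS" }
else     { Write-Host "Fix the FAIL items before deploying AD RMS" }
```

Run the script as an account that can query WMI locally and that has a login on the SQL instance; a FAIL on the SQL check usually means the database server requirement, not the RMS server itself, still needs attention.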

Client Requirements
In addition to running RMS-aware applications, client computers must be domain members and they will need a copy of the AD RMS client. Windows Vista and Windows 7 have the client built in, but if you have any clients running Windows XP then you will need to download and install the AD RMS client.  

A Word of Caution
If the AD RMS server or the database server were to fail, then users with authorized access to documents could be prevented from using those documents. That being the case, it would be wise to take steps to ensure the availability of the RMS server and the underlying database server.

The easiest way to ensure the availability of RMS is probably to run the RMS server on a virtual machine on top of a clustered host server. You could provide database fault tolerance by either running SQL Server locally on the virtualized RMS server or by attaching the RMS server to a clustered SQL server. Of course these are just a couple of suggestions for providing fault tolerance for RMS. There are several other ways to ensure that the RMS server remains available.

Rights Management Services is relatively easy to get up and running, but if you need some extra help then you can always download Microsoft’s step-by-step guide.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for TechTarget sites.
