AD RMS Enterprise file Rights Management

Source: Internet
Author: User
Tags: domain, NTFS, permissions

AD RMS (Active Directory Rights Management Services) protects the confidentiality of digital files within the enterprise. For example, a user who has been granted only Read permission on a protected file, and holds no license for other uses, can open it but cannot copy or print it.

AD RMS Overview

NTFS permissions can control which users may access a file, but they have a shortcoming: once you let a user read a file that contains confidential data, that user can copy its contents or save the file to another location, and the confidential document can leak. This is especially true now that portable storage media are everywhere and users can easily carry files out of the company.

AD RMS is an information protection technology. Paired with an AD RMS-enabled application, it lets the owner of a file mark it as a rights-protected file and grant other users the right to read, copy, or print it. A user who is granted Read permission only cannot copy the contents of the file or print it. Senders can also prevent recipients from forwarding e-mail messages.

The protection information is stored inside each rights-protected file. Wherever the file is moved or copied, the protection travels with it, so unauthorized users cannot open it. AD RMS can therefore protect confidential documents within the enterprise, such as financial statements and technical documents.

Requirements for AD RMS

A basic AD RMS environment contains the following components:

    • Domain controller: AD RMS requires a domain environment, so a domain controller is needed.
    • AD RMS server: clients need certificates and licenses to work with rights-protected files, and the AD RMS server issues them. You can deploy several AD RMS servers for fault tolerance and load balancing; the first server installed becomes the AD RMS root cluster. Because clients talk to the AD RMS server over HTTP and HTTPS, IIS must be installed on the AD RMS server.
    • Database server: stores AD RMS settings and policies. You can use Microsoft SQL Server, or the Windows Internal Database that ships with AD RMS, but with the internal database the cluster can contain only one AD RMS server.
    • Client computers running an AD RMS-enabled application: a user runs an AD RMS-enabled application (such as Word) to create and edit a file and mark it as protected, then stores the file somewhere other users can reach it, such as a network shared folder or a USB flash drive.
How AD RMS Works

The following is a simplified description of the process, which is easier to follow.

    1. When the file owner protects a file for the first time, the application obtains a certificate from the AD RMS server; only after it has this certificate can it protect files.
    2. The file owner uses the AD RMS-enabled application to create the file and protect it, that is, to set the permissions and usage conditions for the file. The application encrypts the file and creates a publishing license that contains the permissions, the usage conditions, and the decryption key.

Note: Permissions include read, change, print, forward, copy, and so on, and can be combined with conditions such as how long the file may be accessed. System administrators can also use the AD RMS server settings to prevent certain applications or users from opening protected files.

    3. The file owner stores the protected file (including its publishing license) in a location the recipient can reach, or sends it directly to the recipient.
    4. When the recipient opens the file with an AD RMS-enabled application, the application sends a request for a use license to the AD RMS server.
    5. The AD RMS server uses the information in the publishing license to confirm that the recipient has been granted access to the file, then creates a use license for that recipient (containing the usage rights, the usage conditions, and the decryption key) and returns it.
    6. When the recipient's AD RMS-enabled application receives the use license, it decrypts the protected file with the key in the license and enforces the rights and conditions while the user works with it. The rights are enforced by the client application, which is why only trusted AD RMS-enabled applications are allowed to open protected files.
AD RMS Instance Demo

We will now practice setting up an AD RMS rights-management environment. To keep it simple we drop the separate database server and use the Windows Internal Database instead, place the protected file directly in a shared folder on the domain controller DC, and use a single Windows 8 client computer: both the file owner and the file recipient log on there.

Prepare the computers

AD RMS requires a domain environment, so after creating the three machines we continue with the Contoso domain environment built earlier.

Create a user account

On the domain controller we create the file owner George and the file recipient Mary, plus an account named adrms that will run the AD RMS service. All three are ordinary accounts (the names are arbitrary) and need no special permissions.

We create George and Mary in the Marketing department OU and the adrms account in the Users container. Remember to give George and Mary an e-mail address, because AD RMS identifies users by the mail attribute when rights are assigned.
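The same three accounts can be created from PowerShell on the domain controller. This is an added example, not part of the original article; the OU path for the marketing department, the UPN suffix contoso.com and the passwords are assumptions.

```powershell
# Added example (not from the original article): create the file owner, the file
# recipient and the AD RMS service account with the ActiveDirectory module.
# Assumed: OU=Marketing,DC=contoso,DC=com exists and contoso.com is the UPN suffix.
Import-Module ActiveDirectory

$marketingOU = "OU=Marketing,DC=contoso,DC=com"   # assumed OU for George and Mary
$usersCN     = "CN=Users,DC=contoso,DC=com"       # default container for adrms
$pw = Read-Host -AsSecureString "Initial password for George and Mary"

# AD RMS identifies users by the 'mail' attribute, so both the file owner and the
# recipient need an e-mail address even though no mailbox exists in this lab.
foreach ($name in "George", "Mary") {
    New-ADUser -Name $name -SamAccountName $name `
        -UserPrincipalName "$name@contoso.com" `
        -EmailAddress "$name@contoso.com" `
        -Path $marketingOU -AccountPassword $pw -Enabled $true
}

# Service account for the AD RMS service: a plain domain user, no admin group
# membership, password managed by the administrator rather than the account.
$svcPw = Read-Host -AsSecureString "Password for the adrms service account"
New-ADUser -Name "adrms" -SamAccountName "adrms" `
    -UserPrincipalName "adrms@contoso.com" `
    -Path $usersCN -AccountPassword $svcPw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Check: the service account should be a member of Domain Users and nothing else.
Get-ADPrincipalGroupMembership -Identity adrms | Select-Object -ExpandProperty Name
```

The last line is the check worth keeping: the wizard later asks for this account, and it should never accumulate Domain Admins or Enterprise Admins membership just to make the installation succeed.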

Installing Active Directory Rights Management Services

Log on to the server as an administrator and install AD RMS by adding the server role.

Note: The user who installs AD RMS must be a member of the local Administrators group and of the domain group Enterprise Admins. The domain Administrator account we are using belongs to both by default. If you want to install AD RMS with a different domain user account, add that account to these two groups first.

    1. By default the AD RMS role is installed together with IIS.

    2. Perform additional configuration.

    3. Click Next when the AD RMS configuration wizard appears.

As the screenshot shows, two kinds of cluster can be set up: a root cluster, which issues both certificates and licenses, and a licensing-only cluster, which issues licenses only. The first server installed becomes the root cluster.


Note: In a more complex environment you can set up a licensing-only cluster after the root cluster exists, but it is recommended to use only the root cluster and join the other AD RMS servers to it, because a root cluster and a licensing-only cluster cannot be placed in the same load-balanced pool.

    4. Choose to use the Windows Internal Database.

Note: Because we chose the internal database, the cluster can contain only one AD RMS server. If you use Microsoft SQL Server instead, select the option to specify the database server and instance; that server must be joined to the domain, and the domain user account that installs AD RMS must also be a member of the local Administrators group on the database server so that it can create the databases AD RMS needs.

    5. Select the domain user account (adrms) that will run the AD RMS service.

    6. Click Next.

    7. Click Next.

    8. Set a password for the cluster key.

You must supply this password when you join another AD RMS server to the cluster. AD RMS uses the cluster key to sign the certificates and licenses it issues, so keep the password safe.

    9. Choose the IIS Default Web Site as the cluster web site.

Next, set the cluster address, which is the URL clients use to reach the cluster web site over HTTPS.

For example https://rms.contoso.com. Here the AD RMS server's own computer name is ADRMS, so rms is a separate host name for the cluster; you must make sure the corresponding host (A) record for it exists on the DNS server and resolves to the AD RMS server's IP address.

    10. Select Create a self-signed certificate for SSL encryption and click Next.

This option is suitable only for testing or very small environments; otherwise choose the first option and use a certificate issued by a certification authority.

Note: Requesting a certificate from a certification authority involves creating a certificate request file for the web site, submitting its contents to the CA, and then downloading and installing the issued certificate. You can also set up your own certification authority with AD Certificate Services.

    11. The first AD RMS server in the cluster creates a server licensor certificate (SLC), which is used to issue certificates and licenses to clients. Give the SLC a name so that clients can identify the AD RMS cluster by it (other AD RMS servers that join the cluster share this SLC).

    12. Click Next to register the AD RMS service connection point (SCP) in the Active Directory database, so that clients can locate the AD RMS server through AD.

Note: The user account that registers the SCP must be a member of the domain group Enterprise Admins. If you install AD RMS with another account, add it to Enterprise Admins first; after the installation completes you can remove it from the group again.

    13. Confirm the installation.

When the installation finishes, the currently logged-on user account (the domain Administrator) is added to the local AD RMS Enterprise Administrators group, which grants permission to administer AD RMS. The membership only takes effect after this user logs off and logs on again.

Note: A user's access token is built at logon, so the new membership in the local AD RMS Enterprise Administrators group is not present in the current token until the user logs off and back on.
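The role installation and the DNS record can be done from PowerShell, and once the wizard has finished there are a few things worth checking rather than assuming. This is an added example, not from the original article; the server IP address 192.168.1.20, the zone contoso.com and the cluster URL https://rms.contoso.com are assumptions, and Test-NetConnection requires Windows Server 2012 R2 or later.

```powershell
# Added example (not from the original article): install the role, create the DNS
# record and verify what the configuration wizard should have produced.
# Assumed: AD RMS server IP 192.168.1.20, DNS zone contoso.com on the DC,
# cluster URL https://rms.contoso.com.

# 1. Install the AD RMS role on the AD RMS server (IIS comes with it). The cluster
#    itself is still configured through "Perform additional configuration".
Install-WindowsFeature ADRMS -IncludeManagementTools

# 2. Host record for the cluster URL. Run on the DNS server (here the DC).
Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "rms" -IPv4Address "192.168.1.20"
Resolve-DnsName -Name rms.contoso.com

# 3. After the wizard: the Service Connection Point lives under the configuration
#    partition. Clients use it to locate the cluster, so its binding must carry the
#    cluster URL you entered (the certification pipeline under /_wmcs/).
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDN = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
$scp = Get-ADObject -Identity $scpDN -Properties serviceBindingInformation
$scp.serviceBindingInformation

# 4. The cluster web site must answer on 443 under the name in the SCP.
Test-NetConnection -ComputerName rms.contoso.com -Port 443

# 5. Who may administer AD RMS on this server: the installing account was added
#    to this local group (effective for that account only after a new logon).
net localgroup "AD RMS Enterprise Administrators"

# 6. The service account should still be an ordinary domain user.
Get-ADPrincipalGroupMembership -Identity adrms | Select-Object -ExpandProperty Name
```

If step 3 fails with an object-not-found error, the SCP was not registered, which usually means the installing account lacked Enterprise Admins membership at that moment; clients will then have to be pointed at the cluster by registry override instead of finding it in AD.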

Create a shared folder that stores copyright-protected files

We will create a shared folder, place the file owner's rights-protected file in it, and let the file recipient access the file from there. In this example the shared folder is created on the domain controller DC (it could also be created on another computer).

    1. Log on to the domain controller and create the folder public on drive C.

    2. Open the folder's properties and set its sharing and security permissions.

Give Everyone read and write permissions on the folder.
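The same share from PowerShell, as an added example that is not part of the original article. It deliberately scopes the share and the NTFS ACL to Domain Users instead of Everyone (the domain NetBIOS name CONTOSO is an assumption): AD RMS protects the content of the file, but the share still decides who can fetch the encrypted file and who can delete or overwrite it, and nothing in AD RMS depends on Everyone having write access.

```powershell
# Added example (not from the original article): create C:\public on the DC and
# share it. Assumed domain NetBIOS name: CONTOSO. The article grants Everyone
# read/write; here both layers are limited to domain users.
New-Item -Path "C:\public" -ItemType Directory -Force | Out-Null

# Share permission: Change (read + write) for domain users and nobody else.
New-SmbShare -Name "public" -Path "C:\public" -ChangeAccess "CONTOSO\Domain Users"

# NTFS permission: drop inherited entries and grant explicitly.
#   M = modify for domain users, F = full control for admins and SYSTEM,
#   (OI)(CI) = inherit to files and subfolders.
icacls "C:\public" /inheritance:r `
    /grant "CONTOSO\Domain Users:(OI)(CI)M" `
    /grant "CONTOSO\Domain Admins:(OI)(CI)F" `
    /grant "SYSTEM:(OI)(CI)F"

# Verify both layers before the test: George must be able to write, Mary to read.
Get-SmbShareAccess -Name "public"
icacls "C:\public"
```

Effective access is the intersection of share and NTFS permissions, so both listings should show Domain Users and no Everyone entry.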

To test the capabilities of AD RMS

First we install Office (Word) on the client computer, then log on as George to create a rights-protected file, and finally log on as Mary to access it.

Restrict the file to read only: no printing, no copying
    1. Log on to the client computer and install Office.
    2. Open Internet Explorer, go to the security settings and add https://rms.contoso.com to the Local intranet zone.
    3. Create a Word document and click File - Info - Protect Document - Restrict Access.

The following dialog box appears because Word connects to the cluster web site, whose certificate was self-issued by AD RMS, and the client computer does not yet trust it. You can click Yes, but the dialog box will then appear every time the client connects to the AD RMS server.

Note: If you do not want this dialog box every time, trust the certificate issued by AD RMS as follows: click View Certificate - Install Certificate - Place all certificates in the following store - Browse - Trusted Root Certification Authorities.

    4. Tick Restrict permission to this document, click the Read or Change button to assign permissions, and click OK when finished. We grant Read to the user [email protected]. To refine the permissions click More Options; there you can also set an expiration date for the document and decide whether the content may be printed or copied, and so on.
    5. Click Save As and store the file in the shared folder \\dc\public.
    6. Log off and log on as Mary.
    7. Add the site to the Local intranet zone for Mary as well.
    8. Open Word and open the file from the public share.
    9. Mary can open the file but cannot modify it.
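The two per-user client steps (adding the cluster URL to the Local intranet zone, trusting the self-signed certificate) and a quick check on the saved file can be scripted. This is an added example, not part of the original article. It assumes the cluster URL https://rms.contoso.com, that the cluster's self-signed certificate was exported from the AD RMS server to \\dc\public\rms.cer, and that George saved the protected document as \\dc\public\secret.docx.

```powershell
# Added example (not from the original article). Assumptions: cluster URL
# https://rms.contoso.com, certificate exported to \\dc\public\rms.cer, protected
# document saved as \\dc\public\secret.docx.

# --- on the AD RMS server: export the self-signed cluster certificate once ---
# Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*rms.contoso.com*" |
#     Export-Certificate -FilePath "\\dc\public\rms.cer"

# --- on the client, in each user's session (George, then Mary) ---
function Add-IntranetZoneSite {
    param([string]$Domain, [string]$HostName)
    # Same effect as adding https://$HostName.$Domain to the Local intranet zone in
    # the IE security options. Zone 1 = Local intranet; the setting is per user (HKCU).
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostName"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null
}
Add-IntranetZoneSite -Domain "contoso.com" -HostName "rms"

# --- on the client, once, as a local administrator ---
# Trusting the certificate machine-wide replaces the "click Yes every time" dialog.
# Anything in Trusted Root is trusted for every purpose, not just AD RMS, so outside
# a lab use a certificate from an enterprise CA instead of a self-signed one.
Import-Certificate -FilePath "\\dc\public\rms.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

function Test-RmsProtectedOfficeFile {
    param([Parameter(Mandatory)][string]$Path)
    # An IRM-protected Office document is saved as an OLE compound file that wraps
    # an EncryptedPackage stream; an unprotected .docx is a plain ZIP archive ("PK").
    # For a .docx, seeing the OLE signature means the file on the share is encrypted.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return "unknown format (file too small)" }
    $magic = -join ($bytes[0..7] | ForEach-Object { $_.ToString("X2") })
    if ($magic -eq "D0CF11E0A1B11AE1") { return "protected: OLE compound file (encrypted package)" }
    if ($magic.StartsWith("504B")) { return "NOT protected: plain Office Open XML (ZIP) archive" }
    return "unknown format"
}
Test-RmsProtectedOfficeFile -Path "\\dc\public\secret.docx"
```

The file check is the part a tester should not skip: Mary being unable to edit proves only that her copy of Word honours the license; the OLE signature on the share proves that a user who bypasses Word, or copies the file to a USB stick, gets ciphertext rather than a readable document.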

Restricting mail forwarding

If you send and receive messages through Outlook, you can also restrict recipients from forwarding messages.

NOTES: RMS advanced features

The advanced features, including the detailed RMS processing flow, are too much to cover here; look them up yourself on Baidu.
