Imagine: the financial director just finished working on the quarterly results and decides to send them out to the different business unit managers for previewing before presenting them at the board. Unfortunately - willingly or by mistake – one of the managers forwards this mail to one of his colleagues who, again, decides to forward it to some other colleagues etc.… You can imagine that the financial directory just might not want this to happen (certainly not if the results are bad…).
Fortunately, there’s a way to prevent this: Integrated Rights Management (IRM)
Exchange 2010 IRM leverages the power of Active Directory Rights Management Service (AD RMS) to digitally protect documents (mails, etc.…) by assigning specific usage rights to them. You can for instance prevent forwarding or printing of a message and even prevent saving of attachments. What RMS will not do is prevent from taking screenshots…!
In this first part, I will explain the fundamentals and show you how to install a single AD RMS server.
AD RMS Fundamentals
The AD RMS server issues “certificates” that identify entities (e.g. users or groups) which allows these entities to publish digitally protected files (documents, mails,…) by assigning specific usages rights. A usage right defines what someone can do with content that has been protected (e.g. read, forward, print, …).
AD RMS includes one (or more) AD RMS server and client components that perform several actions:
- When content is protected, the AD RMS server will create a publishing license for that content. This ‘licence’ glues the assigned rights to the content. Because this information is kept on the server, protected content can also be sent outside the organization (given that the RMS server is made externally available as well).
- Whenever someone tries to access rights protected content, that user will ‘request’ access to that content through the RMS server. The RMS server will – at that point – verify whether the user has been granted specific rights to the content. If an entry is found for that user, the RMS server will respond providing the actions that the user allowed to perform on the content. If not, access is denied.
In order to talk to the RMS server, the client application needs to be RMS aware. On its turn, it will talk to the RMS client (installed on the client computer) which will contact the RMS Server.
The RMS Client on a user’s computer will try to localize the RMS server through the usage of a SCP. This SCP is created during AD RMS installation. However, this is not mandatory. You can also opt to create the SCP later or not create it at all (e.g. if you do not want all clients to be able to create RMS protected content). If so, you will need to manually configure each client machine that is to use AD RMS.
In order to avoid creating custom rights for every document, AD RMS uses templates. These templates are pre-defined sets of (common) usage rights (e.g. “Do Not Forward” or “Do Not Print”,…) that a user can select to protect content with.
Installing AD RMS
In this article, we will install a single RMS server and use an internal Windows Database. Note that this configuration is suited for testing purposes only. If you bring a RMS cluster into production, you should definitely use a dedicated SQL Server!
We will install the RMS component on a Windows Server 2008 R2 machine. The server should be a member of the same AD domain as the users that will be using RMS. It can be added as a Server Role through the Server Manager:
Click “Add Roles”, and then select “Active Directory Rights Management Services”:
Because we didn’t install the prerequisites prior to installing AD RMS, you will asked to do so during setup:
Confirm, and click “Next”:
Continue until you reach the following screen. Select “Create a new AD RMS Cluster” and click next:
Now, select “Use Windows Internal Database on this server”. Click Next:
You will be asked for a service account. If you haven’t created one before, do so now. The service account (user account), should be a regular domain member. During setup the user will be granted local administrator rights on the machine.
Therefore; if you are adding the role on a Domain Controller (not recommended unless for testing only), you should add the user account to the Domain Admins or Enterprise Admins security group. Click Next.
Select “Use AD RMS centrally managed key store”. If you select this option it is of utmost importance that you write down the Cluster Key Password! If you lose this key and you ever need to recover your RMS: you’re in serious trouble… In such case, all content that has been protected prior to DR will be unreadable… Click Next.
Choose a password, confirm and click Next (don’t forget to write down the password!):
Select the Default website and click Next. If you don’t want to use the default website, you should create a new one prior running the wizard:
Select “Use an SSL-encrypted connection” and specify an internal URL. Click Validate and click Next.
Now, you should either select an existing certificate (if you imported one before running the wizard), create a self-signed certificate or import a certificate later.
Choose whatever option fits best and click Next. Keep in mind that if you are using an self-signed certificate; that certificate needs to be trusted by all client-computers that are going to use RMS.
Here, we’ll choose the latter option “Choose a certificate later”. Click Next.
Specify a name that will identify the RMS cluster and Click Next:
Select “Register the AD RMS service connection point now”. Click Next.
Accept all configuration defaults for the next components and click “Install” in the end:
We’ve now finished setting up our (first) AD RMS server. Before we can start to manage the server, we will need to import (or create) a certificate into IIS.
If you don’t do this, you will get the following error message when you try to open the AD RMS console:
In this example, we will be using an internal CA to issue a new certificate for our RMS server.
Open the IIS Manager 7 and navigate to the server object in the navigation pane. Select “Server Certificates” from the result pane:
Select “Create Domain Certificate” from the action pane and complete the wizard.
After the certificate has been created, you will need to bind it to the website where RMS is installed (the one you selected during setup):
Once you’ve completed all steps, open up the the AD RMS console. You will now be able to manage the server:
That’s it for now. I’ve – in short – explained how AD RMS works and showed you how to configure a single-server deployment.
In the next part of this article, we’ll zoom in into the basic administration of AD RMS, the client-side configuration and the integration with Exchange Server 2010 IRM.
See you soon!
Michael Van Horenbeeck