Deploying Windows Rights Management Services

Last week, I discussed the impetus behind one of Microsoft's more interesting out-of-band (OOB) updates to Windows Server 2003, Windows Rights Management Services (RMS). Windows RMS helps protect enterprise information in email and other documents by applying rights management technology in a manageable, easily deployable fashion. As you might expect, the initial Windows RMS version is very much a version 1.0 product, fulfilling only the most needed functionality; for example, it provides no way to quickly apply rights to folders of preexisting documents, although various Windows RMS partners are working to fill that void. But like many of Microsoft's latest products, Windows RMS appears to be a high-quality and intriguing solution to real-world problems. This week, I look at how you deploy Windows RMS in your enterprise.

To test Windows RMS, I added a compatible server to my test domain. Windows RMS requires Windows 2003, Microsoft SQL Server 2000 Service Pack 3 (SP3) or Microsoft SQL Server Desktop Engine (MSDE, which is applicable only to test installations; I tested SQL Server 2000 Enterprise Edition SP3 running on Windows 2003, Enterprise Edition), and Microsoft Internet Information Services (IIS) 6.0 with ASP.NET and Microsoft Message Queue Services (MSMQ) enabled. The server installer is a relatively simple affair, adding the Windows RMS components, Web-based administration front end, and documentation to the server, with no reboot required. You can also optionally configure a Hardware Security Module (HSM) for storing Windows RMS private keys and Secure Sockets Layer (SSL) for remote HTTP access to the Windows RMS administrative Web site; I didn't test either of these options.

After the installation finishes, you need to provision this first (and possibly only) Windows RMS server. The first Windows RMS server is called the root certificate server; this server is responsible for certifying rights requests to Windows RMS clients in your organization, although you can provision additional servers for redundancy and load balancing. I tested a single-server installation.

To provision Windows RMS, launch the Windows RMS Administration shortcut, found in the new Windows RMS folder on your Start menu. The Windows RMS front end is solely Web-based, with no Microsoft Management Console (MMC)- or wizard-based administration tools available. When you click the "Provision RMS on this Web site" link, you are provided with one page that steps you through the provisioning process. Frankly, I'd rather see a wizard-based provisioning tool because each step has various dependencies, and if you don't fill out the form on this page correctly, you're forced to return and reenter data. No biggie: Again, it's a 1.0 product, and this feature should improve by the next version, which is due in Windows Server Longhorn, the next Windows OS.

The "Provision the RMS Root Certification Server" page walks you through the process of provisioning the server. You need to provide information about the SQL Server database to use (locally or remotely), the domain account to which to tie the RMS service (you should have already created this account in the MMC Active Directory Users and Computers snap-in; the local system account is acceptable for single-server installations), and the URL for the root certification server (typically the server's URL). Then, you specify the software-based password you want to use for the RMS private key (or information about the hardware-based cryptographic service provider). The password must meet the password-strength requirements you've established for logons. If your network requires special proxy settings for outbound traffic, you need to specify those settings. Finally, you can specify a public key that can revoke your enterprise licensor certificate in the event of a disaster. This last feature can be useful if the RMS server fails catastrophically or if you need to revoke your root server, which you might want to do if your root private key has been compromised somehow.

If you enter all this information correctly, Windows RMS will provision the server. Next, you establish the RMS Service Connection Point certification URL in IIS and you're good to go. The Global Administration front end now lets you administer Windows RMS and provides some interesting options. For example, you can add exclusion policies that let you disable the rights of users who have left the company, or disallow users on various Windows versions that you consider insecure from accessing protected content.

Before you deploy the Windows RMS client to your users, you'll want to establish some rights policy templates, which describe rights that can apply to information, and the context in which those rights exist (e.g., specific recipients or an Active Directory--AD--group). To administer rights policy templates, open the Windows RMS Global Administration page and select "Rights policy templates" under "Administer RMS on this Web site." No rights policies exist at first, so you'll need to create your own. Each template has a name, a set of users or groups to which the template applies, and those users' rights, including Full Control, Export (Save As), View Rights, Save, View, Print, Extract, Edit, Allow Macros, Forward, Reply, and Reply All. You can also establish an optional expiration policy; determine whether the document author has full, perpetual rights; and specify a revocation policy. I established policies for such things as "read only" and "read only but allow printing" and experimented with expiration policies a bit, but this is the place you might create such real-world templates as "Company Confidential." My goal was to get a feel for how these policies work in the real world and how they affect users attempting to access protected content; the results were impressive, as I'll discuss further next week.

You have several options for deploying the Windows RMS client to your users. You can use Group Policy, Microsoft Systems Management Server (SMS), or a similar tool. The client systems support Windows 98 SE or later (or you can use Microsoft Internet Explorer--IE--6.0 with the RMS add-on; I didn't test this configuration). I used Group Policy and the new Group Policy Management Console (GPMC) update to Windows 2003 to roll out the service. The client is distributed as an .exe file so you can deploy it through Windows Update, but you can extract a Group Policy-friendly Microsoft Installer file from the .exe by running the following command:

MSDRMClient.exe /C /T:[path to extract to]
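The following script is an added example, not part of the original article or of Microsoft's RMS documentation. It wraps the extraction command above in the checks an administrator would want before pointing a Group Policy software-installation package at the result: verify the Authenticode signature on the downloaded .exe, run the extract-only command, verify the extracted .msi is signed too, copy it to the distribution share, and record its SHA-256 so later tampering with the staged file can be detected. The paths and share name are assumptions, and the script assumes a PowerShell version that provides Get-FileHash.

```powershell
# Added example (not from the article): stage the Windows RMS client MSI for
# Group Policy software installation. All paths below are assumptions.
$ClientExe   = 'C:\Downloads\MSDRMClient.exe'      # downloaded client package (assumed path)
$ExtractDir  = 'C:\Temp\MSDRMClient'               # folder the /T: switch extracts into (assumed)
$DeployShare = '\\FILESERVER\Deploy$\RMSClient'    # read-only share the GPO will point at (assumed)

# 1. Refuse to touch a package whose publisher signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $ClientExe
if ($sig.Status -ne 'Valid') {
    throw "Refusing to extract: Authenticode status of $ClientExe is '$($sig.Status)'."
}

# 2. Extract only (/C) into the target folder (/T:), the same command the article gives.
New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null
$proc = Start-Process -FilePath $ClientExe -ArgumentList @('/C', "/T:$ExtractDir") -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Extraction failed with exit code $($proc.ExitCode)."
}

# 3. Find the extracted Windows Installer file and check its signature as well.
$msi = Get-ChildItem -Path $ExtractDir -Filter *.msi | Select-Object -First 1
if (-not $msi) {
    throw "No .msi file was extracted under $ExtractDir."
}
$msiSig = Get-AuthenticodeSignature -FilePath $msi.FullName
if ($msiSig.Status -ne 'Valid') {
    throw "Extracted $($msi.Name) is not validly signed (status '$($msiSig.Status)')."
}

# 4. Copy the MSI to the deployment share and record its hash beside it.
New-Item -ItemType Directory -Path $DeployShare -Force | Out-Null
Copy-Item -Path $msi.FullName -Destination $DeployShare -Force
$staged = Join-Path $DeployShare $msi.Name
$hash   = Get-FileHash -Path $staged -Algorithm SHA256
"$($hash.Hash)  $($msi.Name)" | Out-File -FilePath (Join-Path $DeployShare 'RMSClient.sha256') -Encoding ascii
Write-Output "Staged $($msi.Name) at $DeployShare (SHA-256 $($hash.Hash))"
```

Run it once from an administrative console on the machine that holds the download. The UNC path it writes to is then the package source you select when you add the .msi under Computer Configuration, Software Settings, Software Installation in the GPO that targets the client computers; keep that share read-only for clients so the file the GPO installs is the one you hashed.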

Windows RMS deployment is complicated enough that you'll want to follow the product's Deployment Guide thoroughly. The product has a lot of dependencies and requirements, and performing steps in a certain order is crucial. I specifically muddled through the process the way I believe most Windows administrators would, but if you're the kind of person who gets annoyed by Manage Your Server and its helpful wizards, don't make the mistake of working through Windows RMS without some help.

I'll finish this discussion of Windows RMS next week with a look at the client experience and answer reader questions about Windows RMS. I'll also provide some information about third parties who are building applications on top of Windows RMS and plugging some functional gaps.
