Active Directory Rights Management Service for Windows is a data protection technology working with AD RMS-enabled applications and providing protection of digital information from unauthorized use in Internet, in offline mode and inside or outside corporate network. AD RMS services are suitable for organizations requiring protection of sensitive and service data, e.g. financial reports, product specifications, customer data and confidential e-mail messages. Using AD RMS allows augmenting an organization’s security strategy by providing information protection through persistent usage politics (also called usage rights and conditions), which are stored together with the information wherever it is used. AD RMS provides persistent data protection in binary format; hence usage rights are stored coupled with the information rather than rights which are simply stored in organization’s network. As a result these rights are applied just after access to information has been got in online or offline mode inside or outside the organization. AD RMS protects information by the means of persistent usage policies by creating required elements described below.
- Trusted entities. Organizations can specify the entities, including users, groups of users, computers and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS provides information protection by enabling access only to trusted participants.
- Usage rights and conditions. Organizations and users can assign usage rights and conditions that define how a specific trusted entity can use protected content. Examples of usage rights are permission to read, copy, print, save, forward and edit. Usage rights can be accompanied by conditions, such as validity period of these rights. Organizations can exclude applications and entities from accessing the rights-protected content.
- Encryption. Encryption is the process by which data is locked by the means of electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities having usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. After that specified usage rights and conditions are enforced by the application.
AD RMS system includes Windows Server®-based server where AD RMS server role handling certificates and licensing, SQL database server and AD RMS client are running. The latest version of AD RMS client is included as a part of Windows Vista®, Windows® 7 and Windows® 8 operating systems.
Providing collaboration
Active Directory Rights Management Services allows defining policy of information usage both inside and outside the organization. Ways of organizing collaboration are given below:
- Trusted User Domain. By using TUD AD RMS can process requests from users having Rights Access Certificates granted by AD RMS in another forest of AD.
- Trusted Publishing Domain allows to AD RMS cluster to issue licenses to use information protected by AD RMS cluster of another organization.
- Federated Trust. Integration with Active Directory Federation Services allows to AD RMS server to issue licenses and certificates to users from other forests of AD. In this case presence of AD RMS server in another forest is optional.
- Windows Live ID. AD SMR cluster can be configured to issue licenses to use protected information for external users having account of Windows Live ID cloud service. No additional client-side infrastructure is required.
Integration with other infrastructure services
- Microsoft Exchange. AD RMS integration with Exchange 2010 mail service provides the organization with preventing leak of sensitive information via e-mail messages. In this case usage rights are applied and messages containing sensitive data are encrypted automatically. Capability to scan message and inspect it for malicious code is kept.
- Microsoft Office SharePoint Services. AD RMS integration with SharePoint server provides protection of files downloaded from SharePoint server. AD RMS rights corresponding to rights on SharePoint server are applied to files being downloaded. On the SharePoint server files are unencrypted that allows searching in their content and indexing.
- File classification Infrastructure. Due to built-in Windows Server File Classification Infrastructure mechanism you can automatically search files requiring protection and apply RMS-policies to them.
- Mobile devices support. Mobile devices based on Windows Mobile 6.5 and higher can use documents protected with AD RMS. For mobile devices based on IOS and Android RMS-enabled software developed by Microsoft partners can be used.
Independent software vendors and developers can build in AD RMS enabling for applications or provide working with AD RMS for other servers (e.g. content management systems or portal servers running on windows or other operating systems) in order to protect sensitive data. Independent software vendors can integrate data protection functionality into software for servers designed for document and record management, mail gateway and archiving systems maintenance, workflow automation and content scan.
AD RMS services include developer tools and commercial security technologies such as encryption, certification and authentication providing creating reliable tools of data protection in the organizations. To develop your own AD RMS tools AD RMS SDK pack is available.
Here you can find additional information about described technology and its implementation peculiarities.