This guide consists of the steps taken from Microsoft TechNet, but with the topics rearranged to seem a bit more logical for someone who does not know the technology (there is no point in reinventing the wheel). I also added my personal experience to it and explained any other technology that might be needed in the process.
The sole purpose of this guide is to give some idea about the technology. You can use it to deploy your own solution, but I don't recommend it, as every infrastructure is a bit different from the others. Please remember the golden rule: "60% planning, 30% deployment, 10% maintenance". Feel free to contact me if you have any question.
Note: I will be using RMS instead of AD RMS, as it is commonly used.
Organizations of all sizes are challenged to protect valuable digital information against careless mishandling and malicious use. The increasing incidences of information theft and the emergence of new legislative requirements to protect data underscore the need for better protection of digital content. The growing use of computers to create and work with these types of sensitive information, the introduction of extensive connectivity through private and public networks (including the Internet), and the appearance of increasingly powerful computing devices have made protecting organizational data an essential security consideration.
Types of digital content can include dynamic, database-driven reports on an information portal, confidential e-mail messages, strategic planning documents, military defense reports, and other sensitive files. This section describes some basic reasons why you might want to deploy RMS to protect content.
Vulnerable Organizational Information
Organizations create and use a broad assortment of valuable content that they want and need to protect. The following list provides examples of content that you can protect by using RMS:
- Traditional digital files and information. Typical examples of traditional digital files and information are e-mail communications, project-related documents, confidential reports, marketing plans, and product overviews. Information workers share these documents regularly through e-mail messages, conferencing applications, disk shares, and server-based or peer-to-peer systems. This category can also include other sensitive content, such as employee performance reviews and personal records that users might need or want to maintain in a secure, readily available state.
- Proprietary organizational information. Senior management uses this information to administer, monitor, and direct an organization’s activities. This proprietary content might include an organization’s sales and market share reports, financial performance information, and strategic forecasts and overviews. Improper distribution or use of such content might cause significant damage to an organization, either in the competitive market or in a court of law.
Deploying RMS can be an important part of a security strategy to protect this vulnerable content.
Enhanced Network Security
Protecting digital content is a difficult and ongoing task. Typically, organizations work to secure digital files and information by using perimeter-based security methods. Firewalls can limit access to the corporate network, and discretionary access control lists (DACLs) can restrict access to specific data. In addition, organizations can use encryption and authentication technologies and products (such as public key infrastructure [PKI] and Kerberos) to help secure e-mail while it is in transit, as well as to help ensure that the intended recipients are the first recipients to open the messages.
These methods help organizations control access to sensitive content. However, recipients are still free to do whatever they want with the content that they receive. After the user is authenticated and the content is decrypted, no restrictions control what can be done with the content or where it can be sent. Perimeter-based security methods cannot enforce business rules that control how people use and distribute the content outside the network perimeter, or after the perimeter is breached.
If you rely on individual discretion and responsibility for the manner in which digital content is shared and used, an unacceptable degree of risk might be introduced into this network security model. Even accidental security breaches can cause serious harm. For example, users could mistakenly forward sensitive e-mail messages or documents to recipients who have potentially malicious intent.
In addition to the threats of theft and mishandling, a growing list of legislative requirements adds to the ongoing task of protecting digital content. For example, many organizations must comply with Securities and Exchange Commission (SEC) fair disclosure codes, which address the problem of selective disclosure of certain information to inside investors. Similarly, the finance, healthcare, and legal sectors are increasingly challenged by the need to better protect digital content because of emerging legislative standards.
Without an end-to-end software solution such as RMS in place to effectively control the use of digital content no matter where it goes, the content can too easily end up in the wrong hands, whether maliciously or accidentally.
Better Protection for Digital Content
Digital content must be better protected. Although no form of information will ever be invulnerable to unauthorized use, and no single approach will shield data from misuse in all cases, the best defense is a comprehensive solution that safeguards information.
As an essential part of an organization’s security strategy, a solution for better information protection should provide the means to control how content is used and distributed beyond simple access control. A solution for better information protection should:
- Help protect an organization’s records and documents on the company intranet, as well as from being shared with unauthorized users.
- Help keep that content secure and tamper-resistant.
- Expire content based on time requirements when appropriate, even when that content is sent over an extranet to other organizations.
- Require an audit trail to track who has gained access to and used the content.
RMS provides all of these capabilities.
The term "Rights Management Services (RMS)" encompasses all of the server and client technologies that are required to support information rights management in an organization. The servers used for RMS certification and licensing, or RMS root clusters, in the organization along with the Microsoft-hosted RMS services (that run the Enrollment, Activation, and RMS account certification services) certify trusted entities that are in the RMS system. In addition, the RMS licensing-only servers in the organization issue publishing and use licenses that control how rights-protected content is consumed by the RMS client applications. RMS client technologies, including the RMS client, lockbox, and RMS-enabled applications, run on client computers and allow users to create, publish, and consume rights-protected content.
The different RMS client and server technologies work together to support the following functions:
- Creation of rights-protected content. Users who are trusted entities in an RMS system can easily create and manage protected files by using applications and tools that incorporate the features of RMS technology. In addition, RMS-enabled applications can use centrally defined and officially authorized rights policy templates to help users efficiently apply a predefined set of corporate usage policies. RMS-enabled applications are developed by Microsoft and other non-Microsoft developers to be used with an RMS installation.
- Licensing and distribution of rights-protected content. Certificates that are issued by the RMS system identify the trusted entities that can publish and consume rights-protected content. Users who are trusted entities in an RMS system can assign usage rights and conditions to content that they author and want to protect. These usage policies specify who can use the content and what they can do with it. Authors can request publishing licenses, which bind the usage policies to the specified content. They can then distribute the content, for example, by sending it to other users who are in their organization, posting it to internal servers for company use, or distributing it to trusted external partners.
In a process that is transparent to users, the RMS system validates the trusted entities in a publishing licensing request, and then issues a license that contains the specified usage rights and conditions for the content. The RMS-enabled application then generates the symmetric keys and uses them to encrypt the content. After the content is protected by this mechanism, only the users who are specified in the publishing licenses can decrypt and consume that content. Those users must also be trusted entities in the RMS system.
- Acquiring licenses to decrypt rights-protected information and enforcing usage policies. Users who are trusted entities can consume rights-protected content by using trusted clients. These clients are RMS-enabled computers and applications that allow users to view and work with rights-protected content, to preserve that content’s integrity, and to enforce usage policies. When users attempt to gain access to rights-protected content, requests are sent to an RMS server to issue use licenses for the user to consume that content.
In a process that is transparent to users, the RMS system issues unique use licenses that the RMS client can read and interpret. The RMS client inspects the certificate chain of the content and, if required, reviews the content revocation list to make sure that all of the criteria that establish the validity of the content are in place. The RMS client then enforces the usage rights and conditions granted to the user in the publishing license. Provided that all of the usage rights and conditions are met, the RMS-enabled application uses the content key issued by the RMS system to decrypt the content. The usage rights and conditions are persistent and can be enforced wherever the content goes.
It is very important to understand, at every level, why we need RMS: what the outcomes and benefits are on the three main levels, enterprise, end user and IT.
Data/Information Leakage Prevention
The ability to protect intellectual property within Office e-mail messages and documents helps safeguard corporate assets against accidental or intentional leakage. Only authorized consumers can decrypt and open rights-protected messages and documents. Unauthorized consumers cannot open encrypted content at all, whereas the document usage abilities of authorized consumers are limited to the rights settings assigned by the publisher.
Simple Tools for Users
Document publishers can assign usage policies to their content by using any application that is AD RMS enabled, such as the Office suite or any internally developed LOB application written to support AD RMS. Usage policies specify who can open the information, the specific rights assigned to each of the consumers, and how long those consumers can view or use the protected content. Specified users can open the rights-protected content with a simple click of a mouse, as they would any other file. Verification of usage policies is transparent to users.
Ease of Implementation
With the release of AD RMS, Microsoft has focused on minimizing the effort required by enterprises to implement an IRM solution. Installing the AD RMS role is as easy as enabling other Windows Server 2008 roles, and administrators can then connect it to other enterprise-critical servers such as those running Exchange Server or to external services, build and enforce usage policies, and establish trusted entities outside the organization. AD RMS provides several possible ways to deploy either single-cluster configurations or a global, distributed AD RMS system topology. Although the complexities of information protection make this a job that requires careful planning and design, the actual implementation process is relatively simple.
As a stateless Web service, AD RMS can also be scaled up or out through standard and well-known technologies to meet enterprise growth needs.
Greater Sharing of Sensitive Information
The content protection of IRM reduces the risk of unintentional exposure of confidential materials. The data publishers’ confidence, derived from that reduction of risk, enables them to take greater advantage of Office Outlook and SharePoint Web sites for disseminating sensitive business information. Because this information is available, recipients can make better, faster decisions, thereby improving business agility.
Powerful Document Protection Features
AD RMS technology enables persistent file-level protection, extending and enhancing existing network security efforts. Content owners can specify usage policies for their data, such as print, copy, and expire, giving them more features and options for protecting that information on the company intranet and in some extranet scenarios.
Ease of Administration
Administrative features of AD RMS, such as revocation lists and exclusion policies, provide a new level of control for sensitive and proprietary content. In addition, comprehensive logging enables IT to monitor licensing activity, including granted and denied requests.
The general use of rights policy templates enables an enterprise to define and roll out communication policies that are consistent across the organization and digitally enforced. AD RMS administrators design and control the content of the templates, and store them on the AD RMS servers for the enterprise publishing community to use. AD RMS administrators can easily modify the template definitions of approved consumers and the rights they are assigned within a rights-protected document. Templates offload the effort of determining who should be assigned user rights and what types of rights the intended consumer should receive from the publisher, simplifying the process that the publisher needs to follow. Furthermore, when modifications to a template occur, all past, present, and future content based on that template will inherit the new rights when a use license is issued.
AD RMS is a platform that can be incorporated into both commercial applications and internally developed line-of-business (LOB) applications to help protect information. This solution makes it possible to incorporate protection across the entire range of corporate information. For more information about the AD RMS software development kits (SDKs), go to http://msdn.microsoft.com/en-us/library/cc530379(VS.85).aspx
Rights-protected documents can be accessed from inside the network and from the Internet. Protected documents can also be created and consumed while offline, and can be stored in a mobile device’s disk or in removable media with less danger of unauthorized access. Protected content can be accessed and created from Windows Mobile devices such as mobile phones, and can be consumed from any computer, even unmanaged computers, that can run Internet Explorer 7 and the RMA.
This gives authorized content creators and consumers the freedom to keep accessing, creating, and managing documents from all their normal locations, while helping to keep information safe from unauthorized users.
Common AD RMS Language
AD RMS technology uses Extensible Rights Markup Language (XrML) version 1.2.1 as the common language for expressing rights, which enables organizations to minimize the investment required to take advantage of AD RMS technology. XrML is a flexible, extensible, and interoperable standard equipped to meet any organization’s needs, regardless of industry, platform, format, media type, business model, or delivery architecture. XrML is a standard that defines a language for expressing rights and conditions for the consumption of content in a way that is independent of the individual implementation. Although different types of content might have somewhat different interpretations of the exact actions that a specific right expressed in XrML should allow, the general meaning of the restrictions and the way to express them are not platform or product specific.
Using a standard certificate format enables AD RMS to be extended and to interoperate with third-party products, while helping to ensure compatibility as future versions of the platform and third-party solutions evolve.