Securing the RMS Deployment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An RMS deployment is an asset to any organization that requires the same physical and network security measures as other critical servers in the infrastructure. As part of your deployment, you should identify the threats and countermeasures that apply to the RMS servers.

RMS is implemented as a Web service, so you can control access to RMS in the same manner as you would other Web services, by using access control lists and secure sockets layer.

Restricting Access to RMS Web Services Using ACLs

You can restrict access to RMS services by using access control lists. Each of the virtual roots created when RMS is provisioned on a Web site has a corresponding folder structure that can be secured. The folder structure by default is found in <system drive>:\<web_root_folder>\_wmcs, where web_root_folder is the name of the folder that is assigned to the Web site where RMS is provisioned. Some of the Web services such as the subenrollment service, the mobile device certification service, and the server service certification service are restricted by default and the users or groups that you want to enable to use the service must be explicitly added to the access control list.

The server service certification service provides rights account certificates (RAC) that can be used to access RMS-protected by services such as Web collaboration services, mail servers, and document management servers to support the extension of an RMS system, such as:

  • A document collaboration server where users can upload unprotected documents, but downloaded documents will automatically have RMS-protection applied in accordance with the rights-policy for the content type. One example of this would be Microsoft Office SharePoint Server¬†2007.

  • A document management system that serves as a general repository and archive of documents, protected and unprotected. The system will be able to index rights-protected documents for search while still preserving the rights policy defined by the content creator.

  • Enable the mail server to quickly open rights-protected content to inspect it for viruses, spam, or as part of a legal requirement or company mail policy.

Because these scenarios request licenses on behalf of its users, you should require, that the ability for servers to get RACs is restricted to only the server's in your organization that have been approved for such a function and that are appropriately secured.

Restricting Access to RMS Web Services Using SSL

It is recommended that you enable Secure Sockets Layer (SSL) and require 128-bit encryption on each of the RMS Web services files. These files have the .asmx file name extension and are located in the Licensing, Certification, and Admin virtual directories. SSL requires that your server have a valid SSL certificate installed for the Web site. If you apply SSL to the _wmcs folder of the RMS installation the sub-folders and files will inherit the setting. For more information about the Web services files and virtual directories, see "Internet Information Services" in the "RMS: Technical Reference" section of this documentation collection.


If you want to open the Windows RMS Administration Web pages from a browser on a remote computer, you must enable SSL. However, even with SSL enabled, you cannot open the Global Administration page from a remote computer. For more information about the remote administration of RMS, see "Using the Administration Home Page" in the "RMS: Operations" section of this documentation collection.

Setting a Strong Private Password Key

The private key password is used to generate and securely store the private key in the RMS configuration database. A strong password is recommended in order to ensure maximum security. If the password needs to be written down, make sure to store this password in a physically secured area.


If the private key password is lost or unknown and the RMS server goes offline unexpectedly, you will have to decrypt all RMS documents, rebuild your RMS environment, and encrypt everything again with the new private key.