Security During Normal RMS Operations
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
After you install and provision RMS, the RMS Web services operate as IIS applications, accessing various system resources which require authentication and authorization. All system resources require authentication and cannot be configured otherwise. The rest of this page describes the design of authorization in RMS.
The RMS Web services run within the context of an IIS application pool. Each application pool in IIS has a unique identity that may correspond to a domain user account, a local user account, the Network Service local account, or the Local System local account. Each of these accounts has varying degrees of authorization within the system. When RMS is provisioned, the RMS service account becomes the application pool identity for the RMS application pool. The application pool for the Global Administration Web site is "DRMS Application Pool." The application pool for the Web site you provision is called "_DRMSAppPool1." The RMS Logging Service runs as a separate Windows service under the same account as is specified for the RMS application pool identity.
Resources that RMS Web services need to access include various files and folders on the system, databases and stored procedures in the database server, the local registry, Active Directory, the assembly cache, memory, and other processes running on the system. The RMS Logging Service also needs to access the logging queue on the local system. Each of these resources has its own DACLs which define who is authorized to access the resource and what can be done with the resource.
To simplify assigning permission and managing service accounts, all of the required permissions are assigned to the local RMS Service Group that RMS created during provisioning. Because the RMS service account is a member of this group, it receives all the permissions assigned to the group.
The following list summarizes the permissions that are granted to the RMS Service Group:
Read permission to the virtual root directories
Write permission to the assembly cache directory
Write permission to the system temporary directory
Write permission to the logging queue
Read permission to Active Directory
If you are using Microsoft SQL Server 2000 or Microsoft SQL Server 2005 as your database server, you should be aware that it uses a slightly different method of assigning permissions than Windows Server 2003 does. Provisioning RMS creates a login for the RMS service account on the SQL Server. If you elected to provision RMS using the Local System account, a SQL Server login is created using the DOMAIN\computer_name format, where DOMAIN is the name of the Active Directory domain that the computer is a member of and computer_name is the name of the server. A SQL role named rms_service is created and assigned all necessary permissions. The login for the RMS service account is added to this group. No permissions are explicitly granted to the RMS service account.
Additionally, SQL Server assigns a database owner (DBO) to every database. Database ownership is assigned as follows during provisioning:
DBO for the Configuration database is given to the domain account that was used to provision RMS.
DBO for the Directory Services and Logging databases is given to the RMS service account
The permissions to all resources created by RMS were very carefully selected during the design of RMS with an eye toward security. There should be no reason to modify the permissions that are assigned during provisioning for any of the resources. If you need to change the user account or password of the service account after provisioning, you can do this from the RMS Global Administration Web page. For more information, see "To Change the RMS Service Account" in "RMS: Operations " in this documentation collection.