Security During Provisioning

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the RMS Administration Web site to provision RMS resources on an existing Web site. During provisioning, virtual directories and application pools are created under this Web site and RMS databases are created and configured on a database server. Optionally, if your server is connected to the Internet, the server may be enrolled with the Microsoft Enrollment Service during the provisioning process.

During provisioning, RMS uses the accounts that are described in the following table.

Account: Logged-on user's account
Purpose: Creates the virtual directories and application pools. IIS requires Windows authentication, so RMS impersonates the logged-on user, who must be logged on locally.
Permissions: Full control (the logged-on user must be a local administrator).

Account: System account
Purpose: Builds the temporary assembly for serialization.
Permissions: Read and Write permissions to the Windows temporary folder, C:\Windows\Temp.

Account: ASPNET account
Purpose: Creates the temporary assembly from the *.aspx files.
Permissions: Access to the temporary assembly cache directory, C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files by default.

Account: Network Service account
Purpose: Registers the service connection point in Active Directory.
Permissions:

  • Read-only permissions to the provisioning site (typically C:\Inetpub\Wwwroot\Provisioning).

  • Read and Write permissions to the DRMS registry key. RMS Setup grants these permissions and creates the key at the following location.

    On computers running the 32-bit version of Windows Server 2003:

    HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\1.0

    On computers running the 64-bit version of Windows Server 2003:

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\DRMS\1.0
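The following script is an added example and is not part of the original article or of RMS itself. Run it in an elevated PowerShell session on the server before you provision; it checks that the accounts in the table above hold the permissions the table lists, using the article's default paths and selecting the DRMS registry key by OS bitness. Two points are assumptions rather than statements of the article: the ASPNET account is tested for Read and Write (the table only says "access", and writing compiled assemblies needs at least that), and the check counts only ACEs granted directly to the named principal, so a right that arrives through group membership (for example BUILTIN\Users on the Temp folder) is reported as missing and must be confirmed by hand.

```powershell
# Added example: pre-provisioning permission check for the accounts in the RMS table.
# Not part of the original article. Run elevated on the RMS server.

$computer = $env:COMPUTERNAME

# A 64-bit PowerShell on 64-bit Windows must look under WOW6432Node explicitly;
# a 32-bit process is sent there by the registry redirector anyway.
if ([System.IntPtr]::Size -eq 8) {
    $drmsKey = 'HKLM:\Software\WOW6432Node\Microsoft\DRMS\1.0'
} else {
    $drmsKey = 'HKLM:\Software\Microsoft\DRMS\1.0'
}

# Identity, path and required rights per the table. Rights strings are parsed as
# FileSystemRights for folders and RegistryRights for keys.
$checks = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';          Path = "$env:SystemRoot\Temp";
       Rights = 'Read, Write';     Purpose = 'serialization assembly' },
    @{ Identity = "$computer\ASPNET";             Path = "$env:SystemRoot\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files";
       Rights = 'Read, Write';     Purpose = 'ASP.NET temporary assembly (Read/Write assumed)' },
    @{ Identity = 'NT AUTHORITY\NETWORK SERVICE'; Path = 'C:\Inetpub\Wwwroot\Provisioning';
       Rights = 'Read';            Purpose = 'provisioning site' },
    @{ Identity = 'NT AUTHORITY\NETWORK SERVICE'; Path = $drmsKey;
       Rights = 'ReadKey, WriteKey'; Purpose = 'DRMS registry key' }
)

function Test-LocalAdministrator {
    # The logged-on user who runs provisioning must be a local administrator.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RequiredAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)

    if (-not (Test-Path -Path $Path)) { return $false }   # missing path cannot satisfy anything

    $acl = Get-Acl -Path $Path
    $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]
    if ($isRegistry) {
        $need = [int][System.Security.AccessControl.RegistryRights]$Rights
    } else {
        $need = [int][System.Security.AccessControl.FileSystemRights]$Rights
    }

    $granted = 0
    foreach ($ace in $acl.Access) {          # includes inherited ACEs
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($isRegistry) { $bits = [int]$ace.RegistryRights } else { $bits = [int]$ace.FileSystemRights }

        # Any Deny ACE that overlaps the required rights makes the check fail outright.
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            if (($bits -band $need) -ne 0) { return $false }
            continue
        }
        $granted = $granted -bor $bits
    }
    return (($granted -band $need) -eq $need)
}

# Report one line per check.
$adminOk = Test-LocalAdministrator
"{0,-5} logged-on user is a local administrator" -f $(if ($adminOk) { 'OK' } else { 'FAIL' })
foreach ($c in $checks) {
    $ok = Test-RequiredAccess -Path $c.Path -Identity $c.Identity -Rights $c.Rights
    "{0,-5} {1}: {2} on {3} ({4})" -f $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Identity, $c.Rights, $c.Path, $c.Purpose
}
```

A FAIL line for the DRMS key before RMS Setup has run is expected, since Setup creates the key and grants the Network Service rights; a FAIL after Setup is the condition to fix before provisioning.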

During provisioning, RMS performs the following tasks:

  • On the database server:

    • Creates configuration, directory services, and logging databases.

    • Grants Login permissions to the RMS Service Group.

    • Installs stored procedures on the databases, and grants Execute permissions to the RMS Service Group.

    • Executes queries on the master database.

  • Adds the RMS Service Group to the IIS_WPG group.

  • In C:\Inetpub\Wwwroot\_wmcs, creates a hierarchy of virtual directories, files, and application pools for the Web services and the RMS Administration Web site.

  • Sets DACLs on the virtual directories, files, and application pools.

  • Grants the RMS Service Group write access to the temporary folder.

  • When you specify software-based key protection, encrypts the server licensor private key before storing it in the database. RMS prompts for a password during provisioning and uses the machine-level Data Protection API (DPAPI).

  • Installs the logging listener service.

  • Creates a logging message queue.

  • If it is provisioning the first server in the root cluster, it sets the service connection point in Active Directory.
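The following script is an added example and is not part of the original article; it audits the results of the provisioning tasks listed above on a freshly provisioned server. Everything it names that the article does not is an assumption to adjust to your environment: the IIS site ID (1 is the Default Web Site), the database server host name, the form of the SQL login name created for the RMS Service Group, the DRMS_ prefix used to find the three databases, the display-name pattern of the logging listener service, the name pattern of the logging queue, and the SCP container path in the configuration partition. The SQL queries use syslogins and sysdatabases, which exist on SQL Server 2000 and as compatibility views on later versions; Execute permissions on the stored procedures are not checked here.

```powershell
# Added example: post-provisioning audit of the tasks listed in the article.
# Not part of the original article. Run elevated on the RMS server; the SQL
# check runs under the caller's Windows credentials.

$siteId            = 1                                      # assumed: Default Web Site
$sqlServer         = 'SQLSRV01'                             # assumed: RMS database server
$serviceGroupLogin = "$env:COMPUTERNAME\RMS Service Group"  # assumed login name form
$dbPrefix          = 'DRMS_'                                # assumed database name prefix
$scpContainer      = 'CN=SCP,CN=RightsManagementServices,CN=Services'   # assumed SCP location

function Test-LocalGroupMember([string]$Group, [string]$Member) {
    # Enumerates a local group through the WinNT ADSI provider.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $names = @($g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    return ($names -contains $Member)
}

function Test-IisVirtualDirectory([int]$Site, [string]$Name) {
    # The IIS ADSI provider exposes virtual directories under W3SVC/<site>/Root.
    return [ADSI]::Exists("IIS://localhost/W3SVC/$Site/Root/$Name")
}

function Get-RmsDatabaseState([string]$Server, [string]$Login, [string]$Prefix) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT COUNT(*) FROM master.dbo.syslogins WHERE name = @login'
        [void]$cmd.Parameters.AddWithValue('@login', $Login)
        $hasLogin = ([int]$cmd.ExecuteScalar()) -gt 0

        # '_' is a LIKE wildcard, so escape it in the prefix.
        $cmd.Parameters.Clear()
        $cmd.CommandText = 'SELECT name FROM master.dbo.sysdatabases WHERE name LIKE @prefix'
        [void]$cmd.Parameters.AddWithValue('@prefix', ($Prefix.Replace('_', '[_]') + '%'))
        $dbs = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $dbs += $reader.GetString(0) }
        $reader.Close()
        return @{ Login = $hasLogin; Databases = $dbs }
    } finally {
        $conn.Close()
    }
}

function Get-RmsServiceConnectionPoint([string]$Container) {
    # Reads the SCP from the forest configuration partition, if it has been set.
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://$Container,$configNc"
    if (-not [ADSI]::Exists($path)) { return $null }
    return [string]([ADSI]$path).serviceBindingInformation
}

function Show([bool]$Ok, [string]$Text) { "{0,-5} {1}" -f $(if ($Ok) { 'OK' } else { 'FAIL' }), $Text }

Show (Test-LocalGroupMember 'IIS_WPG' 'RMS Service Group') 'RMS Service Group is a member of IIS_WPG'
Show (Test-Path 'C:\Inetpub\Wwwroot\_wmcs')                'C:\Inetpub\Wwwroot\_wmcs exists'
Show (Test-IisVirtualDirectory $siteId '_wmcs')            "_wmcs virtual directory exists on site $siteId"

$db = Get-RmsDatabaseState $sqlServer $serviceGroupLogin $dbPrefix
Show $db.Login                        "SQL login exists for $serviceGroupLogin"
Show ($db.Databases.Count -ge 3)      ("RMS databases present: " + ($db.Databases -join ', '))

$listener = @(Get-Service | Where-Object { $_.DisplayName -like '*Logging Listener*' })   # assumed pattern
Show ($listener.Count -gt 0) ('logging listener service installed: ' + ($listener | ForEach-Object { $_.Status }))

[void][System.Reflection.Assembly]::LoadWithPartialName('System.Messaging')
$queues = @([System.Messaging.MessageQueue]::GetPrivateQueuesByMachine('.') |
            Where-Object { $_.QueueName -like '*DRMS*' })                                 # assumed pattern
Show ($queues.Count -gt 0) ('logging message queue present: ' + ($queues | ForEach-Object { $_.QueueName }))

$scp = Get-RmsServiceConnectionPoint $scpContainer
Show ($scp -ne $null) "service connection point set in Active Directory: $scp"
```

On a server that is not the first in the root cluster the SCP line refers to the value written by the first server, so it reports OK as long as that earlier provisioning succeeded; a FAIL there on the first server is the case to investigate, since the Network Service account needs rights in the configuration partition to write it.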