AD RMS and Secure Design

Applies To: Windows Server 2008, Windows Server 2008 R2

Organizations must identify the users who are trusted entities within its AD RMS. To do so, AD RMS issues RM account certificates that associate user accounts with specific computers. There are two types of RM account certificates:

  • Standard - A standard account certificate enables the user to create, to view, and to use restricted content on a specific computer. The user can access the restricted content only for the specific number of days determined by the administrator of the AD RMS server.

  • Temporary - A temporary account certificate enables the user to view restricted content on a specific computer. The user can view the restricted content only for the specific number of minutes determined by the administrator of the AD RMS server.

Each certificate must be assigned a specific expiration date. The expiration date affects the duration of the users’ ability to access content offline. If it is not specified some users would be able to read the content even though the domain account had been removed from the Active Directory. The expiration date design is based on the corporate policy, taking into account human resource and machine replacements, and temporary resource access policy in the organization. It is recommended that this date be designed carefully.

AD RMS Server Private Key

Although hardware security module-based private key protection can be used within the AD RMS solution and in most of the time is required for high-secure environments, the preferred method is the default software-based private key protection. The software-based private key protection requires a strong password, which is used to encrypt the cluster’s private key.

AD RMS User Authentication

AD RMS user authentication is required when the user reads an RMS-protected document. The AD RMS server validates the user using Windows integrated authentication. The Windows integrated authentication takes place when the user acquires the AD RMS account certificate and obtains the user license to read content from an AD RMS server.

You can also use Smartcards when obtaining RACs and use licenses from the AD RMS server. To configure the AD RMS server to require client authentication, you need to enable SSL for the Web site on which you provisioned AD RMS and configure the authentication method in Internet Information Services (IIS).

AD RMS Database Security

The following recommendations are best practices and will increase the overall security of databases within the network and server environment:

  • Run the database server on a computer that is running Windows Server 2008 or Windows Server 2008 R2.

  • Restrict access to the database server. Keep it in a location that is physically secure.

  • Make sure that the database permissions and discretionary access control lists (DACL) that are on database files restrict access to authorized personnel. The default permissions and DACLs that are configured by AD RMS are secure. Use caution when changing any of the default settings.

  • Do not run any unnecessary services on the database server, such as Microsoft Internet Information Services (IIS), Message Queuing, or Terminal Services.

  • Do not run any databases on the database server except for the AD RMS databases.

  • Secure SQL Server databases by configuring either SSL or Internet Protocol security (IPsec) to provide encrypted channels. Encrypting database communications helps prevent malicious users from capturing or modifying logged data. For more information about configuring SSL or IPsec for SQL Server 2005 or SQL 2008, see Encrypting Connections to SQL Server (