Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management Services or RMS before Windows Server 2008) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents and web pages, and to limit the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats and, through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations such as printing, copying, editing, forwarding and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights into predefined sets that can be applied en masse.

RMS debuted in Windows Server 2003, with client API libraries made available for Windows 2000 and later. The Rights Management Client is included in Windows Vista and later, and is available for Windows XP, Windows 2000 and Windows Server 2003.[1] In addition, there is an implementation of AD RMS in Office for Mac to use rights protection on OS X, and some third-party products are available to use rights protection on Android, BlackBerry OS, iOS and Windows RT.[2][3]

Attacks against policy enforcement capabilities

In April 2016, an alleged attack on RMS implementations (including Azure RMS) was published and reported to Microsoft.[4][5] The published code allows an authorized user who has been granted the right to view an RMS-protected document to remove the protection while preserving the file formatting. This manipulation requires that the user has already been granted the right to decrypt the content in order to view it. While Rights Management Services makes certain security assertions regarding the inability of unauthorized users to access protected content, the differentiation between usage rights for authorized users is considered part of its policy enforcement capabilities, which Microsoft states are implemented on a "best effort" basis; Microsoft therefore does not consider this a security issue but a policy enforcement limitation. Previously the RMS SDK required code that used the RMS capabilities to be signed, in order to provide some control over which applications interacted with RMS, but this requirement was later removed because of its limited ability to restrict such behaviour, given that applications can use the web services directly to obtain licenses to decrypt the content.[6]

In addition, using the same technique, a user who has been granted the right to view a protected document can modify its content without leaving any trace of the modification. Since Azure RMS is not a non-repudiation solution and, unlike document signing solutions, does not claim to provide anti-tampering capabilities, and since the changes can only be made by users who have been granted rights to the document, Microsoft does not consider the latter issue to be an actual attack against the claimed capabilities of RMS.[7] The researchers provide a proof-of-concept tool for evaluating the results via GitHub.[8]
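To make concrete which of these guarantees a defender can rely on, the following is an added toy model; it is not Microsoft's code, not the RMS file or license format, and not the researchers' tool. It has a licensing server that releases a content key only to principals named in the policy (the guarantee RMS does claim), a compliant client that checks rights before acting (the "best effort" part, which holds only as long as the client honours it), and an author signature layered on top as the kind of anti-tampering control RMS itself does not claim to provide. The stream cipher, the HMAC standing in for a signature, the principal names and the sample text are all constructed for the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

VIEW, EDIT = "VIEW", "EDIT"


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), constructed for this model only."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)


@dataclass(frozen=True)
class ProtectedDocument:
    doc_id: str
    ciphertext: bytes
    signature: bytes = b""  # author integrity tag; plain RMS carries none


@dataclass(frozen=True)
class UseLicense:
    principal: str
    rights: frozenset
    content_key: bytes  # whoever holds this can decrypt, whatever `rights` says


class LicensingServer:
    """Stand-in for the RMS licensing service: releases the content key only to principals in the policy."""

    def __init__(self) -> None:
        self._docs = {}  # doc_id -> (content key, {principal: [rights]})

    def publish(self, doc_id: str, plaintext: bytes, policy: dict) -> ProtectedDocument:
        key = secrets.token_bytes(32)
        self._docs[doc_id] = (key, policy)
        return ProtectedDocument(doc_id, xor_stream(key, plaintext))

    def issue_use_license(self, doc: ProtectedDocument, principal: str) -> UseLicense:
        key, policy = self._docs[doc.doc_id]
        if not policy.get(principal):
            raise PermissionError(f"{principal} is not authorized for {doc.doc_id}")
        return UseLicense(principal, frozenset(policy[principal]), key)


def compliant_client(lic: UseLicense, doc: ProtectedDocument, action: str) -> bytes:
    """A well-behaved client checks the right before decrypting; this check, not the
    cryptography, is all that separates VIEW-only from EDIT."""
    if action not in lic.rights:
        raise PermissionError(f"{lic.principal} lacks {action}")
    return xor_stream(lic.content_key, doc.ciphertext)


def author_sign(plaintext: bytes, author_key: bytes) -> bytes:
    """Stand-in for a document signature (HMAC keeps the example in the standard library)."""
    return hmac.new(author_key, plaintext, hashlib.sha256).digest()


def open_verified(lic: UseLicense, doc: ProtectedDocument, author_key: bytes) -> bytes:
    """Decrypt, then refuse content whose author signature does not match."""
    plaintext = compliant_client(lic, doc, VIEW)
    if not hmac.compare_digest(doc.signature, author_sign(plaintext, author_key)):
        raise ValueError("content does not match the author signature")
    return plaintext


def raises(call, exc) -> bool:
    try:
        call()
    except exc:
        return True
    return False


def demo() -> dict:
    """Walk through the outcomes the text describes; one boolean flag per outcome."""
    server, author_key, r = LicensingServer(), secrets.token_bytes(32), {}
    original = b"Q3 forecast: revenue 12.4M"  # constructed sample content
    doc = server.publish("forecast-1", original, {"alice": [VIEW], "bob": [VIEW, EDIT]})
    # 1. The guarantee RMS does claim: a principal outside the policy never gets the key.
    r["unauthorized_blocked"] = raises(lambda: server.issue_use_license(doc, "mallory"), PermissionError)
    # 2. Best effort: alice's compliant client refuses EDIT, yet her license already holds
    #    the content key, so VIEW-only is exactly as strong as the client honouring it.
    alice = server.issue_use_license(doc, "alice")
    r["compliant_client_refuses_edit"] = raises(lambda: compliant_client(alice, doc, EDIT), PermissionError)
    r["view_right_implies_key"] = xor_stream(alice.content_key, doc.ciphertext) == original
    # 3. No integrity claim: content re-encrypted under the same key opens cleanly for bob,
    #    and nothing in the container records that it changed.
    altered = ProtectedDocument(doc.doc_id, xor_stream(alice.content_key, b"Q3 forecast: revenue 99.9M"))
    bob = server.issue_use_license(altered, "bob")
    r["tamper_unnoticed_without_signature"] = compliant_client(bob, altered, VIEW) != original
    # 4. Control layered outside RMS: an author signature over the plaintext catches the
    #    change while the unmodified document still opens.
    signed = ProtectedDocument(doc.doc_id, doc.ciphertext, author_sign(original, author_key))
    forged = ProtectedDocument(doc.doc_id, altered.ciphertext, signed.signature)
    r["signed_original_opens"] = open_verified(bob, signed, author_key) == original
    r["tamper_detected_with_signature"] = raises(lambda: open_verified(bob, forged, author_key), ValueError)
    return r
```

Running `demo()` returns six flags, all `True`. The design point is the first two: the only boundary enforced by cryptography is the one between principals who receive a use license and those who do not, so in a threat model an RMS "View" right should be treated as granting full control of the content, and integrity or non-repudiation needs a separate signing control such as the one sketched in step 4.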

Software support

RMS is natively supported by the following products:

Third-party solutions, such as those from Secure Islands (acquired by Microsoft), GigaTrust and Liquid Machines (acquired by Check Point), can add RMS support to the following:

References

  1. Microsoft Windows Rights Management Services Client with Service Pack 2 - x86
  2.
  3. "Archived copy". Archived from the original on 2012-10-31. Retrieved 2013-10-14.
  4. Mainka, Christian; Grothe, Martin (2016-08-01). "How to Break Microsoft Rights Management Services". On Web-Security and -Insecurity. Network and Data Security Chair, Ruhr-University Bochum. Retrieved 2016-08-04.
  5. Mainka, Christian; Grothe, Martin (2016-08-04). "How to Break Microsoft Rights Management Services". WOOT '16 - 10th USENIX Workshop on Offensive Technologies. USENIX Security Symposium. Retrieved 2016-08-04.
  6. "Creating a Rights Management Manifest". Microsoft Developer Network. Microsoft. Retrieved 2017-10-06.
  7. "AD RMS FAQ". Microsoft Docs. Microsoft. Retrieved 2017-10-06.
  8. Mainka, Christian; Grothe, Martin (2016-07-07). "MS-RMS-Attacks". GitHub. Retrieved 2016-08-04.
  9. "Plan Information Rights Management in Office 2013". TechNet. Retrieved 2015-11-24.
  10. "Archived copy". Archived from the original on 2013-02-02. Retrieved 2010-07-13.
  11. "Archived copy". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  12. "GigaTrust Announces Availability of Adobe® Rights-Management Protector for Microsoft® Office SharePoint Server 2007 (MOSS 2007)". Archived from the original on 2008-05-17. Retrieved 2009-02-18.
  13. "Archived copy". Archived from the original on 2013-02-02. Retrieved 2010-07-13.
  14. "Archived copy". Archived from the original on 2013-02-16. Retrieved 2013-01-31.
  15.
  16.

Active Directory

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services. A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework for deploying other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services and Rights Management Services.

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Secure Islands

Secure Islands Technologies Ltd. was an Israeli privately held technology company headquartered at 5 Menachem Begin Ave., Beit Dagan, which was subsequently acquired by Microsoft. The company developed and marketed Information Protection and Control (IPC) solutions. Secure Islands Technologies Ltd. was founded by two brothers, Aki and Yuval Eldar, in late 2006 to develop and sell advanced data security solutions. The then Jerusalem-based start-up proposed a new approach to data protection: embedding security directly in the data. Secure Islands built software designed to classify sensitive information automatically, based on policies defined by an enterprise, and then to wrap it in the appropriate level of digital rights management (DRM).

Windows Internal Database

Windows Internal Database (codenamed WYukon, sometimes referred to as SQL Server Embedded Edition) is a variant of SQL Server Express 2005–2014 that is included with Windows Server 2008 (SQL 2005), Windows Server 2008 R2 (SQL 2005), Windows Server 2012 (SQL 2012), Windows Server 2012 R2 (SQL 2012) and Windows Server 2016 (SQL 2014), and is included with other free Microsoft products released after 2007 that require a SQL Server database backend. Windows SharePoint Services 3.0 and Windows Server Update Services 3.0 both include Windows Internal Database, which can be used as an alternative to a retail edition of SQL Server. WID was a 32-bit application, even as a component of 64-bit Windows Server 2008, installed in the path C:\Windows\sysmsi\ssee\. In Windows Server 2012 and later, it is a 64-bit application installed in C:\Windows\WID.

Windows Internal Database is not available as a standalone product for use by end-user applications; Microsoft provides SQL Server Express and Microsoft SQL Server for this purpose. Additionally, it is designed to only be accessible to Windows Services running on the same machine.

Several components of Windows Server 2008 and 2012 use Windows Internal Database for their data storage: Active Directory Rights Management Services, Windows System Resource Manager, UDDI Services, Active Directory Federation Services 2.0, IPAM and Windows SharePoint Services. On Windows Server 2003, SharePoint and Windows Server Update Services will install Windows Internal Database and use it as the default data store if a retail SQL Server database instance is not provided. A Knowledge Base article published by Microsoft states that Windows Internal Database does not identify itself as a removable component, and provides instructions on how it may be uninstalled by calling Windows Installer directly. SQL Server Management Studio Express can be used to connect to an instance of Windows Internal Database using \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query (2003–2008) or \\.\pipe\MICROSOFT##WID\tsql\query (2012) as the instance name. This only works locally, as remote connections cannot be enabled for this edition of SQL Server. Note also that Windows Authentication should be used (as opposed to SQL Server Authentication); administrators report the best results when logged on with the same administrative account that was created when Windows was installed.
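The same local named-pipe connection can be scripted instead of made from Management Studio, which is useful when checking which roles keep their data in WID before a backup or a migration. The block below is an added example, not from the page and not Microsoft tooling; it assumes the pyodbc package and the "ODBC Driver 17 for SQL Server" are installed on the server (both are assumptions), and it takes the two pipe names from the text above.

```python
# Pipe names from the text: the SSEE instance (Windows Server 2003-2008) and the
# WID instance (Windows Server 2012 and later).
WID_PIPES = {
    "ssee": r"\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query",
    "wid": r"\\.\pipe\MICROSOFT##WID\tsql\query",
}


def wid_connection_string(pipe: str, driver: str = "ODBC Driver 17 for SQL Server") -> str:
    """Build an ODBC connection string for the local WID instance.

    "np:" pins the transport to named pipes (WID exposes no TCP endpoint) and
    Trusted_Connection=yes selects Windows authentication, the only mode that works.
    The driver name is an assumption about what is installed on the host.
    """
    if not pipe.startswith("\\\\.\\pipe\\"):  # \\.\ always means this machine
        raise ValueError("WID only accepts local named-pipe connections")
    return f"DRIVER={{{driver}}};SERVER=np:{pipe};Trusted_Connection=yes;"


def list_wid_databases(pipe: str) -> list:
    """Return the user databases hosted in WID (system databases have database_id 1-4).

    Run this while logged on as a local administrator; the text above notes that the
    account created at Windows setup is the most reliable choice.
    """
    import pyodbc  # imported here so the module loads on hosts without the driver

    conn = pyodbc.connect(wid_connection_string(pipe))
    try:
        cur = conn.cursor()
        cur.execute("SELECT name FROM sys.databases WHERE database_id > 4 ORDER BY name")
        return [row[0] for row in cur.fetchall()]
    finally:
        conn.close()


if __name__ == "__main__":
    print(list_wid_databases(WID_PIPES["wid"]))
```

The local-only check in `wid_connection_string` is deliberate: because remote connections cannot be enabled for this edition, any connection string pointing at another host is a configuration mistake rather than something that will fail later with a less obvious error.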

Windows Server 2008

Windows Server 2008 is a server operating system produced by Microsoft. It was released to manufacturing on February 4, 2008, and reached general availability on February 27, 2008. It is the successor of Windows Server 2003, released nearly five years earlier.

Windows Server 2012

Windows Server 2012, codenamed "Windows Server 8", is the fifth release of Windows Server. It is the server version of Windows 8 and succeeds Windows Server 2008 R2. Two pre-release versions, a developer preview and a beta version, were released during development. The software was generally available to customers starting on September 4, 2012. Unlike its predecessor, Windows Server 2012 has no support for Itanium-based computers, and has four editions. Various features were added or improved over Windows Server 2008 R2 (many with an emphasis on cloud computing), such as an updated version of Hyper-V, an IP address management role, a new version of Windows Task Manager, and ReFS, a new file system. Windows Server 2012 received generally good reviews despite including the same controversial Metro-based user interface seen in Windows 8, which includes the "Charms Bar" for quick access to settings in the desktop environment.


This page is based on a Wikipedia article.
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.