Safeguarding Confidential Data in SharePoint 2010 : Using Active Directory Rights Management Services (AD RMS) for SharePoint Document Libraries

Active Directory Rights Management Services (AD RMS) is a Data Leak Prevention (DLP) technology that uses Digital Rights Management (DRM) concepts in an attempt to prevent critical data from easily being transferred outside of a company. AD RMS works by encrypting documents, and then only allowing them to be unencrypted if the client application agrees to the terms of the rights policy. For example, the rights policy may dictate that the document cannot be printed, that it can’t be saved in a different format, or that data from it cannot be copied/pasted. It can also dictate that the document expires after a certain period of time.

AD RMS is independent from SharePoint, and runs as a service on a Windows Server 2008 or Windows Server 2008 R2 server. Clients can encrypt files directly from their Office clients, or via Outlook, with or without SharePoint. Where the SharePoint integration comes into place, however, is in SharePoint’s ability to define a rights policy on all documents within a document library and have those rights policies enforced by an AD RMS server in the domain.

Understanding Prerequisites and Limitations of AD RMS

It is important to understand first what AD RMS can and can’t do in a SharePoint environment. The following key facts are important:

• AD RMS does not encrypt files in storage. Instead, the AD RMS rights policies are enforced only when the document is pulled out of the document library. This allows SharePoint indexing to be able to index the documents. If storage-level encryption is required, a technology such as SQL TDE.

• You can only establish one rights policy per document library and, once established, those policies apply to all documents, both existing and new documents in the library.

• The rights policies in SharePoint document libraries only define whether a user can print or programmatically access data or not. Other rights restrictions on documents actually depend on the SharePoint rights that a user has to the document library. If they have full contributor rights, they can do more with the content. If they simply have reader rights, they are fully restricted in what they can do.

• The AD RMS fully qualified domain name (FQDN) cannot be changed for existing content. Give considerable thought to what the FQDN will be and enable SSL encryption immediately on RMS. If you choose a flat name such as http://rmsserver for your URL, you will never be able to turn on external access to RMS. Instead, consider choosing something like https://rms.companyabc.com from the beginning, even if you don’t intend on turning on external access.

• Users using rights-protected documents or document libraries must have web-based access to the AD RMS FQDN to be able to open documents. If SharePoint is published on the outside, for example, the users will need to be able to access the FQDN of the AD RMS site. In the previous example, this means being able to get to rms.companyabc.com. This means that this must be published as a site if this type of functionality is required.

• After a service connection point (SCP) is published in AD, all users will immediately be able to use it. Consider waiting to publish the SCP until the environment has been fully tested. You can test out AD RMS by modifying the client registry to point to the AD RMS server instead of using an SCP initially.

Add multiple AD RMS servers for redundancy, and load balance them. This makes it even more critical to use an FQDN that can point to multiple servers or a load balanced VIP, such as rms.companyabc.com. You won’t be able to add a second AD RMS server into a cluster until the SCP has been published.

Installing AD RMS

For environments that don’t already have an AD RMS server in place (legacy Windows Server 2003 RMS will work as well), a new Windows Server 2008 R2 AD RMS environment is required. Note that the RMS server requires a separate server from the SharePoint farm servers, and will also require a database for the AD RMS database. In many cases, the AD RMS database server will be the same server as the SharePoint database server.

To install and configure AD RMS on a server, first install Windows Server 2008 R2, (Standard, Enterprise, or Datacenter will work) with the default installation options and then add it to the domain. Log in as an account with local admin access to the box and perform the following steps to install AD RMS:

1.	On the RMS server, run the Add Roles Wizard from Server Manager.
2.	Click Next to start the wizard.
3.	Check the box for Active Directory Rights Management Services
4.	Choose to add the required role services when prompted.
5.	Ensure that AD RMS and Web Server are checked in the summary dialog box, shown in Figure 1, and choose Next to continue. Figure 1. Installing the AD RMS role.
6.	Click Next at the AD RMS Welcome dialog box.
7.	Under Role Services, leave the default in place and click Next.
8.	From the RMS Cluster dialog box, choose to create a new RMS cluster and click Next to continue.
9.	From the Database dialog box, shown in Figure 2, choose to either use a local Windows Internal DB on the server or use a centralized SQL Server instance on another server. It is highly recommended to choose a separate SQL server, such as the SharePoint database server, for this. Figure 2. Selecting the database for AD RMS.
10.	Specify a domain user account in the subsequent dialog box that will be used for AD RMS. This account should not have any special rights other than domain user rights in the domain. You will need to create this account in advance before proceeding. Click Next to continue.
11.	Under the Cluster Key Storage dialog box, choose the default AD managed key storage and click next to continue.
12.	Enter a password for the cluster. Be sure to save this password; you’ll need it to add additional RMS servers into the cluster in the future. Click Next to continue.
13.	Use the default website and click Next to continue.
14.	Select whether to use an SSL-encrypted connection to RMS or an HTTP connection, such as what is shown in Figure 3. It is highly recommended to use SSL now, because content will display this name at all times. In addition, do not use a server name for the FQDN. Use a name that can be transferred to a VIP or another server in the future, such as rms.companyabc.com. Ideally, your RMS address will then always be https://rms.companyabc.com. Click Next to continue. Figure 3. Specifying the FQDN for AD RMS.
15.	At the subsequent dialog box, choose the SSL certificate that matches the FQDN chosen (that is, rms.companyabc.com). If it is not created yet, choose to install it later. This certificate must be installed for RMS to work properly. It is not recommended to use a self-signed certificate. Click Next to continue.
16.	Choose the name of the server licensor certificate (accept the default in most cases) and click Next to continue.
17.	Select whether to register the SCP now or later. Typically, the SCP will be registered immediately, but be sure to understand the implications of this. Once registered, all Office clients in the domain will “see” the RMS server and will be able to start encrypting content.
18.	Accept the default for the web role wizard, and then click Next.
19.	Review the settings, such as those shown in Figure 4, and choose Install. Figure 4. Reviewing AD RMS installation settings.
20.	Choose Close when the wizard completes.

Modifying the RMS Certification Pipeline

After an RMS server is installed, a file on the RMS server will need to be modified to allow the SharePoint server and a local RMS group to be able to access that file. If this step is not performed, SharePoint won’t be able to make a connection to the RMS server to be able protect document libraries. To configure this security, perform the following steps while logged in as a local administrator on the RMS server:

1.	On the RMS server, navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
2.	Right-click the ServerCertification.asmx file and choose Properties, and then click the Security tab.
3.	Click Edit and then Add.
4.	Click Object Types, select Computers, and then click OK.
5.	Enter the name of all SharePoint web roles servers into the box and then click OK.
6.	Click Add.
7.	Select Object Types of Groups, and then click OK.
8.	Type RMSServer\AD RMS Service Group (where RMSServer is the name of your RMSServer), and then click OK.
9.	Review the security settings, which should be similar to what is shown in Figure 5. Figure 5. Modifying the security on the ServerCertification.asmx file on the RMS server.
10.	Click OK to close the security dialog box.

Enabling IRM Support in SharePoint Central Admin

After the ServerCertification.asmx file has been modified on the RMS server, switch to the SharePoint server to be able to turn on Information Rights Management (IRM) support and integrate the SharePoint servers with the AD RMS environment. To turn on this functionality, perform the following tasks:

1.	From SharePoint Central Admin, navigate to the Security link in the navigation pane.
2.	Under Information Policy, click Configure Information Rights Management.
3.	If the SCP is published in AD, choose Use the Default RMS Server Specified in Active Directory, as shown in Figure 6, and then click OK. Figure 6. Enabling AD RMS support in SharePoint Central Admin.

Enabling IRM Support on an Individual Document Library

After enabled in SharePoint Central Admin, IRM protection can be enabled on individual document libraries within the farm by any site administrator who has full rights to the document library. To enable IRM protection on an individual document library, perform the following steps:

1.	Within a SharePoint site, select a document library.
2.	From the Ribbon, choose Library Tools, Library, and then click the button for Library Settings.
3.	Under Permissions and Management, choose Information Rights Management.
4.	Check the Restrict Permission to Documents in This Library on Download box, as shown in Figure 7. Enter the remaining fields depending on how the policy will be applied, whether there is expiration of policy, whether readers to the site can print or access content programmatically, and so on. Click OK. Figure 7. Enabling IRM support on a SharePoint document library.

Once enabled, all current documents and future documents in that document library will have the rights protection policy chosen added to them as they are viewed or modified from within the SharePoint Site. To turn off rights protection, just go back into the document library settings and uncheck the box for IRM. This will remove IRM protection for all documents within the library.