Internet Information Services Support for RMS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The primary RMS services are delivered by a set of ASP.NET Web services. These Web services run on Microsoft® Internet Information Services (IIS). During server provisioning, RMS sets up virtual directories in IIS. The application files for the Web services are installed in the virtual directories.

During server provisioning, you can select the Web site under which you want to set up virtual directories from a list of Web sites that exist on the server. Before you provision a server, you may want to create a special Web site for RMS. If you do this, you can configure authentication and access restrictions that are specific to your RMS deployment.

By default, the Web services files and virtual directories are protected by discretionary access control lists (DACLs) to prevent unauthorized access to their features. The access control entries (ACEs) on these items are as follows:

  • Administrators group has full control

  • Local system has full control

  • RMS Service Group has Read and Execute permissions

  • Guests and Users have Read and Execute, List Folder Content, and Read permissions

  • Anonymous access is not allowed

The following table lists the virtual directories that are created in IIS, and the services that are installed in the virtual directories.

| Virtual directory | Service | Web service file |
|---|---|---|
| _wmcs | This is the RMS cluster administration virtual directory | Not applicable |
| Certification | This virtual directory contains the services that support RMS certification | Not applicable |
| | Activation proxy | Activation.asmx |
| | Account certification | Certification.asmx |
| | Precertification | Precertification.asmx |
| | Service locator | ServiceLocator.asmx |
| | Server | Server.asmx |
| | Server Certification | ServerCertification.asmx |
| | Mobile Device Certification | MobileDeviceCertfication.asmx |
| | Enrollment | SubEnrollService.asmx |
| Licensing | This virtual directory contains the services that support RMS licensing | Not applicable |
| | Licensing | License.asmx |
| | Publishing | Publish.asmx |
| | Server | Server.asmx |
| | Service locator | ServiceLocator.asmx |
| Admin | This virtual directory contains the services that support RMS administration | Not applicable |
| | Administration | AdminSvc.asmx |
| DrmRemote | .NET Remoting interface | Not applicable |
| DirectoryServices | This is a subdirectory of DrmRemote | Not applicable |

Note

The Administration service has tighter restrictions than the other Web services because the interfaces that are provided allow you to configure RMS. Because of this, members of the Users group cannot gain access to the Administration service. In addition, IP filtering is enabled to grant access only to the local computer.

The DirectoryServices virtual directory does not grant access to Guest users.

The Service locator service also grants full control to the Network Service account.

To provision a server in a licensing-only cluster, you must change the default ACEs to permit access by the RMS administrator.
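
The default ACEs listed above can be audited with a script such as the following. This is an added example, not Microsoft's code: `Test-RmsVdirAcl` is a hypothetical helper name, and it assumes English account names, that RMS Service Group is a local group on the server, and that `-Path` is the physical folder or file behind a virtual directory (a placeholder, since this page does not give the paths).

```powershell
# Added example: report where a path's Allow ACEs differ from the default
# list on this page. Checks NTFS ACEs only; IIS authentication settings
# (anonymous access, IP filtering) are not examined.
function Test-RmsVdirAcl {
    param(
        [string]$Path,
        # Default baseline from the ACE list above (English names assumed).
        [hashtable]$Baseline = @{
            'BUILTIN\Administrators'                 = 'FullControl'
            'NT AUTHORITY\SYSTEM'                    = 'FullControl'
            "${env:COMPUTERNAME}\RMS Service Group"  = 'ReadAndExecute'
            'BUILTIN\Guests'                         = 'ReadAndExecute'
            'BUILTIN\Users'                          = 'ReadAndExecute'
        }
    )
    $rightsType = [System.Security.AccessControl.FileSystemRights]
    # Synchronize is added to most file ACEs by Windows; ignore it.
    $sync = [int]$rightsType::Synchronize
    $seen = @{}
    $findings = @()

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value

        # Any identity outside the baseline (for example an anonymous
        # Web account) is a deviation.
        if (-not $Baseline.ContainsKey($who)) {
            $findings += "UNEXPECTED  $who : $($ace.FileSystemRights)"
            continue
        }
        $seen[$who] = $true

        # Flag rights bits beyond what the baseline grants this identity.
        $allowed = [int]($rightsType::($Baseline[$who]))
        $extra = [int]$ace.FileSystemRights -band (-bnot ($allowed -bor $sync))
        if ($extra -ne 0) {
            $findings += "EXCESS      $who : $($ace.FileSystemRights) (baseline $($Baseline[$who]))"
        }
    }
    foreach ($who in $Baseline.Keys) {
        if (-not $seen.ContainsKey($who)) { $findings += "MISSING     $who" }
    }
    $findings   # empty output means the Allow ACEs match the baseline
}

# Usage (placeholder path): Test-RmsVdirAcl -Path '<physical path of _wmcs>'
```

For the Admin and DirectoryServices directories and the Service locator service, pass a `-Baseline` adjusted to the exceptions in the note above.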