Internet Information Services Support for RMS
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The primary RMS services are delivered by a set of ASP.NET Web services. These Web services run on Microsoft® Internet Information Services (IIS). During server provisioning, RMS sets up virtual directories in IIS. The application files for the Web services are installed in the virtual directories.
During server provisioning, you can select the Web site under which you want to set up virtual directories from a list of Web sites that exist on the server. Before you provision a server, you may want to create a special Web site for RMS. If you do this, you can configure authentication and access restrictions that are specific to your RMS deployment.
By default, the Web services files and virtual directories are protected by discretionary access control lists (DACLs) to prevent unauthorized access to their features. The access control entries (ACEs) on these items are as follows:
- Administrators group has full control
- Local system has full control
- RMS Service Group has Read and Execute permissions
- Guests and Users have Read and Execute, List Folder Content, and Read permissions
- Anonymous access is not allowed
The following table lists the virtual directories that are created in IIS, and the services that are installed in the virtual directories.
| Virtual directory | Service | Web service file |
|---|---|---|
| _wmcs | This is the RMS cluster administration virtual directory | Not applicable |
| Certification | This virtual directory contains the services that support RMS certification | Not applicable |
| | Activation proxy | Activation.asmx |
| | Account certification | Certification.asmx |
| | Precertification | Precertification.asmx |
| | Service locator | ServiceLocator.asmx |
| | Server | Server.asmx |
| | Server Certification | ServerCertification.asmx |
| | Mobile Device Certification | MobileDeviceCertfication.asmx |
| | Enrollment | SubEnrollService.asmx |
| Licensing | This virtual directory contains the services that support RMS licensing | Not applicable |
| | Licensing | License.asmx |
| | Publishing | Publish.asmx |
| | Server | Server.asmx |
| | Service locator | ServiceLocator.asmx |
| Admin | This virtual directory contains the services that support RMS administration | Not applicable |
| | Administration | AdminSvc.asmx |
| DrmRemote | .NET Remoting interface | Not applicable |
| DirectoryServices | This is a subdirectory of DrmRemote | Not applicable |

Note
The Administration service has tighter restrictions than the other Web services because the interfaces that it provides allow you to configure RMS. Because of this, members of the Users group cannot gain access to the Administration service. In addition, IP filtering is enabled to grant access only to the local computer.
The DirectoryServices virtual directory does not grant access to Guest users. The Service locator service also grants full control to the Network Service account. To provision a server in a licensing-only cluster, you must change the default ACEs to permit access by the RMS administrator.
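
The default ACEs listed above, together with the exceptions in the Note, can be compared against the DACL actually present on a server. The PowerShell script below is an added example, not part of the original page or of RMS: the path is a placeholder, the parameter names are hypothetical, and it assumes the accounts resolve to the short names used on this page. It reads NTFS ACEs only; the IIS anonymous-access and IP-filtering settings are not inspected.

```powershell
param(
    # Placeholder: physical folder or .asmx file behind one RMS virtual directory.
    [string]$Path = 'C:\PLACEHOLDER\rms-virtual-directory',
    # Accounts the Note removes for this item, e.g. 'Users' for the Admin
    # directory or 'Guests' for DirectoryServices.
    [string[]]$NotGranted = @(),
    # Accounts the Note gives full control, e.g. 'NETWORK SERVICE' for the
    # Service locator service.
    [string[]]$AlsoFullControl = @()
)

$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# Read and Execute already contains List Folder Contents and Read.
# Synchronize is added because Windows normally sets it on allow ACEs.
$rx = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

# Documented defaults, keyed by the account name after the last backslash
# (assumption: local and built-in accounts resolve to these names).
$baseline = @{
    'Administrators'    = $full
    'SYSTEM'            = $full
    'RMS Service Group' = $rx
    'Guests'            = $rx
    'Users'             = $rx
}
foreach ($n in $NotGranted)      { $baseline.Remove($n) }
foreach ($n in $AlsoFullControl) { $baseline[$n] = $full }

foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Deny ACEs only narrow access, so they are not reported.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $account = $ace.IdentityReference.Value
    $allowed = $baseline[$account.Split('\')[-1]]
    $granted = [int]$ace.FileSystemRights

    if ($null -eq $allowed) {
        $issue = 'account is not in the documented ACE list'
    } elseif ($allowed -ne $full -and ($granted -band (-bnot $allowed))) {
        $issue = 'rights exceed the documented default'
    } else {
        continue
    }
    # One object per deviation; no output means the DACL grants nothing extra.
    New-Object PSObject -Property @{
        Account = $account; Rights = $ace.FileSystemRights
        Inherited = $ace.IsInherited; Issue = $issue
    }
}
```

ACEs that are missing relative to the defaults are not reported, because a missing grant reduces access rather than widening it.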