Securing RMS Servers

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following recommendations to manage user accounts and security settings on your RMS servers:

  • The virtual directories of the Web site used to administer RMS have discretionary access control lists (DACLs) that limit access to local administrators. A local administrator can create an additional security group to further control access by adding and removing members, and by setting additional access control entries (ACEs) on the administration Web pages.

  • For greater security, change the DACL settings for the Security Settings Web page (SecurityPolicy.aspx). To allow provisioning, the default ACE grants full control to the account that provisions RMS. After provisioning, you should change the ACE so that it applies to either an individual or a restricted security group.

  • In addition to the permissions and rights for each RMS server, give special attention to the requirements for securing the configuration database, which is vital to securing the entire deployment. For more information, see "Securing the Configuration Database" later in this subject.
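One way to verify the SecurityPolicy.aspx recommendation after provisioning, as an added PowerShell example that is not part of the original documentation. It assumes Windows PowerShell is installed on the RMS server; the file path is a placeholder and the approved account names are constructed for illustration.

```powershell
# Added example: list Allow ACEs on SecurityPolicy.aspx that fall outside an approved set.
param(
    # Placeholder path: point this at SecurityPolicy.aspx in your RMS administration site.
    [string]$PagePath = 'C:\PATH\TO\RMS\ADMIN\SITE\SecurityPolicy.aspx',
    # Constructed names: the individual or restricted group that should keep access.
    [string[]]$Approved = @('BUILTIN\Administrators', 'CONTOSO\RMS-SecurityPolicy-Admins')
)

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$ApprovedIdentities)

    # Read the file's DACL and keep only Allow entries for identities not on the list.
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $ApprovedIdentities -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ Name = 'Identity'; Expression = { $_.IdentityReference.Value } },
                      FileSystemRights,
                      IsInherited
}

if (-not (Test-Path -Path $PagePath)) {
    Write-Error "File not found: $PagePath"
    exit 2
}

$unexpected = @(Get-UnexpectedAce -Path $PagePath -ApprovedIdentities $Approved)

if ($unexpected.Count -eq 0) {
    Write-Output "OK: only approved identities hold Allow ACEs on $PagePath"
    exit 0
}

# IsInherited = True means the ACE comes from a parent folder and has to be
# changed there (or inheritance adjusted), not on the file itself.
$unexpected | Format-Table -AutoSize
Write-Warning "$($unexpected.Count) Allow ACE(s) outside the approved list need review."
exit 1
```

If the account that provisioned RMS still appears in the output with FullControl, the default ACE described above has not yet been replaced.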

For more information about securing the Microsoft Windows Server 2003 family of operating systems, obtain the "Windows Server 2003 Security Guide" from the Microsoft Download Center (