
Active Directory Rights Management Services Overview

 

Updated: April 1, 2015

Applies To: Windows Server 2012 R2, Windows Server 2012

This document provides an overview of Active Directory Rights Management Services (AD RMS) in Windows Server® 2012. AD RMS is the server role that provides you with management and development tools that work with industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions.

AD RMS can be used to augment the security strategy for your organization by protecting documents using information rights management (IRM).

Through IRM policies, AD RMS allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.

AD RMS and IRM help individuals enforce their personal preferences concerning the transmission of personal or private information. They also help organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.

Note

AD RMS running on Windows Server 2012 R2 or Windows Server 2012 meets the requirements of FIPS 140-2 when this server role is deployed as described in FIPS Compliance Issues for RMS.

IRM solutions that AD RMS enables are used to help provide the following:

  • Persistent usage policies, which remain with the information, no matter where it is moved, sent, or forwarded.

  • An additional layer of privacy to protect sensitive information (such as financial reports, product specifications, customer data, and confidential e-mail messages) from intentionally or accidentally getting into the wrong hands.

  • Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use.

  • Prevent restricted content from being copied by using the Print Screen feature in Microsoft Windows.

  • Support file expiration so that content in documents can no longer be viewed after a specified period of time.

  • Enforce corporate policies that govern the use and dissemination of content within the company.

IRM-based solutions that AD RMS supports cannot prevent all types of threats to the security of sensitive documents or prevent disclosure of screen-readable information under all circumstances. For example, AD RMS does not address or mitigate the following types of document security threats. It cannot prevent:

  • Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spyware

  • Content from being lost or corrupted because of the actions of computer viruses

  • Restricted content from being hand-copied or retyped from a display on a recipient's screen

  • A recipient from taking a digital photograph of the restricted content displayed on a screen

  • Restricted content from being copied by using third-party screen-capture programs

For more information about how AD RMS can be used to design secure document collaboration, see AD RMS Architecture Design and Secure Collaboration Scenarios.

For information about how AD RMS can secure all file types, see How RMS protects all file types – by using the RMS sharing app.

Several improvements have been made to the Windows Server 2012 version of AD RMS. These enhancements are covered online in the article What’s New in AD RMS?

AD RMS role services can be installed through Server Manager. The following role services are available:

| Role service | Description |
| --- | --- |
| Active Directory Rights Management Server | The Active Directory Rights Management Server is a required role service that installs all AD RMS features used to publish and consume rights-protected content. |
| Identity Federation Support | The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services. |

If you are running a version of Rights Management that you want to upgrade or migrate to the latest version, use the following resources:

The following table provides additional resources for evaluating AD RMS.

Content type

References

Product evaluation

Deployment

Tip

Have a problem with your AD RMS deployment, or just want to check the health of your AD RMS infrastructure? Download and run the RMS Analyzer.

Community resources

Related technologies

Active Directory Certificate Services

Active Directory Domain Services

Active Directory Federation Services

Active Directory Lightweight Directory Services

Azure Rights Management

© 2015 Microsoft