Active DirectoryMicrosoft Technologies

Active Directory Right Management Service (AD RMS) – Part 01

Microsoft had taken their first approach to information rights management (IRM) by introducing Windows Right Management Service with Windows Server 2003. This was fully compliant with Federal Information Processing Standard (FIPS) 140-1. The update version of Windows Right Management was renamed as Active Directory Rights Management Services and re introduced with Windows Server 2008. It continued to grow with features and included with every new windows server versions after that. Microsoft also released Azure RMS (included in Azure Information Protection) which can use in Hybrid-Cloud environment to protect data. 

However, AD RMS is not the solution for all the Data security requirements. In an infrastructure, there is other things attached to data security. First step of the protection is to decide who have access to corporate network and resources. This fall under perimeter defense and Hardware/Software firewalls can use to define rules to manage traffic come in to corporate network and traffic goes out from corporate network. Modern Layer-7 Firewalls and Next Generation Firewalls allows not only to manage connections but go further on analysis traffic based on applications, user accounts (AD integrated). If users are allowed to use Internet, it also can bring threats to corporate data. It can be via viruses, malware, phishing emails etc. Similar threats can be eliminate using Layer 7 firewalls or Proxies. The next step on Data Protection is to controlled the data access for users and groups in the corporate network. This is done by using NTFS and Access Control Lists (ACLs). These helps to control who have access to what data and resources. The challenge is to protect data once users and groups have access to it. As an example, REBELADMIN Inc. does have Sales Department. CEO creates a word document which includes last year total sales and save it in a network folder. The only people have access to it is CEO and Sales Manager. He sent email to Sales Manager and inform about the file. Access to folder is protected by ACLs but ones Sales Manager have access to it, what will prevent him emailing it to a person in Technical Department or bring it home with him and share it with another party? Active Directory Right Management Service controls the behavior of data once users have access it. But this will not prevent data leakage via digital photographs, third-party screen capturing, hard copies or viruses and malware. 

AD RMS can,

Follow Data with Policies (Persistent Usage Rights and Conditions) –  NTFS permission and ACLs only can manage a data within its operation boundaries. In my previous example, when the report is inside the Sales folder it will only can access by CEO and Sales Manager. However, if its copied to local disk, forward as email it will bypass the NTFS permissions and ACLs. AD RMS uses Persistent usage policies which follows the data. Even its moved, forwarded, the policies will follow it. 

Prevent Confidential Emails going in to wrong hands – Emails is one of the media that commonly involves with data leakage. Constants news are coming on medias due to wrong peoples got access to “confidential” emails. Once email is left outgoing email folder, we do not have control over the data and we do not have guarantee if this is only access by the recipient and it’s not forwarded to another party that original sender not aware of. AD RMS can prevent recipient been forwarding, modifying, copying or printing confidential emails. It also guarantees, its only can open by the expected recipient.

Prevent Data been access by unauthorized peoples – Similar to emails, AD RMS can also protect confidential files, reports been modified, copied, forwarded or print by unauthorized users.

Prevent Users by capturing content using Windows Print Screen feature – Even users do not forward or copy method to send data they still can use print screen option to capture the data in another format. AD RMS can prevent users by using windows print screen tool to capture data. However, this not going to prevent users by using third-party screen capturing solutions. 

File Expiration – AD RMS allows to set time limit to files so after certain period of time, content of it will not be able to access. 

Protect Data on Mobile Devices and MAC – People uses mobile devices to access corporate services and data. AD RMS mobile extension allow to extend its data protection capabilities in to mobile devices which runs with Windows, Android or iOS. In order to do that, Device should have latest RMS clients and RMS aware apps installed as well. This also applies to MAC devices as long as it uses Office 2016 for MAC and RMS aware applications. 

Integration with Applications – AD RMS not only support Microsoft office files, its support wide range of applications and file types. As an example, AD RMS directly can integrate with Share Point (2007 onwards) to protect the documents published on intranet site. There are third party applications which support RMS too. It also supports file types such as .pdf, .jpg, .txt, .xml. This allow corporates to protects more and more data types in infrastructure. 

This marks the end of this blog post. In Part 02 I will be explaining the components of RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra lifecycle workflows Part 02 - How to synchronize value for employeeHireDate attribute from on-premises Active Directory ?

In my previous blog post, I explained how we can automate JML (Joiners/Movers/Leavers) process by…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Automate JML(Joiners/Movers/Leavers) process with Microsoft Entra lifecycle workflows

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Cyber SecurityMicrosoft DefenderMicrosoft Technologies

Microsoft Defender for Identity Part 02 – Create Directory Service Account

In Part 01 of Microsoft Defender for Identity blog series, I have explained about Microsoft Defender…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *