
Lockboxes

[The AD RMS SDK leveraging functionality exposed by the client in Msdrm.dll is available for use in Windows Server 2008, Windows Vista, Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8. It may be altered or unavailable in subsequent versions. Instead, use Active Directory Rights Management Services SDK 2.0, which leverages functionality exposed by the client in Msipc.dll.]

A lockbox is a dynamic link library (DLL) that can be used to increase the security of the environment in which an Active Directory Rights Management Services (AD RMS) application runs. The lockbox verifies all licenses and certificates used by the application and, for AD RMS clients, protects the process space by limiting access to required and optional modules identified in the application manifest. To create a secure environment, you can call DRMInitEnvironment and specify the lockbox path, the signed manifest, and the machine certificate.

Four lockboxes are installed with AD RMS. You can call DRMGetSecurityProvider to retrieve the path of the appropriate DLL for your certificate hierarchy (Production or Pre-production) and your operating system type (server or client).

| Lockbox DLL | Description |
|---|---|
| Secproc_isv.dll | Client lockbox for the Pre-production hierarchy. |
| Secproc.dll | Client lockbox for the Production hierarchy. |
| Secproc_ssp_isv.dll | Server lockbox for the Pre-production hierarchy. |
| Secproc_ssp.dll | Server lockbox for the Production hierarchy. |
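The two-step procedure described above (look up the lockbox with DRMGetSecurityProvider, then build the secure environment with DRMInitEnvironment) as an added example in C# calling Msdrm.dll through P/Invoke. This is not code from the original page or from the AD RMS SDK. The P/Invoke signatures are transcribed from msdrm.h as the editor understands them and must be checked against the SDK header you build against; the enumeration and flag values, the manifest path, and the machine certificate string (which the caller is assumed to have retrieved already, for example through the SDK's license enumeration calls) are all assumptions of this example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

// P/Invoke surface for the Msdrm.dll calls discussed in the text.
// ASSUMPTION: parameter lists are transcribed from msdrm.h as the editor
// recalls them; verify them against the SDK header before relying on them.
static class Msdrm
{
    public const uint DRMSECURITYPROVIDERTYPE_SOFTWARESECREP = 0; // software lockbox type
    public const uint DRMSPECTYPE_FILENAME = 1;                    // wszSecurityProvider is a file path
    public const uint DRM_SECURITY_PROVIDER_PRIVATE = 0;           // look up the client lockbox

    [DllImport("msdrm.dll", CharSet = CharSet.Unicode)]
    public static extern int DRMGetSecurityProvider(
        uint uFlags,
        ref uint puTypeLen, StringBuilder wszType,
        ref uint puPathLen, StringBuilder wszPath);

    [DllImport("msdrm.dll", CharSet = CharSet.Unicode)]
    public static extern int DRMInitEnvironment(
        uint eSecurityProviderType,
        uint eSpecification,
        string wszSecurityProvider,     // lockbox DLL path
        string wszManifestCredentials,  // signed application manifest (XrML text)
        string wszMachineCredentials,   // machine certificate (XrML text)
        out uint phEnv,
        out uint phDefaultLibrary);

    [DllImport("msdrm.dll")]
    public static extern int DRMCloseHandle(uint hHandle);

    [DllImport("msdrm.dll")]
    public static extern int DRMCloseEnvironmentHandle(uint hEnv);
}

// Wraps one secure environment so the handles are always released.
sealed class SecureEnvironment : IDisposable
{
    public uint Env { get; private set; }
    public uint DefaultLibrary { get; private set; }
    public string LockboxPath { get; private set; }

    // Two-call pattern: the first call reports the buffer sizes (in characters,
    // including the terminator), the second fills the type and path buffers.
    public static string GetLockboxPath(uint flags)
    {
        uint typeLen = 0, pathLen = 0;
        Marshal.ThrowExceptionForHR(
            Msdrm.DRMGetSecurityProvider(flags, ref typeLen, null, ref pathLen, null));
        var type = new StringBuilder((int)typeLen);
        var path = new StringBuilder((int)pathLen);
        Marshal.ThrowExceptionForHR(
            Msdrm.DRMGetSecurityProvider(flags, ref typeLen, type, ref pathLen, path));
        return path.ToString();
    }

    // manifestPath: the signed manifest for this executable (ASSUMPTION: the caller
    // has generated and signed one). machineCertificate: XrML machine certificate the
    // caller already retrieved (ASSUMPTION: obtained elsewhere; not shown here).
    public SecureEnvironment(string manifestPath, string machineCertificate)
    {
        LockboxPath = GetLockboxPath(Msdrm.DRM_SECURITY_PROVIDER_PRIVATE);
        string manifest = File.ReadAllText(manifestPath);

        uint env, lib;
        int hr = Msdrm.DRMInitEnvironment(
            Msdrm.DRMSECURITYPROVIDERTYPE_SOFTWARESECREP,
            Msdrm.DRMSPECTYPE_FILENAME,
            LockboxPath, manifest, machineCertificate,
            out env, out lib);
        // A failure here is the lockbox refusing the process: with a client lockbox
        // that usually means the executable or an immediate caller into Msdrm.dll is
        // not named in the manifest, or the manifest signature did not verify.
        Marshal.ThrowExceptionForHR(hr);
        Env = env;
        DefaultLibrary = lib;
    }

    public void Dispose()
    {
        if (DefaultLibrary != 0) { Msdrm.DRMCloseHandle(DefaultLibrary); DefaultLibrary = 0; }
        if (Env != 0) { Msdrm.DRMCloseEnvironmentHandle(Env); Env = 0; }
    }
}

static class Program
{
    // Usage: app.exe <signed-manifest.xml> <machine-certificate.xml>
    // (both files supplied by the caller; the paths are placeholders.)
    static void Main(string[] args)
    {
        string machineCert = File.ReadAllText(args[1]);
        using (var env = new SecureEnvironment(args[0], machineCert))
        {
            Console.WriteLine("Lockbox in use: " + env.LockboxPath);
            Console.WriteLine("Environment handle: " + env.Env);
        }
    }
}
```

The path returned by DRMGetSecurityProvider is one of the four DLLs in the table above, so logging it at startup is a cheap way to confirm that a deployed build is bound to the hierarchy (Production or Pre-production) you intended. The flag that selects the server lockbox and the exact set of modules a manifest must name for a managed host are not stated on this page; check both against the SDK documentation rather than assuming the values in this example.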


Use a client lockbox for applications running on a client. Use a server lockbox for applications running on an AD RMS server that both publish and consume protected content. If your server-based application publishes but does not consume protected content, you can use the SOAP APIs included with the SDK rather than a lockbox. The following table identifies the features associated with each type of lockbox and with the SOAP APIs.

| Feature | Server lockbox | Client lockbox | SOAP APIs (no lockbox) |
|---|---|---|---|
| Availability | RMS client 1.0 SP2; Windows Vista; Windows Server 2008 | RMS client 1.0 SP2; Windows Vista; Windows Server 2008 | RMS client 1.0 SP2; Windows Vista; Windows Server 2008 |
| Supported RMS server versions | RMS client 1.0 SP2 and later. | All. | All. |
| Common scenarios | Server applications that publish, consume, or process RMS-protected content. For example, a virus scanner, an email server that filters out spam, a document library or archival tool, a workflow engine, or a web portal. | Client applications that publish and consume protected content. | Server applications that need to publish RMS-protected content but that cannot use the server lockbox due to technical reasons. |
| Supports publishing RMS-protected content | Yes. | Yes. | Yes. |
| Supports consuming RMS-protected content | Yes. | Yes. | No. |
| Machine activation | Occurs locally. | Occurs locally. | Not supported. |
| Executable file name must be listed in manifest | No. | Yes. | Manifests are not required. |
| Immediate callers into Msdrm.dll must be named in manifest | No. | Yes. | Manifests are not required. |
| Executable must be in native code | No. | No. | No. |
| Supported on virtual servers | Yes. | Yes. | No. |
| Supports multithreaded applications | Yes. | No. | Yes. |

Related topics

AD RMS Concepts


© 2014 Microsoft