Enrollment. During the enrollment step, the RMS server creates and populates the databases that it will use, configures the Web services that it will offer, generates an RMS server licensor certificate request, and contacts the Microsoft Enrollment Service to obtain a signed certificate. If an error occurs during enrollment, use the provided error message to determine the cause, then click Back to return to the configuration step and correct the information that led to the error. Run IISRESET from the command line to clear any state information preserved on the RMS Web site (be forewarned that this action will also stop and restart any other Web sites that you're running). Click Submit again to retry enrollment. Unless you have to correct errors, this step doesn't involve any direct interaction on your part.
After you've successfully provisioned your RMS certification server, you can choose from three options: Administer RMS on this Web site, Change RMS service account, and Remove RMS from this Web site. The first option takes you to the primary RMS Administration page, from which you can administer and further configure RMS. After you've provisioned the RMS server, log on as a member of the Enterprise Admins group, access the RMS Administration page, click RMS service connection point, then click Register URL to publish the serviceConnectionPoint object in AD.
RMS Client Systems
Before users can produce or work with rights-protected content, you must install and activate the RMS client component on the users' systems. The client component consists of DLLs and a command-line tool that administrators can use to activate and test RMS. The RMS client software comes in the form of an .msi file that you can download and distribute by using Group Policy Objects (GPOs), Microsoft Systems Management Server (SMS), or some other distribution tool.
After you install the client software, you must activate the clients. The activation process takes place at the end of the installation process or in response to the first RMS operation that a user attempts to perform. During activation, the client system contacts the RMS certification server (or cluster) to request an RMS lockbox. The lockbox is a 400KB DLL, called secrep.dll, that's unique to each client. The RMS certification server proxies the request to the Microsoft-hosted activation server, which generates the lockbox. (See the sidebar "Enrollment and Activation Services" for more information about the activation service.) The RMS certification server returns the lockbox to the client, which installs the DLL in %systemroot%\system32.
Microsoft chose to have client systems obtain their lockbox through the RMS certification server because many enterprise client systems don't have Internet access. If your organization does permit client systems access to the Internet and you're concerned about performance or bandwidth, you can use registry overrides to point the client directly to the activation service. For full details of this process, see the RMS Server Deployment Guide.
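Two post-deployment checks that follow from the steps above, written as an added PowerShell example (not code from the article or from Microsoft's RMS tooling): one reads the serviceConnectionPoint that Register URL publishes in AD, the other confirms that activation delivered a signed lockbox to %systemroot%\system32. The SCP distinguished name under CN=RightsManagementServices,CN=Services in the configuration partition is an assumption (it is the AD RMS location; confirm it for your RMS version), as is the serviceBindingInformation attribute holding the certification URL.

```powershell
# Added example, not part of the original article. Assumptions: SCP path below and the
# serviceBindingInformation attribute; lockbox file name secrep.dll as the article states.

function Get-RmsServiceConnectionPoint {
    # Returns the certification URL(s) stored on the RMS SCP, or $null if it is not published.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"   # assumed DN
    try {
        $scp = [ADSI]$scpPath
        $null = $scp.distinguishedName          # forces the bind; throws if the object is absent
        return @($scp.serviceBindingInformation)
    } catch {
        return $null
    }
}

function Test-RmsClientLockbox {
    # Reports whether the lockbox DLL is present and carries a valid Authenticode signature.
    # Missing: the client never activated. Present but unsigned/invalid: treat as tampered.
    param([string]$Path = (Join-Path $env:SystemRoot 'system32\secrep.dll'))
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Present = $false; Signed = $false; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Present = $true
        Signed  = ($sig.Status -eq 'Valid')
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage on a domain-joined client after enrollment and activation:
$scp = Get-RmsServiceConnectionPoint
if ($scp) { "RMS certification URL(s) published in AD: $($scp -join ', ')" }
else      { "No RMS service connection point found; run Register URL on the RMS Administration page." }
Test-RmsClientLockbox | Format-List
```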
How users leverage RMS will depend largely on which applications they use. Office 2003's RMS-aware applications (Microsoft Excel, Outlook, PowerPoint, and Word) simplify the process of protecting an email message or document. Each application's toolbar includes an RMS icon, such as the ones that Figure 2 and Figure 3 show. Clicking the RMS icon in Outlook when you create a message prevents recipients from copying, printing, or forwarding the message. Clicking the icon when in a Word, Excel, or PowerPoint file launches a dialog box in which you can specify the usage rights for the file's content.
All Office applications also let the content creator apply predefined rights-policy templates that you can create on an RMS server to define specific sets of usage rights. You can store these templates centrally or use distribution software or scripts to push them to users' desktops. (The Office 2003 resource kit describes the registry settings that direct applications to the templates' location; you can use the RMS Tool Kit utilities, which are available at http://www.microsoft.com/rms, to set the values.) The content creator can use the Office 2003 applications' File, Permissions menu option to select a template. The applications also let the creator distribute rights-protected content in such a way that users of earlier Office versions (i.e., Office XP, Office 2000, and Office 97) can use RMA to view the content.
Exploring RMS
After you have RMS running, you can explore many of the features that are beyond the scope of this article: recovery agents; revocation of users, applications, and publishing and use licenses; and RMS's extensive logging capabilities. RMS is surprisingly flexible, and you can use the RMS client and server SDKs to build your own RMS-aware applications and Web-based portal services. For more information about these features, visit the Microsoft Windows Rights Management Services page (http://www.microsoft.com/rm). For more information about XrML, visit http://www.xrml.org.
Ays March 15, 2004