Windows IT Pro, October 2008

Safeguard Sensitive Content with Information Rights Management

Use RMS and IRM access and usage restrictions to protect Office-created content

In subsequent steps, you'll enter the internal web address by which the RMS server will be known and specify whether to use Secure Sockets Layer (SSL) to protect RMS. To specify the internal web address, you should use a Fully Qualified Domain Name (FQDN); otherwise, you won't be able to add servers later to create a cluster. The best practice is to use a DNS alias (an A record) that resolves to the same IP address as the RMS server and website, so that the cluster name is independent of any one host name. For the SSL option, I recommend that you choose to use SSL; if you plan to support federation later, you must select SSL now. If you accept the default to use SSL and you don't have IIS installed or websites configured for SSL, the wizard prompts you to either choose an existing SSL certificate, create a self-signed certificate, or install one manually later. If you opt to install an SSL certificate later, you won't be able to easily configure RMS. You can always use the IIS administration tool to request a different certificate later. Don't rely on the self-signed certificate beyond a lab: clients need a certificate they trust whose subject name matches the cluster FQDN, not the host name.

Next, you'll specify a name for your RMS installation and specify whether you want to register RMS in a serviceConnectionPoint (SCP) object in AD. If you don't, you'll have to configure registry overrides on users' computers before they can use IRM. I cover SCP registration and registry overrides later.

If you haven't installed IIS or haven't configured it to support RMS, the wizard will show you what will be installed or configured. You shouldn't have to make any changes. If you're happy with your selections when the wizard lists them for your review, simply click Install to proceed. You'll need to restart your server to make RMS available for use. Afterward, you can view your RMS configuration details in the Server Manager administration console, as Figure 1 shows. If you use SSL and the RMS server's internal address isn't the same as the host name, the console shows a certificate error because the certificate was issued to the host name rather than the cluster address. The console warning itself is harmless, but the same name mismatch will affect clients, so plan to replace the certificate with one issued to the cluster FQDN.

Installing and Using IRM
The RMS client is built into Vista and doesn't need to be installed; as long as you publish the SCP in AD when you set up RMS, no further configuration is required. For XP and Win2K systems, you need to download the RMS client from www.microsoft.com/rms. To distribute the package, you can use Microsoft Systems Management Server, System Center Configuration Manager, a third-party software distribution tool, or Group Policy. If you use Windows Server Update Services or Microsoft System Center Essentials, you can distribute the RMS client as an update. If you didn't publish the SCP in AD, you need to set each client machine's HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing registry subkey to the value http://internal address/_wmcs/Licensing, where internal address is the URL of the RMS server specified during installation. If you're using SSL, substitute https for http.

Users typically won’t need to take any special steps to begin using IRM. Office applications will automatically detect the RMS client, and the first time a user protects a document or email message or attempts to consume a protected document or message, the IRM features will be available in the GUI. As long as the client and user are validated, the user is issued every license and certificate necessary to protect content or access protected content. Figure 2 shows a protected email message and Word document and their respective IRM buttons.

When a user's client initially connects to the RMS server, the user is prompted for credentials if the server's internal address isn't in IE's Local intranet zone or in another zone that's configured to automatically send credentials when they're required. To avoid the prompt, either the user can manually add the internal address to the Local intranet zone or you can configure all your users' IE zone settings through Group Policy.
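The two client-side settings just described, the EnterprisePublishing override for machines that can't find the SCP and the Local intranet zone entry that stops the credential prompt, can be scripted for a pilot machine or wrapped in a startup script. The following PowerShell is an added example, not code from the article or from Microsoft; the cluster name rms.contoso.com and the choice of SSL are placeholders for your own installation, and the Activation key it also writes is the companion entry from Microsoft's documented override set rather than something the article covers. Run it elevated, since it writes under HKLM.

```powershell
# Added example: provision an RMS client that cannot locate the SCP in AD.
# Assumed values: cluster FQDN rms.contoso.com and SSL in use (placeholders).
param(
    [string]$RmsFqdn = 'rms.contoso.com',
    [bool]$UseSsl = $true
)

# The article's cluster advice (use an FQDN) applies to the override too;
# a bare host name fails as soon as a client is off the local DNS suffix.
if ($RmsFqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "RmsFqdn '$RmsFqdn' is not a fully qualified domain name"
}

$scheme = if ($UseSsl) { 'https' } else { 'http' }
$base   = "$scheme://$RmsFqdn"

# Each ServiceLocation subkey carries its URL in the key's (Default) value.
$svcLoc = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
$overrides = @{
    'EnterprisePublishing' = "$base/_wmcs/Licensing"      # the override the article names
    'Activation'           = "$base/_wmcs/Certification"  # companion key; assumption, not from the article
}
foreach ($key in $overrides.Keys) {
    $path = Join-Path $svcLoc $key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name '(default)' -Value $overrides[$key]
}

# IE zone map: Domains\<domain>\<host> with a DWORD named after the scheme,
# data 1 = Local intranet, so integrated credentials are sent without a prompt.
$labels    = $RmsFqdn.Split('.')
$hostLabel = $labels[0]
$domain    = ($labels[1..($labels.Length - 1)]) -join '.'
$zoneKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
Set-ItemProperty -Path $zoneKey -Name $scheme -Value 1 -Type DWord

# Read everything back so the run leaves an auditable record.
foreach ($key in $overrides.Keys) {
    $value = (Get-ItemProperty -Path (Join-Path $svcLoc $key)).'(default)'
    Write-Output ('{0,-22} {1}' -f $key, $value)
}
$zone = (Get-ItemProperty -Path $zoneKey).$scheme
Write-Output "IE zone for $base : $zone (1 = Local intranet)"
```

For a fleet, the zone entry belongs in the Site to Zone Assignment List Group Policy setting rather than a per-user HKCU write, and on 64-bit Windows running 32-bit Office the same MSDRM override must also be written under the Wow6432Node branch, because that is the view the 32-bit RMS client reads.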

To protect and send an Outlook email message, you can simply click Permission on the message’s toolbar and click Send. Recipients are automatically granted the rights to read and reply to the message, but not to forward or print it. You can also create and use templates to grant more rights or further restrict rights. To protect content created by other Office applications, you click the Protect Document button on the Review tab, then select Restricted Access to open the Permission dialog box shown in Figure 3. Select the Restrict permission to this document check box to make the dialog box’s options available, and enter the names of users who will have Read and Change rights. If you have Microsoft Exchange Server 2007 or 2003 in your environment, clicking the Read or Change button will make the Select Names dialog box appear. In an Exchange 2007 or 2003 shop, you can grant rights to user groups and mail-enabled universal security groups and enter user and group names directly into the fields alongside the Read and Change buttons.

If you aren’t using Exchange 2007 or Exchange 2003, you can specify users and groups by email address. To give users outside your organization rights to content, you’ll have to use email addresses and configure RMS for external collaboration.

To change or add permissions, click More Options in the Permission window to see the dialog box in Figure 4. The expiration option lets you specify a date after which users can’t open the protected document regardless of their permissions. The author can still open the protected document and can remove permissions or extend the expiration date.

With that basic understanding of how to use IRM, let’s look at how to create and use templates to avoid mistakes when configuring content protections.

Creating and Using Templates
If your users repeatedly grant certain recipients the same rights to content, you can use templates to simplify the process. You create and store the templates on the RMS server, then distribute them to users, either individually or in a file share. (The latter option is practical for mobile users only when combined with offline folders.)

Templates are created as XML files. To create a template, open the RMS role in Server Manager, expand a server node, and select the Rights Policy Templates node to open the Distributed Rights Policy Templates window, shown in Figure 5. Set the template-storage location by clicking Change distributed rights policy templates file location at the bottom of the center pane. Select Enable export in the Rights Policy Templates dialog box and enter the UNC path of a folder to which the RMS service account has change permissions, as Figure 6 shows. Click OK, then make sure that the service account has both NTFS and share-level permissions. Next, click the Create distributed rights policy template link in the right-hand pane.

Actually creating the template is a five-step process.

1. For each language you use, specify the template name and a description.

2. Specify users and groups and the rights you want to grant to each.

3. If you want content to expire, specify an expiration interval. You can also force users to obtain a new use license at a specified interval. Designating end-user license expiration dates is useful in conjunction with exclusion, an advanced feature used to deny access to protected content.

4. Configure whether users can view protected content using the Rights Management Add-on (RMA) for Internet Explorer and whether they must obtain a new use license every time they open protected content.

5. Configure revocation lists. An advanced feature that isn’t commonly used, revocation lets you revoke rights-protection components. For example, you can use revocation to prevent users who were erroneously granted access rights from opening a document that’s already been distributed.

For Office to be able to access templates, you need to add the HKEY_CURRENT_USER\Software\Microsoft\Office\version\Common\DRM\AdminTemplatePath registry setting to each user's computer, where version is 12.0 for Office 2007 and 11.0 for Office 2003. To modify the registry for multiple users, you can download and use the Office 2007 administrative templates and Group Policy. After you configure the template path, Office applications import the templates and display them under the Protect Document menu option, as in Figure 7.
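Two things go wrong most often with distributed templates: the export folder isn't actually writable by the RMS service account (the NTFS and share-level check from the template-location step), and the client's AdminTemplatePath points at a share the user can't read, which leaves the Protect Document menu empty with no error. The script below is an added example, not code from the article or from Microsoft. It contains one function for the server side and one for the client side; the service account CONTOSO\svc-adrms and the share \\fs01\rmstemplates are assumed names.

```powershell
# Added example: verify the template export folder (run on the RMS server) and
# point Office 2007/2003 at the template share (run on each client).
# Assumed names: CONTOSO\svc-adrms and \\fs01\rmstemplates (placeholders).

function Test-TemplateExportAcl {
    param(
        [string]$Folder = '\\fs01\rmstemplates',
        [string]$ServiceAccount = 'CONTOSO\svc-adrms'
    )
    # "Change" in the wizard's terms means NTFS Modify (or Full Control).
    # Only direct grants are inspected here; a grant via group membership
    # will not show up, so check groups separately if this reports failure.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules  = (Get-Acl -Path $Folder).Access |
              Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
    $deny   = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    $allow  = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    if ($deny)       { Write-Warning "Explicit Deny on $Folder for $ServiceAccount" }
    if (-not $allow) {
        Write-Warning "$ServiceAccount lacks NTFS Modify on $Folder; template export will fail."
        return $false
    }
    # The share-level ACL must grant Change as well; confirm it in the
    # share's properties, since Get-Acl only reports the NTFS side.
    return $true
}

function Set-OfficeTemplatePath {
    param(
        [string]$SharePath = '\\fs01\rmstemplates',
        [string[]]$OfficeVersions = @('12.0', '11.0')   # 12.0 = Office 2007, 11.0 = Office 2003
    )
    # Office silently shows no templates if it cannot read the path, so test
    # reachability and contents as the logged-on user before writing anything.
    if (-not (Test-Path -Path $SharePath)) {
        throw "Template share $SharePath is not reachable as the current user"
    }
    $templates = @(Get-ChildItem -Path $SharePath -Filter '*.xml' -ErrorAction Stop)
    if ($templates.Count -eq 0) {
        Write-Warning "No template XML files in $SharePath; has export run on the RMS server?"
    }

    $configured = @()
    foreach ($ver in $OfficeVersions) {
        # Only configure versions that are actually installed for this user.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }
        $key = "HKCU:\Software\Microsoft\Office\$ver\Common\DRM"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'AdminTemplatePath' -Value $SharePath -Type String
        $configured += $ver
    }

    # Return a record for the deployment log rather than just printing.
    [pscustomobject]@{
        SharePath       = $SharePath
        OfficeVersions  = $configured
        TemplateCount   = $templates.Count
        TemplateNames   = @($templates | ForEach-Object { $_.BaseName })
    }
}

# Client-side usage: configure and show what was found.
Set-OfficeTemplatePath
```

For production the AdminTemplatePath value should come from the Office administrative template in Group Policy, as the article says; the function is useful for a pilot workstation and for confirming, as the user, that the share really is readable before blaming RMS.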

Real Data Protection
IRM and RMS take Office applications in a powerful new direction to help you prevent accidental data loss and intentional but inappropriate disclosure of sensitive organizational information. Once you’ve set up RMS, IRM lets users easily protect sensitive Word documents, Excel spreadsheets, PowerPoint presentations, Outlook emails, and InfoPath forms. If you also consider how user-friendly IRM is, it can be a good security solution for organizations of all sizes.

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement