December 09, 2003

Protecting Sensitive Documents with Windows Rights Management Services

A little more than 2 months ago, I received my first introduction to Microsoft's new Windows Rights Management Services (RMS) for Windows Server 2003, one of the many out-of-band (OOB) updates the company planned for its latest Windows Server version. Microsoft describes Windows RMS as "information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use--both online and offline, inside and outside of the firewall," and that description is fairly accurate, if a bit sterile. In effect, Windows RMS provides an additional layer of security for sensitive documents and email whose distribution you'd like to limit in some way. Windows RMS is a premium service for all Windows 2003 versions. Every user who creates or views rights-protected content through an RMS server will need a Client Access License (CAL--which costs $29 to $37 per CAL), and if you're deploying the service in a large enterprise with numerous external users, you can purchase an external connector for $14,000 to $18,000. This connector provides unlimited access to the Windows RMS server without the need to purchase individual CALs for each external user.

About 2 years ago, Microsoft began talking to its enterprise and government customers about intellectual property theft, the fastest growing white-collar crime. You might be familiar with the Web site http://www.f#$%edcompany.com (replace the special characters with the appropriate letters to get the real URL), which has made a business out of publishing private internal memos from large companies. This information is precisely what most companies don't want publicized, and the amount of money that companies can lose to such theft is staggering, especially when large companies are in the middle of a complex merger and a malicious user steals and publishes legal documents or sales forecasts. With the click of a button, companies can lose their competitive advantage.

"We had this notion in our heads," Microsoft Security Business Unit Lead Product Manager Scott Hanan told me, "of a technology that was like [Digital Rights Management (DRM)], but not DRM. Enterprises have a lot of information they want to protect and a need for great levels of protection. Today, they take reasonable steps to protect that information. But once a recipient receives the information, you've lost control. Another problem is that while companies typically do have a formal document policy that defines what 'confidential' is, they overwhelmingly are unable to enforce it. This is the type of thing financial institutions put a huge amount of effort towards. How many times have you seen the 'please don't forward' text at the top of an email message or document? It's like an invitation to forward it."

In short, companies that work with sensitive data need a document usage policy that stays with the documents, defining how long recipients can read the document; whether the recipients can print it, forward it, edit it, extract its content, or save it in a nonprotected form; and what other tasks they can perform. The usage policy needs to be template-based so that companies can easily define custom policies, and it needs to be seamlessly integrated into the products the companies already use.

Responding to these needs, Microsoft worked up its Windows RMS technology, which it released early last month. Like many recent Microsoft products, Windows RMS comes with a host of requirements, most of which necessitate that your enterprise be fairly Microsoft-centric. For example, Windows RMS runs only on Windows 2003 and requires Microsoft SQL Server 2000 Service Pack 3 (SP3) or later (or SQL Server 2000 Desktop Engine SP3 or later). You must be running an Active Directory (AD)-based domain, and the Windows RMS servers must be running the Microsoft Message Queuing, Microsoft Internet Information Services (IIS) 6.0, and ASP.NET services. Supported clients--Windows 2003, Windows XP, Windows 2000 SP3, and Windows Me--must install the Windows Rights Management (RM) client, which you can deploy through Group Policy. And for enterprises looking to use this functionality in their custom applications, a set of Windows RM client software development kits (SDKs) is also available.

But Windows RMS is a platform-level service that any application can use to provide policy-based rights for any document types. Most documents support constructs such as "read only" and "print," and if you want to set permissions on application-specific tasks (such as graphics resizing in a graphics application), you can customize your policy templates so that "Company Confidential" (or similar name) is defined in one place and any RMS-enabled application can enforce the policy without you needing to create application-specific templates. You can also integrate Windows RMS into your own applications, and the poster child for that capability is, of course, Microsoft Office 2003, which includes a new Information Rights Management (IRM) feature in its Office Word 2003, Office Excel 2003, Office PowerPoint 2003, and Office Outlook 2003 applications. By using Windows RMS policies and these Office 2003 applications, you can control which users can open, copy, print, or forward email, Word documents, Excel spreadsheets, and PowerPoint presentations. Microsoft also ships a Rights Management Add-on for Internet Explorer that lets you share a protected Office document with users on previous Office versions. In the latest Word, Excel, and PowerPoint version, or in the Outlook 2003 New Mail window, IRM shows up as a Permission icon in the Standard toolbar; when you select this option, you can choose to restrict the permissions on the current document by using a simple UI to explicitly select the domain users and groups that can access the document, their exact permissions, and the expiration date of the document, if desired (after which point no one can read it).
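As an added illustration (my own constructed model, not the Windows RMS SDK or any Microsoft API), the following Python sketches the policy model the two paragraphs above describe: a template such as "Company Confidential" defined once, rights resolved through directory group membership, the owner keeping full control, and an expiration date after which no one can open the document. The user names, groups, template contents and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Rights the article lists for a usage policy (labels are my own).
RIGHTS = {"view", "print", "forward", "edit", "extract", "save_unprotected"}

# A template is defined once and maps each principal (user or directory
# group) to the rights it grants; any RMS-enabled app enforces it. Constructed.
TEMPLATES = {
    "Company Confidential": {
        "Legal": {"view", "print", "edit"},
        "Sales": {"view"},
    },
}

# Constructed group membership; in Windows RMS this comes from AD.
GROUPS = {"Legal": {"alice"}, "Sales": {"bob", "carol"}}

@dataclass
class ProtectedDoc:
    template: str
    owner: str
    expires: Optional[datetime] = None  # None: never expires

def effective_rights(doc: ProtectedDoc, user: str, now: datetime) -> set:
    """Rights `user` holds on `doc` at `now`; an empty set means no access."""
    if doc.expires is not None and now >= doc.expires:
        return set()  # expired: nobody can read it, owner included
    if user == doc.owner:
        return set(RIGHTS)  # the author keeps full control
    granted = set()
    for principal, rights in TEMPLATES[doc.template].items():
        if user == principal or user in GROUPS.get(principal, ()):
            granted |= rights
    return granted & RIGHTS

def check(doc: ProtectedDoc, user: str, action: str, now: datetime) -> bool:
    """What an RMS-enabled viewer asks before it prints, forwards, etc."""
    return action in effective_rights(doc, user, now)

# Constructed sample: a memo protected on 9 Dec 2003 that expires 1 Jan 2004.
MEMO = ProtectedDoc("Company Confidential", owner="dave",
                    expires=datetime(2004, 1, 1, tzinfo=timezone.utc))
T_LIVE = datetime(2003, 12, 9, tzinfo=timezone.utc)
T_EXPIRED = datetime(2004, 1, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check(MEMO, "alice", "print", T_LIVE), check(MEMO, "bob", "print", T_LIVE))
    print("owner after expiry:", check(MEMO, "dave", "view", T_EXPIRED))
```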

IRM and Windows RMS won't protect you against all digital theft. You can't prevent a worker from reading the contents of a protected document over the phone, for example, although I've joked that the next generation of Microsoft Smartphone software will eliminate that problem as well. And although the technology can prevent screen captures, certain applications that bypass Windows' standard screen-capture functionality have successfully captured shots of Windows RMS-protected windows. But Windows RMS is quite a bit better than nothing, and it should be able to thwart most casual document theft.

Next week, I'll explore the process of installing, configuring, and managing Windows RMS. In the meantime, drop me a note if you're interested in knowing whether this intriguing product includes a certain feature or functionality you'd find valuable. I'll try to address all these queries next week.

Links

Windows RMS
http://www.microsoft.com/downloads/details.aspx?familyid=be7fae0c-2db2-4f7f-8aa1-416fe1b04fb1&displaylang=en

Windows RM client
http://www.microsoft.com/downloads/details.aspx?familyid=3115a374-116d-4a6f-beb2-d6eb6fa66eec&displaylang=en

Windows RMS SDK
http://www.microsoft.com/downloads/details.aspx?familyid=2dfcafb9-3e7b-4f70-b6d3-aecc965cd598&displaylang=en

Windows RM client SDK
http://www.microsoft.com/downloads/details.aspx?familyid=863dadce-d648-4d50-9392-b4faca34a0a8&displaylang=en

Rights Management Add-on for Internet Explorer
http://www.microsoft.com/windows/ie/downloads/addon

Reader Comments
This is not a comment, rather a cry for help: I completely lost my Menu and Toolbar on MICROSOFT WORD. Efforts to retrieve them went in vain; I consulted a Microsoft Office book I have in order to rectify it, but to no avail. It is preventing me from doing my reports. Would you please help me?

Emmanuel N'Dow December 11, 2003


Hi,
I was actually looking out for the implementation procedure in my domain.
It would be of great help if you could provide me that.

Thanks,


Suresh Babu December 16, 2003


Good general information. I'm interested in 2 additional items: (1) are there any analysis reporting capabilities with IRM (or RMS) like to whom and how many times access to a document was granted, and (2) in granting rights to individuals and/or groups, is it also possible to grant read-only (or dated) rights to anonymous users? I haven't located any info on these 2 topics yet.

Ron Funk April 13, 2004


Can this technology be integrated with a commercial worldwide enterprise that is serving documents via the web? We are looking for an RMS technology that will manage licensing and usage of commercial documents to users buying via the internet. Users need only be authenticated once, but the restrictions (print, copy, forward, etc.) need to be enforced at all times.

Duane Boudreau April 23, 2004


re: Web Protection Question. The RMS technology can be used to protect documents being served by the web (provided an IIS server is used). The implementation is tricky, but Microsoft ISV partners sell affordable out-of-the-box solutions.

Doug Johnson June 15, 2004


Where can I find information about the External Connector (EC) deployment? I am looking for decent "How To" information, and if I only have a few external recipients, can I just use individual CALs or do I have to purchase the $18K EC?

Michael Pacheco July 06, 2004


How well does RMS integrate with SPS when it uses MS Search? The problem that I am trying to figure out is: when MS Search indexes the files, should they be decrypted? Do you know of solutions that can override this problem?

YuvalEldar December 01, 2004

