October 2008

Safeguard Sensitive Content with Information Rights Management

Use RMS and IRM access and usage restrictions to protect Office-created content

Executive Summary: Microsoft Rights Management Services (RMS) and Information Rights Management (IRM) technologies let users affix access and usage restrictions to Microsoft Office documents to prevent unauthorized distribution inside and outside an organization. Learn how RMS and IRM work, how to install and configure these features, and how end users can use them to protect valuable and sensitive information.

Organizations that lose sensitive customer data not only expose that data to identity thieves, fraudulent practices, and public access, but also expose themselves to catastrophe. Likely penalties include losing customers, diminished reputation and company goodwill, and hefty regulatory penalties and fines. Increasingly, organizations are turning to their IT departments to supply technical solutions to the data-protection problem. The good news is that if your organization uses Microsoft Office 2007 or Office 2003 and Windows Server 2008 or Windows Server 2003, you already have the technology you need to better secure content produced in Office applications at very little additional cost.

Active Directory Rights Management Services (AD RMS, or simply RMS; formerly called Windows Rights Management Services) and Information Rights Management (IRM) enable authorized administrators and users to embed access and usage permissions and restrictions in Office documents. Before granting access to protected content, RMS and IRM validate trusted computers and users and enforce usage restrictions, such as limiting document printing, copying, and forwarding. The restrictions are bound to the content and accompany it wherever it goes, both inside and outside the organization.

Before I explain how to install and configure an RMS server and show you how easy it is for end users to protect content and access protected content, let’s take a look inside RMS and IRM.

RMS and IRM
RMS is a web-based client/server infrastructure technology based on Windows Server and Active Directory (AD). It works by letting document authors designate access restrictions for files they create and extends access rights, such as Read, Edit, Print, Reply, and Forward, to authorized users. Those restrictions and rights govern the use of the document even outside your corporate firewall.

Learning Path

Windows IT Pro resources

To learn more about RMS:
“Behind the Scenes with RMS,” InstantDoc ID 48912
“Protecting Sensitive Documents with Windows Rights Management Services,” InstantDoc ID 41133
“Windows Rights Management Services,” InstantDoc ID 40951
“Microsoft Touts Windows Rights Management Technologies,” InstantDoc ID 38117

To learn more about IRM:
“Information Rights Management and You,” InstantDoc ID 38809

Microsoft resources

To download an RMS data sheet:
download.microsoft.com/download/6/d/0/6d0c8e76-65ef-4a13-9e8c-28a5caea482f/RMSDataSheet.doc

In addition to restricting access to files, RMS encrypts them. When an author sends a protected file to another user or posts the file to a shared folder, every user who wants to decrypt and access, or “consume,” the file must first obtain a use license from the author’s RMS server. Before allowing access, RMS checks that the end user’s application is a trusted application, that the user isn’t excluded from using RMS, and that the protected data hasn’t expired or been revoked.

RMS is built into Windows Vista, and it’s available as a role on Server 2008. There are differences between the Server 2008 and Windows 2003 RMS versions, with the former supporting federation and introducing a new administration interface, scriptable API, and numerous other small improvements. If you have Windows 2003 R2 Standard, Enterprise, or Datacenter Edition, RMS software is available as an optional Windows component. (You can download the most recent version of the software for Windows 2003 at www.microsoft.com/rms.) If you’re running Windows XP or Windows 2000 desktops, you’ll also need to download and install RMS SP2 Client. (I explain how to install the RMS client later.)

Applications (not the OS) are responsible for enforcing users’ rights. Office applications that support RMS out of the box include the XML Paper Specification viewer and Microsoft Word, Excel, PowerPoint, Outlook, and InfoPath. Several ISVs have also announced RMS product support.

To create rights-protected Office documents, you need at least Office Professional Plus 2007 or Office Professional Edition 2003. To access rights-protected documents, you must use Office Professional 2007, Office Standard 2007, or Office Standard Edition 2003.

IRM is the application-specific UI that lets users of RMS-aware applications protect content and work with protected content. Using the IRM GUI menu options and dialog boxes, content creators build RMS publishing licenses, which bind the access and usage policies to the protected content. Microsoft ships IRM in Office 2003 and later versions of Word, Excel, PowerPoint, Outlook, and InfoPath. Microsoft Office SharePoint Server 2007 (MOSS) also supports IRM, and the free, downloadable Rights Management Add-On (RMA) for Microsoft Internet Explorer (IE) lets users browse rights-protected websites and open protected Office documents in a limited fashion. Several third-party vendors extend IRM-like capabilities to their products that do not natively support IRM by shipping add-ons, plug-ins, or shims.

Installing and Configuring RMS
RMS requires Active Directory (AD), Windows Server 2003 or later (I recommend Server 2008), and a database server, preferably Microsoft SQL Server. Alternatively, you can use the Server 2008 Windows Internal Database, but that choice limits your RMS configuration options, as you’ll see.

You need to install RMS on a server. The first server in a forest on which you install RMS is called the certification server. For scalability and fault tolerance, you can install RMS on additional servers later to form a certification cluster. A certification server or cluster issues rights account certificates to every user who needs to be able to protect content or consume protected content. The certification server or cluster also issues client licensor certificates (which let users protect content) and use licenses (which let users consume protected content).
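The pieces described above (the rights account certificate and client licensor certificate the certification server issues, the publishing license IRM builds to bind rights to content, and the checks the server runs before handing out a use license) fit together as follows. This is an added example written for this article, not Microsoft's code or the XrML wire format: it is a stand-alone Python model in which HMAC-SHA256 stands in for the real signatures, a SHA-256 keystream stands in for RSA/AES, and the server's key pair is modelled as a single secret (`licensor_key`). The user names, application names and the sample document are constructed for the demonstration.

```python
"""Toy model of the AD RMS licensing flow (RAC, CLC, publishing license, use
license). Added example; HMAC-SHA256 and a SHA-256 keystream replace RSA/AES."""
import hashlib, hmac, json, os, time


def _xor_stream(key, data):
    """Toy cipher; one call both encrypts and decrypts. Not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _signed(key, body):
    return {**body, "sig": hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()}


def _check_sig(key, cert, what):
    body = {k: v for k, v in cert.items() if k != "sig"}
    if not hmac.compare_digest(cert["sig"], _signed(key, body)["sig"]):
        raise PermissionError(f"invalid {what} signature")


class RmsServer:
    """Certification server: issues RACs, CLCs and use licenses (single secrets stand in for key pairs)."""

    def __init__(self):
        self._signing_key = os.urandom(32)   # signs RACs and use licenses
        self.licensor_key = os.urandom(32)   # stands in for the server public key authors wrap content keys to
        self._account_keys, self._clc_keys = {}, {}  # RAC keys by (user, machine); CLC keys by user
        self.trusted_apps = {"word.exe", "outlook.exe"}
        self.excluded_users, self.revoked_content = set(), set()

    def issue_rac(self, user, machine):
        """RAC: ties a user on a given machine to a key the server can wrap content keys to."""
        key = self._account_keys[(user, machine)] = os.urandom(32)
        return _signed(self._signing_key, {"user": user, "machine": machine}), key

    def issue_clc(self, rac):
        """CLC: lets an author sign publishing licenses without contacting the server."""
        _check_sig(self._signing_key, rac, "RAC")
        key = self._clc_keys[rac["user"]] = os.urandom(32)
        return {"user": rac["user"], "key": key}

    def request_use_license(self, rac, pl, app):
        """Run the checks the article lists before releasing the content key."""
        _check_sig(self._signing_key, rac, "RAC")
        if app not in self.trusted_apps:
            raise PermissionError("untrusted application")
        if rac["user"] in self.excluded_users:
            raise PermissionError("user excluded")
        _check_sig(self._clc_keys.get(pl["author"], b""), pl, "publishing license")
        if pl["content_id"] in self.revoked_content:
            raise PermissionError("content revoked")
        if pl["expires"] < time.time():
            raise PermissionError("content expired")
        rights = pl["rights"].get(rac["user"])
        if not rights:
            raise PermissionError("no rights granted")
        content_key = _xor_stream(self.licensor_key, bytes.fromhex(pl["wrapped_key"]))
        wrapped = _xor_stream(self._account_keys[(rac["user"], rac["machine"])], content_key)
        return _signed(self._signing_key, {"user": rac["user"], "content_id": pl["content_id"],
                                           "rights": rights, "wrapped_key": wrapped.hex()})


def protect(server, clc, plaintext, rights, expires):
    """Author side: encrypt once, then bind rights and expiry in a signed publishing license."""
    content_key = os.urandom(32)
    pl = _signed(clc["key"], {"author": clc["user"], "content_id": os.urandom(8).hex(),
                              "rights": rights, "expires": expires,
                              "wrapped_key": _xor_stream(server.licensor_key, content_key).hex()})
    return {"pl": pl, "ciphertext": _xor_stream(content_key, plaintext)}


def consume(server, rac, rac_key, doc, app, action):
    """Consumer side: obtain a use license; the application, not the OS, enforces the rights."""
    ul = server.request_use_license(rac, doc["pl"], app)
    if action not in ul["rights"]:
        raise PermissionError(f"{action} not granted")
    content_key = _xor_stream(rac_key, bytes.fromhex(ul["wrapped_key"]))
    return _xor_stream(content_key, doc["ciphertext"])


def demo():
    """Walk the flow as bob; returns the plaintext or the refusal for each constructed scenario."""
    server = RmsServer()
    alice_rac, _ = server.issue_rac("alice", "pc1")
    bob_rac, bob_key = server.issue_rac("bob", "pc2")
    clc = server.issue_clc(alice_rac)
    doc = protect(server, clc, b"Q3 forecast: confidential", {"bob": ["view"]}, time.time() + 3600)
    stale = protect(server, clc, b"old draft", {"bob": ["view"]}, time.time() - 1)
    tampered = {"pl": {**doc["pl"], "rights": {"bob": ["view", "print"]}}, "ciphertext": doc["ciphertext"]}
    out = {}
    def attempt(name, d=doc, app="word.exe", action="view"):
        try:
            out[name] = consume(server, bob_rac, bob_key, d, app, action)
        except PermissionError as exc:
            out[name] = str(exc)
    attempt("view")
    attempt("print", action="print")                 # right not in the use license
    attempt("tampered", d=tampered, action="print")  # editing the publishing license breaks its signature
    attempt("untrusted_app", app="hacked.exe")
    attempt("expired", d=stale)
    server.revoked_content.add(doc["pl"]["content_id"]); attempt("revoked")
    server.excluded_users.add("bob"); attempt("excluded")
    return out
```

Two points worth noticing in the model. The author never sends the server the document: the publishing license carries the content key wrapped to the server's key, so the server can issue a use license (re-wrapping that key to the consumer's RAC key) without ever seeing the plaintext. And the server only decides whether a user gets a key and which rights accompany it; once the consumer holds the content key, refusing to print is the application's job, which is why RMS depends on the trusted-application check and why a non-RMS-aware application cannot open protected files at all.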

To install RMS on Server 2008, launch Server Manager and click Roles in the lefthand pane. In the Roles view action area, click Add Roles to launch the Add Roles Wizard. In the wizard’s Server Roles step, select Active Directory Rights Management Services; the wizard will display a dialog box containing details of the roles and features that will be installed to support RMS, such as Microsoft IIS and the .NET Framework. Click Add Required Role Services to close the dialog box, then click Next to step through the wizard.

When asked whether you want to install support for federation, you can leave the check box cleared unless you have a specific need for federation. Next, the wizard asks whether you want to create a new AD RMS cluster or join an existing cluster. Because you’re installing your first RMS server, accept the default option—Create a new AD RMS cluster—and click Next.

The wizard will ask whether to use the Windows Internal Database or a different database server. If you use Windows Internal Database, you can’t create a cluster later by adding more servers. To use an external database, select Use a different database server, then click Select to browse the available computers and select one on which SQL Server is installed. If multiple instances of SQL Server are installed, you must also select the instance you want to use.

In the next screen, click Specify, then enter the username and password of the domain user account under which RMS will run. The wizard will ask how you want to configure key management. The default option—to store keys centrally—is acceptable for most enterprises. You’ll also be asked for a passphrase to protect the keys.

You’ll need to specify the website on which to install RMS. I recommend that you use the default website. I also recommend that no other web-based service be installed alongside RMS on the same website, as there are known conflicts with some such services, such as Windows SharePoint Services.

Continued on page 2


Windows IT Pro is a division of Penton Media Inc. Copyright © 2009 Penton Media, Inc. All rights reserved.