|Executive Summary: Microsoft Rights Management Services (RMS) and Information Rights Management (IRM) technologies let users affix access and usage restrictions to Microsoft Office documents to prevent unauthorized distribution inside and outside an organization. Learn how RMS and IRM work, how to install and configure these features, and how end users can use them to protect valuable and sensitive information.|
Organizations that lose sensitive customer data not only expose that data to identity thieves, fraudulent practices, and public access, but also expose themselves to catastrophe. Likely penalties include losing customers, diminished reputation and company goodwill, and hefty regulatory penalties and fines. Increasingly, organizations are turning to their IT departments to supply technical solutions to the data-protection problem. The good news is that if your organization uses Microsoft Office 2007 or Office 2003 and Windows Server 2008 or Windows Server 2003, you already have the technology you need to better secure content produced in Office applications at very little additional cost.
Active Directory Rights Management Services (AD RMS, or simply RMS; formerly called Windows Rights Management Services) and Information Rights Management (IRM) enable authorized administrators and users to embed access and usage permissions and restrictions in Office documents. Before granting access to protected content, RMS and IRM validate trusted computers and users and enforce usage restrictions, such as limiting document printing, copying, and forwarding. The restrictions are bound to the content and accompany it wherever it goes, both inside and outside the organization.
Before I explain how to install and configure an RMS server and show you how easy it is for end users to protect content and access protected content, let’s take a look inside RMS and IRM.
RMS and IRM
RMS is a web-based client/server infrastructure technology based on Windows Server and Active Directory (AD). It works by letting document authors designate access restrictions for files they create and extends access rights, such as Read, Edit, Print, Reply, and Forward, to authorized users. Those restrictions and rights govern the use of the document even outside your corporate firewall.
In addition to restricting access to files, RMS encrypts them. When an author sends a protected file to another user or posts the file to a shared folder, every user who wants to decrypt and access, or “consume,” the file must first obtain a use license from the author’s RMS server. Before allowing access, RMS checks that the end user’s application is a trusted application, that the user isn’t excluded from using RMS, and that the protected data hasn’t expired or been revoked.
RMS is built into Windows Vista, and it’s available as a role on Server 2008. There are differences between the Server 2008 and Windows 2003 RMS versions, with the former supporting federation and introducing a new administration interface, scriptable API, and numerous other small improvements. If you have Windows 2003 R2 Standard, Enterprise, or Datacenter Edition, RMS software is available as an optional Windows component. (You can download the most recent version of the software for Windows 2003 at www.microsoft.com/rms.) If you’re running Windows XP or Windows 2000 desktops, you’ll also need to download and install RMS SP2 Client. (I explain how to install the RMS client later.)
Applications (not the OS) are responsible for enforcing users’ rights. Office applications that support RMS out of the box include the XML Paper Specification viewer and Microsoft Word, Excel, PowerPoint, Outlook, and InfoPath. Several ISVs have also announced RMS product support.
To create rights-protected Office documents, you need at least Office Professional Plus 2007 or Office Professional Edition 2003. To access rights-protected documents, you must use Office Professional 2007, Office Standard 2007, or Office Standard Edition 2003.
IRM is the application-specific UI that lets users of RMS-aware applications protect content and work with protected content. Using the IRM GUI menu options and dialog boxes, content creators build RMS publishing licenses, which bind the access and usage policies to the protected content. Microsoft ships IRM in Office 2003 and later versions of Word, Excel, PowerPoint, Outlook, and InfoPath. Microsoft Office SharePoint Server 2007 (MOSS) also supports IRM, and the free, downloadable Rights Management Add-On (RMA) for Microsoft Internet Explorer (IE) lets users browse rights-protected websites and open protected Office documents in a limited fashion. Several third-party vendors extend IRM-like capabilities to their products that do not natively support IRM by shipping add-ons, plug-ins, or shims.
Installing and Configuring RMS
RMS requires Active Directory (AD), Windows Server 2003 or later (I recommend Server 2008), and a database server, preferably Microsoft SQL Server. Alternatively, you can use the Server 2008 Windows Internal Database, but that choice limits your RMSconfiguration options, as you’ll see.
You need to install RMS on a server. The first server in a forest on which you install RMS is called the certification server. For scalability and fault tolerance, you can install RMS on additional servers later to form a certification cluster. A certification server or cluster issues rights account certificates to every user who needs to be able to protect content or consume protected content. The certification server or cluster also issues client licensor certificates (which let users protect content) and use licenses (which let users consume protected content).
To install RMS on Server 2008, launch Server Manager and click Roles in the lefthand pane. In the Roles view action area, click Add Roles to launch the Add Roles Wizard. In the wizard’s Server Roles step, select Active Directory Rights Management Services; the wizard will display a dialog box containing details of the roles and features that will be installed to support RMS, such as Microsoft IIS and the .NET Framework. Click Add Required Role Services to close the dialog box, then click Next to step through the wizard.
When asked whether you want to install support for federation, you can leave the check box cleared unless you have a specific need for federation. Next, the wizard asks whether you want to create a new AD RMS cluster or join an existing cluster. Because you’re installing your first RMS server, accept the default option—Create a new AD RMS cluster—and click Next.
The wizard will ask whether to use the Windows Internal Database or a different database server. If you use Windows Internal Database, you can’t create a cluster later by adding more servers. To use an external database, select Use a different database server, then click Select to browse the available computers and select one on which SQL Server is installed. If multiple instances of SQL Server are installed, you must also select the instance you want to use.
In the next screen, click Specify, then enter the username and password of the domain user account under which RMS will run. The wizard will ask how you want to configure key management. The default option—to store keys centrally—is acceptable for most enterprises. You’ll also be asked for a passphrase to protect the keys.
You’ll need to specify the website on which to install RMS. I recommend that you use the default website. I also recommend that no other web-based service be installed alongside RMS on the same website, as there are known conflicts with some such services, such as Windows SharePoint Services.
Contiune to page 2
In subsequent steps, you’ll enter the internal web address by which the RMS server will be known and specify whether to use Secure Sockets Layer (SSL) to protect RMS. To specify the internal web address, you should use a Fully Qualified Domain Name (FQDN); otherwise, you won’t be able to add servers later to create a cluster. The best practice is to use a DNS virtual A record that has the same IP address as the RMS server and website. For the SSL option, I recommend that you choose to use SSL—if you plan to support federation later, you must select SSL now. If you accept the default to use SSL and you don’t have IIS installed or websites configured for SSL, the wizard prompts you to either choose an existing SSL certificate, create a self-signed certificate, or install one manually later. If you opt to install an SSL certificate later, you won’t be able to easily configure RMS. You can always use the IIS administration tool to request a different certificate later.
Next, you’ll specify a name for your RMS installation and specify whether you want to register RMS in a service- ConnectionPoint (SCP) object in AD. If you don’t, you’ll have to configure registry overrides on users’ computers before they can use IRM. I cover SCP registration and registry overrides later.
If you haven’t installed IIS or haven’t configured it to support RMS, the wizard will show you what will be installed or configured. You shouldn’t have to make any changes. If you’re happy with your selections when the wizard lists them for your review, simply click Install to proceed. You’ll need to restart your server to make RMS available for use. Afterward, you can view your RMS configuration details in the Server Manager administration console, as Figure 1 shows. If you use SSL and the RMS server’s internal address isn’t the same as the host name, you’ll get a certificate error, which you can safely ignore.
Installing and Using IRM
The RMS client is built into Vista and doesn’t need to be installed—as long as you publish the SCP in AD when you set up RMS, no further configuration is required. For XP and Win2K systems, you need to download the RMS client from www.microsoft .com/rms. To distribute the package, you can use Microsoft Systems Management Server, System Center Configuration Manager (a third-party software distribution tool), or Group Policy. If you use Windows Server Update Services or Microsoft System Center Essentials, you can distribute the RMS client as an update. If you didn’t publish the SCP in AD, you need to set each client machine’s HKEY_LOCAL_MACHINE\SOFTWARE Microsoft\MSDRM\ServiceLocation\Enter prisePublishing registry subkey to the value http://internal address/_wmcs/Licensing, where internal address is the URL of the RMS server specified during installation. If you’re using SSL, substitute https for http.
Users typically won’t need to take any special steps to begin using IRM. Office applications will automatically detect the RMS client, and the first time a user protects a document or email message or attempts to consume a protected document or message, the IRM features will be available in the GUI. As long as the client and user are validated, the user is issued every license and certificate necessary to protect content or access protected content. Figure 2 shows a protected email message and Word document and their respective IRM buttons.
When a user’s client initially connects to the RMS server, the user is prompted to enter credentials if the server’s internal address isn’t in IE’s Local intranet zone or in another zone that’s configured to automatically send credentials when they’re required. In that case, either the user can manually add the internal address to the Local intranet zone or you can configure all your users’ IE settings through Group Policy.
To protect and send an Outlook email message, you can simply click Permission on the message’s toolbar and click Send. Recipients are automatically granted the rights to read and reply to the message, but not to forward or print it. You can also create and use templates to grant more rights or further restrict rights. To protect content created by other Office applications, you click the Protect Document button on the Review tab, then select Restricted Access to open the Permission dialog box shown in Figure 3. Select the Restrict permission to this document check box to make the dialog box’s options available, and enter the names of users who will have Read and Change rights. If you have Microsoft Exchange Server 2007 or 2003 in your environment, clicking the Read or Change button will make the Select Names dialog box appear. In an Exchange 2007 or 2003 shop, you can grant rights to user groups and mail-enabled universal security groups and enter user and group names directly into the fields alongside the Read and Change buttons.
If you aren’t using Exchange 2007 or Exchange 2003, you can specify users and groups by email address. To give users outside your organization rights to content, you’ll have to use email addresses and configure RMS for external collaboration.
To change or add permissions, click More Options in the Permission window to see the dialog box in Figure 4. The expiration option lets you specify a date after which users can’t open the protected document regardless of their permissions. The author can still open the protected document and can remove permissions or extend the expiration date.
With that basic understanding of how to use IRM, let’s look at how to create and use templates to avoid mistakes when configuring content protections.
Creating and Using Templates
If your users repeatedly grant certain recipients the same rights to content, you can use templates to simplify the process. You create and store the templates on the RMS server, then distribute them to users, either individually or in a file share. (The latter option is practical for mobile users only when combined with offline folders.)
Templates are created as XML files. To create a template, open the RMS role in Server Manager, expand a server node, and select the Rights Policy Templates node to open the Distributed Rights Policy Templates window, shown in Figure 5. Set the template-storage location by clicking Change distributed rights policy templates file location at the bottom of the center pane. Select Enable export in the Rights Policy Templates dialog box and enter the UNC path of a folder to which the RMS service account has change permissions, as Figure 6 shows. Click OK, then make sure that the service account has both NTFS and share-level permissions. Next, click the Create distributed rights policy template link in the right-hand pane.
Actually creating the template is a fivestep process.
1. For each language you use, specify the template name and a description.
2. Specify users and groups and the rights you want to grant to each.
3. If you want content to expire, specify an expiration interval. You can also force users to obtain a new use license at a specified interval. Designating end-user license expiration dates is useful in conjunction with exclusion, an advanced feature used to deny access to protected content.
4. Configure whether users can view protected content using the RMA and whether they must obtain a new use license every time they open protected content.
5. Configure revocation lists. An advanced feature that isn’t commonly used, revocation lets you revoke rights-protection components. For example, you can use revocation to prevent users who were erroneously granted access rights from opening a document that’s already been distributed.
For Office to be able to access templates, you need to add the HKEY_ CURRENT_USER Software\Microsoft Office\version\Com mon\DRM\Admin TemplatePath registry setting to each user’s computer, where version is 12.0 for Office 2007 and 11.0 for Office 2003. To modify the registry for multiple users, you can download and use the Office 2007 administrative templates and Group Policy. After you configure the template path, Office applications import the templates and display them under the Protect Document menu option, as in Figure 7.
Real Data Protection
IRM and RMS take Office applications in a powerful new direction to help you prevent accidental data loss and intentional but inappropriate disclosure of sensitive organizational information. Once you’ve set up RMS, IRM lets users easily protect sensitive Word documents, Excel spreadsheets, PowerPoint presentations, Outlook emails, and InfoPath forms. If you also consider how user-friendly IRM is, it can be a good security solution for organizations of all sizes.