For years, systems administrators have been asking how they can protect the content of Outlook messages from being copied, forwarded, or printed and make messages inaccessible after a specified date. Until recently, the only available solutions have been third-party tools and services. Citing its Trustworthy Computing initiative and the need to protect the privacy of digital information, Microsoft has stepped into the document- and message-protection product area by introducing Windows Rights Management Services (RMS) for Windows Server 2003 (http://www.microsoft.com/windowsserver2003/rm). Don't confuse RMS with Digital Rights Management (DRM), the Microsoft platform for providing secure distribution of video, audio, and other digital-media files so that users can play those files only on computers that have an authorized license key. Rather, the Information Rights Management (IRM) functionality that RMS implements lets organizations limit who can work with a document or an email message and what the authorized user can do with the document or message.

RMS components include an inhouse Windows RMS Server, which runs on Windows 2003; Microsoft Office Professional Edition 2003—the first client application that can create and read protected documents; the Windows Rights Management (RM) client, which lets applications work with RMS; the Rights Management Add-on for Internet Explorer (RMA), a client component that lets users use Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1) or IE 5.5 SP2 (for Windows Me clients) to view—but not modify—rights-protected content; and a software development kit (SDK) that programmers can use to create additional RMS client applications and server tools. An unsupported toolkit is also available to give administrators a deeper look inside the RMS database and provide some management capabilities.

How RMS Works
RMS is an ASP.NET Web service add-on that uses the Extensible Rights Markup Language (XrML—to read more about XrML, go to http://www.xrml.org). The RMS server generates use licenses associated with digital content and validates credentials to make that content available to authorized users. After an Office Professional 2003 or RMA user goes through the initial process of registering a machine and an email address with the RMS server, sending or reading a protected message requires only a few extra steps.

In a nutshell, RMS works like this: A person uses an RMS-enabled application such as those included in Office Professional 2003 (e.g., Microsoft Office Outlook 2003) to set permissions on a document or an email message. The application connects to the RMS server to obtain a signed license that contains information about how the message originator wants to protect the information, then embeds that license in the file or message. The server receives no information about the file or message. The application encrypts the file or message before saving or sending it.

When the recipient opens the file or message in an RMS-enabled application, that program sends the license and the user's credentials to the RMS server, requesting a use license. After the RMS server validates the credentials and returns a use license, the application decrypts the file or message, displays it, and enforces the rights policies that the message originator set up.

For Outlook email messages, the only available rights policy is Do Not Forward, which blocks forwarding, printing, copying, or taking a Windows screen print (although it doesn't block third-party screen-capture tools). Microsoft Office Excel 2003, Office PowerPoint 2003, and Office Word 2003 offer more options, which I show you later in this article.

Enabling RMS Support in Outlook 2003
The process of enabling RMS support in Outlook 2003 or other Office 2003 applications involves two steps: installing the Windows RM client and configuring Outlook or Office to use a particular RMS server.

A typical enterprise deployment will use Microsoft Systems Management Server (SMS) or Group Policy to roll out the RM client. If the RM client isn't already installed, the first time an Outlook user clicks the File, Permission, Do Not Forward command on a new message, the user sees a prompt to download the most recent RM client. If the user selects Yes and is connected to the Internet, Outlook downloads the msdrmclient.msi installation file. This file installs the RM client and attempts to activate the client computer by connecting to a server at Microsoft. Microsoft is operating a public-trial RMS server that you can use to try out RMS before you commit to an inhouse RMS server. To set up credentials for his or her email address, the user must choose to enroll with a corporate RMS server or with the Microsoft public-trial server, which requires the user to have a Microsoft .NET Passport account. Access to this trial server is currently free, although Microsoft doesn't guarantee that it will remain so.

Sending and Receiving RMS-Protected Email
To send a rights-managed message from Outlook 2003, a user creates the message as usual, but before sending it, he or she chooses File, Permission, Do Not Forward. Figure 1 shows a message protected by using an account that's connected to the Microsoft public RMS server by means of a .NET Passport. Users who have more than one email account can choose File, Permission, Restrict Permission As to choose which account to use to apply rights management to the message. You can also add an expiration date to an Outlook message through the View, Options dialog box.

What recipients see when they receive a rights-managed message depends on the version of Outlook they're using and whether they've obtained credentials for the RMS service. If the recipient hasn't already installed and activated the RM client and obtained credentials for the email address that received the message, a wizard walks the user through the process when he or she opens the message. Then, if this is the first RMS-restricted message the user has opened, the user sees the message box that Figure 2 shows. After the user connects to the server and downloads the use license, the message opens and any attachments are available, as Figure 3 shows. If the message contains any attachments, those files use the same license and have the same permissions as the message, as Figure 4 shows.

Using IE to Read RMS Mail
The RMA is available as a free download from http://www.microsoft.com/windows/ie/downloads/addon/default.asp. Before installing this add-on, you must first install the RM client, which you can download from http://www.microsoft.com/downloads/details.aspx?familyid=3115a374-116d-4a6f-beb2-d6eb6fa66eec&displaylang=en.

If you send a restricted message to someone who doesn't have Office Professional 2003, that user receives a message with a file attachment named message.rpmsg and text and HTML message parts that specify the URL for downloading the RMA. Installing the RMA adds a new file association to Windows so that files with the extension .rpmsg open through the rmarouter.exe application. The first time the user tries to open an .rpmsg file, the RMA runs a setup wizard that configures IE to use a corporate or .NET Passport account to work with RMS-protected documents. After the RMS server verifies the user's credentials, the message .rpmsg file opens in IE. The IE user will be subject to the same restrictions as an Outlook user.

Sending an RMS-Protected Document
Any Excel 2003, PowerPoint 2003, or Word 2003 file that you attach to an RMS-protected Outlook 2003 message is subject to the same restrictions as the parent message. If you want to send a restricted document but don't want to restrict the message, you can set permissions on the document rather than on the message to which it's attached. This method also gives you more permissions options. After you've set permissions and saved the file, you can create a new Outlook message, attach the file, and send the message as usual, without restricting it first.

To set permissions on a Word document so that both Office Pro 2003 and IE users can read it, follow these steps:

  1. Go to File, Permission, Restrict Permission As, and wait for Word to verify your credentials.
  2. If you see the Select User dialog box, choose the user account that you want to use to set permissions.
  3. In the Permission dialog box, which Figure 5 shows, select the Restrict permission to this document check box. If you know that all your recipients have Office Pro 2003, you can enter names or email addresses for recipients in the Read and Change fields, then click OK to finish.
  4. If you don't know which program your recipients are using, you can give them permission to use IE to read the document. To do so, click More Options to display an extended Permission dialog box, which Figure 6 shows. Select the Allow users with earlier versions of Office to read with browsers supporting Information Rights Management check box. As the dialog box notes, selecting this option increases the size of the file because Word saves a separate HTML representation that IE users can read. At this point, you might want to click Set Defaults to make browser access a default for future documents.
  5. If you didn't specify recipients in Step 3, click Add to add recipients and set their access level. Note that the account you use to set permissions on the document is always given Full Control by default.
  6. Set any other options you want, then click OK

Notice in Figure 6 how many more options you have when restricting a document, compared with the options you have for restricting an Outlook email message. You can let read-only users copy content or let all specified users print the document. You can also add programmatic access or an expiration date, although as I mentioned earlier, setting an expiration date is also an option for restricting an Outlook email message.

After you complete the document, save it. To send it to one of the users listed in the document's Permission dialog box, create a new Outlook message and attach the document file. (Don't use the File, Send To command in Word, and don't use the File, Permission, Do Not Forward command in Outlook.)

A Few More RMS Tips
Office Professional 2003 stores licenses for files and email messages on the local user's computer. This setup means that you can continue to access those messages and files even when you're disconnected from the network and can't communicate with the public or corporate RMS server.

However, there is one case in which you won't be able to access a restricted message that you downloaded earlier. If a message's originator set an expiration date and time on the message, recipients can no longer open the message or any attached files after the message expires.

Replying to an RMS-protected message produces several surprises. The body of the original message isn't included in the reply, regardless of the user's Reply settings. Furthermore, Outlook automatically applies the original message's permission restrictions to the outgoing reply. To turn off those restrictions, choose File, Permission, Unrestricted Access before sending the reply.

Going Further
I've covered just the basics that you need to start exploring the client operation of RMS on your own, by using the trial RMS service. An inhouse RMS server offers many more capabilities, including the ability to create policy templates that describe a set of standard users, rights, and conditions for protected documents and messages. If you want to offer more granular permission settings to Outlook 2003 users, you need to use such templates. Another key feature of an inhouse RMS server is the ability to set up trust relationships with other organizations that use RMS so that you can easily exchange protected documents with your partners. The Microsoft Web site has more information about these capabilities, plus other technical information and links to companies that are using the RMS SDK to build information protection into their applications. Office Professional 2003 might be the first RMS content-creation client, but it won't be the last. When you're ready to install a server, the Security Administrator article, "Windows Rights Management Services," January 2004, InstantDoc ID 40951, can show you how.