May 24, 2004 12:00 AM

Using Outlook 2003 as a Windows RMS Client

Safeguard your email content
Windows IT Pro
InstantDoc ID #42535

For years, systems administrators have been asking how they can protect the content of Outlook messages from being copied, forwarded, or printed and make messages inaccessible after a specified date. Until recently, the only available solutions have been third-party tools and services. Citing its Trustworthy Computing initiative and the need to protect the privacy of digital information, Microsoft has stepped into the document- and message-protection product area by introducing Windows Rights Management Services (RMS) for Windows Server 2003 (http://www.microsoft.com/windowsserver2003/rm). Don't confuse RMS with Digital Rights Management (DRM), the Microsoft platform for providing secure distribution of video, audio, and other digital-media files so that users can play those files only on computers that have an authorized license key. Rather, the Information Rights Management (IRM) functionality that RMS implements lets organizations limit who can work with a document or an email message and what the authorized user can do with the document or message.

RMS has several components: an in-house Windows RMS Server, which runs on Windows 2003; Microsoft Office Professional Edition 2003, the first client application that can create and read protected documents; the Windows Rights Management (RM) client, which lets applications work with RMS; the Rights Management Add-on for Internet Explorer (RMA), a client component that lets users view, but not modify, rights-protected content in Microsoft Internet Explorer (IE) 6.0 Service Pack 1 (SP1) or IE 5.5 SP2 (for Windows Me clients); and a software development kit (SDK) that programmers can use to create additional RMS client applications and server tools. An unsupported toolkit is also available that gives administrators a deeper look inside the RMS database and provides some management capabilities.

How RMS Works
RMS is an ASP.NET Web service add-on that uses the Extensible Rights Markup Language (XrML; to read more about XrML, go to http://www.xrml.org). The RMS server generates use licenses associated with digital content and validates credentials to make that content available to authorized users. After an Office Professional 2003 or RMA user goes through the initial process of registering a machine and an email address with the RMS server, sending or reading a protected message requires only a few extra steps.

In a nutshell, RMS works like this: A person uses an RMS-enabled application such as those included in Office Professional 2003 (e.g., Microsoft Office Outlook 2003) to set permissions on a document or an email message. The application connects to the RMS server to obtain a signed license that contains information about how the message originator wants to protect the information, then embeds that license in the file or message. The server receives no information about the file or message. The application encrypts the file or message before saving or sending it.

When the recipient opens the file or message in an RMS-enabled application, that program sends the license and the user's credentials to the RMS server, requesting a use license. After the RMS server validates the credentials and returns a use license, the application decrypts the file or message, displays it, and enforces the rights policies that the message originator set up.

For Outlook email messages, the only available rights policy is Do Not Forward, which blocks forwarding, printing, copying, and capturing the screen with the Windows Print Screen key (although it doesn't block third-party screen-capture tools). Microsoft Office Excel 2003, Office PowerPoint 2003, and Office Word 2003 offer more options, which I show you later in this article.
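To make the exchange in the preceding paragraphs concrete, here is a constructed Python model of it (an added example, not Microsoft's code, and not RMS's real protocol, license format or cryptography): the sender encrypts locally and the server sees only the license request; the recipient presents the embedded license plus credentials and gets back a use license carrying the rights; and the Do Not Forward policy is just the absence of forward, print and copy rights, which the client, not the server, enforces. The names RmsServer, protect, open_message and DO_NOT_FORWARD, the HMAC license signature, and the SHA-256 stream cipher are all assumptions of this model.

```python
import hashlib, hmac, json, secrets

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher; stands in for the real cipher (constructed)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

DO_NOT_FORWARD = ["view", "reply"]  # forward, print and copy are deliberately absent

class RmsServer:
    """Signs publishing licenses and issues use licenses; never sees the content."""
    def __init__(self):
        self._sign_key = secrets.token_bytes(32)  # only the server can sign licenses
        self._kek = secrets.token_bytes(32)       # wraps the per-message content key
        self.enrolled = set()                     # addresses that completed enrollment

    def _sig(self, body):
        return hmac.new(self._sign_key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

    def publishing_license(self, author, recipients, rights, content_key, expires):
        if author not in self.enrolled:
            raise PermissionError(f"{author} has not enrolled with this server")
        nonce = secrets.token_bytes(16)  # fresh per wrap so the KEK keystream is never reused
        body = {"author": author, "to": sorted(recipients), "rights": rights, "expires": expires,
                "nonce": nonce.hex(), "wrapped_key": xor_stream(self._kek + nonce, content_key).hex()}
        return {"body": body, "sig": self._sig(body)}

    def use_license(self, lic, user, today):
        body = lic["body"]
        if not hmac.compare_digest(self._sig(body), lic["sig"]):
            raise PermissionError("publishing license was altered")
        if user not in self.enrolled or user not in body["to"]:
            raise PermissionError(f"{user} is not an authorized recipient")
        if body["expires"] and today > body["expires"]:   # ISO dates compare as strings
            raise PermissionError("message has expired")
        key = xor_stream(self._kek + bytes.fromhex(body["nonce"]), bytes.fromhex(body["wrapped_key"]))
        return {"user": user, "rights": body["rights"], "content_key": key}

def protect(server, author, recipients, text, expires=None):
    """Sender: encrypt locally; the server gets only the license request, never the text."""
    content_key = secrets.token_bytes(32)
    lic = server.publishing_license(author, recipients, DO_NOT_FORWARD, content_key, expires)
    return {"license": lic, "ciphertext": xor_stream(content_key, text.encode())}

def open_message(server, msg, user, today):
    """Recipient: present license and credentials, decrypt, return (text, rights) for the client to enforce."""
    use = server.use_license(msg["license"], user, today)
    return xor_stream(use["content_key"], msg["ciphertext"]).decode(), set(use["rights"])
```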

Enabling RMS Support in Outlook 2003
The process of enabling RMS support in Outlook 2003 or other Office 2003 applications involves two steps: installing the Windows RM client and configuring Outlook or Office to use a particular RMS server.

A typical enterprise deployment will use Microsoft Systems Management Server (SMS) or Group Policy to roll out the RM client. If the RM client isn't already installed, the first time an Outlook user clicks the File, Permission, Do Not Forward command on a new message, the user sees a prompt to download the most recent RM client. If the user selects Yes and is connected to the Internet, Outlook downloads the msdrmclient.msi installation file. This file installs the RM client and attempts to activate the client computer by connecting to a server at Microsoft. Microsoft is operating a public-trial RMS server that you can use to try out RMS before you commit to an in-house RMS server. To set up credentials for his or her email address, the user must choose to enroll with a corporate RMS server or with the Microsoft public-trial server, which requires the user to have a Microsoft .NET Passport account. Access to this trial server is currently free, although Microsoft doesn't guarantee that it will remain so.

Sending and Receiving RMS-Protected Email
To send a rights-managed message from Outlook 2003, a user creates the message as usual, but before sending it, he or she chooses File, Permission, Do Not Forward. Figure 1 shows a message protected by using an account that's connected to the Microsoft public RMS server by means of a .NET Passport. Users who have more than one email account can choose File, Permission, Restrict Permission As to choose which account to use to apply rights management to the message. You can also add an expiration date to an Outlook message through the View, Options dialog box.

What recipients see when they receive a rights-managed message depends on the version of Outlook they're using and whether they've obtained credentials for the RMS service. If the recipient hasn't already installed and activated the RM client and obtained credentials for the email address that received the message, a wizard walks the user through the process when he or she opens the message. Then, if this is the first RMS-restricted message the user has opened, the user sees the message box that Figure 2 shows. After the user connects to the server and downloads the use license, the message opens and any attachments are available, as Figure 3 shows. If the message contains any attachments, those files use the same license and have the same permissions as the message, as Figure 4 shows.

Comments
  • JOSEPH
    Jun 19, 2008

    This was great.

  • JOSEPH
    Jun 19, 2008

    12345
