Safeguard Sensitive Content with Information Rights Management

Organizations that lose sensitive customer data not only expose that data to identity thieves, fraudulent practices, and public access, but also expose themselves to catastrophe. Likely penalties include losing customers, diminished reputation and company goodwill, and hefty regulatory penalties and fines. Increasingly, organizations are turning to their IT departments to supply technical solutions to the data-protection problem. The good news is that if your organization uses Microsoft Office 2007 or Office 2003 and Windows Server 2008 or Windows Server 2003, you already have the technology you need to better secure content produced in Office applications at very little additional cost.

Active Directory Rights Management Services (AD RMS, or simply RMS; formerly called Windows Rights Management Services) and Information Rights Management (IRM) enable authorized administrators and users to embed access and usage permissions and restrictions in Office documents. Before granting access to protected content, RMS and IRM validate trusted computers and users and enforce usage restrictions, such as limiting document printing, copying, and forwarding. The restrictions are bound to the content and accompany it wherever it goes, both inside and outside the organization.

Before I explain how to install and configure an RMS server and show you how easy it is for end users to protect content and access protected content, let’s take a look inside RMS and IRM.

RMS and IRM
RMS is a web-based client/server infrastructure technology based on Windows Server and Active Directory (AD). It works by letting document authors designate access restrictions for files they create and extends access rights, such as Read, Edit, Print, Reply, and Forward, to authorized users. Those restrictions and rights govern the use of the document even outside your corporate firewall.

In addition to restricting access to files, RMS encrypts them. When an author sends a protected file to another user or posts the file to a shared folder, every user who wants to decrypt and access, or “consume,” the file must first obtain a use license from the author’s RMS server. Before allowing access, RMS checks that the end user’s application is a trusted application, that the user isn’t excluded from using RMS, and that the protected data hasn’t expired or been revoked.

RMS is built into Windows Vista, and it’s available as a role on Server 2008. There are differences between the Server 2008 and Windows 2003 RMS versions, with the former supporting federation and introducing a new administration interface, scriptable API, and numerous other small improvements. If you have Windows 2003 R2 Standard, Enterprise, or Datacenter Edition, RMS software is available as an optional Windows component. (You can download the most recent version of the software for Windows 2003 at www.microsoft.com/rms.) If you’re running Windows XP or Windows 2000 desktops, you’ll also need to download and install RMS SP2 Client. (I explain how to install the RMS client later.)

Applications (not the OS) are responsible for enforcing users’ rights. Office applications that support RMS out of the box include the XML Paper Specification viewer and Microsoft Word, Excel, PowerPoint, Outlook, and InfoPath. Several ISVs have also announced RMS product support.

To create rights-protected Office documents, you need at least Office Professional Plus 2007 or Office Professional Edition 2003. To access rights-protected documents, you must use Office Professional 2007, Office Standard 2007, or Office Standard Edition 2003.

IRM is the application-specific UI that lets users of RMS-aware applications protect content and work with protected content. Using the IRM GUI menu options and dialog boxes, content creators build RMS publishing licenses, which bind the access and usage policies to the protected content. Microsoft ships IRM in Office 2003 and later versions of Word, Excel, PowerPoint, Outlook, and InfoPath. Microsoft Office SharePoint Server 2007 (MOSS) also supports IRM, and the free, downloadable Rights Management Add-On (RMA) for Microsoft Internet Explorer (IE) lets users browse rights-protected websites and open protected Office documents in a limited fashion. Several third-party vendors extend IRM-like capabilities to their products that do not natively support IRM by shipping add-ons, plug-ins, or shims.

Installing and Configuring RMS
RMS requires Active Directory (AD), Windows Server 2003 or later (I recommend Server 2008), and a database server, preferably Microsoft SQL Server. Alternatively, you can use the Server 2008 Windows Internal Database, but that choice limits your RMSconfiguration options, as you’ll see.

You need to install RMS on a server. The first server in a forest on which you install RMS is called the certification server. For scalability and fault tolerance, you can install RMS on additional servers later to form a certification cluster. A certification server or cluster issues rights account certificates to every user who needs to be able to protect content or consume protected content. The certification server or cluster also issues client licensor certificates (which let users protect content) and use licenses (which let users consume protected content).

To install RMS on Server 2008, launch Server Manager and click Roles in the lefthand pane. In the Roles view action area, click Add Roles to launch the Add Roles Wizard. In the wizard’s Server Roles step, select Active Directory Rights Management Services; the wizard will display a dialog box containing details of the roles and features that will be installed to support RMS, such as Microsoft IIS and the .NET Framework. Click Add Required Role Services to close the dialog box, then click Next to step through the wizard.

When asked whether you want to install support for federation, you can leave the check box cleared unless you have a specific need for federation. Next, the wizard asks whether you want to create a new AD RMS cluster or join an existing cluster. Because you’re installing your first RMS server, accept the default option—Create a new AD RMS cluster—and click Next.

The wizard will ask whether to use the Windows Internal Database or a different database server. If you use Windows Internal Database, you can’t create a cluster later by adding more servers. To use an external database, select Use a different database server, then click Select to browse the available computers and select one on which SQL Server is installed. If multiple instances of SQL Server are installed, you must also select the instance you want to use.

In the next screen, click Specify, then enter the username and password of the domain user account under which RMS will run. The wizard will ask how you want to configure key management. The default option—to store keys centrally—is acceptable for most enterprises. You’ll also be asked for a passphrase to protect the keys.

You’ll need to specify the website on which to install RMS. I recommend that you use the default website. I also recommend that no other web-based service be installed alongside RMS on the same website, as there are known conflicts with some such services, such as Windows SharePoint Services.

Contiune to page 2