Deploying Windows Rights Management Services at Microsoft

Situation
Sensitive business information created in Microsoft Office Professional Edition 2003 as e-mail or business documents was at risk of being exposed to unauthorized users.

Solution
Microsoft IT implemented Microsoft Windows Rights Management Services (RMS) so that authors could use Office 2003 to restrict access to confidential data to only authorized consumers.

Benefits

  • Authors can apply granular access rights to e-mail messages and documents.

  • Sensitive information can be distributed as required with less concern that unauthorized users will access it.

  • RMS fulfills the requirements of multiple information protection technologies, simplifying the user experience and IT support tasks.

  • The RMS infrastructure is extensible to other, internally developed line-of-business applications.

Products & Technologies

  • Microsoft Windows Server 2003

  • Active Directory directory service

  • Windows Rights Management Services (RMS)

  • Microsoft SQL Server 2000

  • Office Professional Edition 2003

  • Information Rights Management (IRM)

  • Rights Management Add-on for Internet Explorer (RMA)

Executive Summary

With the continuing advancements and ubiquity of electronic communications in business, in addition to the growing reliance on technology for conducting day-to-day operations, companies have become vulnerable to the mismanagement and theft of intellectual property and sensitive business information. Microsoft employees rely very heavily on e-mail through Microsoft Office Outlook 2003 for both internal and external business communications. Microsoft employees also rely on Microsoft Office Professional Edition 2003 applications—such as Microsoft Office Word 2003, Microsoft Office Excel 2003, and Microsoft Office PowerPoint 2003—to document and work with corporate ideas and other business-sensitive information. To remain a flexible and agile business, Microsoft needed a solution that could protect the data of its business e-mail messages and documents without interfering with its users’ ability to be productive.

The Microsoft information technology organization (known as Microsoft IT) implemented Microsoft Windows Rights Management Services (RMS), a new information protection service available for Microsoft Windows Server™ 2003. RMS combined with Office Professional Edition 2003 enables Microsoft staff to add usage policy rights protection to their e-mail messages and documents. The rights can specify who can open the document, what they can do with it, and how long they can open it. The rights are applied directly to the object being protected, whether an e-mail message or a document file, so the protections applied stay with the object regardless of where it is sent in e-mail or stored as a file. Each protected message or document is encrypted and requires a use license from the RMS server to decrypt protected content and to apply the usage restrictions assigned to the consumer of that content.

Since the worldwide implementation of RMS at Microsoft, an average of approximately 12,000 unique users per week apply rights to content, and approximately 25,500 content usage licenses per week are issued. These numbers continually grow as an increasing number of users adopt RMS technologies as their preferred means of protecting their confidential e-mail and documents.

This paper discusses the need that Microsoft IT had for protecting confidential business data, the reasons for deploying RMS over other possible solutions, and how RMS works. This paper also offers detailed lessons learned and best practices derived from the RMS server and client deployment and usage experience of Microsoft IT. It assumes that readers are technical decision makers and are already familiar with the fundamentals of both public key and symmetric key security systems, the benefits that such systems offer, and the components required to implement the systems.

This paper uses the term “publisher” to denote someone who creates rights-protected content, such as an e-mail message or a document created in Office Professional Edition 2003. The term “consumer” denotes someone who needs to retrieve a use license to open rights-protected content.

This paper is based on Microsoft IT’s experience and recommendations as an early adopter. It is not intended to serve as a procedural guide. Each enterprise environment has unique circumstances; therefore, each organization should adapt the plans and lessons learned described in this paper to meet its specific needs.

Note: For security reasons, the sample names of forests, domains, internal resources, and organizations used in this paper do not represent real resource names used within Microsoft and are for illustration purposes only.

Introduction

The privacy and security of confidential data and intellectual property are vital to a business. If a corporate e-mail system or a business productivity application does not allow an organization to control who can see e-mail messages and/or documents after they are sent to consumers, that system or application is limiting the organization’s ability to conduct private business with agility and efficiency. Many businesses today may be unnecessarily restricting the use of e-mail systems or intranet websites for the dissemination of their confidential data because they lack knowledge of the technologies available to safeguard that data. Conversely, other businesses simply may not comprehend the magnitude of the issue relating to electronic data privacy and security. They unintentionally and unnecessarily expose their confidential data to people or organizations that were never intended to have access.

Microsoft, like any other business that creates valuable intellectual property in a highly competitive marketplace, needed the ability to better secure and safeguard the privacy of its confidential data. Microsoft IT recognized that it needed technology to control how sensitive business e-mail messages and business productivity documents could be shared and used, without risking losses in productivity. More specifically, Microsoft IT needed to implement technology that offered the end-user publisher of confidential e-mail messages and business productivity documents the ability to manage who could consume their content, and limit usage of their content on a document-by-document basis. Without such technology, intellectual property, trade secrets, or incident management data belonging to Microsoft or its business partners might have been inadvertently or even maliciously exposed to the public, the media, or business competitors.

Windows Rights Management Services

Microsoft IT considered various technology tools that could protect the confidentiality of sensitive data contained within business documents. However, in many cases, a viable solution for protecting one type of document placed unreasonable or technologically unfeasible demands on another type of document. Most of the solutions considered were simply incomplete or too easily bypassed by individuals with malicious intent. The tool that Microsoft IT selected was RMS, a Microsoft .NET–connected Web service provided by Windows Server 2003.

Note: RMS is a component of Windows Server 2003, but does not ship with the product in the box. It is free-of-charge, downloadable software available at https://www.microsoft.com/windowsserver2003/downloads/featurepacks/default.mspx. However, RMS does require the purchase of client access licenses for each user publishing and/or viewing rights-protected content.

RMS works with RMS-enabled applications, such as Office Professional Edition 2003, to provide a means for publishers of confidential e-mail messages and documents to control who can view their content by attaching a usage rights policy directly to an object (such as an e-mail message or a document file). The rights can restrict how the content is used and who is allowed to use it. An organization can set different rights for various individuals and/or groups, based on user accounts in the Active Directory directory service (in Microsoft Windows 2000 Server or Windows Server 2003), users in trusted RMS environments, and users of the Microsoft .NET Passport–based RMS service. User rights for consumers can also be set to expire after a finite period.

Note: Microsoft IT allows only content published by its internal RMS servers to be trusted internally.

Usage rights policies are associated directly with the protected content, not the container in which it is stored. Unlike access control list (ACL) permissions from a file system such as the NTFS file system, e-mail messages and documents protected with RMS technologies remain protected whether they are forwarded to an e-mail account outside the corporate firewall; sent as an e-mail attachment; or stored on a Microsoft SharePoint™ website, a shared folder on a file server, a CD-ROM, a universal serial bus (USB) drive, or a floppy disk. Office Professional Edition 2003 e-mail messages and documents that are rights-protected employ 128-bit encryption to prevent unauthorized viewing and usage of content.

RMS serves as the platform for this technology. However, Microsoft also needed a client application that applied the technology of RMS. Microsoft IT found the solution with its enterprise-wide deployment of Office Professional Edition 2003, the first major end-user set of applications to support the RMS platform. Office Professional Edition 2003 introduced a feature called Information Rights Management (IRM), which allows policy rights definitions to be applied to both e-mail messages and documents created in the Office Professional Edition 2003 applications Word 2003, Excel 2003, Outlook 2003, and PowerPoint 2003. It employs the technologies of the RMS platform to apply and enforce those policies.

To enable users not yet running Office Professional Edition 2003 to read rights-protected messages and documents, Microsoft IT also deployed the Rights Management Add-on for Internet Explorer (RMA), a downloadable RMS-enabled client viewer plug-in. This plug-in is also useful to Microsoft employees who access their work e-mail on their home computers by using Outlook Web Access (OWA), a feature of Microsoft Exchange 2000 Server and later. RMA enables rights-protected e-mail and attached Office Professional Edition 2003 document files to be read through a Web browser.

Note: RMA is an RMS-based technology that is not specifically limited to viewing rights-protected e-mail messages and documents created in Office Professional Edition 2003. Any application built to support RMS technology can be designed to take advantage of RMA.

At this time, there are no RMS-enabled applications to specifically protect content within databases or software source code development environments. However, those environments are typically locked down by other means to protect their valuable data from unauthorized access. RMS protects the forms of data that are almost always left unprotected—business documents, the vehicles in which confidential ideas, proposals, incident reports, and financial data are stored and used on a daily basis. RMS complements existing data safeguards within the enterprise organization, which enhances the organization’s overall ability to protect its internal, private information.

Extensibility
Any program that produces, stores, manages, displays, transports, or consumes data can be written to take advantage of RMS services. Although Office Professional Edition 2003 is (as of this writing) the only application to take advantage of the RMS platform, Microsoft IT is excited about RMS because of its extensibility and scalability. Microsoft IT is already exploring ways to implement RMS technology in a variety of key line-of-business (LOB) applications and for further protecting the content of confidential intranet websites.

Note: Although Office Professional Edition 2003 is the only version of Office 2003 Editions that can create rights-protected content, other versions of Office 2003 Editions support viewing and editing rights-protected content.

Comparison with Other Technologies
RMS is not the only technology that can help safeguard the contents of e-mail messages and business productivity documents. Other technologies include Secure Multipurpose Internet Mail Extensions (S/MIME), ACLs, and Encrypting File System (EFS). Each of these technologies serves a valuable purpose and all have been used within Microsoft. However, with regard to protecting the confidentiality of data, each of these technologies is applicable only in a narrow set of circumstances. This section briefly describes the technologies and compares them with RMS in order to provide background on why Microsoft IT chose to deploy RMS.

S/MIME
S/MIME is a security-oriented superset of Multipurpose Internet Mail Extensions (MIME), an industry-standard protocol widely used on the Internet for e-mail. S/MIME adds public key encryption and support for digital signatures to MIME. Support for S/MIME technology has been available for several versions of Microsoft messaging products. However, S/MIME does not help protect confidential documents outside of the realm of e-mail; nor does it control usage rights, such as the ability to restrict copying or printing protected information. Furthermore, after a recipient opens S/MIME-protected content, that recipient can forward the content to other recipients with the original protection removed.

ACLs
Security in Windows Server 2003 controls the use of objects through the interrelated mechanisms of authentication and authorization. After a user is authenticated, Windows Server 2003 uses authorization and access control technologies to determine whether an authenticated user has the correct authorization to access an object protected by means of ACLs.

ACLs for file and folder permissions require the use of the NTFS file system. Any permission restrictions assigned to a document are eliminated if the file is taken from the container where the permissions were set. For example, a document that restricts all access to a particular set of users will be rendered available to all if that file is sent by means of e-mail or is copied to a disk medium not using NTFS, such as a floppy disk, a CD-ROM, or a hard disk formatted with any variety of the FAT file system.

EFS
EFS protects sensitive data in all types of files that are stored on disk by means of the NTFS file system. It uses symmetric key encryption in conjunction with public key technology to provide confidentiality for files. In EFS, unlike most other external encryption services, file encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption of the file take place transparently as it is read from and written to the disk. EFS runs as an integrated system service, which makes it easy to manage, difficult to attack, and transparent to the file owner and to applications.

EFS encryption survives moves and renames, if all files stay on NTFS volumes. Copying or moving the encrypted file or folder to a disk medium formatted with any file system other than NTFS removes the encryption and returns the file to its normal format. Additionally, only the person who applied EFS encryption to a file can open the file and work with it. Other users—even a file owner—cannot open an EFS-encrypted file without the private key of the person who applied EFS encryption to the file.

Comparing the Technologies
Table 1 compares IRM in Office Professional Edition 2003 with S/MIME digital signing, S/MIME encryption, ACLs, and EFS.

Table 1. Comparison of Technologies Used to Safeguard Confidential Data

| Feature | IRM & RMS | S/MIME signing | S/MIME encryption | ACLs | EFS |
|---|---|---|---|---|---|
| Attests to the identity of the publisher | No | Yes | No | No | No |
| Differentiates permissions by consumer | Yes | No | No | Yes | No |
| Prevents unauthorized viewing | Yes | No | Yes | Yes | Yes |
| Encrypts protected content | Yes | No | Yes | No | Yes |
| Offers content expiration | Yes | No | No | No | No |
| Offers use license expiration | Yes | No | No | No | No |
| Controls content usage to reading, forwarding, saving, modifying, or printing by consumer | Yes | No | No | Yes* | No |
| Extends protection beyond initial publication location | Yes | Yes | Yes | No | Yes** |

* ACLs can be set to modify, write, or read-only.
** EFS encryption is maintained with a copied or moved file only if the destination folder is also on an NTFS-formatted volume and, when copying, the destination folder is marked for encryption.

After analyzing the various alternative technologies for safeguarding confidential data and comparing them with RMS, Microsoft IT determined that RMS met all of its requirements. Key reasons were:

  • Deploying a single solution simplified the task of applying the needed solution for end users. Only one tool was needed for all situations.

  • No alternative technologies offered the combination of features found in RMS, all of which are necessary to protect confidential data, regardless of the storage medium on which the data is located.

  • By relying on one rather than multiple solutions to help protect data, Microsoft IT simplified enterprise administrative and troubleshooting tasks.

RMS Technology

When someone attempts to open a rights-protected document or e-mail message, RMS identifies the consumer through the Simple Mail Transfer Protocol (SMTP) e-mail address assigned to the consumer's Active Directory logon account. RMS then compares this identification with the list of rights associated with the protected content. If the specified consumer has been granted user rights, either individually or through inclusion by means of a distribution group, the RMS server issues a use license to the consumer. Note: If the SMTP address specified in the list of rights is for a distribution group, Active Directory has to perform a lookup to determine if the end-user account object is associated with the distribution group.

Licenses
For a consumer to open documents protected by RMS-enabled applications, a digital license is needed from the RMS server. There are two types of licenses: publishing and use.

Publishing License
A publishing license is created when a document (including an e-mail message) is originally protected. Every protected document gets its own publishing license. RMS provides for the creation of publishing licenses in two ways: online and offline. Online publishing requires connectivity with the RMS server, whereas offline publishing does not. IRM in Office Professional Edition 2003 always publishes its content offline. To do so, the RMS client computer generates a publishing license without contacting the RMS server. However, for the publishing license to be generated, the offline client must have already been activated and received its publishing certificate. The publishing certificate is generated by the RMS server and downloaded to the client computer when its first piece of rights-protected content is published, which requires online access to the RMS server.

Use License
A use license is required to consume the protected content. An RMS-enabled application uses the use license to decrypt the content, and then enforces the specific usage restrictions assigned to the consumer. Each protected piece of content requires its own use license.

The RMS server generates use licenses in response to a valid license request, which is typically made every time a consumer who has rights to a protected e-mail message or document opens that item. Use licenses can be stored and reused to open a protected document, depending on the rights policy. In cases with Office Professional Edition 2003 documents, if the consumer has write access to the file, the use license is appended to the protected document file. The user can then open the protected content again on any computer that has been activated with that user’s account without requiring network access to the RMS server until the use license expires.

Conversely, with Outlook 2003 e-mail messages, the use license itself is stored locally on the end user’s computer. Because Microsoft IT uses Outlook 2003 with cached mode enabled, Outlook 2003 was configured to automatically obtain use licenses for rights-protected e-mail messages during its synchronization process with an Exchange server. Microsoft IT specifically enabled this by setting a registry subkey during installation. If Microsoft IT had left the default setting in place, at the first time the end user attempted to open a rights-protected e-mail or document, a dialog box would have appeared, asking whether the user wanted to permanently enable this behavior or not. If enabled, this option would have set the same registry subkey that Microsoft IT preset during installation.

Some policies can be set to expire use licenses after each time a user accesses protected content. In these cases, the user is required to have online access to the RMS server to receive another use license before that content can be re-opened.
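The server-side decision described in this section (consumer identified by SMTP address, group membership resolved through a directory lookup, a use license that may or may not be cached locally) as an added Go example; this is not code from the paper or from RMS. The `Directory` interface, `MapDirectory`, the ordered `Right` levels and the example.com addresses are constructed assumptions; the document expiration and "require a connection" rights follow Table 2, and `EffectivePolicy` applies the attachment inheritance rule the paper gives after Table 3.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// Right is one of the IRM rights levels from the paper's Table 2, ordered so that a
// more permissive right compares greater (constructed model, not RMS's XrML rights).
type Right int

const (
	NoRight Right = iota
	Read
	Change
	FullControl
)

// RightsEntry names a principal, either a user's SMTP address or a distribution
// group's SMTP address, and the right granted to it.
type RightsEntry struct {
	Principal string
	Right     Right
}

// Policy is the rights list bound to one protected message or document.
type Policy struct {
	Entries         []RightsEntry
	Expires         time.Time // document expiration; the zero value means never
	VerifyEveryOpen bool      // "Require a connection to verify a user's permission"
}

// Directory is the group-membership lookup the paper says Active Directory performs
// when a rights entry names a distribution group rather than a user.
type Directory interface {
	IsMember(userSMTP, groupSMTP string) bool
}

// MapDirectory is a constructed in-memory Directory: lower-case group SMTP -> member SMTPs.
type MapDirectory map[string][]string

func (d MapDirectory) IsMember(userSMTP, groupSMTP string) bool {
	for _, m := range d[strings.ToLower(groupSMTP)] {
		if strings.EqualFold(m, userSMTP) {
			return true
		}
	}
	return false
}

// UseLicense is the server's answer for one consumer: the most permissive right any
// matching entry grants, and whether the client may cache the licence for reuse.
type UseLicense struct {
	Consumer  string
	Right     Right
	Cacheable bool
}

var (
	ErrExpired  = errors.New("document expiration date has passed")
	ErrNoRights = errors.New("consumer is not in the rights list, directly or through a group")
)

// IssueUseLicense decides, as the RMS server does, whether consumerSMTP receives a use
// licence for content carrying policy p, and with which right. A user who is in a
// Read group but is also named individually with Full control ends up with Full
// control, which is how the paper says that right is typically used.
func IssueUseLicense(dir Directory, p Policy, consumerSMTP string, now time.Time) (*UseLicense, error) {
	if !p.Expires.IsZero() && now.After(p.Expires) {
		return nil, ErrExpired
	}
	consumer := strings.ToLower(consumerSMTP)
	best := NoRight
	for _, e := range p.Entries {
		if strings.EqualFold(e.Principal, consumer) || dir.IsMember(consumer, e.Principal) {
			if e.Right > best {
				best = e.Right
			}
		}
	}
	if best == NoRight {
		return nil, ErrNoRights
	}
	// A licence that must be re-verified on every open is never cached locally.
	return &UseLicense{Consumer: consumer, Right: best, Cacheable: !p.VerifyEveryOpen}, nil
}

// EffectivePolicy applies the hierarchy the paper describes for attachments: a document
// that already carried its own rights keeps them; an unprotected one inherits the message's.
func EffectivePolicy(message Policy, attachment *Policy) Policy {
	if attachment != nil {
		return *attachment
	}
	return message
}
```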

Types of Rights Available
Using RMS-enabled applications, such as Word 2003, Excel 2003, and PowerPoint 2003 from Office Professional Edition 2003, a document owner can apply rights to a document file through one of three methods:

  • Default rights applicable to all consumers (such as Read or Change)

  • Customized combinations of rights assigned to each specified individual or group of consumers

  • Templates created by the RMS administrator to apply a predefined set of rights to a predefined set of individuals or groups of consumers

Alternatively, e-mail senders have the option of using Outlook 2003 to apply rights to the message and any unprotected Word, Excel, or PowerPoint document attachments that might be included. By default, the only rights setting that Outlook 2003 offers is read-only rights for e-mail messages and any attached document files from applications that support RMS. However, a customized rights policy template for Outlook 2003 can be used to expand the number of rights offered.

Each of the rights available in IRM in Office Professional Edition 2003 offers or limits certain activities that a consumer can perform with the protected content. The rights that IRM makes available can grant or deny consumers permission to read, save, copy, modify, print, and forward protected objects. User rights can also be set to expire on a preset date. Table 2 discusses the details of what each of these rights does to protect content.

Table 2. IRM Rights and Their Definitions

| Right | Description |
|---|---|
| Full control | This right provides the consumer with the same abilities given to the publisher. This right acts as if no rights restrictions have been applied. It is typically enabled only for an individual who is a member of a larger group of consumers for which rights that are more restrictive have been applied. It can also be used to transfer ownership of a document. |
| Change | This right enables the consumer to read, edit, and save changes to a protected document (but not print). |
| Read | This right enables the consumer to read a protected document but not print, edit, save, or copy (and with Outlook 2003, also not forward). |
| Document expiration | This right expires the consumer’s ability to open a protected document at a date set by the publisher.* |
| Print content | This right denies the consumer the ability to print protected content. |
| Allow users with read access to copy content | This right enables the consumer to read and copy content of a protected document to the clipboard but not print, edit, or save. |
| Access content programmatically | This right enables protected content to be accessed by another application programmatically. |
| Users can request additional permissions | This right enables the consumer to contact the publisher at a specified e-mail address to request an upgrade in the rights assigned. |
| Allow users with earlier versions of Office to read with browsers supporting Information Rights Management | This right enables protected content to be read in Microsoft Internet Explorer through RMA. |
| Require a connection to verify a user’s permission | This right sets the use license to expire immediately after the protected content has been accessed. As a result, the consumer must have online access to the RMS server to get another use license every time the document is opened. |

* Document expiration does not destroy the document. Only the right to open the document is expired.

Note: IRM rights in Office 2003 can be applied only to the entire document and not to parts of the document.

By default, not all document types in Office Professional Edition 2003 offer the ability to set all of the rights available in IRM. Table 3 lists the policy restrictions available in the RMS-enabled applications within Office Professional Edition 2003.

Table 3. Applicable Policy Restrictions

Outlook 2003:

  • Read (cannot forward, print, save, or copy)

Word 2003, Excel 2003, and PowerPoint 2003:

  • Full control

  • Change content but no printing

  • Read (cannot print, save, or copy)

  • Read with copy content permission

  • Print content

  • Document expiration

  • Enable content access programmatically

  • Require new license with every access

  • Provide e-mail address for users to request upgraded rights

  • Enable content access by means of RMA

Rights are applied to objects hierarchically. For example, assume that a Word 2003 document file (created in Office Professional Edition 2003) is attached to an Outlook 2003 e-mail message. If rights were not applied to the document prior to being attached but are subsequently applied to the e-mail message, the attached document inherits the rights applied to the e-mail message. If rights were applied to the attached document prior to the attachment, the document’s rights are unaffected by e-mail rights.

In Outlook 2003, a message can be expired at a certain date through the Expiration setting under Options. If the Do Not Forward (the read-only setting) option is selected and message expiration is set, the expiration setting is enforced by IRM.

Note: Expired content does not delete itself—it only locks out the consumer. The publisher and members of the Super User distribution group are still able to open the content.

Customized RMS Templates Available from Microsoft IT
The RMS-enabled applications in Office Professional Edition 2003 support the use of preconfigured, default, rights-setting policy templates to allow enterprises to define the most commonly needed standardized sets of rights for safeguarding documents.

If the feature requiring a new use license with every access is used with a template, rights policies can be dynamically changed after the document has been published or sent in e-mail. This way, the company retains the option to further restrict or loosen control on one or more users at any time.

For example, with Outlook 2003 e-mail, the only default assignable IRM setting is read-only. Through an RMS template, customizable rights beyond the default can be applied. All of the RMS-enabled applications in Office Professional Edition 2003 support the same policy templates.

Microsoft IT offers users at Microsoft four RMS templates to use for protecting Office Professional Edition 2003 e-mail messages and documents. All of these templates define the intended audience, based on the use of specific company distribution groups and the specific rights provided to that audience. The templates are identified as follows:

  1. Microsoft Confidential

  2. Microsoft Confidential Read Only

  3. Microsoft FTE Confidential

  4. Microsoft FTE Confidential Read Only

With the first two templates, the distribution group used is the Microsoft All Staff distribution group. This group includes all Microsoft full-time employees, contractors, and vendor staff. Any person not included in this distribution group, such as people outside the company, will not be able to open content protected when this template is used to protect content. The second template modifies the first template with the application of restrictive read-only rights.

The third and fourth templates use the Microsoft full time employee (FTE) only distribution group. Any person not included in this distribution group—such as contractor and vendor staff, along with anyone outside the company—cannot open any content protected with this template. The fourth template applies the restrictive read-only rights to the FTE distribution group.

The master version of a policy rights template resides in the RMS database and is always used when a use license is created so that the most recent policy set by the RMS administrator is enforced. Each template created must be exported to each RMS client computer that needs to use the template. These local versions of the templates do not need to be updated every time the RMS administrator updates the template, because the RMS server uses its own copy when evaluating the rights specified in the template. However, templates still need to be available locally for a user to select them when performing offline publishing, as in the case of Office 2003.

Encryption Used with RMS
When content is published through RMS, it can be encrypted with either Data Encryption Standard (DES) 56-bit encryption or Advanced Encryption Standard (AES) 128-bit encryption. The publishing application determines the strength of encryption used. Office 2003 always uses AES 128-bit encryption to protect its content. Symmetric key encryption—the type of encryption used by RMS-enabled applications—uses the same key to encrypt and decrypt content.

All RMS servers, client computers, and user accounts also have a public and private pair of 1,024-bit Rivest-Shamir-Adleman (RSA)–based encryption keys. RMS uses the public and private keys to encrypt the symmetric key along with the rights policy data in the publishing license and the use license. RMS also uses the public and private keys to digitally sign RMS certificates and licenses, ensuring only properly authorized users and computers can open and use protected information.
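An added Go model of the key handling this section describes: a random AES-128 content key and the rights list are sealed to the RMS server's RSA public key inside the publishing license, and the server releases the key to a named consumer in a use license sealed to that consumer's own RSA key. This is not code from the paper or from RMS; the license structures, the JSON encoding, AES-GCM and the example.com addresses are assumptions of this model, and it uses 2048-bit RSA rather than the 1,024-bit keys the paper describes because a 1,024-bit OAEP payload is too small for the sealed blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// sealedPolicy is what the publisher encrypts to the RMS server's public key: the
// content key and the rights list, so neither can be read or altered without the
// server's private key (constructed model, not RMS's XrML licence format).
type sealedPolicy struct {
	ContentKey []byte            `json:"key"`
	Rights     map[string]string `json:"rights"` // lower-case consumer SMTP -> Read, Change or FullControl
}

// PublishingLicense travels with the encrypted content and names the issuing server.
type PublishingLicense struct {
	ServerURL  string
	SealedBlob []byte // RSA-OAEP(serverPub, JSON(sealedPolicy))
	Nonce      []byte
	Ciphertext []byte // AES-128-GCM(contentKey, plaintext)
}

// UseLicense returns the content key to one consumer, sealed to that consumer's key.
type UseLicense struct {
	Right     string
	SealedKey []byte // RSA-OAEP(consumerPub, contentKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish runs offline, as Office 2003 does: only the server's public key is needed.
func Publish(serverURL string, serverPub *rsa.PublicKey, plaintext []byte, rights map[string]string) (*PublishingLicense, error) {
	key := make([]byte, 16) // 128-bit AES key, the strength Office 2003 uses
	rand.Read(key)          // crypto/rand.Read is documented never to return an error
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	blob, _ := json.Marshal(sealedPolicy{ContentKey: key, Rights: rights}) // cannot fail for this struct
	// OAEP under a 2048-bit key holds at most 190 bytes, so this toy seals only short
	// rights lists; a production design seals just the key and signs the policy.
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, blob, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &PublishingLicense{ServerURL: serverURL, SealedBlob: sealed, Nonce: nonce, Ciphertext: ct}, nil
}

// IssueUseLicense is the server side. Only the holder of the server's private key can
// open the sealed blob, so only the issuing server decides who receives the key.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl *PublishingLicense, consumerSMTP string, consumerPub *rsa.PublicKey) (*UseLicense, error) {
	blob, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, pl.SealedBlob, nil)
	if err != nil {
		return nil, err // publishing licence was not issued against this server
	}
	var sp sealedPolicy
	if err := json.Unmarshal(blob, &sp); err != nil {
		return nil, err
	}
	right, ok := sp.Rights[strings.ToLower(consumerSMTP)] // SMTP addresses compare case-insensitively
	if !ok {
		return nil, errors.New("consumer is not named in the rights list")
	}
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, consumerPub, sp.ContentKey, nil)
	if err != nil {
		return nil, err
	}
	return &UseLicense{Right: right, SealedKey: sealedKey}, nil
}

// Consume is the client side: unseal the content key and decrypt. The granted right is
// then enforced by the RMS-enabled application, not by the cryptography itself.
func Consume(consumerPriv *rsa.PrivateKey, pl *PublishingLicense, ul *UseLicense) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, consumerPriv, ul.SealedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pl.Nonce, pl.Ciphertext, nil)
}
```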

Process Used by IRM to Generate and Retrieve Licenses
To publish data with RMS technologies enabled, document publishers follow the same logical and fundamentally interlinked workflow that they already use for their information, such as sending an e-mail message or posting to a SharePoint website.

Figure 1 summarizes how RMS works when users publish and consume rights-protected content, as with Office Professional Edition 2003 applications and IRM policies.

Figure 1. Process of generating and retrieving licenses for rights-protected content

Note: This process assumes that both the publisher and the consumer have already been activated.

This process includes the following steps:

  • An author creates a document that contains confidential content by using an Office Professional Edition 2003 application, such as Word 2003, Excel 2003, or PowerPoint 2003. To customize the usage rights of the document, the author clicks the Permission toolbar button, which displays the Permission dialog box. On the first page of the Permission dialog box, the author can assign either Read-only or Change rights to all consumers or to specific individuals and/or distribution groups. If the author needs greater control, he or she can click the More Options button to assign Full Control to individuals and/or distribution groups, or further modify the Read-only or Change rights. From this dialog box, the author can further customize the settings by using all of the rights listed earlier in Table 2.

  • Office Professional Edition 2003 always publishes content offline. However, to enable that function, a publishing license, also known as the Client Licensor Certificate (CLC), must first be installed on the publishing computer. The CLC, generated by the RMS server, is encrypted with a random symmetric key and the RMS server public key and is therefore unique to each publishing computer. After the CLC is installed, the publisher no longer needs online access to the RMS server to publish content. One CLC is used to publish all offline content generated from the publishing computer.

Note: If the publisher has never before published rights-protected content, a CLC has not yet been installed. The publishing computer requests a CLC from the RMS server upon the first instance of publishing rights-protected content. The RMS server generates the unique CLC and sends it to the publishing computer, thereby enabling Office Professional Edition 2003 to publish rights-protected content offline.

  • The Office Professional Edition 2003 application uses the installed CLC to generate and sign the document’s publishing license. Then, RMS encrypts the document file with the random symmetric key and binds the publishing license to the document file. The random symmetric key used to encrypt the protected file is joined with the rights policy assigned to the encrypted object and encrypted with the public key of the RMS server. Only the RMS server that issued the CLC to the publisher can issue licenses to decrypt and open the symmetric key-encrypted content. The publishing license contains the Uniform Resource Locator (URL) of the RMS server.

Note: If the author is using an RMS-enabled application that performs online file publishing, a CLC is never created; nor is one used as part of the publication process. Instead, the application generates a symmetric key and sends a request for a publishing license directly to the RMS server. The request includes the symmetric key and the usage policies. The RMS server generates a publishing license, encrypts a random symmetric key with the server public key, and returns the publishing license to the application. Online publishing requires this process for each document published.

  • The author distributes the protected document.

  • A consumer receives the rights-protected Office Professional Edition 2003 document through a regular distribution channel, such as e-mail, a SharePoint website, or removable disk storage media, and opens it by using either an RMS-enabled Office 2003 application or Internet Explorer with the RMA.

  • The Office Professional Edition 2003 application sends a request for a use license to the RMS server that issued the CLC used to protect the content. The request includes the consumer's Rights Management User Account certificate (RAC), which contains the consumer's public key, and the publishing license, which contains the encrypted symmetric key that encrypted the file and the rights policy information.

  • The RMS server validates that the consumer is authorized, checks that the consumer is a named user, and creates a use license. During this process, the server decrypts the symmetric key by using the private key of the server, re-encrypts it by using the public key of the consumer, and adds it to the use license, which contains the rights specified in the rights policy information of the use license request. This information includes any conditions attached to the use license, such as an expiration date or an application or operating system exclusion. This step ensures that only the intended consumer can decrypt the symmetric key and thus decrypt the protected file.

  • When the validation is complete, the RMS server returns the use license to the consumer's client computer.

  • After receiving the use license, the RMS client software component examines both the use license and the consumer's RAC to determine whether any certificate in either chain of trust requires a cross-check against a certificate revocation list (CRL). If so, the RMS client software retrieves a current copy of the CRL from the location specified in the use license. The RMS client then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the protected document file, the Office 2003 application renders the data, and the consumer can exercise the rights that he or she has been granted.
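The key handling behind the steps above, as an added model in Go that is not code from this paper or from RMS itself: the publisher encrypts the document with a random symmetric key and wraps that key to the server public key inside the publishing license; the server unwraps it only for a consumer named in the policy and re-wraps it to that consumer's RAC public key; the consumer unwraps and decrypts. It assumes RSA-OAEP for key wrapping, AES-GCM for content encryption, and e-mail addresses as policy names; the CLC signature, RAC issuance, the server URLs, and the CRL check are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublishingLicense travels with the protected document: the content key is
// wrapped to the RMS server's public key, so only that server can unwrap it.
type PublishingLicense struct {
	WrappedKey []byte            // content key encrypted with the server public key
	Policy     map[string]string // consumer e-mail -> right granted ("Read", "Change")
}

// UseLicense carries the content key re-wrapped to one consumer's RAC public key.
type UseLicense struct {
	WrappedKey []byte
	Right      string
}

type RMSServer struct{ Key *rsa.PrivateKey }

// genKey stands in for the key pairs RMS would hold (server key, RAC keys).
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish protects content offline (no server round trip): a fresh random
// symmetric key encrypts the document and is then wrapped to the server key.
func Publish(serverPub *rsa.PublicKey, plaintext []byte, policy map[string]string) ([]byte, PublishingLicense, error) {
	buf := make([]byte, 32+12) // 256-bit content key, then a 96-bit GCM nonce that is prefixed to the ciphertext
	if _, err := rand.Read(buf); err != nil {
		return nil, PublishingLicense{}, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, PublishingLicense{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, contentKey, nil)
	return gcm.Seal(nonce, nonce, plaintext, nil), PublishingLicense{WrappedKey: wrapped, Policy: policy}, err
}

// IssueUseLicense is the server step: confirm the consumer is named in the policy,
// unwrap the content key with the server private key, re-wrap it to the consumer.
func (s *RMSServer) IssueUseLicense(lic PublishingLicense, consumer string, consumerPub *rsa.PublicKey) (UseLicense, error) {
	right, ok := lic.Policy[consumer]
	if !ok {
		return UseLicense{}, errors.New("denied: consumer not named in rights policy")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, lic.WrappedKey, nil)
	if err != nil { // the license was not issued against this server's key
		return UseLicense{}, err
	}
	rewrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, consumerPub, contentKey, nil)
	return UseLicense{WrappedKey: rewrapped, Right: right}, err
}

// Consume is the client step: unwrap the content key with the consumer's RAC
// private key (held inside the lockbox in real RMS) and decrypt the document.
func Consume(consumerKey *rsa.PrivateKey, ul UseLicense, ciphertext []byte) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, consumerKey, ul.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil || len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("bad content key or truncated ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	server, alice, bob := &RMSServer{Key: genKey()}, genKey(), genKey() // alice, bob: RAC key pairs
	ct, lic, _ := Publish(&server.Key.PublicKey, []byte("FY04 forecast (constructed sample)"), map[string]string{"alice@example.com": "Read"})
	ul, err := server.IssueUseLicense(lic, "alice@example.com", &alice.PublicKey)
	pt, _ := Consume(alice, ul, ct)
	fmt.Printf("alice: err=%v right=%s content=%q\n", err, ul.Right, pt)
	_, err = server.IssueUseLicense(lic, "bob@example.com", &bob.PublicKey)
	fmt.Println("bob:", err) // denied: not named in the rights policy
}
```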

Secure Sockets Layer Connections Used for All RMS Communications
Microsoft IT configured RMS such that all communications between clients and the RMS servers are conducted through Secure Sockets Layer (SSL) tunnels, regardless of whether the connection passes through the corporate firewall or not. This extra precaution ensures the security of the data transmitted.

RMS Licensing Outside the Firewall
The RMS licensing process functions essentially the same way whether the content consumer is within the publisher’s network boundary or outside it. For content consumers at Microsoft attempting to open internally licensed rights-protected content outside the corporate network boundary, Microsoft IT placed an RMS server in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) between its firewalls, enabling its users with Internet connections to receive the use licenses needed to open protected content. The minimum technical requirements were a valid RAC for the consumer and online access to the RMS server that issued the publishing license. Microsoft IT also required its external users to successfully enter their Windows authentication credentials before a use license was provided.

Microsoft IT decided to enable valid consumers of rights-protected content to open that content when located outside the Microsoft corporate firewall. Embedded within the publishing license of a protected document is a pair of URLs (one internal, one external) for the server that created the document’s publishing license (or in the case of the use of a CLC, the server that issued the CLC). The Office 2003 application first attempts to connect to that RMS server with the intranet URL to get the use license. If the internal URL fails to resolve, the application then attempts to use the external URL. As long as the client computer is connected to the Internet, the RMS server can be accessed. However, because the user is not authenticated on the Microsoft corporate network, the consumer will first be prompted for valid user name and password credentials. After the credentials have been validated, the use license (and, if necessary, a temporary RAC) can be issued, enabling the client to open the protected content.

Note: For any computer on which the consumer has not logged on with domain credentials, such as an employee’s home computer, the enterprise RMS server issues a temporary RAC for opening rights-protected e-mail and documents after prompting for the consumer’s logon credentials. The temporary RAC is only valid for 30 minutes. The employee’s home computer will need to download a new temporary RAC to open rights-protected content if any existing temporary RAC has expired.

Caveats for Semi-Trusted Computers
Microsoft IT classifies employee-owned home computers running Microsoft Windows XP that are not managed by Microsoft IT but are used to access corporate e-mail by means of OWA as semi-trusted computers. Employee-owned mobile devices that are used to read corporate e-mail are also classified as semi-trusted computers.

The ability of the content consumer to open rights-protected e-mail messages and documents depends on the ability of the consumer’s computer to acquire and use digital licenses. Because of the wide variety of hardware computing platforms and possible operating system and software configurations, and because Microsoft IT does not manage these computers, properly configuring semi-trusted computers to open rights-protected e-mail messages and documents can be challenging for the end user.

Use of RMA to Open Rights-Protected Content
Consumers not yet using Office 2003 are able to view rights-protected Outlook 2003 e-mail messages and attached Office 2003 documents after they install the RMA for Internet Explorer. Because RMA is a viewer that runs within Internet Explorer, RMA enforces the rights set by the publisher, but cannot enable the consumer to edit protected content, even when that right was granted to the consumer. RMA requires the client computer to have online access to the RMS server for receiving a use license.

Consumers can always use RMA to view Outlook 2003 messages, but other rights-protected document types created in Office Professional Edition 2003 applications must explicitly specify that RMA can be used when the publisher applies the IRM policies. The publisher enables the RMA viewing policy in documents by selecting the Allow users with earlier versions of Office to read with browsers supporting Information Rights Management check box in the More Options section of the Permissions dialog box in Word 2003, Excel 2003, and PowerPoint 2003.

To install RMA on a semi-trusted computer, the logged-on user account must have sufficient permissions (such as administrator permissions on computers running Microsoft Windows XP Professional). Any semi-trusted computer on which the consumer has permissions to install software can be enabled to view rights-protected e-mail messages and attached documents through RMA.

Limits on Creating Rights-Protected Content
Although consumers have the ability to view rights-protected content through RMA, the only way to publish rights-protected content is from applications within Office Professional Edition 2003, such as Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003. In the future, third-party applications designed to support RMS will also enable the publication of rights-protected documents.

Limits on Mobile Devices
At the time of this writing, there are no downloadable RMS client viewers, such as RMA, available for users opening and using rights-protected e-mail and documents on mobile devices. In addition, neither Pocket Word nor Pocket Excel supports opening rights-protected documents.

Business Benefits of Deploying RMS

Microsoft realized several benefits after Microsoft IT deployed RMS combined with the IRM feature in Office Professional Edition 2003. RMS fills a technology gap that no other product serves, both in the e-mail space and with other business productivity documents, in helping users manage who can open their content and how their content can be used or shared.

The benefits that RMS technologies provide can be classified into three categories: enterprise, end user, and IT.

Enterprise Benefits
The following benefits are most applicable to enterprises.

Protection of Intellectual Property
The ability to protect intellectual property within Office Professional Edition 2003 e-mail messages and documents safeguards Microsoft corporate assets. Only authorized consumers can decrypt and open rights-protected messages and documents. Unauthorized consumers are unable to open encrypted content at all, whereas the document usage abilities of authorized consumers are limited to the rights settings granted by the publisher.

By protecting confidential business data, Microsoft and its business partners can feel more assured that the sensitive information they create, as well as related written reports and e-mail discussions, will remain confidential.

Greater Sharing of Sensitive Information
The content protection of IRM reduces the risk of unintentional exposure of confidential materials. The data publishers' confidence, derived from that reduction of risk, enables them to take greater advantage of Outlook and SharePoint websites for disseminating sensitive business information. Because this information is available, recipients can make better, faster decisions, thereby improving business agility.

This confidence enables Microsoft and its business partners to use business-efficient means of transmitting confidential information between one another, such as e-mail and secured intranet websites, to remain highly flexible and agile to respond to changing business and market conditions.

Rick Devenuti, the Microsoft Chief Information Officer (CIO) and Corporate Vice President, Services, believes the business value offered by protecting sensitive business data with RMS is clear. “Prior to the deployment of Information Rights Management with Office 2003, the leadership team at Microsoft didn’t have the ability to control the usage and distribution of sensitive information, such as financial forecasts. Prior to IRM, internal information would be clearly marked ‘Do Not Forward,’ but we didn’t have a reliable enforcement method. With IRM, financial forecasts can be rights management protected, reducing the probability of them being distributed or used inappropriately.”

Application Support
RMS is a platform that can be incorporated into both commercial applications and internally developed LOB applications to help protect information. This solution makes it possible to incorporate protection across the entire range of corporate information. Microsoft IT, the team deeply involved in the design and implementation of over 1,500 internal LOB applications at Microsoft, is busy designing next-generation LOB applications that are RMS enabled to better safeguard confidential data. For more information about the RMS software development kits (SDKs), go to https://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx.

Common RMS Language
RMS technology uses eXtensible rights Markup Language (XrML) version 1.2.1 as the common language for expressing rights, which enables organizations to minimize the investment required to take advantage of RMS technology. XrML is a flexible, extensible, and interoperable standard equipped to meet any organization’s needs, regardless of industry, platform, format, media type, business model, or delivery architecture.

End-User Benefits
The following benefits of offering RMS in the enterprise apply to end users.

Simple Tools for Users
Document publishers can assign usage policies to their content by using any application that is RMS enabled, such as Office Professional Edition 2003 or any internally developed LOB application written to support RMS. Usage policies specify who can open the information, the specific rights granted to each of the consumers, and how long those consumers can view or use the protected content. Specified users can open the rights-protected content with a simple click of a mouse, as they would any other file. Verification of usage policies is transparent to users.

Powerful Document Protection Features
RMS technology enables persistent file-level protection, extending and enhancing existing network security efforts. Content owners can specify usage policies for their data, such as print, copy, and expire, giving them more features and options for protecting that information on the company intranet and in some extranet scenarios.

IT Benefits
The use of RMS as the solution to safeguard confidential data offers the following benefits to the enterprise IT department.

Ease of Implementation
RMS technology is designed to minimize the effort required by enterprises to implement an RMS solution. Administrators can easily set up and configure their RMS system, connect it to other enterprise-critical servers such as those running Active Directory, connect it to external services, build and enforce usage policies, and establish trusted entities outside the organization. Flexible options make it easy to deploy a single-server configuration or a global, distributed RMS system topology. As a stateless Web service, RMS can easily scale up or out to meet enterprise growth needs.

Ease of Administration
Administrative features of RMS, such as revocation lists and exclusion policies, provide a new level of control for sensitive and proprietary content at Microsoft. In addition, comprehensive logging allows Microsoft IT to monitor licensing activity, including granted and denied requests.

The general use of rights policy templates enables an enterprise to define and roll out communication policies that are consistent across the organization and digitally enforced. RMS administrators design and control the content of the templates, and store them on the RMS servers for the enterprise publishing community to use. RMS administrators can easily modify the template definitions of approved consumers and the rights they are granted within a rights-protected document. Templates offload from the publisher the effort of determining who should be granted user rights and what types of rights each intended consumer should receive, simplifying the process the publisher needs to follow. Furthermore, when modifications are made to a template, all past, present, and future content based on that template will inherit the new rights when a use license is issued.

Deployment

Microsoft IT differs from the IT organizations of other large enterprises in one significant way: Microsoft IT plays a significant role in the enterprise software development process as the “first and best customer” of Microsoft. In that role, it deploys Microsoft products into a production environment well before they are available to any other Microsoft enterprise partners and customers. In addition, Microsoft IT strives to be the model enterprise for deployment of those products. However, Microsoft IT does not deploy every Microsoft product. Rather, it focuses only on those products that are targeted toward large enterprise organizations and for which there is a clear and compelling business case for deploying the products within Microsoft.

Approach and Strategy
As with any major deployment in Microsoft IT, the key to success for the RMS deployment was careful planning. Microsoft IT obtained topology diagrams, product specifications, hardware and scalability estimates, and other product documentation published by the RMS product group that could help plan the deployment and identify the hardware needs. The performance goals that Microsoft IT had for RMS included a less than 5 percent impact on network domain controllers and a completion rate of at least 95 percent of all licensing requests within five seconds.

Microsoft IT studied the projected network traffic that RMS would add to its infrastructure, based on RMS product group deployment information provided in the Deploy.chm file (a component of the RMS installation). The product group established a benchmark measurement of Windows RMS by using a 1-gigahertz (GHz) Intel Pentium 4 server that had four processors and 1 gigabyte (GB) of random access memory (RAM). In this configuration, the RMS server delivered approximately 100 licenses per second.

The capacity planning figures in Table 4 were provided by the RMS product group for estimating the usage requirements for an RMS system.

Table 4. Estimated Usage Requirements for RMS

Transaction | Occurrence | Client-to-server bandwidth usage (KB) | Server-to-client bandwidth usage (KB)
--- | --- | --- | ---
License request | Repeated for every user and for every piece of content | 22 | 10
RMS machine activation | Windows RMS initialization traffic only | 1 | 200
RMS account certification | Windows RMS initialization traffic only | 10 | 16
Client enrollment | Windows RMS initialization traffic only | 11 | 10

Microsoft IT also recognized that the Active Directory query traffic generated by RMS could potentially affect network throughput. However, Microsoft IT determined this would not be a major factor if RMS servers were deployed in close proximity to the global catalogs. The exception would be if a failure of all global catalogs at a site caused a failover to another site over a connection that did not support the same capacity throughput.

Table 5 provides baseline data on the bandwidth usage of RMS transactions that can be used to assess the effect of Active Directory query traffic on a network.

Table 5. Baseline Data for Active Directory Traffic Bandwidth Usage

Transaction | Windows RMS to global catalog bandwidth usage (bytes) | Global catalog to Windows RMS bandwidth usage (bytes)
--- | --- | ---
Windows RMS connection establishment (ldap_bind) | 1,600 | 200
Windows RMS group-membership evaluation (ldap_search) | 200 | 100

Note: Numbers must be applied in context. For example, if the user belongs to 15 groups, 200 bytes would be required for the search request from RMS, and 1,500 bytes (100 bytes × 15) would be required for the response from the global catalog.

Analysis of the projected usage of RMS within Microsoft IT’s network infrastructure showed the impact to be negligible. Table 6 illustrates the specific effects that RMS has had on the Microsoft corporate network.

Table 6. RMS Network Load Metrics within Microsoft IT

Monitored site name | Average bytes sent | Maximum bytes sent | Average bytes received | Maximum bytes received | Number of requests
--- | --- | --- | --- | --- | ---
Machine Activation | 511,687 | 39,698,882 | 1,974 | 139,646 | 226,508
User Certification | 17,823 | 1,228,016 | 13,185 | 880,856 | 338,925
Publishing | 18,242 | 325,430 | 19,532 | 305,515 | 136,927
Licensing | 17,618 | 1,319,349 | 54,652 | 3,171,780 | 992,692

Using the information gathered during the planning phase, Microsoft IT decided on the deployment topology, the number and class of servers to order, and the service availability requirements.

In January 2003, Microsoft IT began preparations for its initial RMS deployment. Based on the RMS product group projections and the results of Microsoft IT lab testing, Microsoft IT predicted that approximately 2 percent of all e-mail messages and attached business productivity documents sent within Microsoft would use IRM to enforce policy. This figure was based on Microsoft IT’s knowledge of its user base, the likelihood that the general population would adopt new technologies, and the degree to which the new technology would be used within the company.

Note: The usage estimate figure will be different for each deployment, and each enterprise deploying RMS will have to make its own determination on the projected need for and use of RMS technology. After an enterprise makes this estimate, it can determine the capacity planning requirements.

Scalability test data provided by the RMS product development group revealed that in the case of Microsoft IT, two standard-configuration servers would handle the load for all users within the company. This configuration included dual Intel Pentium 4 2.4-GHz computers with a 512-kilobyte (KB) Level-2 (L2) memory cache and 512 megabytes (MB) of RAM, set up as a load-balanced cluster pair.

To accommodate unanticipated usage growth, in addition to future expansion of RMS to LOB applications and other Microsoft and partner applications, Microsoft IT upgraded the RMS server specification to a four-processor, 2.4-GHz computer with 1 GB of RAM.

The number of RMS server clusters that Microsoft IT needed to deploy was largely dictated by the corporate Active Directory infrastructure. RMS, by design, initially looks in the account logon forest for issuing RACs and licenses. To offer all user accounts access to RMS technologies, Microsoft IT deployed a load-balanced RMS cluster in all corporate network forests that contain user logon accounts. Besides the main corporate forest, three other forests are used with logon accounts at Microsoft, primarily for testing of cross-forest functionality of enterprise software and to isolate other developmental testing efforts.

To simplify administration and troubleshooting issues with RMS, Microsoft IT chose to route all document publishing licensing requests to the main corporate forest RMS cluster, where over 90 percent of all Microsoft logon accounts are located. Routing publishing license requests to the main corporate forest resulted in higher availability and scalability requirements than those of the other three logon forests. To meet the higher overall workload, Microsoft IT added a third, identically configured RMS server to the primary corporate logon load-balanced cluster for failover support in cases of hardware failure.

Additionally, in order to meet its internal security requirements for protection of the RMS server’s private key, Microsoft IT elected to include nCipher nShield hardware security modules (HSMs) on its RMS server specification.

Microsoft IT uses Microsoft SQL Server™ 2000 for the required RMS transaction log database in each forest. This provides the ability to use transaction log shipping as a means to maintain a warm standby secondary server. Microsoft IT concluded that it would need a four-processor, 2.4-GHz computer with 1 GB of RAM and configured with 10 GB of available data storage space for the RMS and system database servers. In total, Microsoft IT purchased 13 servers for deploying RMS to all four forests with logon user accounts.

The final step in determining the deployment topology was identifying the connectivity methods for which Microsoft IT wanted to support RMS licensing. In particular, Microsoft IT determined that users need to have the ability to obtain licenses while not logged on to the corporate network. Microsoft IT decided to place RMS behind servers running Microsoft Internet Security and Acceleration (ISA) Server 2000, thus allowing Microsoft IT to use externally accessible URLs for RMS.

Figure 2 shows the load-balanced RMS cluster from the main corporate forest.

[Figure 2 image: RMS Topology]

Figure 2. RMS topology for the main corporate forest

The actual deployment of RMS, including installation and provisioning, was straightforward. The majority of time spent during the installation consisted of preparatory steps not directly tied to the RMS product itself. Work included the following:

  1. Pre-deployment planning. The following planning steps were required prior to the actual deployment of software:

    • Develop end-user usage scenarios

    • Determine extranet usage needs

    • Prepare database backup and disaster recovery plan

    • Design template definitions with the legal department

    • Create RMS client deployment plans

    • Create end-user computer settings for distribution

    • Create RMS service accounts with appropriate permissions

    • Create service URLs

    • Acquire SSL certificates

    • Establish required cross-forest trust policies

    • Create data retention and recovery policy

    • Establish Super User group membership policy

    • Perform cluster size planning

    • Acquire computer hardware

  2. Preparing servers. Microsoft IT set up and configured the server hardware for both RMS and SQL Server as necessary.

  3. Installing and configuring HSMs. Besides the hardware setup and Windows Server 2003 and SQL Server 2000 installations, installing and configuring the nCipher nShield hardware security modules consumed most of the setup time—approximately one hour per RMS server. Microsoft IT provisioned the first server in the root cluster, and then copied the private key of the first server to the local HSM of each additional server in the cluster. Microsoft IT also copied the SSL certificate of the first server to each additional server in the cluster.

  4. Setting up RMS on root servers. The end-to-end setup of RMS on the root server in each load-balanced cluster took approximately 20 minutes. Each additional RMS server took no more than five minutes to install and join to the existing cluster.

  5. Setting up databases. At the completion of the RMS setup, database administrators configured the recovery model for the RMS databases. Database administrators also set up database maintenance plans to perform database and log backups, database consistency checks, and log shipping, as appropriate. Microsoft IT implemented a simple recovery model for the directory services and logging databases, with a full recovery model and transaction log shipping on the configuration database.

It took approximately one month for Microsoft IT to order, configure, and deploy the RMS servers. The expenditure on hardware to implement RMS within Microsoft IT totaled approximately U.S. $56,000.

Client Deployment Pilots
Deploying Office 2003 to clients, though still relatively straightforward, required more effort. It is standard operating procedure for Microsoft IT to make some configuration changes to client installation packages prior to making them available to clients. Specifically for IRM, Microsoft IT chose to chain the installations of both the RMS client and RMA to the Office Professional Edition 2003 installations to provide a seamless experience for its users.

Note: Chaining the installation of the RMS client and RMA to the installation of Office Professional Edition 2003 was just one of the possible installation options available. Other IT organizations may choose to deploy the RMS client and RMA by means of Microsoft Systems Management Server (SMS) or by using Group Policy objects (GPOs).

After the RMS server infrastructure was in place, Microsoft IT prepared for its initial IRM pilot deployments during the company-wide deployment of a beta version of Office Professional Edition 2003.

Microsoft IT typically performs client deployments in staged rollouts to provide the best chance for success. Microsoft IT controlled access to the RMS pilots by disabling IRM in the beta versions of Office Professional Edition 2003 by default. Microsoft IT began with a small deployment to 50 selected clients for a one-week pilot. A week later, Microsoft IT expanded the pilot to members of the messaging team in Microsoft IT, the Rights Management Services product group, the Exchange product group, and the Office product group.

In total, approximately 5,000 Office Professional Edition 2003 beta users were configured to participate in the second pilot for a two-week period. Microsoft IT provided each of these eligible pilot participants with a special RMS client installation script that enabled IRM functionality in their beta Office Professional Edition 2003 installation. However, usage of the service during the second pilot was quite light (likely because both the publisher and the consumer needed to have IRM capabilities, and not many users were fully aware of how to use IRM), so despite the large number of eligible participants, the pilot was small enough to be easily managed.

During the pilot, many varied usage scenarios were run to test the functionality of the features and determine the load they placed on the infrastructure. As of the Office Professional Edition 2003 beta refresh release several months later, Microsoft IT enabled IRM functionality for all user installations company wide.

Machine Activation and User Certification
Before an RMS client can be used on a client computer, a series of activation and certification processes must be completed. The machine activation and user certification process is automatically started when the RMS client is deployed through GPO or SMS, or when the RMS client is first used on a client computer if not activated during installation. In total, two new certificates and a custom dynamic-link library (DLL) are installed on each client computer that uses the RMS client.

The RMS client begins the activation process by activating the client computer itself. To activate the client computer, the RMS client obtains and installs a highly secure DLL file, known as the lockbox. The lockbox, a secure repository loaded into the client computer’s memory, is where all of the encryption and decryption of rights-protected content occurs.

Figure 3 illustrates how the machine activation and user certification process works.

[Figure 3 image: RMS Machine Activation Service]

Figure 3. Machine activation and user certification process

The activation process includes the following steps:

  1. The client computer polls Active Directory for the location of the RMS Certification servers in that forest, which is stored in a ServiceConnectionPoint object. Alternatively, the client computer can employ registry settings.

  2. The client computer obtains the URL for the activation service on the RMS servers from Active Directory.

  3. The client computer sends the RMS server a computer activation request. The activation request includes the client computer’s unique hardware ID.

  4. The RMS server proxies the request and forwards it through the corporate firewall (which, in the case of Microsoft IT, uses ISA Server) by using an SSL connection.

  5. The activation request is delivered to the RMS Machine Activation Service, an activation service hosted by Microsoft on the Internet.

Note: All corporate environments deploying RMS will need to have Internet access available to enable client activation through the hosted RMS Machine Activation Service.

  6. The RMS Machine Activation Service takes the client computer hardware ID included with the activation request and securely compiles the custom lockbox DLL, ensuring that the lockbox would be invalid on any other computer.

  7. Upon completion, the RMS Machine Activation Service sends the new lockbox back through the ISA Server firewall by means of an SSL connection.

  8. The lockbox is passed through the firewall to the originating RMS server.

  9. The lockbox file is installed on the client computer.

Note: To install the lockbox file, the logged-on user account must have administrator access on the client computer. For environments that do not permit users to have administrator access to their own systems, the RMS client software can be deployed through GPO or SMS, which will cause the computers to be activated at the time of installation. Users can still download and install their RACs and CLCs, and create and retrieve licenses without administrator access to their computers.

  10. The activation process on the client computer presents the active Windows logon credentials to the RMS Certification server to receive a RAC.

  11. The RAC, which includes the user’s public and private key pair and all valid SMTP e-mail addresses associated with that user account, is built from information contained in Active Directory and installed on the client computer. Both of these activities use the RMS Certification servers located in the same forest as the user account.

     With all subsequent publishing requests and all licensing requests, the RAC is sent along with the request. The RAC is used to authenticate the user with the RMS server, thereby enabling the RMS server to grant the request.

  12. A third, optional RMS component that Microsoft IT elected to install during the initial activation is the CLC, which enables an author to publish content with rights protection without needing an active connection to the RMS server. The CLC, unique to each user’s RAC, contains the public key of the RMS server. The same CLC is used to publish all content originating from the activated user on the activated computer. The CLC is, by default, obtained from the RMS Certification server. If the organization deploys sub-enrolled RMS Licensing servers, the CLC can be obtained from them through registry overrides.

Note: Office Professional Edition 2003 uses the CLC because only offline publishing is supported in the product. Applications that perform online publishing do not use a CLC.

As part of the Office Professional Edition 2003 deployment process at Microsoft, Microsoft IT automatically activated RMS for both the computer and the user account.

Service and Support
The additional support requirements for Microsoft IT for implementing RMS and IRM at Microsoft were minimal. The reasons for the minimal support requirements were as follows:

  • The Microsoft IT end-user support teams absorbed RMS end-user support duties. No additional support personnel were needed.

  • The Exchange Server Support (ESS) team in Microsoft IT absorbed RMS server administration duties. No additional administrator personnel were required.

  • The RMS SQL Server databases were backed up through existing SQL Server support infrastructure. No additional infrastructure was needed.

  • The RMS server infrastructure used Microsoft Operations Manager (MOM) for server monitoring by using the existing Microsoft IT MOM monitoring infrastructure. No changes were needed there, other than the installation of an RMS-specific MOM management pack (which is bundled with the RMS download). The RMS development team created the new management pack specifically for monitoring the status of RMS servers and activity on those servers.

In terms of staffing, Microsoft IT wanted to confirm its assumptions on how the RMS and IRM deployment would affect call volume to its internal Help Desk (Tier 1 in the support system at Microsoft), as well as service requests escalated to Tier 2 end-user and server support teams. The number of support calls specifically related to RMS and IRM on the Microsoft IT Help Desk turned out, as expected, to be quite small. In the last four months of 2003, Microsoft IT received an average of 50 calls per month related to RMS and IRM, of which approximately 80 percent were handled and closed by the Tier 1 Help Desk. The number of calls related to RMS and IRM is insignificant, considering that the Help Desk receives an average of approximately 11,000 calls per week. Approximately two-thirds of the calls that Microsoft IT received were resolved as either user training issues or non-RMS-specific issues.

Because Microsoft IT estimated that the majority of IRM usage would come from Outlook 2003, administration of RMS servers at Microsoft was assigned to the ESS team, a 24-hour, seven-days-a-week support organization consisting of three shift leads and 15 front-line operations analysts. ESS monitors the entire Microsoft worldwide Exchange infrastructure in addition to all issues associated with Unified Messaging, fax services, and Terminal Services. ESS uses MOM for event monitoring and alerting of the RMS servers. MOM is the standard tool for monitoring all applications and tools for which ESS is responsible. Alerts raised through MOM immediately notify this group to potential issues and automatically generate service requests in the event tracking system. The total impact of RMS on the ESS team was an additional two alerts per day for Tier 2 server support, and only 5 percent of those alerts related to a server issue that needed to be addressed. It takes an estimated two hours per week for one support manager to provide ongoing management of the RMS infrastructure.

Training
To educate the Help Desk and other support staff for the deployment of RMS and IRM, Microsoft IT used deployment guides and product help available from the Office 2003 and RMS product groups. These materials consisted mainly of the publicly available Office 2003 and RMS deployment guides. These materials were presented to the Microsoft IT Help Desk staff in the United States and Dublin in a single, one-hour-long session for each shift. Additionally, Microsoft IT subject matter experts wrote several knowledge base articles for use by the Help Desk and the Tier 2 end-user support teams. Microsoft IT did not conduct any further support-team training specific to RMS and IRM, in part to validate the ease with which RMS and IRM can be deployed in an enterprise.

Microsoft IT also produced and published user training—in the form of an informational e-mail message and online content—prior to the deployment of RMS. As with the training materials used for the support teams, Microsoft IT produced this content primarily from materials that the Office 2003 and RMS product groups made available.

Employing Super Users for Document Recovery
Document recovery is a key area of support in the Microsoft IT environment. RMS enables Microsoft IT to have a person or team of people assigned membership in an RMS Super User distribution group for efficient document recovery. If RMS rights are applied to a key document and the publisher subsequently becomes incapacitated or leaves the company before the policies can be removed, the Super User group can enable the editing or complete removal of the policies set by the original publisher. Microsoft IT has limited membership in the Super User group to a small number of highly trusted individuals. In addition, only in specifically defined business cases can a member of the Super User group intervene to annul the policies of a rights-protected document.

Having a means to remove publisher-assigned policies is sound corporate policy. Like most businesses and organizations, Microsoft considers all intellectual material that employees create at work by using its corporate network and computing resources to be Microsoft property. Microsoft needs to retain the ability to recover its property if, for example, a malicious user intentionally protects a document with IRM policies. Additionally, the ability to recover rights-protected documents is necessary for legal reasons in cases of discoverability in a court of law.

A member of a Super User distribution group on an RMS server is automatically granted full control rights to any rights-protected content published by that server. To ensure that this trust is not abused, Microsoft IT has specific business processes in place for when Super User permissions are used to open any rights-protected e-mail messages and documents.

The ESS team in Microsoft IT was assigned administrator rights on all RMS servers. The corporate security team within Microsoft IT is responsible for the Super User distribution group and manages the membership of that group. Both groups are notified anytime someone with rights assigned by membership in the Super User group attempts to open rights-protected content.

RMS first generates an event code in the RMS server’s event log anytime a license has been granted to a Super User member. The MOM RMS management pack captures this event and generates an alert message on the MOM console for the ESS team administrators who monitor RMS server activity. MOM also automatically sends e-mail messages to the corporate security team and other key members of the ESS team. This Super User accountability feature is built into RMS.

Note: The Super User feature can be left disabled until it is needed. At that time, it can be temporarily enabled, used as required, and then disabled again. This ability allows for tighter control by requiring a specific request to trigger the use of Super User permissions only when they are needed.

Lessons Learned and Best Practices

By thoroughly evaluating and deploying an RMS server infrastructure and using the IRM client technology in Office Professional Edition 2003, Microsoft IT learned several valuable lessons that can be applied as best practices in most other RMS/IRM deployment plans. Some of these lessons and best practices were learned during deployment, and others were learned as outcomes of the deployment. They can be divided into three general categories: deployment, security, and administration.

Deployment
The following lessons and best practices were derived from Microsoft IT’s experience in deploying RMS and IRM.

Educate Users
To take full advantage of the technology, users must be told that the service exists and taught how to properly use it. An organization can educate users by creating self-help training content and knowledge base articles, developing a dedicated intranet website for posting training materials and frequently asked questions (FAQs), and regularly advertising and discussing the service addition with employees during the deployment. Success in informing the user base on where to find the information needed to properly use the service will minimize the effect on the organization’s help desk.

Run a Pilot
Introduce RMS to the enterprise in a pilot deployment project with a limited set of users in a small, controlled area. During the pilot, test all of the desired enterprise-usage scenarios, including any templates that are planned.

When the first pilot is successfully completed, if the size of the eventual rollout is expected to include a very large number of users, conduct a second pilot to a larger (but still closely monitored) group of users. After identifying and considering scaling issues, begin the rollout to the rest of the organization, as resources and time permit. Remember that employees running earlier versions of Office than Office Professional Edition 2003 can use RMA as needed to read rights-protected e-mail and documents prior to their own upgrade to Office Professional Edition 2003.

At Microsoft, successively larger groups of consumers were sent rights-protected e-mail simultaneously to stress test the RMS licensing infrastructure. Microsoft IT considered the deployment of RMS and IRM officially complete when a rights-protected e-mail message was successfully sent to the company All Staff distribution group, and all valid consumers were able to read it.

Consider Network Bandwidth
Carefully consider network bandwidth constraints before adding new services to the existing core IT services. It is likely that the network was designed with different assumptions, necessitating the careful management of the risk of business disruption. Microsoft IT’s experience in deploying RMS technology with a new server infrastructure and license distribution demonstrated that the Microsoft corporate network bandwidth was not significantly affected.

Deploy All RMS Servers with a Failover Option
All servers supporting RMS in a forest should be deployed with at least two servers to support server failover in case of catastrophic hardware failure. This advice also includes the RMS transaction logging servers, which are used with every RMS transaction.

Choose the Best Client Deployment Model
Enterprises need to determine whether they want to deploy RMS clients by using SMS, using GPO, or chaining the RMS client to another deployment, as Microsoft IT did with the Office Professional Edition 2003 deployment. Microsoft IT knew that only about 75 percent of the computers in the enterprise were connected to SMS (the rest consisted of test computers, secondary portable computers, and computer labs used within the company). Microsoft IT does not use GPO to deploy software bits to clients; the use of GPO is reserved for distributing policies. Instead, Microsoft IT uses SMS for automating software distribution.

All Microsoft staff use Office Professional Edition 2003 as their business productivity application suite. Most employees installed Office Professional Edition 2003 at a later beta development stage. As such, Microsoft IT knew upgrades to the final release of the code would be required, so Microsoft IT added the provision to install and activate the RMS client to the installation script of Office Professional Edition 2003 from the Microsoft IT software distribution servers.

Use Configuration GPO to Enforce Corporate Settings
When beta versions of Office Professional Edition 2003 were released internally, some users in Microsoft installed the applications from distribution servers not managed by Microsoft IT (such as those used internally by the Office 2003 development team), bypassing the custom Microsoft IT installation scripts that routed all IRM document licensing requests to the main corporate forest. As a result, Microsoft IT was forced to use a GPO to deploy a registry subkey change to those clients. The change overrode the default RMS service discovery setting on client computers that were outside the Microsoft IT standard; by default, service discovery queries Active Directory in the user’s logon forest, which in turn refers the user to the RMS servers located in that same forest.

Address User Rights
Windows XP Professional requires the logged-on user account to have administrator permissions to install software. If an organization mandates that its employee users cannot have administrator rights, SMS can be used to install application and certificate files in a different user context than the logged-on user. SMS can then effectively mimic an administrator logon and complete the installation.

Automatically Retrieve Use License for Outlook
Microsoft IT uses Outlook 2003 in cached mode, which means Outlook 2003 does not need to maintain a constant connection with the Microsoft Exchange Server 2003 server to send and retrieve e-mail. Microsoft IT modified its Office Professional Edition 2003 installation script to update the registry subkey that controls whether client computers automatically retrieve use licenses for Outlook e-mail messages. This subkey setting prevents the appearance of a dialog box—which asks the user if he or she wants Outlook to automatically retrieve the use license for all rights-protected e-mail messages received—at the first time a rights-protected e-mail message or document attachment is sent to that e-mail client. Microsoft IT preset the automatic use-license download, which is a best practice that the Office Professional Edition 2003 product group recommends.

Consolidate Licensing Across Forests
With multiple forests, use the RMS Certification load-balanced cluster in one forest to serve publishing and licensing requests for the entire enterprise. This action simplifies administration tasks and minimizes troubleshooting work when all publication licenses come from the same source. Deploy registry subkeys to users from other forests to point them to this cluster. Use the RMS clusters of the other forests only for expansion of distribution lists and account activation.

Security
The following security lessons and best practices were derived from Microsoft IT’s experience in implementing and managing RMS and IRM.

Use LDAP Signing to Secure Network Communications
Communications between RMS and the global catalog should be digitally signed. Signing Lightweight Directory Access Protocol (LDAP) traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. Windows Server 2003 enables LDAP signing and encrypting by default. It is recommended that organizations use Windows Server 2003 for their Active Directory servers to be able to implement this best practice.

Do Not Use SQL Server Authentication Mode
For the highest level of security, do not configure SQL Server to support SQL Server authentication. In SQL Server authentication mode, credentials are passed in plaintext in the connection string, so it is recommended that SQL Server is configured to support only Windows authentication.

Enforce Access Restrictions
Ensure that only those personnel who need to administer RMS have:

  • Membership in the Administrators or RMS Service Group local groups on the RMS server

  • The Log on Locally permission

  • Terminal Services user access on the Remote Desktop Protocol (RDP) connection configuration

In addition, ensure that the discretionary access control lists (DACLs) that are configured for the servers restrict access to only essential personnel.

To support group expansion across forests, RMS automatically grants read access to directory services to all authenticated users who have domain credentials. To increase security, remove this access from the DACL and replace it with each service account that is in the different forests.

Secure SQL Server Databases
Allowing unprotected database communications is a high security risk. To help prevent malicious users from capturing or modifying logged data, secure SQL Server databases by configuring either SSL or Internet Protocol Security (IPSec) to provide encrypted channels.

Do Not Deploy Any Additional Services on RMS Servers
After provisioning RMS on a server, do not use this server to run any websites or additional services. If services other than the RMS services are run on RMS servers, conflicts that can result in security issues may occur. Isolating RMS on its own dedicated servers helped the Microsoft IT team predict and manage workload. Isolation also prevented the introduction of software incompatibilities that may have compromised the integrity or functionality of the RMS service.

Create a Dedicated User Account to Use As the RMS Service Account
For security reasons, it is highly recommended that a special user account is created for use as the RMS service account. This account should not be used for any other purpose and should not be given any additional permissions.

Use an HSM to Protect Private Keys
Instead of using software encryption, use an HSM to protect RMS private keys. Using an HSM improves the security of private keys by keeping private keys in tamper-resistant hardware and never exposing them to software-based attacks.

Use the Windows RMS Service Group to Manage Access to RMS Administration
Add members to the Windows RMS Service group, identifying those domain users or domain Global groups that are responsible for administering RMS in an organization instead of adding them to the local Administrators group. Then, use Internet Information Services (IIS) Manager to grant the group administrative permissions to the Windows RMS Administration virtual directory (_wmcs).

Note: If RMS is running on a domain controller, create a Domain Local security group and use the same name as the domain controller.

For even higher security, remove the domain users from the local Users group, and then add the users and groups who are members of the Windows RMS Service group to the local Guests group.

Administration
The following lessons and best practices were derived from Microsoft IT’s experience in managing and administering RMS and IRM.

Centralize Servers in a Single Location
It is a best practice to centralize RMS server deployment as much as possible (within the known constraints of link reliability and network bandwidth). Centralizing the RMS servers simplified server administration duties for the Microsoft IT team.

Prepare for RMS Server Monitoring Issues
The majority of failures with RMS are external to RMS itself. When these kinds of failures occur, RMS typically logs Event ID 9 to the server’s Application event log. A broad range of conditions generate Event ID 9, which identifies general error conditions in RMS. Many of these events are benign unless they occur in high volumes, though individual events may occur frequently.

To filter out error messages that are not related to a problem with RMS itself, Microsoft IT altered the prerelease version of the MOM management pack for RMS by creating a consolidation event in MOM to consolidate instances of Event ID 9 within a 60-second timeframe. An alert is generated when four or more of the exact same Event ID 9 error messages are received on the same server within the 60-second window.

Using this modified MOM management pack for RMS, the RMS server support team now gets an average of two alerts per day for RMS for the entire enterprise. Of those alerts, approximately 95 percent have been proven false positives from unrelated, benign conditions that nevertheless occurred in rapid succession. Of the remaining, valid alerts, most have been caused by environmental conditions. The modification that Microsoft IT made to the MOM management pack for RMS to create a consolidation event was so successful that the MOM development team incorporated it into the final shipping version of the RMS management pack.
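The consolidation rule described above, expressed as code, is an added example and not part of the Microsoft IT article or the RMS management pack. It raises one alert when four or more identical Event ID 9 messages from the same server fall inside a 60-second window and stays silent for isolated or slowly trickling events; the window, threshold and event ID are the values the article gives, while the server names, message texts and timestamps are constructed sample data.

```python
"""Consolidate RMS Event ID 9 entries into alerts the way the Microsoft IT
MOM rule does: one alert per burst of THRESHOLD identical messages from
the same server inside WINDOW. Added example; all event records are
constructed sample data, not real RMS log output."""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

EVENT_ID = 9                     # general RMS error condition (from the article)
WINDOW = timedelta(seconds=60)   # consolidation window used by Microsoft IT
THRESHOLD = 4                    # identical events needed to raise an alert

Event = namedtuple("Event", "ts server event_id message")
Alert = namedtuple("Alert", "server message first_ts last_ts count")


def consolidate(events, window=WINDOW, threshold=THRESHOLD):
    """Return one Alert per burst of `threshold` identical Event ID 9 entries
    from the same server within `window`. Events are processed in timestamp
    order; every other event ID is ignored by this rule."""
    recent = defaultdict(deque)   # (server, message) -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id != EVENT_ID:
            continue
        key = (ev.server, ev.message)
        q = recent[key]
        q.append(ev.ts)
        # Age out timestamps that fall outside the window ending at this event.
        while ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append(Alert(ev.server, ev.message, q[0], ev.ts, len(q)))
            q.clear()   # a new burst must accumulate `threshold` events again
    return alerts


# Constructed sample events (not real RMS messages).
T0 = datetime(2003, 11, 3, 9, 0, 0)
GROUP_ERR = "Group expansion failed for DL-Sales (constructed message)"
SQL_ERR = "Logging database connection timed out (constructed message)"

SAMPLE_EVENTS = [
    # Burst on RMS01: five identical errors inside 40 seconds -> one alert
    Event(T0, "RMS01", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=10), "RMS01", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=20), "RMS01", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=30), "RMS01", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=40), "RMS01", 9, GROUP_ERR),
    # Same message on RMS02, but only three events over four minutes -> no alert
    Event(T0, "RMS02", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=120), "RMS02", 9, GROUP_ERR),
    Event(T0 + timedelta(seconds=240), "RMS02", 9, GROUP_ERR),
    # Four SQL errors on RMS01, each more than a minute apart -> no alert
    Event(T0, "RMS01", 9, SQL_ERR),
    Event(T0 + timedelta(seconds=70), "RMS01", 9, SQL_ERR),
    Event(T0 + timedelta(seconds=140), "RMS01", 9, SQL_ERR),
    Event(T0 + timedelta(seconds=210), "RMS01", 9, SQL_ERR),
    # A different event ID is not covered by this rule
    Event(T0 + timedelta(seconds=5), "RMS01", 10, "Unrelated informational event"),
]

if __name__ == "__main__":
    for a in consolidate(SAMPLE_EVENTS):
        print(f"ALERT {a.server}: {a.count} x '{a.message}' "
              f"between {a.first_ts:%H:%M:%S} and {a.last_ts:%H:%M:%S}")
```

Widening the window (for example to five minutes) makes the slowly repeating SQL errors trip the rule as well, which is the trade-off the 60-second value strikes between catching real outages and the benign noise the article describes.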

Monitor the Size of the Logging Message Queue
Use System Monitor to regularly monitor the size of the outbound logging message queue. If the queue size grows substantially, verify that the logging listener service is operating correctly. If a malicious user causes the logging listener service to stop, the outbound logging message queue will grow and eventually exceed the disk space of the RMS server. If this occurs, the server will deny requests.

Manage Growth in the Logging Database
Every RMS licensing request received by the Microsoft IT RMS servers is logged in the RMS SQL Server database. The usage of RMS and IRM within Microsoft during the pilot and initial full deployment stages was generating growth in the logging database of about 1 GB per week, with a projection of 1 GB per day after actual usage estimates were realized.

To manage this rapid growth, Microsoft IT developed a series of scripts and created a secondary, separate database to serve as a logging database archive. The scripts pull out the data that is most relevant for usage reporting and store it in an efficient database format to conserve disk space. Microsoft IT also implemented a script that keeps only the past seven days of raw data on a rolling basis within the RMS logging database. Any eight-day-old data is archived to the Microsoft IT–developed database. The Microsoft IT–developed logging database archival process is available as a free download as part of the RMS server toolkit. For links to the RMS server toolkit and other useful RMS technologies, go to https://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx.
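The rolling-retention archival job described above, shown as an added example rather than the Microsoft IT scripts or the RMS server toolkit: raw request rows older than seven days are summarised into a compact per-day archive table and then deleted from the logging table, inside one transaction. SQLite stands in for SQL Server, and the table layouts, request-type labels and sample rows are constructed for this example, not the real RMS logging schema.

```python
"""Rolling seven-day retention for an RMS-style logging database.
Added example; schema and rows are constructed, not the real RMS schema."""
import sqlite3
from datetime import datetime, timedelta

RETENTION_DAYS = 7   # keep one week of raw rows, as Microsoft IT did


def create_schema(con):
    """Constructed stand-in for the RMS logging table plus a compact archive."""
    con.executescript("""
        CREATE TABLE rms_log (
            id INTEGER PRIMARY KEY,
            ts TEXT NOT NULL,            -- 'YYYY-MM-DD HH:MM:SS', sorts chronologically
            server TEXT NOT NULL,
            request_type TEXT NOT NULL,
            user_name TEXT NOT NULL,
            raw TEXT                     -- bulky request record, dropped on archive
        );
        CREATE TABLE rms_log_archive (
            day TEXT NOT NULL,
            server TEXT NOT NULL,
            request_type TEXT NOT NULL,
            requests INTEGER NOT NULL,
            PRIMARY KEY (day, server, request_type)
        );
    """)


def load_sample_rows(con, now):
    """Insert constructed rows: the day N days in the past gets N+1 requests."""
    rows = []
    for age in range(12):
        ts = (now - timedelta(days=age, hours=1)).strftime("%Y-%m-%d %H:%M:%S")
        for i in range(age + 1):
            rtype = "license" if i % 2 == 0 else "publish"   # constructed labels
            rows.append((ts, "RMS01", rtype, f"user{i}@example.com",
                         "<constructed request record/>"))
    con.executemany(
        "INSERT INTO rms_log(ts, server, request_type, user_name, raw) "
        "VALUES (?, ?, ?, ?, ?)", rows)


def archive_old_rows(con, now, retention_days=RETENTION_DAYS):
    """Summarise rows older than the retention cutoff into rms_log_archive,
    then delete them. Returns (rows_archived, rows_remaining). Runs inside a
    single transaction so a failure leaves both tables untouched."""
    cutoff = (now - timedelta(days=retention_days)).strftime("%Y-%m-%d %H:%M:%S")
    with con:   # commit on success, roll back on any exception
        groups = con.execute("""
            SELECT substr(ts, 1, 10), server, request_type, COUNT(*)
            FROM rms_log
            WHERE ts < ?
            GROUP BY substr(ts, 1, 10), server, request_type
        """, (cutoff,)).fetchall()
        for day, server, rtype, n in groups:
            # Portable upsert: create the counter row if missing, then add to it.
            con.execute("INSERT OR IGNORE INTO rms_log_archive VALUES (?, ?, ?, 0)",
                        (day, server, rtype))
            con.execute("UPDATE rms_log_archive SET requests = requests + ? "
                        "WHERE day = ? AND server = ? AND request_type = ?",
                        (n, day, server, rtype))
        archived = con.execute("DELETE FROM rms_log WHERE ts < ?", (cutoff,)).rowcount
    remaining = con.execute("SELECT COUNT(*) FROM rms_log").fetchone()[0]
    return archived, remaining


def run_demo(now=datetime(2003, 12, 1, 0, 0, 0)):
    """Build the sample database, run the job twice, report what moved."""
    con = sqlite3.connect(":memory:")
    create_schema(con)
    load_sample_rows(con, now)
    first = archive_old_rows(con, now)
    second = archive_old_rows(con, now)   # re-running archives nothing new
    total = con.execute("SELECT SUM(requests) FROM rms_log_archive").fetchone()[0]
    return {"first_run": first, "second_run": second, "archived_requests": total}


if __name__ == "__main__":
    print(run_demo())
```

The archive keeps only the per-day, per-server, per-request-type counts that usage reporting needs, which is what lets it stay small while the raw table is held to one week; a production version would point the same two statements at the real logging and archive databases.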

Develop Policy Templates
RMS templates, such as those created by Microsoft IT for use with Office Professional Edition 2003, enable enterprises to define what types of official, global RMS policies they want their staff to use as publishers of confidential content. Templates can be made to easily protect company confidential content, attorney/client privileged content, business partner content, and more. The IT group of any large enterprise organization should involve the corporate legal and security teams in brainstorming what is needed to enforce corporate communication policies.

Perform Frequent Backups of the Configuration Databases
The configuration databases store information that is vital to the functioning of RMS. In addition, the load-balanced RMS cluster configuration database stores the key pairs for the entire installation. If regular backups are performed, RMS can be quickly restored if a database server fails.

Microsoft IT also recommends that any enterprise deploying RMS should have at a minimum a log-shipped secondary (a warm standby backup) server available in case the shared disk drive storage in the load-balanced RMS cluster has a catastrophic failure. A warm standby server will enable the IT team to recover RMS service with a minimum of delay. Microsoft IT backs up its logs every three minutes, so in a worst-case scenario, the databases can be restored to within three minutes of failure, minimizing the effect of a service outage.

Conclusion

Microsoft benefited from the deployment of the RMS server infrastructure and its counterpart IRM within Office Professional Edition 2003 in several ways. The content-protection rights that IRM makes available offer a highly granular level of control over how information is used and shared. Unique user rights for Office Professional Edition 2003 documents can be assigned to separate individuals and distribution groups. IRM protects the confidential contents of business e-mail and documents from unintended consumers through the use of 128-bit encryption, can limit the time during which protected content can be opened, and allows authors to define how their content can be used or shared. RMS enables an organization to create rights policy templates that give the organization a uniform way to protect sensitive information.

At the same time, as evidenced by the ever-growing IRM usage numbers in Microsoft IT, RMS and IRM have filled an important data protection gap for Microsoft staff. Many groups within Microsoft IT, in addition to the legal and human resources departments at Microsoft, have begun adopting RMS and IRM for their trustworthy messaging needs in lieu of other, older alternatives, such as S/MIME. This adoption is due in large part to the easy setup and usability features in Office Professional Edition 2003, as well as the configuration work done by Microsoft IT to make the installation of IRM seamless to Microsoft users. The support data gathered by Microsoft IT further reflects the ease of use of these products and the relatively small administrative burden that RMS has introduced on the Microsoft corporate network infrastructure.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information over the World Wide Web, go to:

https://www.microsoft.com/rms

https://www.microsoft.com

https://www.microsoft.com/technet/itshowcase

For any questions, comments, or suggestions on this document, or to obtain additional information about Microsoft IT Showcase, please send e-mail to:

showcase@microsoft.com