Office Space Information Rights Management In Office 2003
Alok Mehta, PhD, is the CTO and Senior VP of AFS Technologies Inc. in Weston, MA where he is in charge of technology research and development. Alok has published several research papers on component-based software engineering and Web development. Reach him at email@example.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
Today's knowledge workers deal with sensitive information all the time. This information comes in a variety of formats such as Microsoft Word, Excel, PowerPoint®, and e-mail documents, and it must all be protected from unauthorized access and distribution. For a long time, there has been a need for a technology that can encrypt this kind of information, allowing access to authorized persons only, and enforcing those rights restrictions everywhere that a document goes. In addition, authors should be able to define the duration for which recipients can read a document, as well as whether they can print, forward, edit, extract its contents, or save an unprotected version.
It should also be possible to extend these restrictions to other documents as well. In other words, restrictions should be policy-based, which in turn should be template-based, so that organizations can easily define custom policies. Finally, this access control should integrate into applications already in use by these organizations.
IRM to the Rescue
Information Rights Management (IRM) is a new feature of Microsoft® Office 2003 designed to enhance collaboration methods by allowing the restrictions previously discussed to be placed in Word 2003, Excel 2003, PowerPoint 2003, and Outlook® 2003 documents. To this end, IRM uses encryption, permissions, and ownership to restrict unauthorized access.
IRM relies on Active Directory® and Microsoft Windows® Rights Management Services (RMS)—a new service offered in Windows Server™ 2003—and extends RMS to Microsoft Office 2003. RMS handles the licensing, machine certification/activation, user enrollment, and administrative functions. RMS is the engine on which IRM runs. RMS in turn relies on Windows Server Active Directory and uses Microsoft SQL Server™ to store configuration data. For more about RMS, see the sidebar "The Foundation of IRM."
On the desktop, creating or viewing protected documents requires an RMS-enabled application. See the sidebar "Requirements to Set Up IRM and RMS" for more detailed information.
IRM is an information protection technology that offers persistent file-level protection. Once permission for a document or e-mail message has been restricted with IRM, these restrictions will always travel with the document or the e-mail message as part of the contents of the file in order to prevent sensitive information from being printed, forwarded, or copied by any unauthorized individuals.
Figure 1 RMS and IRM Interaction
In this column, I will explore the IRM feature and how RMS works in the background. I'll also briefly look at how to use IRM in Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 from the IT professional's point of view. Refer to Figure 1 for an overview of how RMS and IRM interact. It's important to note that RMS and IRM are not information security per se, but rather information protection and policy enforcement. This can of course be a component of one's information security strategy.
Rights for E-mail Messages in Outlook 2003
The Foundation of IRM
IRM runs on the RMS engine. RMS for Windows Server 2003, which includes both server and client components, is an information protection service that works with RMS-enabled applications to encrypt digital information to protect it from unauthorized use. RMS provides the building blocks displayed in a simple Web-based user interface, as shown here:
Encryption: the process by which data is transformed with electronic keys. RMS encrypts information, making access conditional on the successful validation of the trusted parties. Once information is encrypted, only trusted parties that are granted usage rights under the specified conditions can decrypt the information in an RMS-enabled application or browser.
Permission: granted to individuals, groups of users, and applications that are trusted participants in an RMS system. By establishing trusted parties using licenses and certificates, RMS can restrict access to only trusted participants.
Ownership: defines how a specific trusted entity can use the information. Examples of named rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire.
RMS allows the owner of a document to perform the following actions using a simple browser-based user interface:
Create rights-protected files and containers: Users who are trusted parties in an RMS system can easily create and manage protected files using familiar authoring applications and tools that incorporate RMS technology. In addition, RMS-enabled applications allow users to apply centrally defined and officially authorized rights policy templates such as Company Confidential.
License and distribute rights-protected documents: The certificates issued by an RMS system identify trusted parties that can publish or view rights-protected documents. Users who are trusted in an RMS system can assign usage rights and conditions to information they want to protect via an RMS-enabled application. These usage policies specify who can use the information and what they can do with it. In a process that is generally transparent to the users, the RMS system validates the trusted parties and issues the publishing licenses that contain the specified usage rights and conditions for the information. The information is encrypted using the electronic keys from the RMS-enabled application and the certificates of the trusted parties. After the information is encrypted by this mechanism, only the trusted parties specified in the publishing licenses can decrypt and use that information. Users can then distribute the rights-protected documents to other users in their organization via e-mail, internal servers, or external sites to enable trusted external partners to access the information.
Acquire licenses to decrypt rights-protected documents: Recipients who are trusted can open or view rights-protected documents by using trusted computers and applications. These RMS-enabled applications enforce the usage rights that were defined by the author of the information. In a process that is transparent to the recipient, the RMS server, which has the public key that was used to encrypt the information, validates the recipient's credentials and then issues a use license that contains the usage rights and conditions that were specified in the publishing license. The information is decrypted using the electronic keys from the end-user license agreement and the certificates of the trusted parties. The usage rights and conditions are then enforced by the RMS-enabled application. Once again, the usage rights attached to the document are persistent and enforced everywhere that the information travels.
E-mail is now one of the primary methods of communication within and between institutions. E-mails that contain confidential information can be easily forwarded, even accidentally, to a competitor or a vendor. Rights-protected e-mail helps protect against leaks, especially the accidental type. IRM can be used in Microsoft Office Outlook 2003 to help prevent e-mail forwarding, cutting, pasting, copying, editing, or printing. Protected messages are always encrypted, and when the sender assigns rights to the message, Outlook 2003 enforces the prescribed rights by disabling the restricted commands so that the receiver cannot forward, edit, copy, or print its contents. In addition, Office 2003 documents attached to protected messages inherit the same restrictions and are protected too.
How IRM Protects
Here's an example of how IRM works with Outlook 2003 to implement privacy.
John is an executive who needs to send his team a private e-mail with a Word 2003 document attached. Using RMS, his company has created an Organization Private template that automatically applies all of the appropriate rights as predefined by John's IT group. John selects the template for his e-mail message, which also imparts the same set of restrictions to the attached Word 2003 document. The Organization Private template says that only employees within the organization can read the information. As employees open the e-mail and the attachment, RMS-enabled Outlook 2003 and Word 2003 enforce the rights and restrictions on the document. The Organization Private template also specifies that employees cannot cut, copy, or edit either the e-mail message or the attached Word document, or save either one to an unsecured format. If they try to digitally share this information outside of the organization, the unauthorized recipient will not be able to open the e-mail or the Word document.
Now imagine that a team member sends a request to John asking permission to share the e-mail and attachment to an outside team that is working on the same project. The outside team uses a hosting provider for its RMS solution and is a trusted partner of John's company's RMS solution. John applies the appropriate rights for the outside team and then sends the e-mail to members of that team, who can then view the e-mail and the document.
How IRM Works in Excel, PowerPoint, and Word
Office 2003 documents can be protected on a per-user or group basis based on Active Directory. Each user or group can be given a set of permissions according to the rights defined by the document owner. These rights allow the user to read, change, or have full control over the document.
IRM disables commands that the particular recipient does not have the right to execute. In addition to the aforementioned restrictions, owners can also set document expiration dates (which can be extended). After expiration, the document still exists, but it cannot be opened by anyone other than the owner.
If an unauthorized recipient attempts to open a protected document, a message is displayed to inform the user that it is rights-protected. The document owner has the option of providing their e-mail address in that message so the unauthorized recipient can request rights to access the document.
The following scenario illustrates how IRM works to implement privacy.
In RMS-enabled Word 2003, Steve uses the permissions option to set the rights for a document that he needs to share with another user, Nancy, in their branch office. Steve posts his document to an internal file server. Nancy then receives an e-mail from Steve pointing her to the document's location. According to the rights that Steve set for the document, Nancy can view and edit it for one week only. She downloads the document to her laptop and opens it up for review. Because the rights are persistent, they remain with the information, even if the laptop is not connected to the LAN.
After a week, Nancy determines that she needs additional time to review the document. As she can no longer open the doc, she requests that Steve grant her more time to continue reviewing it. Steve grants the permission by extending the expiration date and reposts the document. Nancy downloads this updated version and is able to continue reviewing the document as defined by the usage rights.
Enforcement of rights is performed at the application level. Office 2003 is currently the only application from Microsoft that can create rights-protected docs. Microsoft provides a free Rights Management Add-on for Internet Explorer that will enable users without Office 2003 to view a rights-protected document. This add-on is available for download from Rights Management Add-on for Internet Explorer.
Authoring an IRM Document
If you take a look at Figure 2, you'll see how a document or e-mail is protected with RMS. The steps illustrated in the figure are explained here:
1. The author receives a client licensor certificate from the RMS server the first time they apply rights protection to a document. This step enables offline publishing of rights-protected documents in the future.
Figure 2 RMS Protection
2. Using an RMS-enabled application, the author creates a file and defines a set of usage rights and conditions for that file. A publishing license is then generated that contains the usage policies. The application then encrypts the file with a symmetric key, which is then encrypted with the public key of the author's RMS server. The key is then inserted into the publishing license and the publishing license is bound to the file. Only the author's RMS server can issue use licenses to decrypt this file. The author then distributes the file.
Requirements to Set Up IRM and RMS
You will need Microsoft Windows Server 2003 with Windows Rights Management Services (RMS) to enable IRM in Office 2003. RMS is designed to make the most of existing infrastructure investments by using Active Directory Discovery and Windows NT LAN Manager (NTLM) authentication. At the server level, the following is needed to run RMS:
- Windows Server 2003 with RMS server software. RMS is a new service for Windows Server 2003 Standard, Enterprise, Web, and Datacenter editions.
- Internet Information Services.
- Windows Server Active Directory service (Windows Server 2000 or later). Active Directory accounts are used to acquire and use licenses.
- A database, such as Microsoft SQL Server, to store configuration data.
To take advantage of this new technology, you must also install the RMS Client. You will need administrative rights to install this client on your computer and ensure it functions properly. The following must be installed at the client machine:
- RMS Client software.
- An RMS-enabled application is required for creating or viewing rights-protected content.
Microsoft Office 2003 includes four RMS-enabled applications available from Microsoft: Outlook 2003, Word 2003, Excel 2003, and PowerPoint 2003. Microsoft Office Professional Edition 2003 is required for creating or viewing rights-protected Microsoft Office System documents such as spreadsheets, presentations, and e-mail messages.
Other Office 2003 Editions allow designated users to view and edit rights-protected documents if they have been given those rights by the author. They cannot create rights-protected content.
Microsoft also offers a free trial for customers who do not have Windows Server 2003. This service will enable users to share documents and messages with restricted permission using Microsoft .NET Passport as the authentication mechanism, as opposed to Active Directory. Please visit the Office Web site at for free trial service of IRM.
3. A recipient receives a rights-protected file through any distribution mechanism and opens it using an RMS-enabled application or browser. If the recipient does not have an account certificate on the current computer, the user will now be issued one.
4. The application sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate, which contains the recipient's public key, and the publishing license, which contains the symmetric key that encrypted the file. A publishing license issued by a client licensor certificate includes the URL of the server that issued the certificate. In this case, the request for a use license goes to the RMS server that issued the client licensor certificate and not to the actual computer that issued the publishing license.
5. The RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.
6. During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the re-encrypted symmetric key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as an expiration date or an application or operating system exclusion. When the validation is complete, the licensing server returns the use license to the recipient's client computer.
7. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights they have been granted.
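As an added illustration of steps 2 and 4 through 7 (this is not code from the article or from Microsoft's RMS implementation, and the license structures, RSA-OAEP wrapping and key sizes are stand-ins chosen here, not the real RMS license format), the Go program below models the key hand-off: the publishing license carries the content key wrapped to the server's public key, the licensing server admits only a named, unexpired recipient and re-wraps the key to that recipient's key, and a recipient's own key cannot open the publishing license directly. File encryption with the content key and the revocation-list check of step 7 are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"time"
)

type Rights struct{ Read, Edit, Print bool } // usage policy for one named recipient

// PublishingLicense is bound to the file (step 2); only the RMS server whose public key wrapped the content key can issue use licenses for it.
type PublishingLicense struct {
	WrappedKey []byte            // symmetric content key, RSA-OAEP to the server key
	Rights     map[string]Rights // recipient name -> granted rights
	Expires    time.Time         // condition the server enforces (step 6)
}
// UseLicense (step 6) carries the same content key re-wrapped to the recipient.
type UseLicense struct {
	WrappedKey []byte
	Rights     Rights
}

// NewKey stands in for a server or account certificate key pair (demo only).
func NewKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // does not fail with crypto/rand.Reader
	return k
}
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil) }
func unwrap(priv *rsa.PrivateKey, blob []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil) }

// Publish (step 2): generate the symmetric key that would encrypt the file and bind the usage policy to it under the author's server key.
func Publish(serverPub *rsa.PublicKey, rights map[string]Rights, expires time.Time) ([]byte, *PublishingLicense, error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read is documented never to fail (Go 1.24+)
	wk, err := wrap(serverPub, key)
	if err != nil {
		return nil, nil, err
	}
	return key, &PublishingLicense{WrappedKey: wk, Rights: rights, Expires: expires}, nil
}

// IssueUseLicense (steps 4-6): admit only a named, unexpired recipient, then re-wrap the content key to that recipient's public key.
func IssueUseLicense(serverPriv *rsa.PrivateKey, pl *PublishingLicense, user string, userPub *rsa.PublicKey, now time.Time) (*UseLicense, error) {
	r, ok := pl.Rights[user]
	if !ok {
		return nil, errors.New("recipient is not named in the publishing license")
	}
	if now.After(pl.Expires) {
		return nil, errors.New("publishing license has expired")
	}
	key, err := unwrap(serverPriv, pl.WrappedKey) // needs the server's private key
	if err != nil {
		return nil, err
	}
	wk, err := wrap(userPub, key)
	if err != nil {
		return nil, err
	}
	return &UseLicense{WrappedKey: wk, Rights: r}, nil
}

// ContentKey (step 7): the recipient's application recovers the key with its own private key; ul.Rights then decides which commands stay enabled.
func ContentKey(userPriv *rsa.PrivateKey, ul *UseLicense) ([]byte, error) { return unwrap(userPriv, ul.WrappedKey) }
```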
This process is essentially the same whether the recipient is within the publishing organization or outside of it. The recipient is not required to be inside the author's network or domain to request a use license. All that is required is a valid account certificate for the recipient and access to the licensing server that issued the publishing license.
RMS can be set up to enable external sharing of rights-protected documents. Users can share information with other trusted users over the Internet. This deployment offers the same level of protection as an intra-company RMS deployment because an RMS server must license the rights that are attached to a rights-protected file.
The process of deploying RMS consists of the following steps:
Hardware Setup: See the hardware, software, and infrastructure requirements described in Enabling Information Protection in Microsoft Office 2003 with Rights Management Services and Information Rights Management.
RMS Server Setup: Install, enroll, and register the RMS server software. During the enrollment process, the administrator installs RMS server software on the root server. The version of RMS installed on the server and the organization's URL are collected, and a public/private key pair is created. The server sends the public key along with the RMS version and URL information to the RMS Server Enrollment Service in a request for an RMS Licensor Certificate. The RMS Server Enrollment Service returns the RMS Licensor Certificate. Enrollment using the RMS Server Enrollment Service is required for at least one server within every RMS system. Servers added subsequently to the RMS root cluster use the same RMS Licensor Certificate. When you add a new server to an existing root installation or licensing-only server cluster, the new server is not explicitly enrolled because it takes on the entire existing configuration of the cluster.
RMS server(s) can be configured along with Windows Load Balancing Services (WLBS), and there are several possible topologies of RMS server configurations. Figure 3 shows a typical RMS topology.
Figure 3 RMS Topology
RMS Client Setup: Every client computer that will participate in the RMS system must be set up so that it is established as a trusted entity within the system. Client computer setup consists of verifying the presence of the RMS Client component and activating the client computer. After a client computer is set up, the infrastructure is in place to permit users with RMS-enabled applications to publish and consume rights-protected data. Each client computer must have the RMS Client component installed. This component is available from the Windows Update Catalog or from the Microsoft Download Web site. In the next version of Windows, the client component will be built into the operating system. Administrators can use software deployment tools such as Microsoft Systems Management Server (SMS) to ensure that clients have the component installed, or can rely on the installation of an RMS-enabled app to initiate the request to the Windows Update Catalog for the component. This component is required by RMS-enabled apps and is used for the client activation process.
Register RMS Users: When a user attempts to use RMS (for example, by using IRM in Microsoft Office 2003 programs), the following occurs. First, the machine obtains a certificate that activates it as a computer capable of creating protected content. The user then obtains a certificate that associates him or her with that computer, and enables the creation of protected content.
IRM deployment depends upon RMS deployment. Once RMS is deployed, IRM deployment is as simple as installing the RMS Client at the desktop and deploying Office 2003. The client machine and each user then receive a certificate allowing IRM usage, as I described in the previous subsection "Register RMS Users."
To protect sensitive information such as customer data, financial reports, product specifications, and confidential e-mail messages, you need a strategy. Information Rights Management and Windows Rights Management Services help protect information through persistent usage policies, which remain with the information no matter where it goes. If you intend to use Windows Server 2003, you should consider an RMS/IRM solution. RMS is simple to set up and IRM is very easy to use, so I highly recommend these two technologies as part of your overall data security solution.