Plan for Information Rights Management in Office 2010

 

Applies to: Office 2010

Topic Last Modified: 2012-11-26

Banner stating end of support date for Office 2010 with link to more info

Information Rights Management (IRM) technology in Microsoft Office 2010 helps organizations and information workers control sensitive information electronically by enabling users to specify permissions for accessing and using documents and messages.

This article contains a summary of IRM technology and how it works in Office applications, together with links to more information about how to set up and install the required servers and software to implement IRM in Office 2010.

In this article:

  • IRM overview

  • How IRM works in Office 2010

  • Setting up IRM for Office 2010

  • Configuring IRM settings for Office 2010

  • Configuring IRM settings for Outlook 2010

IRM overview

Information Rights Management (IRM) is a persistent file-level technology from Microsoft that uses permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by unauthorized people. Once permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file.

Note

The ability to create content or e-mail messages that have restricted permission by using IRM is available in Microsoft Office Professional Plus 2010, and in the stand-alone versions of Microsoft Excel 2010, Microsoft Outlook 2010, Microsoft PowerPoint 2010, Microsoft InfoPath 2010, and Microsoft Word 2010. IRM content that is created in Office 2010 can be viewed in Microsoft Office 2003, the 2007 Microsoft Office system, or Office 2010.
For more information about IRM and Active Directory Rights Management Services (AD RMS) features that are supported in Office 2010, Office 2007, and Office 2003, see AD RMS and Microsoft Office Deployment Considerations.

IRM support in Office 2010 helps organizations and knowledge workers address two fundamental needs:

  • Restricted permission for sensitive information   IRM helps prevent sensitive information from unauthorized access and reuse. Organizations rely on firewalls, logon security-related measures, and other network technologies to help protect sensitive intellectual property. A basic limitation of using these technologies is that legitimate users who have access to the information can share it with unauthorized people. This could lead to a potential breach of security policies.

  • Information privacy, control, and integrity   Information workers often work with confidential or sensitive information. By using IRM, employees do not have to depend on the discretion of other people to ensure that sensitive materials remain inside the company. IRM eliminates users' ability to forward, copy, or print confidential information by helping to disable those functions in documents and messages that use restricted permission.

For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies about document confidentiality, workflow, and e-mail retention. For CEOs and security officers, IRM reduces the risk of having key company information fall into the hands of the wrong people, whether by accident, thoughtlessness, or through malicious intent.

How IRM works in Office 2010

Office users apply permissions to messages or documents by using options on the ribbon; for example, by using the Restrict Editing command on the Review tab in Word. The protection options available are based on permission policies that you customize for your organization. Permission policies are groups of IRM rights that you package together to apply as one policy. Office 2010 also provides several predefined groups of rights, such as Do Not Forward in Microsoft Outlook 2010.

Using IRM with an RMS server

Enabling IRM in your organization typically requires access to a rights management server that runs Windows Rights Management Services (RMS) for Windows Server 2003 or Active Directory Rights Management Services (AD RMS) for Windows Server 2008 or Windows Server 2012. (It is also possible to use IRM by using Windows Live ID to authenticate permissions, as described in the next section.) The permissions are enforced by using authentication, typically by using Active Directory directory service. Windows Live ID can authenticate permission if Active Directory is not implemented.

Users do not have to have Office to be installed to read protected documents and messages. For users who run Windows XP or earlier versions, the Excel viewer (https://go.microsoft.com/fwlink/p/?LinkId=184596) and Word viewer (https://go.microsoft.com/fwlink/p/?LinkId=184595) enable Windows users who have the correct permission to read some documents that have restricted permission, without using Office software. Users running Windows XP or earlier versions can use Microsoft Outlook Web App or the Rights Management Add-on for Internet Explorer (https://go.microsoft.com/fwlink/p/?LinkId=82926) to read e-mail messages that have restricted permissions, without using Outlook software. For users who run Windows 8, Windows 7, Windows Vista Service Pack 1, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012, this functionality is already available. The Active Directory Rights Management Services client software is included with these operating systems.

In Office 2010, organizations can create the permissions policies that appear in Office applications. For example, you might define a permission policy named Company Confidential, which specifies that documents or e-mail messages that use the policy can only be opened by users inside the company domain. There is no limit to the number of permission policies that can be created.

Note

Windows SharePoint Services 3.0 supports using IRM on documents that are stored in document libraries. By using IRM in Windows SharePoint Services, you can control which actions users can take on documents when they open them from libraries in Windows SharePoint Services 3.0. This differs from IRM applied to documents stored on client computers, where the owner of a document can choose which rights to assign to each user of the document. For more information about how to use IRM with document libraries, see Plan document libraries (Windows SharePoint Services) (https://go.microsoft.com/fwlink/p/?LinkId=183051).

With AD RMS on Windows Server 2008, users can share rights-protected documents between companies that have a federated trust relationship. For more information, see Active Directory Rights Management Services Overview (https://go.microsoft.com/fwlink/p/?LinkId=183052) and Federating AD RMS (https://go.microsoft.com/fwlink/p/?LinkId=183053).

Also with AD RMS, Microsoft Exchange Server 2010 offers new IRM-protected e-mail functionality including AD RMS protection for Unified Messaging voice mail messages and Microsoft Outlook protection rules that can automatically apply IRM-protection to messages in Outlook 2010 before they leave the Microsoft Outlook client. For more information, see What’s New in Exchange 2010 (https://go.microsoft.com/fwlink/p/?LinkId=183062) and Understanding Information Rights Management: Exchange 2010 Help (https://go.microsoft.com/fwlink/p/?LinkId=183063).

For more information about how to install and configure RMS servers, see Windows Server 2003 Rights Management Services (RMS) (https://go.microsoft.com/fwlink/p/?LinkId=73121) and Windows Server 2008 Active Directory Rights Management Services (https://go.microsoft.com/fwlink/p/?LinkId=180006).

Using IRM without a local RMS server

In a typical installation, Windows Server 2003 with RMS or Windows Server 2008 with AD RMS enables using IRM permissions with Office 2010. If an RMS server is not configured on the same domain as the users, Windows Live ID can authenticate permission, instead of Active Directory. Users must have access to the Internet to connect to the Windows Live ID servers.

You can use Windows Live ID accounts when you assign permissions to users who need access to the contents of a restricted file. When you use Windows Live ID accounts for authentication, each user must specifically be granted permission to a file. Groups of users cannot be assigned permission to access a file.

Setting up IRM for Office 2010

Applying IRM permissions to documents or e-mail messages requires the following:

  • Access to RMS for Windows Server 2003 or AD RMS for Windows Server 2008 to authenticate permissions. Or, authentication can be managed by using the Windows Live ID service on the Internet.

  • Rights Management (RM) client software. RM client software is included in Windows Vista and later versions or available as an add-in for Windows XP and Windows Server 2003.

  • Microsoft Office 2003, 2007 Microsoft Office system, or Office 2010. Only specific versions of Office enable users to create IRM permissions.

Setting up RMS server access

Windows RMS or AD RMS manages licensing and other administrative server functions that work with IRM to provide rights management. An RMS-enabled client program, such as Office 2010, lets users create and view rights-protected content.

To learn more about how RMS works and how to install and configure an RMS server, see Windows Server 2003 Rights Management Services (RMS) (https://go.microsoft.com/fwlink/p/?LinkId=73121), Windows Server 2008 Active Directory Rights Management Services (https://go.microsoft.com/fwlink/p/?LinkId=180006), and Understanding Information Rights Management: Exchange 2010 Help (https://go.microsoft.com/fwlink/p/?LinkId=183062).

Installing the Rights Management client software

RM client software is included in Windows Vista and later versions of Windows. Separate installation and configuration of the necessary RMS client software is required on Windows XP and Windows Server 2003 to interact with RMS or AD RMS on the computer that is running Windows or the Windows Live ID service on the Internet.

Download the RMS Client Service Pack (https://go.microsoft.com/fwlink/p/?LinkId=82927) to enable users on Windows XP and Windows Server 2003 to run applications that restrict permission based on RMS technologies.

Defining and deploying permissions policies

As in Office 2003 and the 2007 Office system, Office 2010 includes predefined groups of rights that users can apply to documents and messages, such as Read and Change in Microsoft Word 2010, Microsoft Excel 2010, and Microsoft PowerPoint 2010. You can also define custom IRM permissions policies to provide different packages of IRM rights for users in your organization.

You create and manage rights policy templates by using the administration site on your RMS or AD RMS server. For information about how to create, configure, and post custom permissions policy templates, see Windows Server 2003 Rights Management Services (RMS) (https://go.microsoft.com/fwlink/p/?LinkId=73121) and Windows Server 2008 AD RMS Rights Policy Templates Deployment Step-by-Step Guide (https://go.microsoft.com/fwlink/p/?LinkId=183068). For Exchange Server 2010 Outlook protection rules, see Understanding Outlook Protection Rules: Exchange 2010 Help (https://go.microsoft.com/fwlink/p/?LinkId=183067).

The rights that you can include in permissions policy templates for Office 2010 are listed in the following sections.

Permissions rights

Each IRM permissions right listed in the following table can be enforced by Office 2010 applications configured on a network that includes a server that runs RMS or AD RMS.

IRM right Description

Full Control

Gives the user every right listed in this table, and the right to change permissions that are associated with content. Expiration does not apply to users who have Full Control.

View

Allows the user to open IRM content. This corresponds to Read Access in the Office 2010 user interface.

Edit

Allows the user to configure the IRM content.

Save

Allows the user to save a file.

Extract

Allows the user to make a copy of any part of a file and paste that part of the file into the work area of another application.

Export

Allows the user to save content in another file format by using the Save As command. Depending on the application that uses the file format that you select, the content might be saved without protection.

Print

Allows the user to print the contents of a file.

Allow Macros

Allows the user to run macros against the contents of a file.

Forward

Allows an e-mail recipient to forward an IRM e-mail message and to add or remove recipients from the To: and Cc: lines.

Reply

Allows e-mail recipients to reply to an IRM e-mail message.

Reply All

Allows e-mail recipients to reply to all users on the To: and Cc: lines of an IRM e-mail message.

View Rights

Gives the user permission to view the rights associated with a file. Office ignores this right.

Predefined groups of permissions

Office 2010 provides the following predefined groups of rights that users can choose from when they create IRM content. The options are available in the Permission dialog box for Word 2010, Excel 2010, and PowerPoint 2010. In the Office application, click the File tab, click Info, click the Protect Document button, select Restriction Permission by People, click Restrict Access, and then click Restrict permission to this document to enable the permission options listed in the following table.

IRM predefined group Description

Read

Users with Read permission only have the View right.

Change

Users with Change permission have View, Edit, Extract, and Save rights.

In Outlook 2010, users can select the following predefined group of rights when they create an e-mail item. The option is accessed from the e-mail by clicking the File tab, Info, and then Set Permissions.

IRM predefined group Description

Do Not Forward

In Outlook, the author of an IRM e-mail message can apply Do Not Forward permission to users in the To:, Cc:, and Bcc: lines. This permission includes the View, Edit, Reply, and Reply All rights.

Advanced permissions

Other IRM permissions can be specified in the advanced Permission dialog box in Word 2010, Excel 2010, and PowerPoint 2010. In the initial Permission dialog box, click More Options. For example, users can specify an expiration date, let other users to print or copy content, and so on.

By default, Outlook enables messages to be viewed by a browser that supports Rights Management.

Deploying rights policy templates

When the rights policy templates are complete, post them to a server share where all users can access the templates or copy them to a local folder on the user's computer. The IRM policy settings that are available in the Office Group Policy template (Office14.adm) file can be configured to point to the location where the rights policy templates are stored (either locally or on an available server share). For information, see Configure Information Rights Management in Office 2010.

Configuring IRM settings for Office 2010

You can lock down many settings to customize IRM by using the Office Group Policy template (Office14.adm). You can also use the Office Customization Tool (OCT) to configure default settings, which enables users to configure the settings. In addition, there are IRM configuration options that can only be configured by using registry key settings.

Office 2010 IRM settings

The settings that you can configure for IRM in Group Policy and by using the OCT are listed in the following table. In Group Policy, these settings are under User Configuration\Administrative Templates\Microsoft Office 2010\Manage Restricted Permissions. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

IRM option Description

Active Directory time-out for querying one entry for group expansion

Specify the time-out value for querying an Active Directory entry when expanding a group.

Additional permissions request URL

Specify the location where a user can obtain more information about how to access the IRM content.

Allow users with earlier versions of Office to read with browsers…

Enable users without Office 2010 to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer.

Always expand groups in Office when restriction permission for documents

Group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permission dialog box.

Always required users to connect to verify permission

Users opening a rights-managed Office document must connect to the Internet or local area network to confirm by RMS or Windows Live ID that they have a valid IRM license.

Disable Microsoft Passport service for content with restricted permission

If enabled, users cannot open content created by a Windows Live ID authenticated account.

Never allow users to specify groups when restricting permission for documents

Return an error when users select a group in the Permission dialog box: ''You cannot publish content to Distribution Lists. You may only specify e-mail addresses for individual users.''

Prevent users from changing permission on rights managed content

If enabled, users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor configure the rights on a document.

Specify Permission Policy Path

Display in the Permission dialog box permission policy templates found in the folder that is specified.

Turn off Information Rights Management user interface

Disable all Rights Management-related options within the user interface of all Office applications.

URL for location of document templates displayed when applications do not recognize rights-managed documents

Provide the path of a folder that contains customized plain-text wrapper templates to be used by previous versions of Office that do not support rights-managed content.

For more information about how to customize these settings, see Configure Information Rights Management in Office 2010.

Office 2010 IRM registry key options

The following IRM registry settings are located in HKCU\Software\Microsoft\Office\14.0\Common\DRM.

Registry entry Type Value Description

CorpCertificationServer

String

URL to corporate certification server

Typically, Active Directory is used to specify the RMS server. This setting lets you override the location of the Windows RMS specified in Active Directory for certification.

RequestPermission

DWORD

1 = The box is checked.

0 = The box is cleared.

This registry key toggles the default value of the Users can request additional permissions from check box.

CloudCertificationServer

String

URL to custom cloud certification server

No corresponding Group Policy setting.

CloudLicenseServer

String

URL of the licensing server

No corresponding Group Policy setting.

DoNotUseOutlookByDefault

DWORD

0 = Outlook is used

1 = Outlook is not used

The Permission dialog box uses Outlook to validate e-mail addresses entered in that dialog box. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key.

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers. There is no corresponding Group Policy setting.

Registry entry Type Value Description

LicenseServers

Key/Hive. Contains DWORD values that have the name of a license server.

Set to the server URL. If the value of the DWORD is 1, Office will not prompt to obtain a license (it will only get it).

If the value is zero or there is no registry entry for that server, Office prompts for a license.

Example: If ‘https://contoso.com/_wmcs/licensing = 1’ is a value for this setting, a user trying to obtain a license from that server to open a rights-managed document would not be prompted for a license.

The following IRM registry setting is located in HKCU\Software\Microsoft\Office\12.0\Common\Security. There is no corresponding Group Policy setting.

Registry entry Type Value Description

DRMEncryptProperty

DWORD

1 = The file metadata is encrypted.

0 = The metadata is stored in plaintext. The default value is 0.

Specify whether to encrypt all metadata stored inside a rights-managed file.

For Open XML Formats (for example, docx, xlsx, pptx, and so on), users can decide to encrypt the Microsoft Office metadata stored inside a rights-managed file. Users can encrypt all Office metadata. This includes hyperlink references, or leave content as not encrypted so other applications can access the data.

Users can choose to encrypt the metadata by setting a registry key. You can set a default option for users by deploying the registry setting. There is no option for encrypting some of the metadata: all metadata is encrypted or none is encrypted.

In addition, the DRMEncryptProperty registry setting does not determine whether non-Office client metadata storage — such as the storage that is created in Microsoft SharePoint 2010 Products — is encrypted.

This encryption choice does not apply to Microsoft Office 2003 or other previous file formats. Office 2010 handles earlier formats in the same manner as 2007 Office system and Microsoft Office 2003.

Configuring IRM settings for Outlook 2010

In Outlook 2010, users can create and send e-mail messages that have restricted permission to help prevent messages from being forwarded, printed, or copied and pasted. Office 2010 documents, workbooks, and presentations that are attached to messages that have restricted permission are also automatically restricted.

As an Microsoft Outlook administrator, you can configure several options for IRM e-mail, such as disabling IRM or configuring local license caching.

The following IRM settings and features can be useful when you configure rights-managed e-mail messaging:

  • Configure automatic license caching for IRM.

  • Help enforce an e-mail message expiration period.

  • Do not use Outlook for validating e-mail addresses for IRM permissions.

Note

To disable IRM in Outlook, you must disable IRM for all Office applications. There is no separate option to disable IRM only in Outlook.

Outlook 2010 IRM settings

You can lock down most settings to customize IRM for Outlook by using the Outlook Group Policy template (Outlk14.adm) or the Office Group Policy template (Office14.adm). Or, you can configure default settings for most options by using the Office Customization Tool (OCT), which enables users to configure the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

Location IRM option Description

Microsoft Outlook 2010\Miscellaneous

Do not download rights permissions license information for IRM e-mail during Exchange folder sync

Enable to prevent license information from being cached locally. If enabled, users must connect to the network to retrieve license information to open rights-managed e-mail messages.

Microsoft Outlook 2010\Outlook Options\ E-mail Options\ Advanced E-mail Options

When sending a message

To enforce e-mail expiration, enable and enter the number of days before a message expires. The expiration period is enforced only when users send rights-managed e-mail and then the message cannot be accessed after the expiration period.

For more information about how to customize these settings, see Configure Information Rights Management in Office 2010.

Outlook 2010 IRM registry key options

The Permission dialog box uses Outlook to validate e-mail addresses that are entered in that dialog box. This causes an instance of Outlook to start when permissions are restricted. You can disable this option by using the registry key that is listed in the following table. There is no corresponding Group Policy or OCT setting for this option.

The following IRM registry setting is located in HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DRM.

Registry entry Type Value Description

DoNotUseOutlookByDefault

DWORD

0 = Outlook is used

1 = Outlook is not used

Disable the option by using this key.