How IRM fits into a comprehensive defense-in-depth strategydownload.microsoft.com/download/a/4/2/a4262821-6f21 …  · Web viewXPS provides a fixed-layout format ... You need to

How to Use Information Rights Management

Published: July 16, 2007

2007 Microsoft Office

Technical White Paper

Abstract: Information Rights Management (IRM) is an information protection technology built into 2007 Microsoft® Office that works in conjunction with Rights Management Services (RMS) in Microsoft Windows Server 2003. IRM, along with RMS, gives organizations and users more control over how information in Microsoft Office documents and email messages can be used by recipients. With IRM, the creator or sender of a document or message can specify who can open it and whether those allowed access can make changes to it, print, forward or copy it or perform other actions with the information it contains. This paper focuses on benefits and limitations of IRM and best practices in planning, deploying and managing IRM.

How IRM fits into a comprehensive defense-in-depth strategy

Protecting data from unauthorized access and misuse requires a defense-in-depth strategy that uses multiple layers of technology. Organizations have multiple mechanisms in place to protect data from different types of threats and under different circumstances. IRM fits into a defense-in-depth strategy by protecting data in Word, Excel, PowerPoint, and InfoPath files, no matter where those files may live. This can be protection from printing, forwarding, copying, or other practices that could result in an inadvertent leak of sensitive information, thereby enabling organizational policies to be enforced and document control to be established.

Layered data protection

In a layered data protection plan, technologies work together like members of a team, each with its own area of responsibility. For example:

Information Protection

Rights management technologies such as IRM/RMS prevent users who receive protected data from copying it or forwarding it to others who are not authorized.

Access control technologies such as share permissions and NTFS permissions prevent unauthorized users from accessing data to which they do not have permissions.

File encryption technologies such as EFS prevent unauthorized users from opening data files that have been encrypted.


Whole disk encryption technologies such as BitLocker prevent unauthorized users from booting a lost or stolen portable computer and accessing its data.

Threat Management

A firewall technology such as ISA Server controls the perimeter of the network and prevents unauthorized users from gaining access to the network and thus to the data stored there.

An anti-spyware technology such as Windows Defender prevents spyware from copying data and sending it outside the network.

An antivirus technology prevents viruses and worms from destroying data and prevents Trojan horses and other malicious software from being used to take control of the computer and thus access its data.

Access control vs. usage control

Most of the data protection technologies mentioned in the preceding section have one thing in common: they limit access to data. Access controls generally work to keep others from being able to view or use the data. But sometimes you need to allow others to access data, but you want to limit how they use that data once they have access to it.

Rights management technologies can provide both access and usage control. With IRM/RMS, you specify that only certain users are able to access the protected documents or messages, but you can go further and specify what the users you grant access can (and can’t) do with the content.

Because IRM/RMS gives you the ability to control what happens to a document or message after it reaches the recipient, these technologies play a unique and important role in an organization’s defense-in-depth data protection strategy.

What You Can Do with IRM

The IRM component in Office 2007 applications works in conjunction with RMS server and client components to restrict specified uses of documents and messages that are created by and opened with those applications.

Note: IRM-protected documents and messages can be created in Office 2007 Professional Plus and Enterprise editions. Office 2007 Standard edition applications can be used to open and view IRM-protected documents and messages, but not to create them.

When IRM is enabled, users can assign access permissions to certain types of files created with Office 2007 applications. Permissions can prevent recipients of those files from:

Forwarding

Copying

Modifying

Printing

Faxing

Cutting and pasting content to or from the restricted file

Using the default Print Screen (PRT SC) key to copy the content

When IRM protection is applied, the restricted actions are grayed out as menu options. You can also set an expiration date on IRM-protected content so that it cannot be viewed or used after that date. RMS can even detect whether there is a measurable difference between the clock on an RMS client computer and the clock on the RMS server, thus preventing users from turning back the clock to try to access an expired IRM-protected document or message.

IRM protection can be applied to Word documents, Excel workbooks, PowerPoint presentations and templates and InfoPath forms as well as Outlook 2007 email messages and XML Paper Specification (.xps) files. XPS provides a fixed-layout format that’s platform independent (similar to PDF) and gives you an electronic view of the document contents identical to the way it will look when printed. The XPS Document Writer, which is included in Windows Vista and can be downloaded and installed in earlier versions of Windows, can be used to create XPS files from any application.

You can apply different scopes of restrictions, depending on your needs. IRM permissions can be set on the following bases:

Per user

Per document

Per group (requires Active Directory)

Per library (in Microsoft Office SharePoint Server 2007)

Unlike EFS encryption, IRM permissions stay with a document when it is sent across the network. When you apply IRM protection to an email message, attachments to that message that were created with Microsoft Word, Excel or PowerPoint are also automatically IRM-protected.

Understanding the roles of IRM and RMS

Microsoft’s Rights Management Services provides the foundation on which organizations can build a strategy for protecting documents and email messages created in Microsoft Office from being inadvertently mishandled by recipients. An RMS server running Microsoft Windows Server 2003 serves as a central repository for information used to identify what rights have been granted to particular users and to verify the credentials of those users. Information Rights Management is the component in the RMS-enabled application that enforces those rights; IRM is to RMS what Microsoft Office Outlook is to Exchange.

Digital certificates are used to identify trusted entities. RMS client software on the recipient’s computer communicates with the RMS server. The RMS client software for Microsoft Windows 2000 and Microsoft Windows XP can be downloaded from the Microsoft web site and installed to give those operating systems RMS capability. The RMS client is built into Microsoft Windows Vista.

Benefits and limitations of IRM

IRM can be used to control both access to (via encryption) and usage of data created by RMS-enabled applications when that data is exchanged with other users within the organization. With the proper deployment and configuration of the RMS servers, it can also be used to protect data exchanged with users outside the organization.

Following are some scenarios in which IRM can be beneficial.

IRM usage scenarios

IRM can be used to protect data in the following scenarios:

You need to give a user in another part of the organization the ability to view a spreadsheet containing financial information, but you want to limit his or her access to the file so that it will be unavailable after two days.

You need to send a confidential email message with a sensitive attachment to another internal user, but you want to restrict that user from forwarding the message to anyone else or saving a copy of the attachment.

You need to allow a colleague within the organization to review a report in the form of a Word document that contains sensitive information, but you want to restrict the colleague from making any changes to the document.

IRM/RMS can be used in each of these cases to accomplish your objective.

Limitations of IRM

IRM protection can only be applied to data that’s created by an RMS-enabled application. If you create a file in a program that is not RMS-aware, you can’t apply IRM rights to it.

IRM protection makes it difficult for recipients to copy the contents of messages and documents and share those contents with others. However, IRM permissions are enforced only by RMS-enabled applications. There are ways a determined malicious user can work around IRM to make a copy of content:

Manually copy the content by hand or retype it into another document.

Take a photograph of the content displayed on the computer monitor.

Use a third party screen capture utility to capture a graphic of the content displayed on the monitor.

Use a keystroke logger to capture the content of the protected document or message when it is being created.

In each instance, however, there is clear evidence of malicious intent, and the RMS database provides a starting point for investigations. In addition, malicious software programs such as viruses, Trojans and some spyware programs may be able to capture and transmit the content of IRM-protected documents, or corrupt or delete it.

Of course, it is possible that IRM-protected documents and messages can be accessed by an individual who obtains the credentials of a user to whom IRM permissions have been assigned and who logs on as that authorized user. IRM is an information protection technology that operates in conjunction with security mechanisms, not a substitute for them.

Technical overview of the rights management process

IRM/RMS creates restricted or protected content, which is information in a file or stream that is encrypted and requires a license to decrypt it. A Rights Account Certificate (RAC, also referred to as a GIC or Group Identity Certificate) is issued by the RMS server for your user account and enables it to create, access and use IRM-protected content on a specific computer.

RMS Web services

RMS runs as a set of Web applications on Microsoft Internet Information Services (IIS), which perform the following services:

On the RMS root server or cluster: provide server licensor certificates to licensing-only servers that allow them to issue publishing and use licenses

On the RMS root server or cluster: provide RMS account certificates to users that allow them to get publishing and use licenses from the licensing servers

On the RMS root server or cluster: issue RMS account certificates to users

On the RMS root server or cluster and on licensing-only servers: issue publishing licenses to users that allow them to create and distribute IRM-protected documents and messages

On the RMS root server or cluster and on licensing-only servers: issue use licenses to users that allow them to view and use IRM-protected content

Decommission IRM-protected content to make it unprotected (if you enable this service, all other services will be disabled)

The web services also provide a management interface by which RMS administrators can configure and manage the RMS services.

RMS certificates and licenses

The RMS client computers are identified as trusted entities by RMS machine certificates. Users are identified as trusted entities by rights account certificates. Publishing licenses are required to publish (distribute) IRM-protected content. Use licenses are required to view or use IRM-protected content.

Both the computer and user must be identified as trusted entities before the user can obtain a license, and IRM-protected content can only be created or viewed in an RMS-enabled application.

An RMS machine certificate contains the public key of the computer. The corresponding private key is contained in a software construct called the lockbox. An RMS account certificate contains the user’s public RMS key and the user’s private key that is encrypted with the computer’s public key.

Client licensor certificates allow users to create and publish IRM-protected content when the computer is not connected to the network and doesn’t have access to the RMS server. A client licensor certificate contains the public key of the server that issued it and the public key of the certificate itself. It also contains the private key of the certificate, which is encrypted by the public key of the user who requested the certificate.

Licenses are created using the Extensible Rights Markup Language (XrML), an open standard that is interoperable with other rights management systems. For more information, see the XrML Web site at http://www.xrml.org.

The RMS trust hierarchy

The RMS trust hierarchy starts with the Microsoft Enrollment and Activation services at the top of the chain. Next comes the RMS root server or cluster (which is the top of the chain within the organization). Beneath that are licensing-only servers (which are optional). These components all work in conjunction with the Active Directory and a SQL database. The role of each is explored in more detail in the section titled “Components of the Rights Management Environment” later in this paper.

Planning an IRM deployment

Because the rights management environment involves many components, it’s important to plan your deployment carefully, taking into account the existing hardware, operating systems, and organizational needs.

Components of the rights management environment

Many different components on the network work together at the server, client and application levels to protect documents and messages through rights management. These include the RMS servers, RMS client computers and RMS-enabled applications. These components also rely on a SQL database and the Active Directory services to make the rights management process work.

Together, these components enable users to create, publish, distribute and consume IRM-protected content. Despite all the components involved and all that’s going on “under the hood,” the process is relatively transparent to users, who are not required to know the details of obtaining account certificates, publishing licenses and use licenses.

RMS servers


An organization may have one or more RMS servers. The RMS root server (or root cluster) handles the RMS certification and licensing of trusted entities. This includes certification of the RMS licensing-only servers. Users must be certified before they can create protected content and assign usage rights to it. The root certificate is issued by Microsoft. In small to midsize organizations, the root server or cluster provides all RMS services. A cluster consists of multiple physical servers represented by the same URL.

The next level in the RMS server hierarchy in a large organization consists of licensing-only servers. These servers issue publishing licenses to enable certified users to assign rights and distribute protected content, and use licenses to enable certified users to view and use protected content.

RMS servers must run Windows Server 2003 or above with Internet Information Services (IIS) and ASP.NET enabled. RMS must be installed in an Active Directory domain with domain controllers running Windows 2000 Server SP3 or above.

If you anticipate a large number of client requests for RMS licenses, you can deploy RMS servers in a cluster and use Network Load Balancing (NLB) to distribute the client requests across the servers.

When a user requests an RM account certificate from the server, the user’s account information and hardware information are used to create a permission code. The permission code is encrypted to protect the information in it from access by other users or malicious software. When the RM account certificate expires, the user must download another if he or she wants to keep creating and using IRM-protected documents and messages.

RMS client software

The RMS client software is built into the Windows Vista operating system. It can be downloaded for installation on previous operating systems, including Windows 2000, Windows XP and Windows Server 2003. The IA64 Edition of the RMS client is available for Itanium-based systems.

Installation of the RMS client SP1 and SP2 creates a machine certificate during the installation process. The machine certificate contains the computer’s public RMS key. The installation process also creates the “lockbox,” a software construct that is tied to a hardware identifier and contains that computer’s private RMS key. This is all done locally and is called self-activation. The original RMS client required the activation service on a server to send the machine certificate and lockbox to the client computer.

The RMS client reads and interprets the licenses issued by the RMS licensing server and enforces the usage rights and conditions that are defined in the publishing license.

RMS-enabled applications

IRM-protected content can only be created and viewed with RMS-enabled applications. RMS-enabled applications work with the RMS client software. Some RMS-enabled applications include:

Microsoft Office 2003 and 2007

Microsoft Internet Explorer (version 5.01, 5.5 and 6.0) with the rights management add-on

Internet Explorer 7 XPS Viewer


Mobile Office applications in Windows Mobile 6

Applications created or extended using the Microsoft Windows Rights Management Services Software Developer’s Kit (SDK)

The RMS-enabled application performs the following tasks:

1. When a user wants to send protected content, the application sends a request to the RMS licensing server for a publishing license.

2. When a publishing license is issued, the RMS-enabled application generates the symmetric keys used to encrypt the IRM-protected content.

3. When a certified user receives protected content and attempts to open it with an RMS-enabled application, the application sends a request to the RMS licensing server for a use license.

4. When a use license is issued, the RMS-enabled application uses the key issued by the RMS system to decrypt the content.

Each IRM-protected document or message is encrypted with a different randomly-generated symmetric key. Thus, if an unauthorized user gained access to the key to one IRM-protected file, that key would be useless for opening other IRM-protected files.
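The four-step exchange above, the per-document random key, and the expiration and clock-skew checks described earlier, as an added Python model; this is a constructed illustration, not Microsoft’s RMS code or the XrML license format. The directory, the principals, the HMAC standing in for the server’s private-key signature, and the SHA-256 keystream standing in for the real content cipher are all assumptions.

```python
"""Simplified model of the IRM/RMS publish-and-consume flow.

Constructed illustration: not Microsoft's RMS implementation and not XrML.
HMAC stands in for the server's private-key signature, a SHA-256 counter-mode
keystream stands in for the real content cipher, and a dict stands in for
Active Directory group lookups.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed directory: user -> groups (stands in for Active Directory).
DIRECTORY = {
    "alice@example.com": {"finance"},
    "bob@example.com": {"finance", "reviewers"},
    "mallory@example.com": set(),
}

ALL_ACTIONS = {"view", "edit", "print", "copy", "forward"}
MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance, not an RMS value

# Stands in for the RMS licensing server's private key (assumption: HMAC, not RSA).
SERVER_KEY = secrets.token_bytes(32)


def _keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with a SHA-256 counter-mode keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _license_body(user, rights, expires):
    """Canonical bytes the server signs and the application verifies."""
    return f"{user}|{sorted(rights)}|{expires}".encode()


def protect(content, rights, expires=None):
    """Steps 1-2: the author obtains a publishing license and the application
    encrypts the content with a fresh random symmetric key.

    rights: principal (user or group name) -> set of allowed actions.
    expires: aware datetime after which no use license is issued, or None.
    """
    content_key = secrets.token_bytes(32)          # new key for every document
    ciphertext = _keystream_xor(content_key, content)
    publishing_license = {
        "rights": {p: set(a) & ALL_ACTIONS for p, a in rights.items()},
        "expires": expires,
        # In RMS this key is encrypted to the licensing server's public key.
        "content_key": content_key,
    }
    return ciphertext, publishing_license


def issue_use_license(publishing_license, user, client_clock, server_clock):
    """Step 3: the licensing server checks the user's credentials against the
    publishing license and issues a use license, or refuses."""
    # Models RMS detecting a client clock turned back to beat expiration.
    if abs(client_clock - server_clock) > MAX_CLOCK_SKEW:
        raise PermissionError("client clock disagrees with server clock")
    expires = publishing_license["expires"]
    if expires is not None and server_clock >= expires:
        raise PermissionError("content has expired")
    # Rights granted directly to the user plus rights granted to their groups.
    principals = {user} | DIRECTORY.get(user, set())
    granted = set()
    for principal in principals:
        granted |= publishing_license["rights"].get(principal, set())
    if not granted:
        raise PermissionError(f"{user} has no rights in the publishing license")
    body = _license_body(user, granted, expires)
    return {
        "user": user,
        "rights": granted,
        "expires": expires,
        # In RMS this key is encrypted to the user's public RMS key.
        "content_key": publishing_license["content_key"],
        "signature": hmac.new(SERVER_KEY, body, "sha256").hexdigest(),
    }


def open_protected(ciphertext, use_license, action="view"):
    """Step 4: the RMS-enabled application verifies the use license, enforces
    the granted rights, and only then decrypts the content."""
    body = _license_body(use_license["user"], use_license["rights"], use_license["expires"])
    expected = hmac.new(SERVER_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, use_license["signature"]):
        raise PermissionError("use license signature is invalid")
    if action not in use_license["rights"]:
        raise PermissionError(f"action {action!r} is restricted for this user")
    return _keystream_xor(use_license["content_key"], ciphertext)


if __name__ == "__main__":
    now = datetime(2007, 7, 16, tzinfo=timezone.utc)
    # "Expire in 3 days" is the kind of policy a rights policy template carries.
    ct, pl = protect(b"Q2 revenue forecast", {"finance": {"view"}}, now + timedelta(days=3))
    ul = issue_use_license(pl, "alice@example.com", now, now)
    print(open_protected(ct, ul, "view"))            # decrypts: view is granted
    try:
        open_protected(ct, ul, "print")              # print is not granted
    except PermissionError as err:
        print("blocked:", err)
```

Editing the rights inside a use license breaks its signature, which is why the model verifies the license before honouring any action.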

The RMS-enabled application can use rights policy templates to provide centralized control over usage policies within the organization.

SQL server

RMS requires a database running on Microsoft SQL Server 2000 with SP3a or above, or the Microsoft SQL Desktop Engine (MSDE). MSDE should be used only for testing, as you are unable to view logging information or change the data in the configuration database under the MSDE licensing terms. If you use MSDE, you have to install it on the RMS server itself.

The SQL server contains the following databases:

RMS configuration database

Logging database

Directory services database

The databases can be run on the same or separate SQL servers. You might also have one SQL server for the databases of the RMS root server or cluster and another for the licensing server(s).

The RMS account certificates that identify users as trusted entities are stored in the configuration database on the RMS root server or cluster.

Active Directory


The RMS server uses the Microsoft Active Directory services to authenticate the identities of RMS/IRM users and resolve group memberships when the publishing license grants rights to a group. The Global Catalog stores the service discovery location of the RMS root server or cluster.

When a user sends a request for a publishing or use license, the request starts with a query to Active Directory for the URL of the server Web service. This service then provides the URL for the license request itself.

When RMS is provisioned, it creates two security groups:

A local security group called the RMS Service Group, which contains the service account under which RMS runs. The administrator can specify the user account to be used as the RMS service account. You can run the RMS Web services as the Local System account or as a domain user account.

The Super Users Group, the members of which can decrypt all IRM-protected files and remove the IRM protections. By default, this group is empty. You can create a new group or use an existing Active Directory group to use as the Super Users Group. Members of the RMS Super Users Group can view IRM-protected content sent to someone else in the domain.

Client computers are not required to be domain members in order to be RMS clients.

Planning RMS server deployment

The RMS infrastructure requires, minimally:

A Windows Active Directory domain controller

A SQL database server

An RMS root certification server that is joined to the domain (additional licensing servers are optional)

The first step in planning your RMS server deployment is to determine the server topology:

Basic RMS topology: a one-tier structure in which a single RMS server or cluster of RMS servers performs all certification, licensing and publishing.

Distributed RMS topology: a two-tier structure in which a root RMS server or cluster issues certificates and subordinate licensing-only servers issue publishing and use licenses.

This decision is based on the size of your organization and number of anticipated license requests. For detailed information on selecting an RMS topology, see “Determining Your RMS Topology” at http://technet2.microsoft.com/WindowsServer/en/library/14002ade-53b2-4315-90f1-c0b96e5f20611033.mspx?mfr=true.

You also need to consider:


Whether you will want to exchange IRM-protected content with users outside the organization, and if so, how you will do so. See the section titled “IRM and External Users” later in this paper.

Whether you will use a hardware-based cryptographic service provider (CSP) for a greater level of security for the RMS keys used to encrypt and decrypt content. If so, the hardware security module (HSM) should be installed on the servers before RMS is configured.

Whether you need to deploy RMS across multiple forests (this requires special planning, as discussed in “Deploying RMS Across Forests” at http://technet2.microsoft.com/WindowsServer/en/library/14002ade-53b2-4315-90f1-c0b96e5f20611033.mspx?mfr=true).

How to secure the RMS Web services via access control lists (ACLs) and Secure Sockets Layer (SSL), as discussed in “Securing the RMS Deployment” at http://technet2.microsoft.com/WindowsServer/en/library/14002ade-53b2-4315-90f1-c0b96e5f20611033.mspx?mfr=true.

Planning RMS client deployment

The RMS client software must be installed on every computer that will be used to create and consume IRM-protected content. The RMS client is built into Windows Vista. For Windows 2000 or Windows XP clients, you can deploy the client software using:

Systems Management Server (SMS)

Group Policy Software Installation

Scripts

Scripted deployment gives you the most control over the process of installing the client software. For more information on how to deploy the client via SMS, Group Policy and scripting, see http://technet2.microsoft.com/WindowsServer/en/library/14002ade-53b2-4315-90f1-c0b96e5f20611033.mspx?mfr=true. Note that the provided scripts don’t work with Windows Vista because the RMS client is already included in the Vista operating system.

Planning RMS-enabled application deployment

An RMS-enabled application is required to create or consume IRM-protected content. Users who have been issued RMS account certificates (trusted users) can create IRM-protected content using Microsoft Word 2007, Excel 2007, PowerPoint 2007 and Outlook 2007.

Recipients who do not have an RMS-enabled application installed can view (but cannot change) IRM-protected content with Internet Explorer 5.5 or 6 with the rights management add-on. The rights management add-on for Internet Explorer can be downloaded at http://www.microsoft.com/downloads/details.aspx?FamilyId=B48F920B-5AF0-46B4-994F-2F62582CC86F&displaylang=en. The RMS client software should be installed before the IE add-on.

Internet Explorer 7 on Windows Vista opens IRM-protected content in the XPS Viewer. With the XPS Viewer, you can also apply RMS-based permissions to documents.

Enabling IRM in Office 2007

If you are using the Windows 2000 or Windows XP operating system, the first step before you can use IRM in Office 2007 is to install the Windows RMS Client Service Pack 1 or above. If you are using the Windows Vista operating system, the RMS client software is preinstalled. If you attempt to open an IRM-protected message or document and the RMS client is not installed, Office 2007 will prompt you to download and install it.

Installing the Windows RMS client in Windows 2000 or XP

You can download the Windows RMS client Service Pack 2 for x86 computers from the Microsoft Download Center at http://www.microsoft.com/downloads/details.aspx?FamilyID=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en. If you have a previous version of the Windows RMS client installed, the old version will be replaced. For Itanium-based computers running Windows Server 2003 64 bit (Itanium) or Windows XP Professional 64 bit (Itanium), download the IA64 Edition RMS client at http://www.microsoft.com/downloads/details.aspx?familyid=EC889D50-8819-4CF0-952C-1F7CE6BE381E&displaylang=en.

You can uninstall the Windows RMS client via the Add/Remove Programs applet in Control Panel.

Obtaining a Rights Management account certificate

Before you can use IRM, you must obtain an RM account certificate from the RMS server. If your organization has an internal RMS server, you can use it for exchanging IRM-protected documents and messages with other users who have access to the server. If your organization doesn’t have an RMS server, or you want to exchange IRM-protected documents and messages with someone who doesn’t have access to the internal RMS server, you can use Microsoft’s free trial Information Rights Management service. You can find more information about the free trial service at http://office.microsoft.com/en-us/help/HA010721681033.aspx.

The service requires you to log on with a Windows Live ID (formerly .NET Passport). You can obtain a Windows Live ID account at the Windows Live ID web site at https://accountservices.passport.net/ppnetworkhome.srf?vv=450&lc=1033.

Your email address links your user account to the RM account certificate. The RM account certificate is downloaded to your computer. If you want to create IRM-protected documents or messages on a different computer, you must download an RM certificate to it. Each certificate is unique to a specific user and computer pair. There is a server-imposed limit on the number of computers to which a user can download an RM account certificate. The Microsoft free trial service allows you to download a standard RM account certificate for a specific Windows Live account to a maximum of 26 computers. If you want to use IRM-protected content on a public computer, you can download a temporary RM account certificate (which expires in 15 minutes) to that computer.

Obtaining a publishing license

Before you can create and distribute (publish) a specific IRM-protected document or message, you must obtain a publishing license. Publishing licenses can be obtained from:

The RMS root server

An RMS licensing server, or

An RMS-enabled application with a client licensor certificate.

When the publishing license is issued by an RMS-enabled application, it’s called offline publishing. The publishing license contains the usage rights granted by the author/sender of the IRM-protected content. The publishing license also contains the symmetric key for decrypting the content of the IRM-protected document or message. This key is encrypted with the public key of the server that issues the license.

This process is repeated for every IRM-protected message or document that you create and distribute.

Obtaining a use license

Before you can use Office 2007 applications to open an IRM-protected message or document, you must obtain a use license from the RMS server. The server will check your credentials and issue the license. A use license can only be issued to the users (or groups) that are granted rights in the publishing license.

The use license contains information about the level of access that you have been granted to the message or document. It also contains a symmetric key for decrypting the content of the IRM-protected document or message. This key is encrypted with the public key of the user. The use license is digitally signed by the private key of the server that issues it.

This process is repeated for every IRM-protected message or document that you attempt to open.

How to use IRM to protect Word, Excel, PowerPoint, and InfoPath files

IRM permissions can be applied to Word 2007 documents and templates with the following file extensions: .doc, .docx, .docm, .dot, .dotx and .dotm.

IRM permissions can be applied to Excel workbooks and templates with the following file extensions: .xls, .xlsx, .xlsm, .xlt, .xltx, .xltm, .xlsb, .xla, and .xlam.

IRM permissions can be applied to PowerPoint 2007 presentations and templates with the following file extensions: .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsx, and .ppsm. IRM permissions can also be applied to Office theme files (.thmx).

IRM permissions can be applied to InfoPath 2007 forms with the .xml file extension.

Using Rights Policy Templates


Don’t confuse document templates with RMS rights policy templates. IRM templates can be applied to document templates such as .dot and .dotx (Word templates), .xlt and .xltx (Excel templates) and .pot and .potx (PowerPoint templates) in the same way they’re applied to individual documents.

Custom IRM rights policy templates are created on the RMS Administration Web site on the RMS server, stored in the configuration database on the SQL server and in a shared template folder on the RMS server, and distributed to RMS client computers. The custom rights policy templates then show up as options in RMS-aware applications. Custom templates make it easy to apply a predefined set of rights to predefined individuals or groups.

For example, the RMS administrator might create a template called “Expire in 3 days” that can be used to set a standard expiration period on documents, without going through the process of manually setting the expiration date in the Permission dialog box. For information on how to create custom templates, see http://technet2.microsoft.com/Office/en-us/library/fbd209b7-d960-4b19-b2f1-f128fed18e3e1033.mspx?mfr=true

To apply a custom template to a file in Word, Excel or PowerPoint 2007:

1. Save the file.
2. Click the Microsoft Office button at the top left corner of the window.
3. Click Prepare, then select Restrict Access and select the template you want to apply.

Applying IRM permissions without custom templates

If no custom templates have been provided, or none of the custom templates fit your needs, you can apply IRM permissions individually to files. To restrict permissions to a document, document template, workbook or presentation created with Word 2007, Excel 2007 or PowerPoint 2007, follow these steps:

1. Save the file.
2. Click the Microsoft Office button at the top left corner of the window.
3. Click Prepare, select Restrict Permission, then select Restricted Access.
4. In the Permission dialog box, check the Restrict permission to this document checkbox.
5. In the Read and Change boxes, enter the email addresses of users to whom you want to give permission to read and/or modify the document.
6. Click the More Options button.
7. In the Permission dialog box, you can check boxes to specify additional permissions, including an expiration date for the document, permission to print content, permission for users with read access to copy content, and programmatic access to the document. You can also provide an email address at which users can request additional permissions, or require a connection to verify a user’s permission. Finally, you can set these permissions as the default for all documents, workbooks, forms and presentations that have restricted permissions.

You can give different levels of permission to different users. The levels of control include:


Full control: these users can do anything with the file that the creator/owner can do, including giving permissions to other users and opening documents that have expired.

Change: these users can modify the file and save the changes, but cannot print it.

Read: these users can only view the file; they cannot make any changes, copy or print it.

After you assign permissions, a message appears in the Message Bar, stating that the document, workbook or presentation has restricted permissions. If you email an IRM-protected file to a person who does not have permissions to it, the recipient will not be able to open it but will see a dialog box in which the recipient can change user accounts or request permission from the creator/owner who applied the IRM protection to the file.

How to use IRM to protect Outlook email

IRM permissions can be applied to Outlook 2007 email messages to prevent recipients from forwarding, printing or copying the content. The person who creates and applies IRM protection to the message is called the conversation owner. The conversation owner has full rights to the message, with no restrictions. Recipients are allowed to view additional content when replies are sent by any member of the conversation thread, but replies have the same restrictions on forwarding, copying and printing as the original message.

To restrict permissions to an email message created with Outlook 2007, follow these steps:

1. Create a message in Outlook.
2. Click the Microsoft Office button at the top left corner of the message window.
3. Click Permission, then select Do Not Forward.
4. A message appears in the Info bar of the message, stating that recipients can read this message but cannot forward, print or copy content, and specifying the email address of the sender who created the message and granted the permission (the conversation owner).
5. Click the Send button to send the message.

If the email administrator has created custom permission policies to be used by email users in your organization, those policies will also appear as options along with the Do Not Forward selection.

IRM-protected messages are marked with a special icon in the Outlook mailbox. The recipient must obtain an RM account certificate, if he or she doesn’t already have one, in order to open and view the message. The recipient cannot view an IRM-protected message in Outlook’s preview pane. Recipients who don’t have Microsoft Outlook 2007 can use the Rights Management Add-on for Internet Explorer to view (but not reply to) IRM-protected messages. However, attachments cannot be viewed in Internet Explorer.

If you have attached a document, workbook or presentation created in Word 2007, Excel 2007 or PowerPoint 2007, it inherits the IRM permissions of the email message to which it is attached, unless the file was already given IRM permissions in the Office program in which it was created, in which case those permissions are retained.


Note that you cannot use IRM permissions in Outlook 2007 to cause an email message to expire; however, you can use Outlook 2007’s Delivery Options feature to set an expiration date on an email message.

Managing your IRM environment

You can manage your RMS servers through the administration Web site. The Global Administration page is used to provision and unprovision RMS servers and change the RMS service account. It’s accessible only on the local RMS server you are managing. The Administration Home page is accessed from the Global Administration page and is used to get information about the cluster and configure trust policies, rights policy templates, logging settings, RMS proxy settings, security settings, certification settings, exclusion policies and other settings for the cluster.

IRM and external users

If you want your internal users to be able to share IRM-protected content with others outside the organization, across the Internet, you can set up your root certification server’s URL (which the client computers use to obtain publishing and use licenses) to be accessible via the Internet. Another option is to set up a separate licensing server for external users.

You can create internal accounts for the users outside the LAN and allow them to access the network via VPN. The accounts can have an internal mailbox or an external mailbox. When your users grant rights for IRM-protected content to an external user, they must use the appropriate email address associated with the external user’s account.

Your firewall will need to be configured to allow external computers to use TCP port 80 or TCP port 443 to make Simple Object Access Protocol (SOAP) requests over HTTP or HTTPS.

For best security, you can create a forest in Active Directory just for external accounts and set up a separate root certification server or cluster that faces the Internet. External users get their RMS certificates from this root server/cluster. You’ll need to establish a trust relationship between the external and internal RMS servers so that the external server can issue use licenses for content that was published through the internal server and the internal server can issue use licenses for content that was published through the external server.

If your internal users need to exchange IRM-protected content with users from another organization that has RMS deployed, you can establish a trust relationship by having the other organization export its RMS server licensor certificate and then importing it into your Internet-facing licensing server.

The easiest way to exchange IRM-protected content with external users is to use the Microsoft Certification Server hosted on the Internet. This service uses Windows Live ID/.NET Passport accounts. The machine and account certificates are issued directly by Microsoft. The author/sender of IRM-protected content must use the recipient’s Windows Live ID/.NET Passport account when granting rights to the content.


Rights Policy Templates

You can create rights policy templates to apply consistent IRM protection rules across the organization. Templates are added, deleted and edited via the RMS Administration Home page on the RMS server. Rights policy templates are stored in the configuration database on the SQL server, and copies of all templates are stored in a shared folder on the network, where they are available to RMS client computers.

A rights policy template defines the users and rights that apply, and how the template is applied to the content. You can control the distribution of the templates and thus control which templates can be used by which users.

Rights policy templates can specify:

Which users and groups can obtain use licenses for content published using the template.

What rights each user or group has for the content.

Expiration policies (whether content expires, when content expires, whether licenses must be renewed after a specific time period).

Whether a new use license is required every time the content is accessed.

Whether the author still has rights to the content after expiration.

Whether IRM-protected content can be viewed in a trusted browser or must be viewed in the application by which it was created.

Revocation policies (whether a revocation list is required, how long a revocation list is valid) and revocation lists.

For more details on how to work with rights policy templates, see “Managing Rights Policy Templates” at http://technet2.microsoft.com/WindowsServer/en/library/14002ade-53b2-4315-90f1-c0b96e5f20611033.mspx?mfr=true.

Developing RMS-enabled applications

Your in-house developers can create RMS-enabled applications, or extend existing applications to make them RMS-enabled, using the Microsoft Windows Rights Management SDK. It can be downloaded at http://www.microsoft.com/downloads/details.aspx?FamilyId=3C918424-40E6-4CB9-BCBD-E89686F036A3&displaylang=en.

With the SDK, developers can build applications that will both publish and consume IRM-protected content, or applications that can only publish IRM-protected content.

Maintaining the IRM environment

Following a set of best practices will keep your RMS environment operating properly. These include:


For performance and security reasons, your RMS servers should be dedicated to that function. You should not run additional services on them.

Ensure that the SQL server has enough disk space for the large amounts of data created by the logging service. The logging and configuration databases are stored on the same server by default. You can move the logging database to a separate server.

You should monitor the RMS server to detect problems and potential problems. You can use Microsoft Operations Manager (MOM) with the RMS MOM Pack.

You should back up the configuration database(s) on a regular basis.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.