Rights Management Services
RMS stands for “Rights Management Services” and as the name indicates it is a Microsoft Windows information protection technology that uses encryption and a form of selective functionality denial from limiting access to documents such as corporate emails, office documents etc. RMS technology works with RMS client enabled application in order to safe guard digital information from unauthorized use.
Companies can use this technology to encrypt information stored in such document formats, and restrict unauthorized users from accessing them or modifying them. It is also possible to set the restrictions for a period of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors.
You might think that normal NTFS permission along with password protection techniques that’s used in office documents can achieve this task. Yes, we can achieve this goal, but from an organization point of view, using RMS we have more control for administrating the rights for users on the documents.
Major Components of the rights management environment
We have already discussed that RMS is a client-server technology model. So we get introduced to a few of the common components that are involved in Right Management environment.
This includes the RMS servers, RMS client computers and RMS-enabled applications. These components also rely on a SQL database and the Active Directory services to make the rights management process work. Together, these components enable users to create, publish, distribute and consume IRM-protected content.
1. RMS servers
RMS servers must run Windows Server 2003 (any editions except web edition) or above with Internet Information Services (IIS), Message Queuing, and ASP.NET enabled. A minimum of 512 MB RAM is recommended with 40 GB of hard disk space. RMS server can work with single Network adaptor. As far as the Fie system, Microsoft recommends NTFS.RMS must be installed in an Active Directory domain with domain controllers running Windows 2000 server SP3 or above.
You can download the RMS from the following Link: http://go.microsoft.com/fwlink/?LinkId=73722
2. RMS client software
The RMS client software is built into the Windows Vista based operating system. It’s available for a free download for any other previous operating system including Windows 2000, Windows XP and Windows Server 2003.
Download the RMS client from http://go.microsoft.com/fwlink/?LinkId=67736.
If you are using a 64-bit version of Windows XP Professional or Windows Server 2003, download the 64-bit version of the RMS client http://go.microsoft.com/fwlink/?LinkId=67935.
3. RMS-enabled applications
IRM-protected content can only be created and viewed with RMS-enabled applications. RMS-enabled applications work with the RMS client software. Some RMS-enabled applications include:
1. Microsoft Office 2003 and 2007
2. Microsoft Internet Explorer (version 5.01, 5.5 and 6.0) with the rights management add-on
3. Internet Explorer 7 XPS Viewer
4. Mobile Office applications in Windows Mobile 6
5. Applications created or extended using the Microsoft Windows Rights Management Services Software Developer’s Kit (SDK)
4. SQL server
RMS requires a database running on Microsoft SQL Server 2000 with SP3a or above, or the Microsoft SQL Desktop Engine (MSDE). MSDE should be used only for testing, as you are unable to view logging information or change the data in the configuration database under the MSDE licensing terms. If you use MSDE, you have to install it on the RMS server itself.
The SQL server contains the following databases:
- RMS configuration database
- Logging database
- Directory services database
The databases can be run on the same or separate SQL servers. The RMS account certificates that identify users as trusted entities are stored in the configuration database on the RMS root server or cluster.
5. Active Directory
The RMS server uses the Microsoft Active Directory services to authenticate the identities of RMS/IRM users and resolve group memberships when the publishing license grants rights to a group. When a user sends a request for a publishing or use license, the request starts with a query to Active Directory for the URL of the server Web service. This service then provides the URL for the license request itself.
Information Rights Management
Information Rights Management (IRM) is an information protection technology built into Microsoft® Office 2007 that works with Rights Management Services (RMS) in Microsoft Windows Server 2003.
IRM helps organizations and its users to control how the information can be used. With the help of IRM, the creator or sender of a document or a message have complete control to specify who can open/edit/ print, forward or copy it or perform any other actions with the information it contains.
An RMS server running Microsoft Windows Server 2003 serves as a central repository for information used to identify what rights have been granted to particular users and to verify the credentials of those users. Information Rights Management is the component in the RMS-enabled application that enforces those rights; IRM is to RMS what Microsoft Office Outlook is to Exchange.
Actions that can be controlled with IRM:-
When IRM is configured properly, users can assign access permissions to certain types of files created with Office 2007 applications for certain users. Here are a few actions that can be controlled using IRM
1. Editing the content
2. Forwarding a file
3. Copy/cut/paste the content as text
4. Printing the file
6. Using the default Print Screen (PRT SC) key to capture the image of the content
As discussed, IRM protection can be applied to any office documents such as Word files, Excel workbooks, PowerPoint presentations and templates and InfoPath forms as well as Outlook 2007 email messages.
Limitations of IRM
Here are some of the limitations of IRM
1. Content corruption due to hardware failure or any kind of viruses
2. Taking a photograph of the content displayed on the screen
3. Manually writing down the contents
4. Using a third party screen capture utility to capture screenshot
5. Using a keystroke logger to capture the content of the document when it is being created.
IRM-protected documents and messages can be created using Office 2007 Professional Plus and Enterprise editions only and not using Office 2007 Standard edition. Standard edition can be used to open and view IRM-protected documents