Control your documents with Office 2003's Information Rights Management

Learn how Office 2003's Information Rights Management (IRM) works and how you can use it to control access and editing permissions on the documents produced by your users.


Digital Rights Management (DRM) has become a controversial subject as software companies, the music industry, and other producers of intellectual property have moved to use technology to prevent copyright infringement. With Office 2003, Microsoft has gone beyond the concept of protecting its own interests and built in a way for those who use its software to create intellectual property to protect enterprise copyrights, restrict the distribution of sensitive data, and control what can be done with a document by users who have been granted access.

This feature is called Information Rights Management (IRM), and it's supported by Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 in Microsoft Office Professional Edition 2003. When you create a Word document, for example, you can specify exactly who can view it, restrict users from redistributing it, and even set a date on which their access will expire. In this article, we look at how rights management works in Office 2003 and how you can put it to use in your organization.

Add-on for Internet Explorer
Microsoft also plans to provide a free add-on component for Internet Explorer that can be used to view IRM-protected documents (with rights intact) by those who aren't running Office 2003. This means your decision to use rights management protection doesn't depend on whether users have Office 2003 installed.

How IRM works
IRM is the Office 2003 component of a larger technology called Windows Rights Management (RM), which is implemented by Rights Management Services (RMS) installed on a Windows Server 2003 server. IRM therefore doesn't work as a stand-alone feature: you need a server running RMS to use it. That server doesn't have to be on your own network, however; you can use the trial service hosted by Microsoft. The hosted service lets home and small-office users of Office 2003 benefit from some of the IRM features, but it doesn't provide the full control and functionality of an in-house RMS server.

You might be wondering how rights management improves on the access controls already available in Windows. After all, with modern versions of Windows and Office, you can already restrict access to your documents in a number of ways. You can restrict access:
  • By setting share permissions on documents shared across the network.
  • By setting NTFS permissions to protect documents accessed both locally and remotely.
  • By encrypting documents stored on the disk via the Encrypting File System (EFS).
  • By password-protecting your documents with Office's Security function.

The problem with all of these methods is that they are, in essence, all-or-nothing solutions. Share and NTFS permissions can stop someone from modifying the original file, but once a person is allowed to read it, nothing prevents him or her from saving it as a new document or copying its contents and redistributing them to others. This is a major problem when you must grant access but also ensure that the material goes no further than the people to whom you specifically granted it.

IRM gives you a way to protect e-mail messages, Word documents, Excel spreadsheets, and PowerPoint presentations, making it much more difficult for a recipient to pass them on. Keep in mind what it can and cannot do: the content is decrypted on the recipient's computer and the restrictions are enforced by the application displaying it, so a recipient who is determined enough could still capture or even photograph the screen. That yields a picture of each page rather than the electronic document, but it means IRM raises the bar against casual redistribution rather than making leaks impossible.

RMS uses digital certificates to establish the identities of users. The certificates are issued by the RMS server based on either Windows authentication (for in-house RMS servers) or Passport authentication (for Microsoft's trial RMS service). The Rights Management Service itself is an ASP.NET Web service, and the rights it issues are expressed in the Extensible Rights Markup Language (XrML). Protection is applied at the file level: the content is encrypted and the usage policy travels inside the file, so the restrictions remain in force even when the file leaves the organization or network. The corollary is that the first time a recipient opens the file, the client must contact the RMS server to obtain a license for that user (see Figure L), so someone who isn't listed in the policy can't read it.

One of the benefits of having an in-house RMS server is the ability to create templates based on your permissions policies so that you can define a particular permissions configuration to apply to groups of documents.

Using IRM to protect your documents
You can't just begin using IRM immediately. There are several preliminary steps you must take to deploy the technology. First, if you're deploying rights management within the organization, you'll need to set up and activate a Windows Server 2003 RMS server and then install the Windows Rights Management client on the machines running Office 2003. Because IRM is certificate-based, each user must also obtain a rights management certificate from the RMS server before he or she can protect documents or open protected ones.

After the infrastructure is in place, using IRM is easy. We'll use Microsoft Word in our examples, but remember that you can also protect other Office documents (and e-mail messages). In fact, we expect that a common use for IRM will be allowing others to view your PowerPoint presentations without the fear that they will copy or redistribute them.

To restrict access to a Word 2003 document using IRM, start by clicking File | Permission, or click the Permission button on the toolbar, as shown in Figure A.

Figure A
Click Permission on the File menu to restrict access using IRM.


This will open a Select User dialog box, as shown in Figure B. If you have no RMS server deployed and you have a Passport account, your account name will appear here.

Figure B
Select a user account (validated by the internal RMS server or a Passport account for the Microsoft trial service).


Instead of seeing the Select User dialog box, you might be prompted to install the RMS client software, as shown in Figure C. Clicking Yes will download the client (msDRMClient.msi).

Figure C
Click Yes to install the Rights Management client (msDRMClient.msi).


Client software can be deployed via Group Policy
The client software is an .msi package and thus can be deployed to computers or users in the organization using Windows Group Policy Software Installation.

Double-clicking the file launches the Windows Rights Management client Setup Wizard. If you have neither a Passport account nor an internal RMS server, you can sign up for Microsoft's trial IRM service by clicking Add and completing the Service Sign-Up Wizard, the first page of which is shown in Figure D.

Figure D
You can sign up to use Microsoft's IRM service if you don't have an RMS server.


You'll be asked if you already have a Passport account (and given the opportunity to create one if you don't). You'll have to log on to the Passport server and then specify the e-mail address that was used for the Passport account, as shown in Figure E.

Figure E
To receive an RM certificate from the Microsoft service, you must specify your Passport e-mail address.


Next, you'll be asked to select the certificate type:
  • Standard certificate: lets you create, view, and use restricted content on this computer; it can be renewed.
  • Temporary certificate: lets you open restricted content on this computer for a limited time only; it cannot be renewed.

Because the certificate is bound to the computer it is downloaded to, choose Standard for your own machine and Temporary for a shared or borrowed one.

Select the certificate type, as shown in Figure F.

Figure F
You'll be prompted to select either a Standard or Temporary RM certificate.


When an RM certificate has been created and successfully downloaded to the computer, you'll receive notification that the wizard is complete, as shown in Figure G.

Figure G
When the certificate has been downloaded, click Finish to complete the wizard.


When you have an RM certificate installed on your machine, you can use rights management to protect documents and view protected documents.

Now when you click the Permission option in the File menu and select Restrict Permission As, you can select your account (for which you just downloaded an RM certificate) in the Select User box to create or open content. After you do, the Permission dialog box will be displayed, and you can enter the e-mail addresses of any users to whom you want to give Read or Change permission, as shown in Figure H. Typing the first few letters of the address will provide you with choices from your address book.

Figure H
You can select users to whom you want to give Read or Change permission, or click the More Options button.


Clicking the More Options button will allow you to set additional permissions for the selected users, such as:
  • Permission to print the content.
  • Permission to copy the content.
  • Permission to access the content programmatically.

You can also set an expiration date, after which the user will not be able to access the document. In addition, you can choose to allow users who don't have Office 2003 to use their Web browser (IE with the information rights add-on) to read the document. Figure I shows these choices.

Figure I
You can set additional permissions after selecting More Options.
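To make the access model concrete, here is a small Python model of the Permission dialog and its More Options settings (Read vs. Change levels, the print, copy, and programmatic-access checkboxes, and the expiration date), including the Figure M behavior of graying out Save and Send To for Read-only users. This is an added example written for this article; it is not Microsoft's RMS code or Office's own logic. The names Grant, Policy, check and disabled_menu_items are my own, and two rules are assumptions rather than documented behavior: the expiration date is treated as the last day of access, and Send To is treated as a form of saving.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Actions a recipient may attempt on a protected document.
READ, EDIT, SAVE, COPY, PRINT, PROGRAMMATIC = (
    "read", "edit", "save", "copy", "print", "programmatic")

# Rights implied by the two levels in the Permission dialog (Figure H).
# Read is view-only; Change adds editing, saving and copying but not printing.
LEVEL_RIGHTS = {
    "Read": {READ},
    "Change": {READ, EDIT, SAVE, COPY},
}

# Word menu items and the right each one needs (Figure M).  Assumption:
# Send To is treated as a form of saving, since both are grayed out for
# Read users.
MENU_ITEMS = [("Save", SAVE), ("Save As", SAVE),
              ("Save As Web Page", SAVE), ("Send To", SAVE)]


@dataclass
class Grant:
    """One user in the Permission dialog plus that user's More Options."""
    email: str
    level: str                        # "Read" or "Change"
    allow_print: bool = False         # More Options: print content
    allow_copy: bool = False          # More Options: copy content
    allow_programmatic: bool = False  # More Options: programmatic access


@dataclass
class Policy:
    """Permissions embedded in one document (hypothetical model)."""
    grants: List[Grant]
    expires: Optional[date] = None    # More Options: expiration date

    def grant_for(self, email: str) -> Optional[Grant]:
        key = email.strip().lower()   # addresses compare case-insensitively
        for g in self.grants:
            if g.email.strip().lower() == key:
                return g
        return None

    def expired_on(self, today: date) -> bool:
        # Assumption: the expiry date itself is the last day of access.
        return self.expires is not None and today > self.expires


def effective_rights(policy: Policy, email: str, today: date) -> Set[str]:
    """Rights the user holds on `today`; empty if unlisted or expired."""
    g = policy.grant_for(email)
    if g is None or policy.expired_on(today):
        return set()
    rights = set(LEVEL_RIGHTS[g.level])
    if g.allow_print:
        rights.add(PRINT)
    if g.allow_copy:
        rights.add(COPY)
    if g.allow_programmatic:
        rights.add(PROGRAMMATIC)
    return rights


def check(policy: Policy, email: str, action: str, today: date) -> Tuple[bool, str]:
    """Decide one attempted action and explain why it was allowed or refused."""
    if policy.grant_for(email) is None:
        return False, "no permission granted to %s" % email
    if policy.expired_on(today):
        return False, "document expired on %s" % policy.expires.isoformat()
    if action in effective_rights(policy, email, today):
        return True, "granted"
    return False, "right '%s' not granted to %s" % (action, email)


def disabled_menu_items(policy: Policy, email: str, today: date) -> List[str]:
    """Menu entries Word would gray out for this user."""
    rights = effective_rights(policy, email, today)
    return [name for name, need in MENU_ITEMS if need not in rights]


# Constructed sample policy: Alice may read, Bob may change and print,
# and the whole document expires at the end of 2003.
SAMPLE_POLICY = Policy(
    grants=[Grant("alice@example.com", "Read"),
            Grant("bob@example.com", "Change", allow_print=True)],
    expires=date(2003, 12, 31),
)
SAMPLE_TODAY = date(2003, 11, 1)
SAMPLE_AFTER_EXPIRY = date(2004, 1, 1)

if __name__ == "__main__":
    for who, what in [("Alice@Example.com", READ), ("alice@example.com", SAVE),
                      ("bob@example.com", PRINT), ("carol@example.com", READ)]:
        print(who, what, check(SAMPLE_POLICY, who, what, SAMPLE_TODAY))
    print("grayed out for Alice:",
          disabled_menu_items(SAMPLE_POLICY, "alice@example.com", SAMPLE_TODAY))
    print("after expiry:",
          check(SAMPLE_POLICY, "bob@example.com", READ, SAMPLE_AFTER_EXPIRY))
```

The point of the expiry check sitting in front of the rights check is that, in this model, a lapsed document refuses even a Read request from a listed user; the per-action rights only matter while the document is still valid.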


The permissions you've set on the document will now appear in the Shared Workspace task pane at the right of the document, as shown in Figure J.

Figure J
The permissions information appears in the Shared Workspace task pane, which automatically opens to the right of the document.


Reading IRM-protected documents
If a user tries to open an IRM-protected document in an earlier version of Word, he or she will see a notification that permission is restricted, as shown in Figure K. Note that the document title remains visible even though the content does not, so don't put sensitive information in the title or file name.

Figure K
A user will not be able to open the document in an earlier version of Word.


Users will be notified of restrictions
Attempts to open the protected document in any other program (NotePad, IE without the Rights Management add-on installed, etc.) will result in the same notification that permission is restricted.

To open the document in Office 2003, the user might need to install the updated Rights Management client, create a Passport account, and download an RM certificate if these haven't been done previously. The first time the user tries to open the file, a dialog box might appear stating that Office must connect to the RMS server to verify the user's information, as shown in Figure L.

Figure L
Office needs to connect to the RMS server to verify the user's identity.


The user will be able to do with the document whatever you specified when you set permission. For example, if you gave the user Read permission, the user can view the document. But if the user tries to save the document, the Save, Save As, and Save As Web Page options will be grayed out, as shown in Figure M. Likewise, all options in the Send To menu are grayed out so that the user cannot forward the document to a mail or routing recipient, Exchange folder, or other location.

Figure M
A user with Read permission will not be able to save the document.


The IE Rights Management add-on
If a user tries to open an IRM-protected document and does not have Office 2003 installed, the user will be directed to the Internet Explorer Web site for the Rights Management add-on.

Download the add-on
You can download the add-on from Microsoft's IE Web site. This is beta software that expires Nov. 1, 2003. The final version is expected to be released later in 2003.

The same restrictions are enforced when the user opens a protected document with IE as when he or she uses Office 2003 applications. The currently available beta of the Rights Management add-on can only be installed on IE 6.0 running on Windows 2000 or Windows XP. The Rights Management client software must also be installed. Note that IE with the add-on is used only to view IRM-protected documents; it cannot be used to protect documents.

Built-in rights management
Protecting digital content has become increasingly important in today's business environment. Previously, protecting one's intellectual property required special programming skills or the use of specific third-party software. Now, rights management is built into Office 2003 and can be used to restrict what others do with the content without completely denying them access.

The rights management feature in Office promises to address many of the problems associated with safeguarding the rights of intellectual property owners and creators, and to give sensitive information better protection than file and share permissions alone, with the caveat that it cannot stop a recipient who is willing to capture what appears on the screen.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...
