TechRepublic Tutorial: Is Windows Rights Management a conspiracy or customer value?

Decide whether Windows Rights Management is a help or hindrance to your organization


By Tim Landgrave

The ABM (Anything But Microsoft) modem lights are flickering like fireflies this month with the impending general availability of Microsoft’s new Office System 2003. It’s not because Microsoft has updated its Office Suite with more usability features and deeper XML integration. What has the ABMers fuming is the inclusion of the Microsoft Windows Rights Management (MWRM) system in the new Office platform. They view MWRM as Microsoft’s attempt to fend off competition from products such as StarOffice or OpenOffice.org by cutting off those products’ ability to access documents created by Office 2003.

A recent post on Slashdot.org fumed, "Even if the developers of a competing office suite could figure out how to get their software to open an Office 2003 document, doing so would be a DMCA [Digital Millennium Copyright Act] violation, since they'd be bypassing an anti-circumvention device." Let's look at the real customer value Microsoft will deliver with MWRM and why the ABM distrust of Redmond shouldn’t deter corporations from investigating this important new technology.

Why rights management is important
Corporations spend millions of dollars creating intellectual property (IP) in the form of documents, spreadsheets, and presentations. Then they spend more millions trying to prevent malicious or unintended users from accessing it. But even with all of the firewalls, user IDs, directory security schemes, e-mail confidentiality, and encryption features, they can’t stop a user from distributing the IP once he or she actually gains possession of it by opening the document for the first time. Once the document is opened, the user may save it to hard storage such as a CD or floppy drive for dissemination, print it out and fax it to a hundred of their closest friends, or simply forward a new e-mail with the unprotected document attached.

Rights Management (RM) systems solve this problem by embedding information about how the document may be accessed and who may access the information contained in the document. These protections remain in place whenever the document is accessed. For example, a document creator may prevent the document from being printed out, saved, or forwarded to keep paper copies from being widely distributed. These restrictions will remain in place regardless of how the document is transported (e-mail, portable storage, etc.) and where the document goes (inside or outside the corporate firewall). Microsoft is the first vendor to release an end-to-end RM access and management system.

How Microsoft has implemented its RM features
Microsoft’s RM implementation is based on Windows Server 2003, the Microsoft Office System 2003, and a new product, Rights Management Services, which was designed for Windows Server 2003. These services include a server component that can be installed on any version of Windows Server 2003 at no additional charge. Any users who will be creating or consuming rights-protected documents will also have to install client software that can interpret the licensing information embedded in the document. Although the software can be downloaded and installed at no charge, customers must purchase a Client Access License (CAL) for every internal user who needs to take advantage of the RM features. To allow companies to share their documents with external users, Microsoft has also released a WRMS External Connector license allowing these users to consume protected documents without purchasing their own CALs.

To activate RM features, an Office 2003 user creates a file using Word, Excel, PowerPoint, or Outlook and then indicates which rights should be granted to particular users. Users can be defined in several ways, including by Windows identity and by public e-mail address. When the recipient attempts to open the document for the first time, the client-based RM software attempts to validate the recipient's identity with either a local or remote WRMS server. If successful, the user is granted the access defined within the document.
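A simplified model of the flow just described, added here as an illustration; it is not Microsoft's code or the WRMS protocol. It shows why a copied file or a recipient-edited policy does not yield the content. All function names, the server-side key store, and the toy cipher are assumptions, and identities are treated as already authenticated.

```python
import hashlib, hmac, json, secrets

SERVER_KEY = secrets.token_bytes(32)  # known only to the hypothetical licensing server
KEY_STORE = {}                        # server side: document id -> content key

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream cipher, for illustration only (not for real use)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def policy_tag(doc_id: str, policy: str) -> str:
    """Server-keyed MAC that binds a policy to one document id."""
    return hmac.new(SERVER_KEY, f"{doc_id}|{policy}".encode(), hashlib.sha256).hexdigest()

def protect(content: bytes, grants: dict) -> dict:
    """Author side: encrypt the content and bind a per-user rights policy to it."""
    doc_id, key = secrets.token_hex(8), secrets.token_bytes(32)
    KEY_STORE[doc_id] = key
    policy = json.dumps(grants, sort_keys=True)
    return {"id": doc_id, "policy": policy, "tag": policy_tag(doc_id, policy),
            "ciphertext": xor_stream(key, content)}

def issue_use_license(doc: dict, identity: str) -> dict:
    """Server side: release key and rights only for an intact policy naming the user."""
    if not hmac.compare_digest(doc["tag"], policy_tag(doc["id"], doc["policy"])):
        raise PermissionError("policy was modified after publishing")
    rights = json.loads(doc["policy"]).get(identity)
    if rights is None:
        raise PermissionError(f"{identity} is not named in the policy")
    return {"rights": set(rights), "key": KEY_STORE[doc["id"]]}

def use_document(doc: dict, identity: str, action: str) -> bytes:
    """Client side: obtain a license, then allow only the actions it grants."""
    lic = issue_use_license(doc, identity)
    if action not in lic["rights"]:
        raise PermissionError(f"{identity} may not {action} this document")
    return xor_stream(lic["key"], doc["ciphertext"])

# Constructed sample: one Windows-style identity and one public e-mail address.
DOC = protect(b"Q3 acquisition plan", {r"CORP\alice": ["view", "print"],
                                       "bob@example.com": ["view"]})
```

The restrictions travel with `DOC` itself, so the same checks apply wherever the file is copied; only the licensing step needs to reach the server.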

With the extensions Microsoft has defined within WRMS, organizations not only can define common templates that enforce common scenarios (like "company confidential" or "attorney-client privilege") but also set up complex workflow scenarios that define and enforce document rights at each stage of the workflow process. This deep level of rights management integration with the Microsoft platform has prompted the non-Microsoft community to begin an all-out assault on Microsoft’s attempts to help companies protect their IP.

Why the fear is unfounded
Given that most of the ABMers are also part of the open source community, they share a general disdain for anything proprietary or closed. But Microsoft has done its homework this time. The only thing MWRM closes is an unauthorized user’s or a hacker’s ability to crack open Office documents that contain a corporation’s IP without the proper permissions. And the entire system is based on an emerging Internet standard called XrML, a rights expression language for defining digital information policies, which lets users of trusted systems within a trusted environment define the rights other users should have to the documents they produce. The ABMers’ concerns are based on ignorance, not knowledge.

Any platform that implements the XrML standard and can access the Web services that deliver the necessary licenses can access the underlying document. This allows software developers on any platform to interoperate with MWRM to guarantee that the documents produced by their systems will be used by recipients only in the manner the creator intended.
