Rights management for SMBs

You have security mechanisms in place to keep unauthorized persons from accessing important documents, but how do you keep authorized persons from misusing those documents – copying them, printing them or forwarding them to others? Rights management to the rescue!

If you think rights management pertains only to digital music and movies, think again. Small and mid-size businesses produce content every day, much of which needs to be protected from misuse.

You probably already have many mechanisms in place to prevent unauthorized users from accessing information on your network. These would include perimeter protection such as firewalls, access controls such as share level and file level permissions, and encryption of sensitive documents. So you may be wondering why you need yet another layer of data protection.

All of the above security mechanisms are designed to keep people from accessing information. But sometimes you need to allow others to access information. The problem is that once you give them access, you may lose control over what they do with that information.


For example, you want to allow another user to read a document or spreadsheet you've prepared--but you don’t want that user to make copies of it. Or you need to send information via email, but you don’t want the recipient to forward that message to others. Maybe you’d prefer that the user not even be able to go back and read the message a month later.

That’s where rights management comes in. Just as the music companies and movie studios use digital rights management (DRM) technology that allows you to use their products in a certain way but prevents you from engaging in prohibited uses, such as making copies, you can use rights management to control what users can do with the documents and emails you send them.

One solution is Microsoft’s Rights Management Services (RMS) and Information Rights Management (IRM) technologies. You can use RMS/IRM to extend your control over information even when you must share it with others.

What are RMS and IRM?

RMS and IRM work together to provide rights management for documents created with Microsoft Office. RMS is built into Windows Server 2003 R2 and Longhorn Server. RMS client software is built into Windows Vista and is available for Windows 2000 and XP as a free download at http://www.microsoft.com/downloads/details.aspx?FamilyId=A154648C-881A-41DA-8455-042D7033372B&displaylang=en.

IRM is the rights management component in RMS-enabled applications such as Microsoft Office and Internet Explorer. IRM is a part of Office 2003 and 2007.

How it does it

With RMS/IRM, you can control what a recipient can do with an Office document or an email message created in Microsoft Office. You can:

  • Prevent the recipient from copying text from the message or document.
  • Prevent the recipient from printing the message or document.
  • Prevent the recipient from forwarding an email message.
  • Set an expiration date, after which the recipient won’t be able to access the message or document.

The recipient needs Office 2003 or 2007 or Internet Explorer to open an RMS-protected message or document. If a user tries to open it in an earlier version of Office, another application (such as Notepad or Open Office) or a third party email client, access will be denied.

It's important to note that although the RMS-enabled application will prevent users from copying, forwarding or printing the protected information (by graying out those options in the menus), a determined person could still use screen capture utilities, use a digital camera to take a photo of the information on-screen, or even make a handwritten copy of the information. RMS/IRM makes it difficult, but not impossible to misuse the protected information.

How it works

RMS/IRM uses digital certificates to identify trusted entities. Here is a simplified explanation of the process:

  1. The RMS client creates a protected message or document in an RMS-enabled application.
  2. A publishing license is created that enumerates the usage rights that apply to the message or document.
  3. The RMS server has the public key that was used to encrypt the information. When the recipient tries to open the protected message or document, the RMS server verifies the recipient’s credentials.
  4. The RMS server issues a use license containing the usage rights specified in the publishing license.
  5. The keys from the end-user license and XrML certificates are used to decrypt the information.
  6. The RMS-enabled application enforces the usage rights.

How to deploy RMS

To deploy RMS in your organization, you need one or more Windows RMS servers. When you install an RMS server, it goes through the server enrollment process, whereby a public key from your root RMS server is signed by the Microsoft Enrollment Service. After you configure the root server, you can configure additional servers.

You’ll also need a SQL database. RMS uses this for storing configuration and policy information and for logging. MSDE can be used in a low volume environment if you have only one RMS server.

The RMS client software must be installed on machines that will use RMS-enabled applications, unless they’re running Windows Vista. The client component is activated automatically the first time a user tries to create protected content or view a protected message or document.

The client must be running RMS-enabled applications such as Office 2003 or 2007 to create and view protected content.

The RMS server issues XrML certificates to associate user accounts with specific computers. The certificates contain a key pair (public and private key) that’s used to license information for that user.

Customizing RMS

Microsoft makes a Software Developer’s Kit (SDK) for RMS available so that your in-house programmers can create custom RMS applications or add RMS functionality to their existing applications.

Administrators can use rights policy templates to set conditions such as a set of recipients or Active Directory groups, or how long a use license remains valid. Administrators can also create revocation lists to take away users’ ability to access rights-protected information. This is used if an employee leaves the company or a private key is compromised.
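
A toy model of the licensing decision from "How it works" (steps 2, 4 and 6), combined with the template lifetime and revocation list described above. It is an added illustration, not Microsoft's code or the RMS SDK's API. The class names, right labels, users, groups and dates are assumptions, and no encryption or certificates are modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PublishingLicense:   # step 2: usage rights enumerated by the author
    rights: dict           # user or group name -> set of right labels
    expires: datetime      # expiration date set on the content

@dataclass(frozen=True)
class UseLicense:          # step 4: issued to one recipient by the server
    user: str
    rights: frozenset
    valid_until: datetime

class ToyLicenseServer:
    """Models only the licensing decision; this is not the RMS API."""
    def __init__(self, groups, revoked, use_license_lifetime):
        self.groups = groups                  # user -> set of group names
        self.revoked = revoked                # revocation list
        self.lifetime = use_license_lifetime  # policy template setting

    def issue_use_license(self, pl, user, now):
        if user in self.revoked:
            raise PermissionError(f"{user} is on the revocation list")
        if now >= pl.expires:
            raise PermissionError("content has expired")
        granted = set()
        for principal in {user} | self.groups.get(user, set()):
            granted |= pl.rights.get(principal, set())
        if not granted:
            raise PermissionError(f"{user} is not named in the publishing license")
        return UseLicense(user, frozenset(granted),
                          min(now + self.lifetime, pl.expires))

def app_allows(ul, action, now):
    """Step 6: the application checks the use license before each action."""
    return now < ul.valid_until and action in ul.rights

def demo():
    # Constructed sample data: names, groups, rights and dates are invented.
    now = datetime(2007, 1, 10)
    pl = PublishingLicense({"finance": {"view", "print"}, "bob": {"view"}},
                           datetime(2007, 2, 1))
    server = ToyLicenseServer({"alice": {"finance"}, "carol": {"finance"}},
                              {"carol"}, timedelta(days=7))
    alice = server.issue_use_license(pl, "alice", now)
    bob = server.issue_use_license(pl, "bob", now)
    return server, pl, alice, bob, now

if __name__ == "__main__":
    server, pl, alice, bob, now = demo()
    print(sorted(alice.rights), app_allows(bob, "print", now))
```

Because the use license is capped at both the template lifetime and the content's expiration date, a recipient must return to the server once it lapses, which is the point where a revocation list entry takes effect.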


Even if you have a good security strategy to keep unauthorized persons from accessing information, you may need a way to control what authorized persons do with information after they get it. If you use Microsoft server and client operating systems and productivity software, you can leverage the RMS/IRM technologies to make it more difficult for recipients of information to misuse it.