SolutionBase: Securing information with Windows Rights Management Services

Learn how to secure data with Windows Rights Management Services.

Most companies go to great lengths to protect data, yet in the end all of your file-security efforts boil down to how much you trust your employees. Authentication and permissions have always let you control who can open a file, but they say nothing about what an authorized individual does with the file afterward: once it is copied off the file server, the access controls stay behind. This is where Windows Rights Management Services (RMS) comes in. RMS offers persistent protection that travels with the file, no matter where that file may go, because the rights are bound to the encrypted content rather than to the location where it happens to be stored.

A practical example
For example, suppose that I had some super secret Microsoft Word document explaining how I was going to take over the world. Normally, I would grant a couple of highly trusted people access to the document and pray that they didn’t pass the document on to anyone else.

With Windows Rights Management, in addition to the normal permissions on the file server where I keep my secret plans, I could build permissions into the document itself saying that only certain people are allowed to open it. The document is stored encrypted, and only the users I named can obtain a license from the RMS server to decrypt it. That way, if one of my trusted staff members gave a copy of the document to someone else, that someone else would be unable to open it.

Beyond passwords
As you know, for years now it has been possible to password-protect Microsoft Office documents. RMS goes way beyond password protection. After all, it’s way too easy for someone to pass a document along to someone else with an e-mail message that says something like: “Here’s the document that I told you about. The password to open the document is Scarab.”

Speaking of e-mail messages, RMS can even be applied to an e-mail message. For example, years ago I worked for an insurance company that was having some financial problems. The president of the company sent out a confidential e-mail message to the managers telling them that 20 percent of the staff was to be laid off. Although the message was supposed to be confidential, one of the managers forwarded the e-mail to her entire staff, who in turn forwarded the message to a bunch of other people. By the end of the day, pretty much everyone in the company had seen the memo. Sure, the manager who leaked the memo was promptly fired, but the damage had already been done.

If this situation were to occur today, the president could apply RMS to the e-mail message. This would prevent the message from being forwarded to anyone except the people he specifically designated. He could even go so far as to set an expiration on the message so that it could no longer be opened after a date he chose.

Implementing Windows Rights Management Services
Obviously, RMS is a very useful technology, but you are probably wondering how it works. There are two primary components to RMS. First, there is RMS itself. This is a server-level component that provides the certification and licensing services: it issues the certificates that identify users and their machines, and it issues the use licenses that let an authorized user decrypt a particular piece of protected content. Second, there is the client component. Typically, the client component is called by an RMS-enabled application such as Microsoft Office 2003. There is also a software developer's kit that developers can use to build RMS protection into custom applications.

Although RMS is designed to run on Windows Server 2003, it does not ship with Windows Server 2003. Instead, it is a downloadable add-on. You can download RMS from Microsoft's Windows Server 2003 Web site. The RMS setup file consists of a 2.12 MB self-extracting executable file.

Although RMS is a free add-on, there are some licensing requirements that you need to be aware of before you install it. As I explained earlier, RMS rides on top of Windows Server 2003. Therefore, everyone who uses RMS either to protect data or to access protected data requires a Windows Server 2003 client access license. Additionally, each RMS user also requires an RMS Client Access License (also called a RMS User CAL). This license costs about $37 per user. As an alternative, you can purchase device-specific RMS client access licenses instead of user-specific licenses.

The problem with this type of licensing, however, is that it makes it difficult to allow RMS security to be used by those outside of your company. Because of this, Microsoft also offers an RMS External Connector License. The RMS External Connector License grants unlimited RMS access to anyone outside of your company. The price for an RMS External Connector License is $18,066 per RMS Server.

Although RMS does have some rather stringent license requirements, there is an upside. Up to two users may access an RMS server simultaneously (for administrative purposes) without an RMS Client Access License.

The prep work
Before you can install RMS, you need to do a little bit of prep work on your server. RMS is dependent on IIS, so you must verify that IIS is installed. Furthermore, the Web site that will host RMS must have a server certificate bound to it so that it can accept HTTPS connections, and the name on that certificate must match the host name clients will use in the RMS URL.

There really isn’t much documentation available on RMS. When I was working on this article, I had no idea that IIS required a certificate in order for RMS to work (although looking back, it makes sense). You can actually make it all the way through the installation and configuration process without IIS having a certificate. However, when you eventually try to attach an RMS client to the server, you will get an error message telling you that Internet Explorer is set to work offline.

It took me days to figure out the real cause of the problem. What was happening was that the RMS client was passing an HTTPS request to the server. The server didn’t have a certificate and therefore could not support HTTPS.

Once IIS is installed, you must install the Message Queuing service on your Windows 2003 server. To do so, open the server’s Control Panel and select the Add/Remove Programs option. When you do, you will see the Add/Remove Programs dialog box. Click on the Add/Remove Windows Components button to display a list of the various Windows components. Select the Application Server option and click the Details button. This will cause Windows to display a list of the various Application Server Components. Select the check box next to Message Queuing and click OK. Click Next and Windows will copy the necessary files. Click Finish when the file copy process completes.

One last bit of prep work that you must perform is to open the Active Directory Users And Computers console, right-click on each user’s account, and select the Properties command from the resulting shortcut menu. This will reveal the user’s properties sheet. Check the General tab and make sure that the e-mail address is filled in. Even if the user doesn’t actually have a mailbox, RMS absolutely will not work unless this field is filled in for each user, because RMS identifies users by their e-mail address. In my test environment, after I had deployed RMS, I kept receiving an error message that said “An Unexpected Error Has Occurred” every time that I tried to connect to the server with an RMS client. It took me a week to figure out that the problem was related to the fact that my Administrator account didn’t have an e-mail address.
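The three prerequisites above (an HTTPS-capable site with a certificate, Message Queuing, and an e-mail address on every account) can be checked from a script before the first client ever connects, so you do not have to work backward from a misleading client error the way I did. The script below is an added example and is not part of the original article or of RMS itself. It assumes PowerShell 2.0 or later on a domain-joined machine, that $Server is your RMS server's fully qualified name as it appears on the IIS certificate, and that the _wmcs path is the cluster URL the article describes. The -FixMailDomain parameter is likewise an assumption: pass it only if you really want a placeholder address written to every account that has none.

```powershell
# Added example, not from the original article. Requires PowerShell 2.0+ on a
# domain-joined machine. $Server and $FixMailDomain are placeholders (assumptions).
param(
    [string]$Server        = "rms01.example.com",   # FQDN that matches the IIS certificate
    [string]$FixMailDomain = ""                     # e.g. "example.com"; empty = report only
)

# --- 1. Message Queuing: RMS setup needs the MSMQ service on the server --------------
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($msmq) { "MSMQ: installed (state $($msmq.Status))" }
else       { "MSMQ: NOT installed - add it via Add/Remove Windows Components" }

# --- 2. HTTPS: the RMS client talks to the cluster over HTTPS, so the site must have
#        a certificate whose name matches the URL clients use. The check separates
#        'nothing listening / handshake failed' (no certificate) from
#        'TLS fine but HTTP error' (certificate OK; path or permission problem).
function Test-RmsHttps {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = "HEAD"
    $req.Timeout = 10000
    $req.UseDefaultCredentials = $true     # the admin pages use Windows authentication
    try {
        $resp = $req.GetResponse()
        $msg = "TLS OK, HTTP $([int]$resp.StatusCode)"
        $resp.Close()
        return $msg
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        switch ([string]$ex.Status) {
            "ConnectFailure"       { return "FAIL: nothing listening on 443 - no certificate bound in IIS?" }
            "SecureChannelFailure" { return "FAIL: TLS handshake failed ($($ex.Message))" }
            "TrustFailure"         { return "FAIL: certificate not trusted or name mismatch ($($ex.Message))" }
            "ProtocolError"        { return "TLS OK, HTTP $([int]$ex.Response.StatusCode) - certificate works; check the path or permissions" }
            default                { return "FAIL: $($ex.Status) $($ex.Message)" }
        }
    }
}
"HTTPS: " + (Test-RmsHttps "https://$Server/_wmcs/")

# --- 3. E-mail attribute: RMS identifies users by the AD 'mail' attribute, so any
#        account without one fails with "An Unexpected Error Has Occurred".
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(!(mail=*)))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
$missing = $searcher.FindAll()
"Accounts without an e-mail address: $($missing.Count)"
foreach ($r in $missing) {
    $sam = $r.Properties["samaccountname"][0]
    if ($FixMailDomain) {
        # Write a placeholder address; the mailbox need not exist for RMS to work.
        $entry = $r.GetDirectoryEntry()
        $entry.Put("mail", "$sam@$FixMailDomain")
        $entry.SetInfo()
        "  $sam -> mail set to $sam@$FixMailDomain"
    } else {
        "  $sam"
    }
}
```

Run it as an account that can read (and, with -FixMailDomain, write) user objects. The HTTPS probe deliberately treats an HTTP error such as 403 as a success for the certificate, because that is the case the article's "working offline" symptom hides: the handshake is what the RMS client needs, and a 403 on the directory root only means there is nothing to browse there.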

Installing RMS
Now that the Message Queuing service is installed, it’s time to install RMS. To do so, copy the RMS Setup file to your Windows 2003 server and double-click on it. When you do, Windows will extract the Setup files and will display the Windows Rights Management Services Setup Wizard.

Click Next to bypass the welcome screen, and you will see the end user license agreement. Accept the license agreement, click Next, and you will be prompted for the path to install RMS to. Enter the desired path and click Next, followed by Install, to begin the installation process. After the necessary files are copied, click Close to complete the installation process.

After you have installed RMS, the next thing that you have to do is provision it. The provisioning process creates the root certification server and configures all of the services and resources necessary for RMS to issue certificates and licenses. Provisioning is done through IIS: you must select a Web site to host RMS, and using the server’s default Web site is fine because RMS simply adds its own virtual directory (_wmcs) beneath it. Note that IIS is not just a bootstrap mechanism. The certification, licensing, and administration pages keep running as Web services inside that site for as long as RMS is in use, which is also why the site needs a certificate.

To begin the provisioning process, click the Start button and then select the All Programs\Windows RMS\Windows RMS Administration command. When you do, you will see a screen similar to the one shown in Figure A.

Figure A
You must use a Web interface to provision RMS.

Now, click the Provision RMS On This Web Site link next to the default Web site. When you do, you will see the screen shown in Figure B. As you can see in the figure, you are asked whether you want RMS to use a local database or a remote database. Just enter the name of a SQL server in your organization that can be used to store RMS data.

Figure B
You must supply the name of a database server and the name for an RMS service account.

Next, you will be asked to specify the RMS service account. The RMS account must be a different account than the one that was used to install RMS. If RMS will only be running on a single server, you can use the local system account. However, the local system account has access to practically everything on the server, so there are serious security implications to using it in a production environment; a dedicated, low-privilege domain user account created just for RMS is the better choice.

After entering the service account credentials, scroll down and you will see the fields shown in Figure C. The first thing that you must enter on this portion of the screen is the URL used by the root certification cluster. By default, http://servername/_WMCS will be used. Whatever you enter here, use the server’s host name exactly as it appears on the IIS certificate, because clients validate that name when they connect over HTTPS.

Figure C
You must enter a cluster URL, private key protection enrollment, and some RMS proxy settings.

Next, you must enter a password that will be used to encrypt the RMS private key in the database. After entering the encryption password, enter the server licensor certificate name. By default, this is the same as the server name. You also have the option of listing an administrative contact.

If your network uses a proxy server, then you will have to enter the proxy server’s URL and the IP address range for the local address table.

The final portion of the provisioning screen allows you to enter the name of a file that contains a public key. RMS uses this public key to validate revocation lists; the matching private key, which you keep offline, is what actually signs them. This is useful in disaster recovery situations because it lets you revoke certificates, including the server’s own, using a key that never lives on the server. After you finish filling in all of the various fields, click Submit and then go get yourself a cold drink because the provisioning process takes a while to complete.

When the provisioning process completes, you must specify the RMS connection point. To do so, go to http://servername/_wmcs/admin/default.aspx. Now, scroll to the bottom of the page and click the link that says RMS Service Connection Point. When you do, you will see a screen that allows you to set the RMS connection point by simply clicking the Update button.
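Once the connection point is registered, it is worth confirming from an ordinary domain-joined machine what a client will actually find, because a missing or wrong connection point is one of the ways a client ends up offering the Passport-based service instead of your server. The snippet below is an added example, not something from the article or from RMS. It assumes PowerShell is available, and it assumes that the service connection point lives under CN=SCP,CN=RightsManagementServices,CN=Services in the Configuration partition and stores the cluster URL in the serviceBindingInformation attribute; that is the layout I would expect, but treat it as an assumption and adjust the path if your directory differs.

```powershell
# Added example, not from the original article. Reads the RMS service connection point
# the way a client would. The SCP location and attribute name are assumptions.
function Get-RmsConnectionPoint {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return $null        # nothing registered: clients cannot auto-discover the cluster
    }
    $scp = [ADSI]$scpPath
    return [string]$scp.serviceBindingInformation
}

$url = Get-RmsConnectionPoint
if (-not $url) {
    "No RMS service connection point found - click Update on the RMS Service Connection Point page."
    return
}
"SCP URL: $url"

$uri = New-Object System.Uri $url
if ($uri.Scheme -ne "https") {
    "WARNING: the connection point is $($uri.Scheme), so clients will bootstrap in clear text."
}
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }
    "Host $($uri.Host) resolves to: $($addrs -join ', ')"
} catch {
    "ERROR: $($uri.Host) does not resolve from here; clients cannot reach the cluster by this name."
}
```

Run it from a workstation rather than from the RMS server itself; the point is to see the directory and DNS from the client's side of the network.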

Installing the client component
Before you will be able to use RMS to restrict access to anything, including Microsoft Office documents, you must install the client component onto your workstations. To do so, you will need to download the RMS client from Microsoft's Windows Rights Management Client Web site. The download consists of a 3.59 MB self-extracting executable file. Microsoft Office 2003 also contains an option for downloading the latest RMS client automatically from within Office.

After downloading the RMS client, copy it to the workstation (or run it from a network drive) and double-click on it. Windows will extract the Setup files and launch the Setup wizard. When the Setup wizard begins, click Next to bypass the welcome screen. You will then see the Windows Rights Management Client Privacy Statement. This is basically just a statement indicating that the RMS client does not try to personally identify you to Microsoft or keep information about your system on file for an extended period of time. Click Next and you will be asked to accept the end user license agreement. After you accept the license agreement, the installer will copy the necessary files to the workstation. Click Close to complete the installation.

Once you have installed the client component, you can test it by opening Microsoft Word 2003. Select the Permissions | Restrict Permission As command from Word’s File menu. When you do, Word will take a minute or two to negotiate a connection with your RMS server. After the negotiation process completes, you may see a screen asking you if you want to create RMS permissions by using a .NET Passport account or a Microsoft Windows account. If you see this screen, the client did not find and authenticate to your RMS server and is offering Microsoft’s Passport-based service instead, so you need to go back and check the service connection point, the HTTPS certificate, and the e-mail attributes described earlier.

What you should see instead is a screen asking you which user account you want to use in order to create or open restricted content. Select your account and click OK. At this point, you will see the screen shown in Figure D. This screen allows you to enter the e-mail addresses of users who are allowed to read or make changes to the document.

Figure D
Enter the e-mail addresses of the users who are allowed to read or make changes to the document.

If you would prefer to have some slightly more advanced configuration options, then click the More Options button and you'll see the screen shown in Figure E. As you can see in the figure, this screen allows you to set an expiration date for the document. After the expiration date, the document “self-destructs.” You can also control whether specified users are allowed to print or copy the document’s content or access it programmatically. You can even allow users to browse a document with previous versions of Office and to request additional permissions to a document.

Figure E
The Permission dialog box gives you greater control over a document’s permissions.
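Everything the dialog in Figures D and E does is also exposed through Word's object model, which is how you would protect documents in bulk or from a workflow instead of clicking through the dialog for each file. The script below is an added example and is not from the article; it assumes Word 2003 or later with the RMS client installed on the workstation, a user who has already enrolled with the RMS server, and the MsoPermission values from the Office type library (which are the assumed constants at the top). The document path and e-mail addresses are placeholders.

```powershell
# Added example, not from the original article: applies the same restrictions as
# File | Permission | Restrict Permission As, through Word's COM object model.
# Assumes Word 2003+ and the RMS client on this workstation. Path/addresses are placeholders.
$msoPermissionRead        = 1      # MsoPermission values from the Office type library
$msoPermissionEdit        = 2
$msoPermissionSave        = 4
$msoPermissionExtract     = 8      # copy content out of the document
$msoPermissionChange      = 15     # read + edit + save + extract
$msoPermissionPrint       = 16
$msoPermissionObjModel    = 32     # programmatic access
$msoPermissionFullControl = 64

function Protect-WordDocument {
    param(
        [string]$Path,
        [string[]]$Readers,
        [string[]]$Editors,
        [datetime]$ExpiresOn,
        [string]$RequestUrl = ""
    )
    $word = New-Object -ComObject Word.Application
    $word.Visible       = $false
    $word.DisplayAlerts = 0            # wdAlertsNone: never block on a prompt
    try {
        $doc  = $word.Documents.Open($Path)
        $perm = $doc.Permission
        if (-not $perm.Enabled) { $perm.Enabled = $true }   # current user becomes the owner

        foreach ($r in $Readers) {
            # Read only: no print, no copy, no programmatic access, and it expires.
            [void]$perm.Add($r, $msoPermissionRead, $ExpiresOn)
        }
        foreach ($e in $Editors) {
            # Change + print, still without programmatic access, still expiring.
            [void]$perm.Add($e, ($msoPermissionChange -bor $msoPermissionPrint), $ExpiresOn)
        }
        $perm.EnableTrustedBrowser = $false     # "browse with earlier versions of Office": off
        if ($RequestUrl) { $perm.RequestPermissionURL = $RequestUrl }   # "request additional permissions"

        # Read the policy back: this is what each recipient's client will enforce.
        $summary = @()
        foreach ($u in $perm) {
            $summary += ("{0,-28} rights={1,-3} expires={2}" -f $u.UserId, $u.Permission, $u.ExpirationDate)
        }
        $doc.Save()
        $doc.Close()
        return $summary
    } finally {
        $word.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }
}

Protect-WordDocument -Path "C:\Plans\takeover.doc" `
    -Readers "alice@example.com" -Editors "bob@example.com" `
    -ExpiresOn (Get-Date).AddDays(30) -RequestUrl "mailto:owner@example.com"
```

Run it in the interactive session of the user who should own the document, since the RMS client needs that user's rights account certificate to publish. Keeping msoPermissionObjModel off the editors' rights is deliberate: it is the "access the content programmatically" checkbox in Figure E, and a script like this one is exactly what it would otherwise let a recipient run.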

Trust, but verify
Although you may go to great lengths to protect the documents on your network, it is too easy for an employee with authorized access to a document to copy it and pass it on to someone outside the company. RMS raises the bar against this type of disclosure: the file leaves your network encrypted, and only the users named in its permissions can obtain a license to open it. Keep the limits in mind, though. The rights are enforced by the RMS-aware application on the recipient’s machine, not by the file itself, so they hold only as long as the client software honors them, and nothing in RMS stops an authorized reader from retyping the text or photographing the screen. Treat it as a way to contain careless forwarding and to keep honest people honest, not as a guarantee against a determined insider.