A "data chaperone"
The idea behind RMS is that the protection you can give to any piece of information is persistent -- it travels with the data and can't be stripped from it arbitrarily. A specific example of this would be an email that could only be opened by the person it's sent to, and it could not be printed, forwarded or copy/pasted. Another example might be a document that is set to expire; after a certain period of time has elapsed, the document self-destructs and cannot be reopened.
The rules are set and managed on a central server, but are also designed to travel with the data in such a way that the rules will still work even when the server's not accessible or where there is no network connectivity at all. This way, the data is "chaperoned" no matter where it goes.
Individuals or smaller organizations that want to protect data typically use encryption of some kind, but Rights Management Services has some advantages over using standalone encryption. For instance, if you use a public/private key pair encryption system to encrypt a file and send it to someone, the minute they decrypt the file they have unlimited use of it. By contrast, RMS lets you control what can be done with the file even after it has arrived: each action that can be performed on the file has its own rule.
RMS also hooks into the operating system on the client side to prevent protected data from being copied out by other means. An RMS-aware application, for instance, does not allow screenshots to be taken of any RMS-protected data.
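The "chaperone" idea above, reduced to a runnable model added here for illustration (this is not Microsoft's RMS code): the rules are bound to the encrypted content by the issuing server, and the consuming application checks integrity, expiry and the per-action right offline before it releases anything. The HMAC stands in for the server's signature and the SHA-256 keystream for a real cipher; names such as `protect`, `use` and the policy layout are assumptions of this example.

```python
# Illustrative model of a rights policy that travels with the data (added
# example, not RMS's actual format or algorithms).
import hmac, hashlib, json, time

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real content cipher: SHA-256 counter-mode keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def protect(plaintext: bytes, policy: dict, content_key: bytes, server_key: bytes) -> dict:
    """Issuance (server side): encrypt the content, then authenticate policy
    and ciphertext together so the rules cannot be stripped or loosened
    without invalidating the document."""
    body = json.dumps(policy, sort_keys=True).encode()
    ct = _keystream_xor(content_key, plaintext)
    tag = hmac.new(server_key, body + ct, hashlib.sha256).hexdigest()
    return {"policy": policy, "ciphertext": ct.hex(), "tag": tag}

def use(doc: dict, user: str, action: str, content_key: bytes, server_key: bytes, now=None):
    """Consumption (RMS-aware client, no server contact): verify the binding,
    the expiry and the specific right before releasing plaintext for
    that action. Returns (plaintext_or_None, reason)."""
    now = time.time() if now is None else now
    body = json.dumps(doc["policy"], sort_keys=True).encode()
    ct = bytes.fromhex(doc["ciphertext"])
    expected = hmac.new(server_key, body + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return None, "policy or content tampered"
    pol = doc["policy"]
    if pol.get("expires", float("inf")) < now:          # self-destruct
        return None, "expired"
    rights = pol["rights"].get(user, [])                 # per-user, per-action
    if action not in rights:
        return None, f"{action} not permitted for {user}"
    return _keystream_xor(content_key, ct), "ok"
```

As in RMS itself, enforcement happens in the trusted application that holds the key; a client that ignores the policy is exactly the gap the closing section of this article describes.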
The pieces of the puzzle
To deploy Rights Management Services in an organization, you'll need the following pieces:
- The RMS Server itself (a 2 MB component). The server component is free to anyone running a licensed copy of Windows Server 2003.
- An installation of Windows Server 2003 or better.
- An Active Directory repository.
- An installation of IIS 6.0 or better.
- A database server such as SQL Server or Microsoft Data Engine. (You can use other databases, but they must be able to support Transact-SQL and Microsoft SQL Server-specific function calls.)
- RMS-enabled applications, such as the aforementioned Office 2003, for creating and viewing most protected data.
- Client access licenses for RMS. Every user who creates or views data protected in RMS will need a separate client access license. They average about $37 per user.
The most obvious and widely used RMS-enabled applications are the programs in Microsoft Office 2003. You can also turn Internet Explorer into an RMS client through an add-on, which allows people to view or print RMS-enabled documents (if they're allowed to do so), but not edit them. You can protect plain HTML files with RMS using the RMS software development kit (SDK), and then view them in an RMS-enabled copy of IE.
If you have an existing internal application written in C++ that you want to make compatible with RMS, Microsoft provides a software development kit to do that.
IRM: The bare bones version
For those who don't want to deal with setting up a whole RMS infrastructure, there are other options. Office 2003 has a stripped-down version of some of RMS's technology, called Information Rights Management. IRM, as it's abbreviated, costs nothing and works in conjunction with a Microsoft Passport/Windows Live ID account as a way to allow people to exchange protected documents. Both the sender and the recipient of the information need an account, but many of the same content restrictions that can be applied in RMS can be used in IRM as well.
Note that Microsoft has not guaranteed that IRM will continue to be used in the future -- it may be discontinued at some point in favor of another, for-pay service -- but for now it's a useful way to experiment with rights management on a small scale to see how effective it is.
Microsoft Rights Management Services has limits
Even though RMS supplies a high degree of protection against information theft, it still has its limits. For example, a third-party screenshot application that doesn't honor RMS could be used to get around RMS's restrictions (provided it could be installed in the first place); for that matter, one could simply take a picture of the monitor with a camera or copy down the data by hand. In addition, RMS cannot guarantee that the person you've sent a document to will not misuse it in some way. But that, of course, is a problem that no amount of technology will ever solve.
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in June 2006