How the Windows Rights Management Service can Enhance the Security of your Documents

Security has many facets when it comes to computers. We often focus on securing the network and our systems from outside intruders and from malicious code such as viruses, worms and Trojans. Because the damage from these can be so immediate and so drastic, we sometimes overlook the need to secure the data contained in our documents from others within the organization, and even to control the extent of access for those with whom we do need to share our information.

In the course of their jobs, workers compile documents containing sensitive or confidential information or create original content that might be subject to plagiarism. In addition to share and file level permissions that can be set on your document files, Microsoft provides a number of ways that you can secure documents. Some of these were available in earlier versions of their software, including EFS encryption (introduced with Windows 2000) and document password protection (included with the last several versions of Word). With Windows Server 2003 and Office 2003, however, Microsoft gives us another tool for controlling access to documents – one that lets you share content in a limited manner and control not only who can view it, but what those who view it can do with it and even how long they have it available for viewing. This is accomplished through Windows Rights Management and it is implemented via a rights management server (a Windows Server 2003 machine with the rights management service installed).  

In this article, we’ll take a look at what RMS is, how it works and how it integrates with Office 2003.

Windows Rights Management Components

RMS gives organizations the ability to use digital rights management (DRM) technology, already used by software vendors and the music and movie industries to protect their copyrighted products. There are two “pieces” to Windows Rights Management:

  • The rights management service installed on an RM server, which is a web service that uses ASP.NET and XML. This product will be released later this year.
  • Information Rights Management (IRM), the component in Office 2003 that is used to set rights on documents created in Word, PowerPoint, Excel and Outlook.
  • The client update software, available for download from the Microsoft web site.
  • The Rights Management add-on for Internet Explorer, available for download from the Microsoft web site.

NOTE: For more information about Windows Rights Management services, see http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/rmenterprise.mspx. The Internet Explorer add-on can be downloaded at http://www.microsoft.com/windows/ie/downloads/addon/rmupdate.asp.

The rights management service is based on public key cryptography, using digital certificates to identify users and determine their access rights. The RMS server issues the certificates. When an internal RMS server is set up in the organization, it uses Windows authentication to decide who is issued a certificate. At this time Microsoft also offers a trial RMS service whose RMS server is accessed over the Internet; to use that service, you need a Passport account.

How IRM and RMS Work Together

The RMS service must be installed and activated on a Windows Server 2003 computer in an Active Directory network (AD is used for authentication), or you must use Microsoft’s RMS service. To create protected documents, you must use an application that is RMS-enabled. At this time, that includes Word 2003, PowerPoint 2003, Excel 2003 and Outlook 2003. You also need to install the RM client update software on the computer that is running Office 2003. Other users with whom you want to share the protected documents must either have the Office 2003 programs installed or must download and install the Rights Management add-on for Internet Explorer, which allows them to access protected documents through the browser.

Using IRM to create a Protected Document

To assign RM permissions to a document created in an Office 2003 program, click File | Permission. As shown in Figure A, the default is Unrestricted Access.


FIGURE A

If you want to allow a user to view the document, but you don’t want him/her to be able to distribute it to others, select Do Not Distribute from the menu. This will display the Permission dialog box that is shown in Figure B.


FIGURE B

As you can see, you can enter users’ email addresses or select them from the Address Book. If you want the users to be able to read the document but do nothing to it, enter them in the Read text box. If you want them to be able to edit the document, but want to keep them from copying or printing it, enter them in the Change text box. 

You can set permissions more granularly, or cause the user’s access to the document to expire completely on a specified date, by clicking the More Options button. This will display the dialog box shown in Figure C.


FIGURE C

Remember that any users who are assigned rights with IRM will need to have certificates from an RM server. To open the document, they might have to install the client update software if this is the first time they’ve opened an RM protected document. If they don’t already have Passport accounts, they’ll need to create them. Finally, they’ll have to download RM certificates. 

If you don’t have an RM server, you can use Microsoft’s public RM services for a trial period. If no RM server is found, you’ll be asked if you want to sign up for a free trial of the Microsoft RM service, as shown in Figure D.


FIGURE D

When a document has been protected with IRM/RMS, users who have not been specifically given permissions will not be able to open the document. Even if you have given the user permission, he/she won’t be able to view the document unless:

  • Office 2003 is installed on his/her machine, or
  • The Internet Explorer add-on is installed and you have given permission for users to read the document with the browser (by checking the appropriate checkbox shown in Figure C).

The user will instead receive a message that says: “Permission for this document is currently restricted. This document can only be opened by using Microsoft Office 2003 or later. You can request the author of the document to send a copy that can be read using the Rights Management Add-on for Internet Explorer.”

When a user opens a restricted document, some options will be grayed out, depending on the permissions assigned. If the user has only Read permissions, for example, the Save options on the File menu (including Save as and Save as Web Page) will not be available, nor will the Print options.
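As an added illustration (not code from the original article or from Microsoft's software), here is a small Python model of how the Read and Change lists, the expiry date and the browser-read checkbox described above combine to decide what a recipient can do with a protected document; the class and function names are hypothetical, and the model assumes the Internet Explorer add-on gives view-only access.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, Tuple


@dataclass
class IrmPolicy:
    """Rights an author assigns in the Permission dialog (hypothetical model)."""
    read: Set[str] = field(default_factory=set)    # addresses entered in the Read box
    change: Set[str] = field(default_factory=set)  # addresses entered in the Change box
    expires: Optional[date] = None                 # expiry date set under More Options
    browser_read: bool = False                     # "read with a browser" checkbox (Figure C)


@dataclass
class Client:
    """What the recipient has installed (hypothetical)."""
    user: str
    has_office_2003: bool = False
    has_ie_addon: bool = False


RESTRICTED_MSG = ("Permission for this document is currently restricted. "
                  "This document can only be opened by using Microsoft Office 2003 or later.")


def allowed_operations(policy: IrmPolicy, client: Client, today: date) -> Tuple[Set[str], str]:
    """Return (operations the client may perform, reason).

    Operations modelled: open, edit, copy, print. Read gives open only; Change
    gives open and edit but still no copy or print, as the article describes.
    """
    if policy.expires is not None and today > policy.expires:
        return set(), "access expired"            # expiry applies to everyone listed
    if client.user in policy.change:
        rights = {"open", "edit"}
    elif client.user in policy.read:
        rights = {"open"}
    else:
        return set(), "user not listed in the document's permissions"
    if client.has_office_2003:
        return rights, "ok"
    # No Office 2003: the IE add-on only displays the document, and only if the
    # author ticked the browser checkbox (assumption: add-on access is view-only).
    if client.has_ie_addon and policy.browser_read:
        return {"open"}, "ok (Rights Management add-on for Internet Explorer)"
    return set(), RESTRICTED_MSG
```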

Using IRM/RMS allows you to more precisely control the content in your documents and make it difficult to make unauthorized copies. Of course, a really determined person can still sit and retype the document, take a screenshot of the open document, or even take a photograph of the screen with the document open. As with all security, RMS cannot stop a determined thief; the goal is to slow him down or make things so difficult that he’ll decide it’s not worth it.

About Deb Shinder

DEBRA LITTLEJOHN SHINDER, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to over 20 additional books. Her articles are regularly published on TechRepublic’s TechProGuild Web site and Windowsecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corporation, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. Deb lives and works in the Dallas-Ft Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.
