Information Rights Management

Outlook 2003 includes one very large new feature: information rights management (IRM). Rights management is a hot topic these days. Ever since the launch of Web sites such as Napster, the recording industry has been very vocal in its support of rights management. The gist of the rights management debate is that if someone wants to restrict access to their own content, they should be able to do so. So, a recording artist can put out a CD and have a reasonable expectation that everyone who wants to play that CD will purchase a copy.

Information rights management is slightly different. It deals with the transfer of confidential or sensitive information between individuals. If you send a private email to your boss informing him of theft of company materials by another employee, you do not want him to forward your email to that employee. You probably don't even want him to print a copy of that email. IRM gives the author control over the content she creates. The author can use IRM to prevent an email from being forwarded, printed, copied, or otherwise distributed.

IRM is present in all Office 2003 applications. For documents and spreadsheets, you can control the access permissions even further. You can allow or disallow users from reading, editing, and printing a document, or even set a document to expire on a certain day and time. When the expiration time passes, the document can no longer be opened by anyone.

IRM works by authenticating the sender as someone who can restrict access to a message or a document. The message is restricted, and then the recipient must authenticate to be able to view the message. For example, if Sally sends a restricted email to joe@e-mail.com, Sally must authenticate to a rights management (RM) server to secure the message, and Joe must authenticate to an RM server in order to view the email. That means Joe must be connected to the Internet (or to the Intranet if authenticating to an internal RM server). Joe must then present valid credentials (usually a Passport username and password) to the RM server before he can open the email. If Joe cannot authenticate, or tries to authenticate with invalid credentials, he cannot view the email.

Authentication against a RM server can take two forms. You can use a corporate rights management server or you can use Passport. When Office 2003 is released, Microsoft will also release a server application that enables you to configure a server as a rights management server. You can then authenticate against this server to use IRM. This is probably the most secure way to use IRM. If you leave your current company, you'll no longer be able to authenticate against your corporate RM server and read secured messages.

If your company does not want to invest in a RM server, you can use Microsoft Passport and authenticate against public RM servers Microsoft has set up for this application. The major drawback to using a public RM server is that you must setup a Passport account with the email address you use to read your email. Many people use generic Passport accounts, such as Hotmail accounts, to cut down on spam. To use public RM servers, you must create a new Passport account with the email address you use to read your email. You can, however, choose to opt out of all mailings and not share any of your information with Passport other than your name and email address.

Configure IRM

The first time you use IRM, you must configure it. To configure and use IRM for the first time, use the following steps:

Open a new email message.
Compose the email as you normally would. Enter a recipient, subject, and message body.
Click the Permissions button on the toolbar. The Permissions button is an envelope icon with a red button with a white horizontal line through it.
Outlook will inform you that you must download and install the Windows Rights Management client before you can use this feature. Click OK to start the installation process.
You can click Open to run the client installation directly from the Web site, or click Save to save the installation file to your hard drive and run it from there.
When setup launches, you'll see the Windows Rights Management Client Setup Wizard. Click Next to begin the wizard.
Click Next after you've read the privacy statement to display the License Agreement screen. If you want to continue, click I Agree and then click Next.
Click Next one last time to begin the installation.
When you see the installation confirmation screen, click Close to exit.
This returns you to your email message. To continue setup, click the Permissions button on the email message again.
You'll now see the Service Signup Screen displayed in Figure 25.23.

Figure 25.23. After you install the Windows Rights Management Client software, you must register with the service.
If you want to use the public RM servers, choose Yes, I want to Sign-Up for This Free Trial Service from Microsoft and click Next.
If you already have a .NET Passport for this account, you can click Next through this screen. Otherwise, click No, I Don't Have a .NET Passport and I Want To Get One, and then click Next.
If you elected to obtain a .NET Passport, follow the onscreen steps to sign up. Otherwise, continue to step 15.
Enter your email address and password when prompted, and click Sign In to display Figure 25.24.

Figure 25.24. Choose the certificate type you want to install.

TIP

Although it might be a bit inconvenient, it usually isn't a good idea to choose to have a Passport site sign you in automatically. This can occasionally cause an endless authentication loop.
If you want to use the certificate repeatedly on this computer, select a standard certificate. If you are using a public computer, you can choose a temporary certificate, which will be valid for only 15 minutes. Click Next.
Your certificate will be downloaded and configured on your computer. This process might take several minutes. When it has completed, you'll see the confirmation screen displayed in Figure 25.25. Click Finish to return to your email.

Figure 25.25. The confirmation screen indicates that you've successfully completed setup.

After you complete the initial setup, permissions will be automatically set on your message.

IRM Permissions

In Outlook 2003, IRM is either on or off. You cannot exert the same sort of fine control over an email that you can over a Word document. By restricting access to an email, you're preventing users from forwarding or printing the email. You're also preventing them from editing the email or cutting or copying text. To secure a message using IRM, use the following steps:

Compose an email as usual.
Click the Permission button on the toolbar.
The InfoBar at the top of the message changes as shown in Figure 25.26.

Figure 25.26. The InfoBar indicates that your message will be sent with restricted permissions.
Send your email as normal.

Reading Messages Using IRM

When you receive a message sent with restrictions, it won't be viewable in the Reading Pane. You must open the item to be able to view its contents. The item might take a few minutes to open because it must authenticate to the RM server to verify your identity. If you've received an RM message but haven't yet downloaded and installed the RM client, you'll need to follow the steps previously listed to install the RM client software. When the message opens, it will look similar to Figure 25.27. The Forward button is dimmed, as are the Print button and the Copy button. You cannot forward the message to another user or edit the message for any reason. The Permissions button on the toolbar is selected, but it's also dimmed, so you cannot turn permissions off. If you select the Edit menu, you'll find that the Edit Message option is also dimmed and unavailable. If you try to use Alt+Prt Scrn to make a copy of the message, you won't be able to do so.

Figure 25.27. A message with IRM properties cannot be forwarded, printed, or copied.

graphics/25fig27.gif

IRM Limitations

As with any security feature, there are limitations to IRM. For example, you cannot stop someone from using a screen capture program to copy the image of the email. You also can't stop someone from taking a digital picture of the screen and distributing the content that way. You definitely can't stop a recipient from picking up the phone and telling someone else what that content is. IRM only makes it significantly more difficult to distribute private or restricted content.

Even though IRM uses Passport authentication to verify your identity, you can actually use it offline. You must have previously installed the client software and obtained an end user license (EUL). As long as you meet those conditions, you can access content offline or online. Outlook will synchronize the licensing information automatically so that the license is available offline.

If you're running against a corporate RM server, you can configure additional levels of restrictions. You can prevent reply to a message, prevent reply to all, and enable any of the blocked features such as copying and pasting. If you use Passport authentication against a public RM server, you're limited to one level of restriction on email messages.

IRM isn't designed to completely prevent the spread of unauthorized information. It is, however, designed to make the dissemination of that information extremely difficult.

Configure IRM

Figure 25.23. After you install the Windows Rights Management Client software, you must register with the service.

Figure 25.24. Choose the certificate type you want to install.

Figure 25.25. The confirmation screen indicates that you've successfully completed setup.

IRM Permissions

Figure 25.26. The InfoBar indicates that your message will be sent with restricted permissions.

Reading Messages Using IRM

Figure 25.27. A message with IRM properties cannot be forwarded, printed, or copied.

IRM Limitations