Protecting Data with Information Rights Management

In response to market demands for a system with which companies can protect proprietary and sensitive information, Microsoft has developed an umbrella of technologies called Information Rights Management (IRM). Outlook 2007 incorporates IRM, enabling you to send messages that prevent the recipient from forwarding, copying from, or printing the message. The recipient can view the message, but the features for accomplishing these other tasks are unavailable.

There are two paths to implementing IRM with the Microsoft Office system. Microsoft offers an IRM service that, as of this writing, is free. This path requires that you have a Microsoft Passport to send or view IRM-protected messages. You must log in to the service with your Passport credentials to download a certificate, which Outlook 2007 uses to verify your identity and enable the IRM features. The second path is to install Microsoft Windows Server 2003 running the Rights Management Service (RMS) on Windows Server 2003. With this path, users authenticate on the server with NTLM or Passport authentication and download their IRM certificates.

The first path provides simplicity because it does not require that organizations deploy an RMS server. The second path provides more flexibility because the RMS administrator can configure company-specific IRM policies, which are then available to users. For example, you might create a policy template requiring that only users within the company domain can open all e-mail messages protected by the policy. You can create any number of templates to suit the company’s data rights needs for the range of Microsoft Office system applications and document types.

Not everyone who receives an IRM-protected message will be running Outlook 2003 or Outlook 2007, so Microsoft has developed the Rights Management Add-On for Internet Explorer, which enables these users to view the messages in Internet Explorer. Without this add-on, recipients cannot view IRM-protected messages. With the add-on, recipients can view the messages, but the capability to forward, copy, or print the message is disabled, just as it is in Outlook 2007.

This chapter explains how to configure and use IRM in Outlook 2007 with the Microsoft IRM service. As of this writing, Windows Rights Management Services is available for Windows Server 2003 by download (currently as a Service Pack 2 release). Check www.boyce.us and www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx periodically for additional information on RMS as it becomes available.

Using Microsoft’s IRM Service

To configure Outlook 2007 to use the IRM service and send IRM-protected messages, follow these steps:

1. Open Outlook 2007 and start a new message. With the message form open, choose Microsoft Office Button, Permission, Do Not Forward.

2. If you do not have the IRM add-on installed, Outlook 2007 displays the dialog box shown in Figure 24–29. Choose Yes, I Want To Sign Up For This Free Trial Service From Microsoft and click Next.

   
   Figure 24–29: Choose Yes and click Next to start the enrollment process.

3. The wizard asks if you already have a Microsoft Passport. If so, choose Yes and click Next to open a sign-in dialog box and enter your Passport credentials. If not, choose No and click Next; then follow the prompts to obtain a Microsoft Passport.

4. After you obtain a Passport and click Next, Outlook 2007 displays the page shown in Figure 24–30. Choose Standard to obtain a certificate that you can use on your own computer. Choose Temporary if you need a certificate only for a limited time, such as when you are working from a public computer. Then click Next, Finish to complete the process.

   
   Figure 24–30: You can choose between a standard certificate and a temporary one.

   Note

   You can download a certificate for a given Passport 25 times or to 25 computers.

5. After the IRM certificate is installed on your computer, Outlook 2007 returns you to the message form. The InfoBar in the form displays a Do Not Forward message, as shown in Figure 24–31, indicating that the message is protected by IRM.

   
   Figure 24–31: The InfoBar indicates when a message is protected by IRM.

6. Address the message and add the message body and attachments, if any, as you would for any other message. Then send the message.

Viewing IRM-Protected Messages

If you attempt to view an IRM-protected message without first obtaining a certificate, Outlook 2007 gives you the option of connecting to Microsoft’s service to obtain one. After the certificate is installed, you can view the message, but Outlook 2007 indicates in the InfoBar (both Reading Pane and message form) that the message is restricted (see Figure 24–32). The commands for forwarding, copying, and printing the message are disabled.

Figure 24–32: The InfoBar in the Reading Pane indicates that a message is restricted.

Working with Multiple Accounts

It’s possible that you use more than one Microsoft Passport. If you have more than one Passport and need to choose between them when you send or view an IRM-protected message, open the message form for sending or viewing and choose Microsoft Office Button, Permission, Manage Credentials to open the Select User dialog box, as shown in Figure 24–33. Choose an account and click OK to use that account for the current message.

Figure 24–33: You can select from multiple accounts to restrict messages or view restricted messages.

If you have only one account configured on the computer and want to add another account, click Add to start the Service Sign-Up Wizard and download a certificate for another e-mail address and corresponding Microsoft Passport.