Using Information Rights Management | Secure Messaging with MicrosoftВ® Exchange Server 2003 (Pro-Other)

The IRM features of Outlook give senders more control over their e-mail by allowing them to specify that a message cannot be copied , forwarded, printed, or used past a certain date. It s important to point out that this protection is not absolute: a clever recipient can always use a digital camera to snap a quick picture of the message on screen; failing that, a pencil and paper allow even technophobes to accurately capture message content. The point of IRM, though, is to make accidental misuse of content less likely and to provide some degree of protection against purposeful misuse, and for those purposes it s successful.

To use IRM, your users will need a server running Windows Server 2003 and Windows RMS set up inside your corporate firewall. Microsoft has taken the wise step of making an RMS server available to anyone with a Microsoft Passport account. This service allows use of RMS with some caveats, the biggest being that it s a free, trial, unsupported service. It s a good way to experiment with RMS features, though; it s likely that Microsoft will extend this into some kind of paid service for people who want RMS functionality without the overhead of maintaining their own RMS locally. In this chapter, I describe using RMS with both corporate and Passport-based credentials; for more information on setting up RMS on corporate networks, see Chapter 12. However, I limit my discussion to the process of setting up and using RMS in Outlook. The steps required to use it in Microsoft Excel, Word, and Microsoft PowerPoint are similar.

Setting Up for IRM

When you install Office, you get a version of the IRM client. The first time you try to use the IRM feature of Office, you might be prompted to download an updated version of the Windows RMS client. There are actually two separate applications that use the Windows RMS client in an IRM deployment: the Office System, and the Rights Management add-on for Internet Explorer to enable users without the Office System to view RMS-protected content. Either way, the client installation is very straightforward, so I don t cover it here: Office prompts you to download a single Windows installer (.msi) file, and it doesn t ask you to do anything except accept the end- user license agreement.

Once you ve installed the client, the first time you try to use an IRM feature, you ll be prompted to establish a set of credentials. This process is fairly simple; the Service Sign-Up Wizard leads you through each step. The process begins with a page that explains that the trial service requires a Microsoft Passport account, that Microsoft won t access your data unless a court forces them to, and that the service might be discontinued but that you ll get a warning first. Next , you ll be asked whether you have a Passport (in which case you ll need to sign in) or not (in which case you ll have to create one).

After signing in, the next question you ll be asked is whether you want a standard or temporary certificate. The Rights Management Account Certificate (RAC) is basically a PKI-based certificate issued by the Microsoft CAs that can only be used for RMS functions. If you just want to test IRM, the temporary certificate will do fine; when these certificates expire, just go through this same wizard again to get a new one. If you want a longer lived certificate, choose the Standard option instead.

After you ve completed the wizard, your RAC will be downloaded and installed locally, although you won t see it in the Certificate snap-in. At that point, you re ready to start using the IRM mechanism of Outlook.

Using IRM to Protect Messages

Outlook s interface for message protection is very simple. By default, you can protect individual messages so that they cannot be forwarded, copied, or printed. Note that you either get protection against all three of these or none at all; there s no built-in mechanism to disallow, say, just printing. (As befits their document-centric nature, Word, Excel, and PowerPoint provide more granular permissions for document editing.) When you open a protected message, a recipient can see the list of his or her rights listed in the gray InfoBar above the header.

When you create a message (either by composing a new one or replying to or forwarding an existing message), you can use the File Permissions command or the toolbar icon (which is the standard little yellow message envelope with the universal do not enter icon superimposed on it) to apply the Do Not Forward restriction. When you do so, the message InfoBar changes to show what restrictions are in place, as shown in Figure 13-12. Once the message is sent, recipients who open it in Outlook or Outlook Web Access will see that it s protected, and recipients using other clients won t be able to read the message contents. Instead, they ll see a text blurb telling them to use an RMS-aware client, along with a message attachment that uses the .rpmsg extension (see Figure 13-13).

Figure 13-12: Protected messages are flagged when you create them.

Figure 13-13: Recipients who aren t using Outlook 2003 or Outlook Web Access 2003 with Internet Explorer 6.0 and the Rights Management add-in won t be able to read the message.

You can also use the File Restrict Permission As command to change which set of credentials you use. This is handy if you have associated a Passport account with an RAC and simultaneously want to use one, or more, sets of corporate credentials. The credentials are associated with the user account, not with the Outlook profile.

Customizing IRM

One of the most tantalizing prospects for the combination of the Office System and the Windows RMS server is the ability to customize which rights are specified. There are a broad list of rights that apply to various pieces of the Office System, including controls that allow selective viewing, editing, saving, extracting (using copy and paste), exporting, printing, running macros, forwarding, replying, and seeing the rights associated with an object. These rights can be combined in interesting and useful ways. For example, Microsoft uses several templates internally to allow messages to be tagged with classifications like Microsoft confidential or Full-time employees , read-only access. Adding more granularity to the RMS server is fairly straightforward; you have to create new templates that define the rights you want to provide and who can have them. This is easy, provided you follow the guidelines described in the online help for the RMS servers: you have to choose from the set of rights that RMS and Office both support, and the easiest way to specify who gets them is to use a universal security group defined in a domain that the RMS server has access to.

Setting up RMS client components on an individual workstation is interesting but not all that useful; the value of RMS really comes about when you can deploy it throughout an organization. There are several pieces involved in accomplishing this deployment, most of which are outside the scope of this book:

Installing the RMS client software The Office System supports IRM, but there s still a separate client that has to be pushed to each participating desktop. The best way to accomplish this is to package the client with your Office deployment so that it s available on all desktops.
Creating rights policy templates using the Windows RMS Administration Web pages These pages allow you to create custom sets of rights for various sets of users, then make those templates available from the RMS server.
Making the rights policy templates available to clients By using the Office11.adm Group Policy template, you can specify the name of a central server from which policies should be copied and made available to all the Office System applications (not just Outlook).
Configuring what users can do with the RMS client The Office policy template includes a section called Manage Restricted Permissions; by tweaking the policy settings here, you can disable the RMS user interface altogether (as you might need to if you re piloting RMS but don t want people to start randomly creating protected documents), disable the use of Passport credentials, enable or disable the use of Internet Explorer to open protected content, and control whether users must have their credentials verified every time they try to open a protected document.

The bigger issue, of course, is user training and education. It s critical that if you deploy RMS, you teach your users what can and cannot be protected. You should emphasize that RMS is primarily a technical means of more firmly enforcing the policies (like marking confidential data as such) that your company probably already has, not a way for the company to snoop on their work product.