Introducing Rights Management


RMS for Windows Server 2003 is an RM technology that works with applications to encrypt and protect information regardless of where it is stored or where it is forwarded. Windows RMS provides an extensible and policy-based secure e-mail solution with Microsoft Office System as well as Exchange Server 2003. The Windows RM technology as applied to secure e-mail provides for persistent control of usage policies (also known as usage rights and conditions). The application of RM technology to protect sensitive content, messages, or documents is called information rights management (IRM). Information authors can establish persistent usage policies at the message or attachment level, which means that after the author or owner applies those policies to a file, they remain with that message or file attachment even when the message travels outside the boundaries of the corporate network or message system.

Windows RM enables a secure messaging system and policy enforcement through the following three components:

  • Authorized users: An organization can specify the individuals, groups of users, computers, or applications that are the trusted participants in an RM system. Only authorized entities and applications can participate in the RM system.

  • Encryption: The RM client encrypts the protected data with digital certificates known as XrML licenses. The system allows decryption only when the user is properly authenticated and using an authorized application that will enforce the usage policies defined for the content.

  • Enforcement policy: RM-protected content can contain specific permissions and rights on how the content can, or more important, cannot be used. Various rights that can be applied to content or messages are the permission to view, copy, print, save, store, forward, and modify. Authorized users can also apply other policies such as expiration date and application usage.

How Windows RM Works

To use IRM, a user must obtain a certificate (XrML license) from the Windows Server 2003 RMS server. The RMS server issues two types of licenses: publishing and use. A publishing license is a single license per document that is created when a document (or e-mail message) is encrypted with RM. A use license is generated by the RMS server when an RM-encrypted message is opened, forwarded, and so on. Outlook or the Microsoft Office System application must contact the RMS server for the user who accesses the content or message. Fortunately, Microsoft Office Outlook 2003 automatically obtains a use license for IRM-protected e-mail messages during its synchronization process.

Users are identified and authenticated using Microsoft Active Directory, which the RM server uses to assign and validate permissions when a user attempts to access protected content or messages. The RMS server issues a use license when a user account has been authenticated and the authorization to access content is validated. The use license can then be used by the RM client component to decrypt the content and provide the decrypted content to the trusted application (such as Outlook 2003). The trusted application in turn enforces the permissions and policies associated with content (such as do not forward, do not print, and so on).

One important feature of the Microsoft Office System is the ability to apply permissions in a top-down or hierarchical fashion. For example, a Microsoft Office Word 2003 document file attached to an Outlook 2003 e-mail message will inherit the IRM protection policies applied at the message level. If permissions were not applied to the attached document separately, the e-mail message policies are automatically applied to the attachment. If the document attachment contains its own IRM policies, then the document permissions are not changed.
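The license flow and the attachment inheritance rule described in this section can be modeled in a few lines of Python. This is an added illustration, not code from the book or from RMS: every class, function, and sample name is an assumption, the directory dictionary stands in for Active Directory, and encryption and the XrML format are left out so that only the authorization and enforcement logic is shown.

```python
# Simplified model of the flow above. All names here are illustrative
# assumptions; this is not the RMS API and not the XrML license format.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class PublishingLicense:      # one per protected item, created when it is protected
    rights: dict              # principal (user or group) -> set of permitted actions
    expires: date             # expiration-date policy

@dataclass
class Item:                   # an e-mail message or an attached document
    name: str
    license: Optional[PublishingLicense] = None
    attachments: list = field(default_factory=list)

class RmsServer:
    def __init__(self, directory):
        self.directory = directory    # stand-in for Active Directory: user -> groups

    def issue_use_license(self, user, item, today):
        """Return the granted rights, or raise if the user may not open the item."""
        if user not in self.directory:
            raise PermissionError("user not authenticated")
        if today > item.license.expires:
            raise PermissionError("content expired")
        granted = set()
        for principal in {user} | self.directory[user]:
            granted |= item.license.rights.get(principal, set())
        if not granted:
            raise PermissionError("user not authorized")
        return frozenset(granted)

def protect_message(message, lic):
    """Apply a policy to a message; attachments inherit it only if they have none."""
    message.license = lic
    for att in message.attachments:
        if att.license is None:
            att.license = lic

def app_allows(server, user, item, action, today):
    """The trusted application's check before it performs an action."""
    try:
        return action in server.issue_use_license(user, item, today)
    except PermissionError:
        return False

# Constructed sample data: one message with two attachments
server = RmsServer({"alice": {"finance"}, "bob": set()})
report = Item("report.doc")
budget = Item("budget.xls", PublishingLicense({"finance": {"view", "print"}}, date(2004, 12, 31)))
mail = Item("Q3 numbers", attachments=[report, budget])
protect_message(mail, PublishingLicense({"finance": {"view"}}, date(2004, 6, 30)))
```

In this sample, report.doc picks up the message's view-only policy, while budget.xls keeps its own policy and remains printable and valid after the message policy expires.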




Secure Messaging with Microsoft® Exchange Server 2003 (Pro-Other)
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
