Windows Rights Management Services
Windows Rights Management Services (also called Rights Management Services, Active Directory Rights Management Services or RMS) is a form of Information Rights Management used on Microsoft Windows that uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mail, Word documents, and web pages, and the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

The Rights Management Server debuted in Windows Server 2003, with client API libraries made available for Windows XP and Windows 2000 as well. Windows Vista, Windows 7 and Windows Server 2008 also support Rights Management Services. In Windows Server 2008, Windows Rights Management Services has been renamed to Active Directory Rights Management Services, reflecting a higher level of integration with Active Directory. The Rights Management Client is included in Windows Vista and later versions and downloadable for Windows XP, Windows 2000 or Windows Server 2003.

Overview

Rights Management Services is used for restricting access to rights-protected content to authorized users only. It uses a client–server architecture, using Windows Server 2003 or Windows Server 2008 to host the Active Directory Rights Management Server that issues RMS licenses. The RMS client is required for creating rights-protected content as well as accessing it. Applications that either create or provide access to protected content must be RMS-aware and have to implement the RMS client APIs explicitly. However, add-ons can be used to make an application RMS-enabled even if it does not natively implement RMS functionality.

RMS-protected documents can be created by RMS-enabled applications. RMS-protected content is encrypted and contains an embedded Usage Policy, which defines the restrictions each user or group has when using the content. The RMS system works by only assigning rights to trusted entities, which are either single users or groups of users. Rights are assigned on a per-entity basis. RMS defines and recognizes several rights by default - such as permission to read, copy, print, save, forward, and edit - and can be extended to recognize additional rights (which each application would have to explicitly implement). In Windows Server 2008, RMS rights can also be assigned to users who have federated trust via Active Directory Federation Services. Thus, a user's rights are treated by the system as if they were merely privileges.

When restricting rights to a document, a trusted entity encrypts a random AES key with an RSA public key that can be validated with the public key certificate in the XrML identity license that is issued to an RMS server. The AES key is used to encrypt the document. When accessing a protected document using an RMS-enabled application, the RMS client runtime authenticates the recipient to the Rights Management server, using the recipient's XrML identity license. The Rights Management server then issues a use license that can be used by the client application together with the RMS client to decrypt the document, which then enforces the document restrictions for that user.
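
The license flow described above, as a simplified sketch added here for illustration; it is not Microsoft's implementation or the RMS client API. The `License` struct stands in for the XrML licenses, all function names are hypothetical, and re-wrapping the content key to the recipient's RSA public key inside the use license is an assumption of this sketch.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
class AccessDenied < StandardError; end

# Simplified stand-in for an XrML license (real ones are signed XML):
# the AES content key wrapped to one RSA public key, plus user => rights.
License = Struct.new(:wrapped_key, :rights)

# Author: encrypt the document under a random AES key, wrap that key to the
# RMS server's public key and attach the usage policy.
def protect(doc, server_pub, policy)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key
  iv = cipher.random_iv # 12 bytes for GCM
  body = cipher.update(doc) + cipher.final
  [iv + cipher.auth_tag + body, License.new(server_pub.public_encrypt(key, OAEP), policy)]
end

# Server: release the content key only to a user named in the policy,
# re-wrapped to that user's public key along with that user's rights.
def issue_use_license(server_key, publishing, user, user_pub)
  rights = publishing.rights.fetch(user) { raise AccessDenied, "no rights for #{user}" }
  key = server_key.private_decrypt(publishing.wrapped_key, OAEP)
  License.new(user_pub.public_encrypt(key, OAEP), { user => rights })
end

# Client: unwrap the content key with the user's private key and decrypt.
def open_document(blob, use_license, user_key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = user_key.private_decrypt(use_license.wrapped_key, OAEP)
  cipher.iv = blob[0, 12]
  cipher.auth_tag = blob[12, 16]
  cipher.update(blob[28..-1]) + cipher.final
end

# Constructed sample run: the policy names alice only.
server = OpenSSL::PKey::RSA.new(2048)
alice = OpenSSL::PKey::RSA.new(2048)
blob, publishing = protect('constructed sample document', server.public_key,
                           { 'alice' => %w[read print] })
use = issue_use_license(server, publishing, 'alice', alice.public_key)
puts open_document(blob, use, alice), use.rights.inspect
```

The cryptography only gates release of the content key; once the client has decrypted, the rights carried in the use license are honoured by the RMS-enabled application, which is why the page requires applications to be RMS-aware.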

One feature of the RMS system is that documents in certain formats can optionally include an HTML rendering of the document so that the document can be viewed when the intended application is not available. This is enabled using a compound document format. Both versions of the document are subject to the same usage policies, and an RMS-enabled HTML viewer is required to view this alternative form of the document content. For example, Microsoft Office 2003 Professional or greater is able to optionally include an HTML version of the document content. The Rights Management Add-on for Internet Explorer allows users who do not have Microsoft Office 2003 or later installed to view these RM-protected files.

RMS-enabled Microsoft applications

RMS is supported (implemented) by the following Microsoft products:
  • Microsoft Office System 2003 - Word, Excel, PowerPoint, Outlook
  • Microsoft Office 2007 - Word, Excel, PowerPoint, Outlook, InfoPath
  • Microsoft Office 2010 - Word, Excel, PowerPoint, Outlook, InfoPath
  • Microsoft Office for Mac 2011 - Word, Excel, PowerPoint, Outlook
  • Microsoft Office SharePoint Server 2003 (through the use of third party solutions such as those from GigaTrust (http://www.gigatrust.com/news/rms_protect_pdf_files.shtml) and Liquid Machines)
  • Microsoft Visio 2007 and Project 2007 (through the use of third party solutions such as those from GigaTrust and Liquid Machines)
  • Adobe Acrobat Reader (through the use of third party solutions such as those from GigaTrust, FoxIt Software and Liquid Machines)
  • Microsoft Office SharePoint Server 2007
  • Microsoft Office SharePoint Server 2010
  • Exchange Server 2007
  • Exchange Server 2010
  • XPS (XML Paper Specification) v1.0
  • Internet Explorer (through use of the RM Add-on for IE)
  • IIS 6.0 (through the use of GigaTrust WebServer Add-on)

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 