Office Space
Information Rights Management In Office 2003
Alok Mehta
Today's knowledge workers deal with sensitive information all the time. This information comes in a variety of formats such as Microsoft Word, Excel, PowerPoint®, and e-mail documents, and it must all be protected from unauthorized access and distribution. For a long time, there has been a need for a technology that can encrypt this kind of information, allowing access to authorized persons only, and enforcing those rights restrictions everywhere that a document goes. In addition, authors should be able to define the duration for which recipients can read a document, as well as whether they can print, forward, edit, extract its contents, or save an unprotected version.
It should also be possible to extend these restrictions to other documents as well. In other words, restrictions should be policy-based, which in turn should be template-based, so that organizations can easily define custom policies. Finally, this access control should integrate into applications already in use by these organizations.
IRM to the Rescue
Information Rights Management (IRM) is a new feature of Microsoft® Office 2003 designed to enhance collaboration methods by allowing the restrictions previously discussed to be placed in Word 2003, Excel 2003, PowerPoint 2003, and Outlook® 2003 documents. To this end, IRM uses encryption, permissions, and ownership to restrict unauthorized access.
IRM relies on Active Directory® and Microsoft Windows® Rights Management Services (RMS)—a new service offered in Windows Server™ 2003—and extends RMS to Microsoft Office 2003. RMS handles the licensing, machine certification/activation, user enrollment, and administrative functions. RMS is the engine on which IRM runs. RMS in turn relies on Windows Server Active Directory and uses Microsoft SQL Server™ to store configuration data. For more about RMS, see the sidebar "The Foundation of IRM."
On the desktop, creating or viewing protected documents requires an RMS-enabled application. See the sidebar "Requirements to Set Up IRM and RMS" for more detailed information.
IRM is an information protection technology that offers persistent file-level protection. Once permission for a document or e-mail message has been restricted with IRM, these restrictions will always travel with the document or the e-mail message as part of the contents of the file in order to prevent sensitive information from being printed, forwarded, or copied by any unauthorized individuals.
Figure 1 RMS and IRM Interaction
In this column, I will explore the IRM feature and how RMS works in the background. I'll also briefly look at how to use IRM in Word 2003, Excel 2003, PowerPoint 2003, and Outlook 2003 from the IT professional's point of view. Refer to Figure 1 for an overview of how RMS and IRM interact. It's important to note that RMS and IRM are not information security per se, but rather information protection and policy enforcement. This can of course be a component of one's information security strategy.
Rights for E-mail Messages in Outlook 2003
E-mail is now one of the primary methods of communication within and between institutions. E-mails that contain confidential information can be easily forwarded, even accidentally, to a competitor or a vendor. Rights-protected e-mail helps protect against leaks, especially the accidental type. IRM can be used in Microsoft Office Outlook 2003 to help prevent e-mail forwarding, cutting, pasting, copying, editing, or printing. Protected messages are always encrypted, and when the sender assigns rights to the message, Outlook 2003 enforces the prescribed rights by disabling the restricted commands so that the receiver cannot forward, edit, copy, or print its contents. In addition, Office 2003 documents attached to protected messages inherit the same restrictions and are protected too.
How IRM Protects
Here's an example of how IRM works with Outlook 2003 to implement privacy.
John is an executive who needs to send his team a private e-mail with a Word 2003 document attached. Using RMS, his company has created an Organization Private template that automatically applies all of the appropriate rights as predefined by John's IT group. John selects the template for his e-mail message, which also imparts the same set of restrictions to the attached Word 2003 document. The Organization Private template says that only employees within the organization can read the information. As employees open the e-mail and the attachment, RMS-enabled Outlook 2003 and Word 2003 enforce the rights and restrictions on the document. Also specified by the Organization Private template, employees cannot cut, copy, save, or edit either the e-mail message or the attached Word document to an unsecured format. If they try to digitally share this information outside of the organization, the unauthorized recipient will not be able to open the e-mail or the Word document.
Now imagine that a team member sends a request to John asking permission to share the e-mail and attachment to an outside team that is working on the same project. The outside team uses a hosting provider for its RMS solution and is a trusted partner of John's company's RMS solution. John applies the appropriate rights for the outside team and then sends the e-mail to members of that team, who can then view the e-mail and the document.
How IRM Works in Excel, PowerPoint, and Word
Office 2003 documents can be protected on a per-user or per-group basis based on Active Directory. Each user or group can be given a set of permissions according to the rights defined by the document owner. These rights allow the user to read, change, or have full control over the document.
IRM disables commands that the particular recipient does not have the right to execute. In addition to the aforementioned restrictions, owners can also set document expiration dates (which can be extended). After expiration, the document still exists, but it cannot be opened by anyone other than the owner.
If an unauthorized recipient attempts to open a protected document, a message is displayed to inform the user that it is rights-protected. The document owner has the option of providing their e-mail address in that message so the unauthorized recipient can request rights to access the document.
The following scenario illustrates how IRM works to implement privacy.
In RMS-enabled Word 2003, Steve uses the permissions option to set the rights for a document that he needs to share with another user, Nancy, in their branch office. Steve posts his document to an internal file server. Nancy then receives an e-mail from Steve pointing her to the document's location. According to the rights that Steve set for the document, Nancy can view and edit it for one week only. She downloads the document to her laptop and opens it up for review. Because the rights are persistent, they remain with the information, even if the laptop is not connected to the LAN.
After a week, Nancy determines that she needs additional time to review the document. As she can no longer open the doc, she requests that Steve grant her more time to continue reviewing it. Steve grants the permission by extending the expiration date and reposts the document. Nancy downloads this updated version and is able to continue reviewing the document as defined by the usage rights.
Enforcement of rights is performed at the application level. Office 2003 is currently the only application from Microsoft that can create rights-protected docs. Microsoft provides a free Rights Management Add-on for Internet Explorer that will enable users without Office 2003 to view a rights-protected document. This add-on is available for download from Microsoft as the Rights Management Add-on for Internet Explorer.
Authoring an IRM Document
If you take a look at Figure 2, you'll see how a document or e-mail is protected with RMS. The steps illustrated in the figure are explained here:
1. The author receives a client licensor certificate from the RMS server the first time they apply rights protection to a document. This step enables offline publishing of rights-protected documents in the future.
Figure 2 RMS Protection
2. Using an RMS-enabled application, the author creates a file and defines a set of usage rights and conditions for that file. A publishing license is then generated that contains the usage policies. The application then encrypts the file with a symmetric key, which is then encrypted with the public key of the author's RMS server. The encrypted key is then inserted into the publishing license, and the publishing license is bound to the file. Only the author's RMS server can issue use licenses to decrypt this file. The author then distributes the file.
3. A recipient receives a rights-protected file through any distribution mechanism and opens it using an RMS-enabled application or browser. If the recipient does not have an account certificate on the current computer, the user is issued one at this point.
4. The application sends a request for a use license to the RMS server that issued the publishing license for the protected information. The request includes the recipient's account certificate, which contains the recipient's public key, and the publishing license, which contains the symmetric key that encrypted the file. A publishing license issued by a client licensor certificate includes the URL of the server that issued the certificate. In this case, the request for a use license goes to the RMS server that issued the client licensor certificate and not to the computer that actually issued the publishing license.
5. The RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.
6. During this process, the server decrypts the symmetric key using the private key of the server, re-encrypts the symmetric key using the public key of the recipient, and adds the encrypted session key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as an expiration date or an application or operating system exclusion. When the validation is complete, the licensing server returns the use license to the recipient's client computer.
7. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights they have been granted.
This process is essentially the same whether the recipient is within the publishing organization or outside of it. The recipient is not required to be inside the author's network or domain to request a use license. All that is required is a valid account certificate for the recipient and access to the licensing server that issued the publishing license.
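The key handling in steps 2 through 7, as a constructed Go model added here (not Microsoft's RMS code, licence format, or ciphers): an AES-GCM content key is sealed to the server's RSA key inside the publishing license and re-sealed to the named recipient inside the use license. The names, the map-based policy, and the 2048-bit demo keys are assumptions for the example; what it shows is that the publishing license alone decrypts nothing, and that the server refuses a recipient the policy does not name.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Constructed model of an RMS license: a content key sealed to one RSA public key
// (the author's server, or one recipient) plus the policy, named recipient -> right.
type License struct {
	SealedKey []byte
	Rights    map[string]string
}
func GenKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k } // demo keys
func seal(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}
func unseal(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
}
func aead(key []byte) cipher.AEAD { // AES-256-GCM stands in for the file cipher
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Publish (step 2): encrypt under a fresh symmetric key, seal that key to the server, bind the policy.
func Publish(plain []byte, rights map[string]string, server *rsa.PublicKey) ([]byte, License, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	sealed, err := seal(server, key)
	return aead(key).Seal(nonce, nonce, plain, nil), License{sealed, rights}, err
}
// IssueUseLicense (steps 5-6): only the server's private key recovers the content key,
// and it is re-sealed only for a recipient the policy names.
func IssueUseLicense(server *rsa.PrivateKey, pl License, user string, userPub *rsa.PublicKey) (License, error) {
	right, ok := pl.Rights[user]
	if !ok { return License{}, errors.New("recipient not named in publishing license") }
	key, err := unseal(server, pl.SealedKey)
	if err != nil { return License{}, err }
	sealed, err := seal(userPub, key)
	return License{sealed, map[string]string{user: right}}, err
}
// Consume (step 7): the recipient unseals the content key and decrypts the file.
func Consume(user *rsa.PrivateKey, ul License, ct []byte) ([]byte, error) {
	key, err := unseal(user, ul.SealedKey)
	if err != nil { return nil, err }
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
```

The real product also carries the rights and conditions in signed XrML licenses and enforces them in the application; this model stops at the key exchange.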
RMS can be set up to enable external sharing of rights-protected documents. Users can share information with other trusted users over the Internet. This deployment offers the same level of protection as an intra-company RMS deployment because an RMS server must license the rights that are attached to a rights-protected file.
Deploying RMS
The process of deploying RMS consists of the following steps:
RMS Server Setup
Install, enroll, and register the RMS server software. During the enrollment process, the administrator installs RMS server software on the root server. The version of RMS installed on the server and the organization's URL are collected, and a public/private key pair is created. The server sends the public key along with the RMS version and URL information to the RMS Server Enrollment Service in a request for an RMS Licensor Certificate. The RMS Server Enrollment Service returns the RMS Licensor Certificate. Enrollment using the RMS Server Enrollment Service is required for at least one server within every RMS system. Servers added subsequently to the RMS root cluster use the same RMS Licensor Certificate. When you add a new server to an existing root installation or licensing-only server cluster, the new server is not explicitly enrolled because it takes on the entire existing configuration of the cluster.
RMS server(s) can be configured along with Windows Load Balancing Services (WLBS), and there are several possible topologies of RMS server configurations. Figure 3 shows a typical RMS topology.
Figure 3 RMS Topology
RMS Client Setup
Every client computer that will participate in the RMS system must be set up so that it is established as a trusted entity within the system. Client computer setup consists of verifying the presence of the RMS Client component and activating the client computer. After a client computer is set up, the infrastructure is in place to permit users with RMS-enabled applications to publish and consume rights-protected data. Each client computer must have the RMS Client component installed. This component is available from the Windows Update Catalog or from the Microsoft Download Web site. In the next version of Windows, the client component will be built into the operating system. Software deployment tools such as Microsoft Systems Management Server (SMS) can ensure that clients have the component installed, or you can rely on the installation of an RMS-enabled app to initiate the request to the Windows Update Catalog for the component. This component is required by RMS-enabled apps and is used for the client activation process.
Register RMS Users
When a user attempts to use RMS (for example, by using IRM in Microsoft Office 2003 programs), the following occurs. First, the machine obtains a certificate that activates it as a computer capable of creating protected content. The user then obtains a certificate that associates him or her with that computer and enables the creation of protected content.
IRM deployment depends upon RMS deployment. Once RMS is deployed, IRM deployment is as simple as installing the RMS Client at the desktop and deploying Office 2003. The client machine and each user then receive a certificate allowing IRM usage, as I described in the previous subsection "Register RMS Users."
Conclusion
To protect sensitive information such as customer data, financial reports, product specifications, and confidential e-mail messages, you need a strategy. Information Rights Management and Windows Rights Management Services help protect information through persistent usage policies, which remain with the information no matter where it goes. If you intend to use Windows Server 2003, you should consider an RMS/IRM solution. RMS is simple to set up and IRM very easy to use, so I highly recommend these two technologies as part of your overall data security solution.
Alok Mehta, PhD, is the CTO and Senior VP of AFS Technologies Inc. in Weston, MA where he is in charge of technology research and development. Alok has published several research papers on component-based software engineering and Web development. Reach him at amehta@afs-link.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.