Windows Rights Management Services: Frequently Asked Questions

Published: April 18, 2005

This FAQ answers commonly asked questions about Windows Rights Management Services (RMS).

On This Page
Windows RMS
Windows RMS with Service Pack 1

Windows RMS

Q.What is Windows Rights Management Services (RMS) and what does it do?
A.

Microsoft Windows Rights Management Services (RMS) is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use—both online and offline, inside and outside the firewall. Combining Windows Server 2003 features, developer tools and proven security technologies—including encryption, certificates and authentication—RMS helps organizations create reliable information protection solutions. RMS augments an organization's security strategy by providing protection of information through persistent usage policies, which remain with the information, no matter where it goes.

Q.What is IRM?
A.

Information Rights Management, or IRM, is the functionality in Microsoft Office 2003 Professional (Office Word 2003, Office Excel 2003, Office PowerPoint 2003 and Office Outlook 2003) that uses RMS to help information workers protect sensitive Word documents, spreadsheets, presentations, and e-mail.

Q.What is Enterprise Rights Management?
A.

Enterprise rights management, or ERM, is rights management focused on protecting business applications, including documents and e-mail. It is distinct from Digital Rights Management, or DRM. DRM is a specific kind of rights management, focused on protecting commercial media content such as songs and movies. Rights management, as a broader category, also encompasses enterprise rights management (which is the focus of RMS). In the future, we see other applications of rights management, too—personal rights management, privacy rights management—and many more. Anything that is digital can ultimately be protected—and that's rights management.

Q.What are the components of Windows Rights Management Services?
A.

Windows Rights Management Services (RMS) technology includes the following components:

Server Technology. At the core of Windows RMS is the server component that handles the certification of trusted entities, licensing of rights-protected information, and administration functions. It facilitates the setup steps that enable trusted entities to use rights-protected information.

Client component. Each client computer in an RMS system must have the rights management client software installed. This client software encompasses a group of APIs that can be distributed in whatever way an enterprise distributes software updates. It enables RMS-enabled applications to protect and consume information and to communicate with the RMS server.

RMS-enabled applications. RMS works with information from any RMS-enabled application, giving organizations the flexibility to customize a solution for their specific confidential and nondisclosure policies.

Office 2003 Professional with Information Rights Management. Organizations can leverage the out-of-the-box RMS-enabled application support in Office 2003 Professional (Word, Excel, PowerPoint, and Outlook) as easy-to-implement options to help safeguard their sensitive information.

Rights Management Add-on for Internet Explorer. This add-on enables documents and HTML to be viewed without using the authoring application. An author can grant usage rights to a document or Web-based information and distribute it to recipients via e-mail, a shared folder, or a Web page. The recipients can install the Rights Management Add-on for Internet Explorer and use it to consume the content based on the permissions that the author has given them. This is helpful for sharing rights-protected information with recipients who have not deployed RMS-enabled applications but need to consume content.

Windows RMS Software Development Kit. The RMS software development kit (SDK) is a set of tools, documentation, and sample code that enables independent software vendors (ISVs) to create RMS-enabled applications and corporate developers to extend Windows RMS in their organizations. It includes Simple Object Access Protocol (SOAP) interfaces and rights management APIs that allow developers to create components to extend and enhance Windows RMS, including functionality for integration of existing storage and content management systems, implementation of custom policies, and real-time protection of information stored in back-end database systems.

Using the SDK and the accompanying APIs, Microsoft partners can build trusted applications that are able to enroll PCs and users into the RMS trust model and publish and consume RMS-protected content.


Windows RMS with Service Pack 1

Q.What's new in RMS with Service Pack 1?
A.

Since the release of RMS, Microsoft has listened to customers evaluating and deploying RMS, as well as to application vendors developing enterprise rights management (ERM) solutions on the RMS platform.

Here are some examples of what we've heard and how we've responded:

Customers require ERM to integrate into their environment, with critical business applications such as records management, e-mail archival systems, e-mail gateways, content inspection gateways, and automated workflows.

That's why we've extended RMS to enable better integration with third-party server-based applications for consistent and comprehensive information protection.

Customers require ERM to operate in sensitive, higher security, or isolated environments, such as air-gap networks (networks that don't connect to the Internet).

That's why we've enabled RMS SP1 to be deployed in air-gap networks as well as providing a FIPS (Federal Information Processing Standard)-compliant solution, which is necessary for many of our U.S. government and banking customers. Additionally, we've enabled the ability to require second factor authentication in order to consume protected content, for customers who want an additional layer of protection beyond a user name and password.

Customers require a solution that is easy to deploy and use.

That's why we've made RMS even easier to deploy using standard tools like software deployment and desktop imaging tools. In addition, RMS can be deployed without requiring desktop users to have administrative privileges.

Q.Can you explain more about how RMS has been extended to better integrate with server-based applications?
A.

Today, RMS implementations in Microsoft Office 2003 Professional give the end user the ability to assign rights policies to documents or e-mail messages. Many organizations have asked Microsoft to allow them to apply rights protection policies to information in a more centralized way, for example at the server or network level.

Some scenarios that organizations have requested include:

Protected document storage repositories, from which end users can "check out" documents and be assured that the correct rights management policies have been applied behind the scenes

Dynamic rights protection on messages as they enter and leave an organization's network, such that senders and recipients do not have to remember to apply rights, and the correct policies are consistently enforced based on the organization's needs

To enable these types of scenarios more easily, RMS introduces something called the server lockbox. The RMS component that performs all encryption, decryption, signing, and validation necessary to publish and consume rights-protected information is called the "lockbox." In the first version of RMS, the lockbox was designed for client applications such as Microsoft Office. As a result, it lacked the performance characteristics required for a server application. With RMS Service Pack 1 (SP1), a new type of lockbox is introduced, in addition to the enhanced SP1 client lockbox. The new server lockbox extends the range of possible RMS solutions to include server applications.

The server lockbox enables server applications such as records management, messaging gateways, and e-mail archiving solutions to work with protected documents and e-mail more easily. Performance and functionality improvements have been implemented in this "server-friendly" lockbox so that server applications can, for example, automatically protect documents based on rights management policies, with the level of performance a server application needs.

Q.Can you explain more about how you eliminated the need for the Internet connection?
A.

The earlier version of Windows Rights Management Services (RMS) required customers to have a live Internet connection from their RMS server. This was required because two steps in the RMS setup process, called "server enrollment" and "client machine activation," required a connection from the customer's RMS server to services hosted on the Internet. With RMS Service Pack 1 (SP1), RMS can now be operated in networks with no Internet connection, sometimes known as "air-gap" networks. This has been accomplished by means of two changes.

First, the server enrollment step, in which the RMS server obtains the server licensor certificate (SLC) required for operation, has been updated such that it can be executed either offline or online. Customers choosing the offline option will be able to obtain the SLC and import it into the RMS server in two separate steps, transporting the SLC on physical media between an Internet-connected machine and a non-Internet-connected network.

Second, the client machine activation step has been updated to a self-activation model. The RMS component that performs all encryption, decryption, signing, and validation steps necessary to publish and consume rights-protected information is called the "lockbox." Machine activation is the process in which the lockbox is installed and activated. Instead of obtaining a lockbox from an activation service hosted by Microsoft, the RMS SP1 client ships with the lockbox already included, and it generates the necessary credentials itself upon activation. The RMS SP1 client self-activates upon first use by any user, including non-administrators.

Q.Tell me about FIPS compliance. Exactly what has been certified and to what level of FIPS certification?
A.

The Federal Information Processing Standard (FIPS) 140-1 and 140-2 apply to cryptographic products and modules. Windows Rights Management Services with Service Pack 1 (SP1) has been updated to utilize FIPS-140-validated cryptographic modules available in Windows, accessible through the standard Windows CryptoAPI (CAPI) interface. The cryptographic algorithms contained in these modules include AES (FIPS 197) for symmetric encryption of content and RSA for asymmetric encryption of content keys and other credentials. Microsoft Data Protection API (DPAPI) is used for securing secret key material.

The FIPS certification levels are detailed below:

Platform                      FIPS validation level
Windows XP, Windows XP SP1    FIPS 140-1,* validated for Level 1
Windows XP SP2                FIPS 140-1,* validated for Level 1
Windows Server 2003           FIPS 140-2, Level 1

* FIPS 140-2 became official in May 2002. By then, Windows 2000 and Windows XP had already achieved their official FIPS 140-1 status. FIPS 140-1 is still a valid and recognized certification level and is expected to remain so through the Longhorn shipment timeframe.
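As an added illustration (this is example code written for this page, not RMS product code or anything from the RMS SDK), the following Windows PowerShell script walks the same envelope the answer above describes, using the CAPI providers that .NET exposes: AES encrypts the content under a random content key, RSA-OAEP wraps that content key to a public key, and DPAPI seals the private key at rest. The RSA key pair here is a locally generated stand-in for the RMS licensing key, the document text is constructed sample content, and the function names Protect-Content and Unprotect-Content are this example's own. It assumes Windows PowerShell 5.1 on Windows, where the ProtectedData class (DPAPI) and the CryptoServiceProvider classes are available.

```powershell
# Added example, not RMS product or SDK code. Walks the envelope RMS SP1 describes with the
# CAPI providers .NET exposes on Windows: AES for the content, RSA-OAEP for the content key,
# DPAPI for the private key at rest. The RSA pair is a local stand-in for the RMS licensing
# key and the document text is constructed. Assumes Windows PowerShell 5.1 on Windows.
Add-Type -AssemblyName System.Security      # System.Security.Cryptography.ProtectedData (DPAPI)
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Content {
    # Publish step: random AES-256 content key and IV, content encrypted, content key wrapped
    # to the licensing public key. Returns the bundle a consumer needs to request a license.
    param([byte[]]$Content, [byte[]]$LicensingPublicBlob)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipherText = $aes.CreateEncryptor().TransformFinalBlock($Content, 0, $Content.Length)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportCspBlob($LicensingPublicBlob)     # public half only; the publisher never holds the private key
    $wrappedKey = $rsa.Encrypt($aes.Key, $true)  # $true selects OAEP padding (SHA-1 under CAPI)
    $bundle = @{ CipherText = $cipherText; IV = $aes.IV; WrappedKey = $wrappedKey }
    $aes.Dispose(); $rsa.Dispose()               # the plaintext content key is not retained
    return $bundle
}

function Unprotect-Content {
    # Consume step: unseal the private key with DPAPI, unwrap the content key, decrypt.
    param($Bundle, [byte[]]$SealedPrivateBlob)
    $privBlob = [System.Security.Cryptography.ProtectedData]::Unprotect($SealedPrivateBlob, $null, $scope)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.ImportCspBlob($privBlob)
    $contentKey = $rsa.Decrypt($Bundle.WrappedKey, $true)
    $rsa.Dispose()
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $contentKey; $aes.IV = $Bundle.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Bundle.CipherText, 0, $Bundle.CipherText.Length)
    $aes.Dispose()
    return $plain
}

# Setup: generate the stand-in licensing key pair; keep the private half only DPAPI-sealed.
$licensing = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicBlob = $licensing.ExportCspBlob($false)
$privateBlob = $licensing.ExportCspBlob($true)
$sealedPrivate = [System.Security.Cryptography.ProtectedData]::Protect($privateBlob, $null, $scope)
[Array]::Clear($privateBlob, 0, $privateBlob.Length)   # do not leave the plaintext blob around
$licensing.Dispose()

# Round trip on constructed sample content.
$doc = [Text.Encoding]::UTF8.GetBytes('Board minutes: do not forward')
$bundle = Protect-Content -Content $doc -LicensingPublicBlob $publicBlob
$recovered = Unprotect-Content -Bundle $bundle -SealedPrivateBlob $sealedPrivate
[Text.Encoding]::UTF8.GetString($recovered)

# The wrapped key is useless without the licensing private key: an unrelated key pair
# fails OAEP decryption instead of yielding a wrong-but-usable key.
$other = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
try   { $null = $other.Decrypt($bundle.WrappedKey, $true); 'unexpected: unwrap succeeded' }
catch { 'unwrap with an unrelated key failed, as expected' }
$other.Dispose()
```

Running the script prints the recovered text, then a line showing that a second, unrelated key pair cannot unwrap the content key. Two caveats: the CAPI RSA provider uses OAEP with SHA-1, and the example omits the signing and validation a real lockbox performs on certificates and licenses, so it shows the confidentiality side of the key flow only, not its integrity. DPAPI with CurrentUser scope ties the sealed private key to the Windows user profile, which is why a key sealed under one account does not unseal under another.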

Q.Tell me more about the two-factor authentication that has been enabled with RMS SP1.
A.

With the first version of RMS, users were required to log in and authenticate to Microsoft Active Directory (AD) in order to obtain their RMS user credentials. Once they had obtained these RMS credentials, users could then publish and consume content without AD authentication.

Customers have asked for an enhanced level of authentication, including two-factor authentication methods.

With RMS SP1, it is possible to require end users to present an X.509 certificate from a smart card in order to obtain an RMS user credential. This is done by (1) mapping users' Active Directory accounts to X.509 certificates, and then (2) placing an access control list on the RMS service that grants user credentials (the certification service), so that only those mapped accounts can reach it. Windows then prompts users for their smart card PIN in order to authenticate them, and therefore to grant them RMS credentials. This provides an additional layer of security over the simpler user name and password AD authentication.

Organizations interested in a very high level of security can additionally place access control lists on the licensing service of RMS. With this safeguard in place, end users must present network credentials every time they consume or "license" new RMS-protected content. Just as in the above certification scenario, with RMS SP1 the administrator will be able to enforce smart card-based authentication for the licensing scenario as well.
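The ACL step can be scripted. The following Windows PowerShell script is an added example written for this page, not something from the RMS documentation or product: it breaks permission inheritance on the certification and licensing endpoints, grants read access only to an approved set of identities, then re-reads each ACL to confirm that no inherited or unexpected Allow entries remain. The paths under _wmcs are the typical RMS defaults but are assumptions here; the CONTOSO\RMS Smart Card Users group is hypothetical and stands for the accounts mapped to smart card certificates; the local group name RMS Service Group and the built-in identities kept are also assumptions drawn from a default RMS server. The certificate-to-account mapping itself is done in IIS and Active Directory and is not shown.

```powershell
# Added example, not from the RMS documentation: restrict the RMS certification and licensing
# endpoints to an approved set of identities so that only members of the smart-card group
# (plus the accounts the server itself needs) can obtain RMS credentials or licenses.
# Paths and group names are assumptions to adjust for your deployment. Run elevated on the
# RMS server, and try it on a pilot server first.
$endpoints = @(
    'C:\Inetpub\wwwroot\_wmcs\Certification\certification.asmx',   # assumed default path: issues user credentials
    'C:\Inetpub\wwwroot\_wmcs\Licensing\license.asmx'              # assumed default path: issues use licenses
)
$allowed = @(
    'CONTOSO\RMS Smart Card Users',              # hypothetical AD group: users whose certs are mapped
    "$env:COMPUTERNAME\RMS Service Group",       # assumed name of the local group RMS creates for its service account
    'NT AUTHORITY\NETWORK SERVICE',              # IIS worker identity, if the pool does not run as the service account
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

function Set-RmsEndpointAcl {
    param([string]$Path, [string[]]$Identities)
    $acl = Get-Acl -Path $Path
    # Break inheritance and drop inherited ACEs, so the read access every authenticated user
    # inherits from wwwroot no longer reaches the service.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    foreach ($id in $Identities) {
        # Read & execute is all a web request needs; nothing here gets Modify or Full Control.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'ReadAndExecute', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RmsEndpointAcl {
    # Check after the fact: no inherited ACEs remain, and every Allow ACE names an approved identity.
    param([string]$Path, [string[]]$Identities)
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IsInherited -or
        ($_.AccessControlType -eq 'Allow' -and $Identities -notcontains $_.IdentityReference.Value)
    }
    return (@($bad).Count -eq 0)
}

foreach ($path in $endpoints) {
    if (-not (Test-Path -Path $path)) { Write-Warning "Not found: $path"; continue }
    Set-RmsEndpointAcl -Path $path -Identities $allowed
    if (Test-RmsEndpointAcl -Path $path -Identities $allowed) { "OK   $path" } else { "FAIL $path" }
}
```

Confirm on the pilot server that a pilot user can still obtain an RMS credential and a use license after the change; if the application pool runs under an identity other than the RMS service account, that identity must be in $allowed as well. Locking down license.asmx is the stricter option described above: with it, users must re-authenticate for every new piece of content they license, not only when their RMS credential is first issued.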

Q.What are some of the other improvements in RMS SP1?
A.

Easier deployment with fewer end-user privileges required
With RMS SP1, client packages are much easier to roll out to desktop machines. For example, customers can deploy RMS clients across the network without "touching" desktops or requiring their end users to have administrative privileges, using deployment and installation technologies from Microsoft.

RMS SP1 uses installation technology that supports program "advertising." By having advertised programs, an organization can allow an installation program, invoked by a non-administrator, to temporarily "elevate privileges" to accomplish the installation. This can be done using group policy objects (GPO), or automated further with Microsoft Systems Management Server (SMS).

Also, the RMS SP1 client software will be distributed via Microsoft Windows Update channels, enabling customers to deploy the client using Software Update Services (SUS) or Windows Server Update Services (WSUS).

Easier Role-based Security
Many organizations have the requirement to restrict information to a group whose members are constantly changing, and they do not want to keep updating group definitions each time a person enters or leaves the group.

In RMS SP1, support for query-based groups enables rights management policies to be applied based on dynamic groups, defined by queries of Active Directory for certain attributes. For example, when a recipient attempts to "consume" or open rights-protected content, RMS checks their group membership against the rights assigned to the content. If the recipient is not a member of the correct group at the time they try to consume, they will fail to obtain the license required to access the content. This is true for statically-defined groups as well as query-based groups.

The use of query-based groups requires Microsoft Exchange 2000 Service Pack 3 (SP3) or higher, with Active Directory based on Windows 2000 SP3 or higher.

Improved Tools and Guidance
The RMS toolkit has been updated with the release of RMS SP1. The RMS SP1 toolkit includes new and updated tools, such as a web user interface that works with the existing RMS log analyzer tools, to provide customers with an easier way to view RMS actions such as certification, publishing, and licensing—per user, across an organization.

Q.What are the technical requirements for RMS SP1?
A.

The most important update to the technical requirements for RMS SP1 is that an Internet connection is no longer required in order to install, deploy, or operate RMS. RMS can now operate in completely disconnected or "air-gap" networks. Beyond that, the technical requirements for RMS SP1 are similar to that of the first version of RMS:

Server Software Requirements

There must be at least one server running Windows Server 2003 (Standard, Enterprise, Web or Datacenter) to serve as the RMS server.

The environment must contain a Windows Server Active Directory service (based on Windows 2000 Server SP3 or later) which provides a well-known unique ID for each user.

There is no requirement for a Microsoft Exchange Server in order for RMS to work.

The RMS server requires a database for logging and configuration: Microsoft SQL Server 2000 SP3 or later for enterprise deployments, or MSDE for small-scale testing and proof-of-concept environments.

The SQL Server database stores all service configuration data, information about principals in the system, and all logging data, and it caches the results of Active Directory group (distribution list) expansion lookups.

The best practice and recommended implementation is to install RMS on a dedicated server (or a cluster of servers in a load balancing / high-availability scenario).

The SQL Server component can be installed remotely and may be shared with other databases.

Server Hardware Requirements

Minimum: PIII 800 MHz / 256MB RAM / 20GB disk*

Recommended: Dual P4 2.4 GHz / 1GB RAM / 40GB disk*

* Note: Sizing and deployment plans are unique to the customer.

Client Software Requirements

Client machines

Microsoft Windows 2000 Server or higher operating system

RMS-enabled applications such as

Office Professional Edition 2003

Internet Explorer with the Rights Management Add-on allows consumption, but not creation, of rights-protected content on clients without Office Professional Edition 2003.

Q.Is there an SP1 release of IRM to go with RMS SP1?
A.

RMS is a platform technology and hence on an independent release schedule from applications such as Microsoft Office. The RMS SP1 platform will be supported with the existing Microsoft Office information rights management (IRM) functionality that uses RMS today. The Microsoft Office team plans to leverage enhanced RMS technology in future versions of their product, as do other application teams within Microsoft.

Q.How has the RMS key flow changed for RMS SP1?
A.

The key flow for RMS SP1 is largely the same as it was in the first version of RMS. For example, offline and online publishing, as well as consumption of content, work in exactly the same way. The two major differences are the two steps in the RMS setup process: offline server enrollment and client machine self-activation.
