Protect Company Data with Windows Rights Management Services

This service allows encryption of sensitive business information and provides control over how data is used inside and outside an organization.
Because e-mail was not designed with security in mind, protecting sensitive information sent by e-mail has always been a challenge. Most encryption solutions require users to work with their e-mail client in a slightly different way when a message must be encrypted or signed, especially if the intended recipient is not a company employee. Files can be secured in transit, using technologies such as IPsec or SSL/TLS, or at rest on disk, using NTFS permissions, EFS and BitLocker. But once a document is moved to and stored in a different location, all the effort spent securing it is lost: protection that is bound to the transport or to the storage does not travel with the data.

Active Directory Rights Management Services (AD RMS) encrypts e-mail messages and documents and stores a usage policy (the publishing license) with each file, determining who can view, edit, copy, forward or print it. Only the document's author, or a user granted Full Control, can change or revoke these permissions. Because the policy is enforced by the RMS client inside the application rather than by file-system ACLs, it follows the file wherever it goes. Note the limits of that enforcement: RMS stops a recipient from forwarding or printing through a cooperating application, but it cannot stop someone who is allowed to view content from photographing the screen.

When Exchange 2010 and AD RMS are used together, Transport Protection Rules can apply an RMS template to messages automatically as they pass through the transport pipeline, based on conditions such as sender, recipient or keywords in the subject or body. Because Exchange can decrypt RMS-protected messages in transit (transport decryption, using a service account that has been added to the AD RMS super users group), standard functionality such as malware scanning, other transport rules and content indexing is not impaired.

Usage Scenarios

Almost everyone knows someone (or is someone) who has forwarded an e-mail to the wrong person by mistake, so when sensitive documents are distributed by e-mail, it is important to ensure that only specific employees are able to work with the contents, regardless of where the message ends up.

Many security breaches involve insiders accidentally or maliciously leaking information. Depending on the results of a risk assessment, sensitive communications, including financial reports, HR documents and anything that contains valuable intellectual property, should be restricted to in-house consumption only.

Infrastructure Choices

To extend RMS beyond the corporate firewall, you can build a dedicated AD RMS cluster in a separate AD forest, with an organizational unit that holds accounts for your external partners, and publish that cluster's licensing service on the Internet or in an extranet. A trust (a trusted user domain) can then be established between the external-facing cluster and the internal RMS cluster, allowing users outside the company to work with protected documents. The disadvantage of this method is that credentials must be provisioned and managed for external users, which increases administrative overhead and the likelihood that one of those accounts is compromised.

Alternatively, Windows Live IDs can be used to authenticate external users, but this is best suited to one-off scenarios where an external partner needs to view an RMS-protected document. Windows Live IDs cannot be added to Active Directory (AD) groups, so rights cannot be assigned to them through group membership, and they offer only password-based, single-factor assurance, so they are not suitable where a high level of trust is required.

Business partners with whom RMS-protected content is exchanged on a regular basis can set up their own AD RMS cluster and establish a trust between the two clusters. Another option is to use Active Directory Federation Services (AD FS) or Microsoft's hosted Federation Gateway (Windows Server 2008 R2 SP1 or later with Exchange 2010 SP1), so that users in a partner's AD forest can access internal AD RMS servers without needing a second set of credentials. Not all Microsoft applications, Windows Mobile and SharePoint among them, support RMS when AD FS, the Federation Gateway or Windows Live IDs are used, so test each client platform you intend to support before relying on federated access.

Client and Server Requirements

AD RMS requires Windows Server 2008 or later, Active Directory, SQL Server 2005 or later (for the configuration, directory services and logging databases), IIS with ASP.NET enabled and Microsoft Message Queuing (MSMQ). The AD RMS role and SQL Server should be installed on separate, dedicated servers. For more detailed information, see Pre-installation Information for Active Directory Rights Management Services. The RMS client is built into Windows Vista and Windows 7; Windows XP and Windows 2000 are supported, but the client must be downloaded and installed manually.

Users also need applications that are capable of creating and reading RMS-protected content. RMS is supported in Microsoft Office and the Windows XPS Viewer. Rights management is available in Office 2003 and later, but feature support varies between the different SKUs (some editions can only read protected content, not create it). For more detailed information, see AD RMS and Microsoft Office Deployment Considerations.

Rights Management Basics

In a test environment, AD RMS is fairly easy to set up. If you just want to get a feel for the technology without installing the server components yourself, Office 2010 supports rights management using Windows Live IDs and Microsoft's hosted online licensing servers.

To protect a document in Word 2010, click Info on the File menu and select Protect Document > Restrict Permission by People > Restricted Access. If you have never used rights management before, you will be prompted to enroll an existing Windows Live ID, or to create one if you do not already have an ID to use. Once set up for RMS, you will be asked to confirm the use of that ID for creating and opening rights-protected content in Word. Click OK to set restrictions on the document (Figure 1).

Figure 1 – Basic rights-management restrictions on a Word document

Click More Options in the Permission dialog to access more advanced rights management settings.

Figure 2 – Advanced rights management restrictions

When the document is saved and later opened by a user who has been granted permissions, Word contacts the online licensing server to obtain a use license, so the reader needs network connectivity to the licensing service the first time the document is opened. Users who have not explicitly been granted rights to the document will not be able to open it or otherwise view its content.

Automating AD RMS Protection

Microsoft has developed the Active Directory Rights Management Services Bulk Protection Tool, which allows security administrators to encrypt or decrypt files en masse, including Outlook PST files if required. Using the tool in conjunction with the File Classification Infrastructure (FCI) in Windows Server 2008 R2, administrators can automate encryption and the setting of usage policy on files, taking the weakest link in the security chain (the user) out of the loop. FCI classifies files according to rules (for example, by location or by content matching a pattern), and a file management task then calls the Bulk Protection Tool from a PowerShell script to apply an RMS template to each classified file. The tool can be downloaded for free. For more information on FCI, see Control Data Sprawl with File Classification in Windows Server 2008 R2.
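The script below is an added example of the FCI-to-RMS hand-off described above; it is not part of the original article and not Microsoft's code. It assumes an FSRM file management task whose action is "Custom", running powershell.exe with the argument `-NoProfile -ExecutionPolicy AllSigned -File C:\RMSProtect\Protect-ClassifiedFile.ps1 -Path "[Source File Path]"`, under a domain service account that can reach the AD RMS cluster. The FCI property name (Confidentiality), the owner address, the install path of the Bulk Protection Tool, its command-line switches (/E, /F, /TemplateId, /OwnerEmail) and the template GUIDs are all assumptions; check `RMSBulkProtectionTool.exe /?` and the Rights Policy Templates node of the AD RMS console for the real values.

```powershell
# Protect-ClassifiedFile.ps1  (added example, not from the original article)
# Invoked by an FSRM file management task with the path of one classified file.
# Reads the file's FCI classification, maps it to an AD RMS template and applies
# the template with the AD RMS Bulk Protection Tool, failing closed on any error.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$PropertyName = 'Confidentiality',              # assumed FCI property
    [string]$OwnerEmail   = 'dataowner@example.com',        # assumed RMS owner
    [string]$Tool         = 'C:\Program Files\RMS Bulk Protection Tool\RMSBulkProtectionTool.exe', # assumed path
    [string]$Log          = 'C:\RMSProtect\protect.log'
)
$ErrorActionPreference = 'Stop'

# Assumed mapping of classification value -> AD RMS template GUID. Placeholder
# GUIDs; replace with those from the AD RMS console (Rights Policy Templates).
$TemplateByClass = @{
    'High'   = '11111111-1111-1111-1111-111111111111'   # e.g. "Company Confidential - Read Only"
    'Medium' = '22222222-2222-2222-2222-222222222222'   # e.g. "Company Confidential"
}

# Only file types the RMS client and the tool handle; anything else is skipped.
$SupportedExt = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.xps', '.pst')

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $Log
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $Log -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

function Get-Classification([string]$File) {
    # The FSRM classification manager COM object exposes the properties FCI has
    # stamped on a file (assumed API: IFsrmClassificationManager.GetFileProperty).
    $cm = New-Object -ComObject Fsrm.FsrmClassificationManager
    try { return $cm.GetFileProperty($File, $PropertyName, 0).Value } catch { return $null }
}

# 1. Validate input: FCI passes a full path, but never trust it blindly.
if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { Write-Log "MISSING $Path"; exit 2 }
$ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
if ($SupportedExt -notcontains $ext) { Write-Log "SKIP $Path (unsupported type $ext)"; exit 0 }

# 2. Look up the classification and pick a template; unknown values are not protected,
#    but are logged so the gap in the classification rules is visible.
$class = Get-Classification $Path
if (-not $class -or -not $TemplateByClass.ContainsKey($class)) {
    Write-Log "SKIP $Path (classification='$class' has no template)"; exit 0
}
$template = $TemplateByClass[$class]

# 3. Run the Bulk Protection Tool. Switches are assumed; verify with the tool's /? output.
#    Start-Process with an argument array avoids cmd.exe quoting problems with spaces in paths.
$toolArgs = @('/E', '/F', "`"$Path`"", '/TemplateId', $template, '/OwnerEmail', $OwnerEmail)
$proc = Start-Process -FilePath $Tool -ArgumentList $toolArgs -Wait -PassThru -NoNewWindow

# 4. Fail closed: a non-zero exit code is logged and propagated so the FSRM task reports it.
if ($proc.ExitCode -ne 0) { Write-Log "FAIL $Path template=$template exit=$($proc.ExitCode)"; exit $proc.ExitCode }
Write-Log "PROTECTED $Path class=$class template=$template"
exit 0
```

Two design points matter in production. First, the script protects only files whose classification maps to a template and logs everything it skips, so a file that FCI tagged with an unexpected value shows up in the log instead of silently staying in clear text. Second, it returns the tool's exit code rather than swallowing it, so failures surface in the file management task's report and in the FSRM event log rather than being discovered later by a user who can still open a document that should have been restricted.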

About the Author

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.
