Information Rights Management fills a security void left by access control lists

Microsoft's Information Rights Management technology augments access control lists, adding another layer of protection to sensitive documents on the network. This article gives value-added resellers (VARs) and systems integrators the know-how to use the technology in their customers' IT environments.

One basic principle of network security is keeping sensitive information from being disclosed to unauthorized people while still letting those with a legitimate need get at it. As a reseller, your customers look to you for new ways of achieving this seemingly simple goal. One security technology that is starting to come of age is Microsoft's Information Rights Management. It was first introduced in Microsoft Office 2003 and has been improved with the recent releases of Office 2007 and Windows Vista.

Information Rights Management is designed to augment the access control lists (ACLs) that have traditionally been the primary mechanism for securing files within the Windows operating system. The problem with ACL security is that it is coarse. An ACL specifies who can read, modify or delete a file, and that's about it. Those permissions work well for keeping unauthorized users from opening a sensitive document, but the moment an authorized user opens it, the operating system has handed over the plaintext, and nothing stops that user from printing it, copying text out of it, or passing it on to someone who is not on the ACL, whether accidentally or on purpose. An ACL also only applies while the file sits on a file system that enforces it; a copy in a mailbox or on a USB stick carries no ACL at all.

Imagine, for example, that one of your corporate customers has completed its quarterly earnings report, which is scheduled to be released to the public in a couple of weeks. With conventional ACL security, nothing stops a manager who has rights to the report from handing a printed copy to a friend who also happens to be a stockholder.

This is where Information Rights Management comes into play. It has two main purposes. First, it provides finer control over how a document can be used than ACLs alone allow. For example, you can apply restrictions that prevent users from printing a document, or from copying and pasting data out of it. You can even restrict an email message so that the recipient cannot forward it.

Its second purpose is to build the protection into the document itself, so that it no longer depends on the presence of access control list entries. The document is encrypted, and it can only be opened by obtaining a license from the Rights Management server, which refuses anyone the document's rights settings do not name. If a user emails the document to a friend, it is still protected.

As you can see, your customers can definitely benefit from Information Rights Management. So how does it work? There are several requirements. For starters, your customers need a Windows network running the Windows Server 2003 version of Active Directory (Active Directory authenticates users and supplies the identities that rights are granted to). They also need to deploy a Windows Server 2003 machine to act as a Rights Management server, essentially an IIS server running Rights Management Services. SQL Server is also required, for the RMS configuration and logging databases. Finally, your customer must have RMS-enabled applications. Microsoft Office 2003 and Office 2007 are RMS-enabled, and Microsoft offers a software development kit that developers can use to RMS-enable other applications.

Implementing Information Rights Management involves installing Rights Management Services on a Windows Server 2003 machine, then deploying the RMS client to each computer that will create or use protected documents (Windows Vista includes the client; earlier versions of Windows need it installed).

Once the infrastructure is in place, users restrict a document directly from the application used to create it. In Microsoft Word 2007, for example, the Protect Document button on the Review tab, shown in Figure A, offers a Restrict Permission option where the author lists who may read or change the document. From those choices the application creates a publishing license, which states who can do what with the document. The document itself is encrypted with a freshly generated content key, and that key is placed in the publishing license encrypted so that only the RMS server can recover it. The license is sent to the RMS server to be signed, and the signed copy is embedded in the document, so the rights travel with the file and cannot be altered without invalidating the signature.

Figure A

Office 2007 is RMS-enabled by default.

When a user attempts to open a protected document, the application sends the document's publishing license to the RMS server along with the user's credentials. The server authenticates the user against Active Directory, checks that the publishing license grants that user rights, and if so issues a use license that lists those rights and contains the content key, encrypted so that only that user's RMS client can recover it. The application decrypts the document and enforces the rights in the use license. Note that enforcement happens inside the application rather than in the operating system: a protected document is only as safe as the RMS-enabled application that opens it.
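The publish-and-consume exchange just described, as an added example that is not code from the article or from Microsoft: a toy model in Python of an RMS server and an RMS-enabled client. Real RMS uses XrML licenses, RSA key pairs carried in certificates and AES content keys. To run with the standard library alone, every key here is a 32-byte secret, "encrypt to a party's public key" is simulated by a keyed stream cipher under that party's secret, and the logon is a challenge-response on the user's account key rather than Windows authentication. The class and function names (RmsServer, RmsClient, allowed, run_demo) and the users, rights and report text in run_demo are invented for the example.

```python
import hashlib, hmac, json, secrets


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: the same call encrypts and decrypts (toy cipher).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt under key with a fresh nonce (stands in for AES and for RSA key wrapping)."""
    nonce = secrets.token_bytes(16)
    return nonce + _stream(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _stream(key, blob[:16], blob[16:])


def _signable(pl: dict) -> bytes:  # license fields the signature covers, in a fixed order
    return json.dumps({k: v for k, v in pl.items() if k != "signature"}, sort_keys=True).encode()


class RmsServer:
    """RMS server plus the directory it authenticates against (invented name)."""

    def __init__(self, directory: dict):
        self._key = secrets.token_bytes(32)  # server licensor key; never leaves the server
        self._directory = directory          # user -> account key (models AD and the RAC)

    def issue_publishing_license(self, rights: dict, content_key: bytes) -> dict:
        """Online publishing: wrap the content key so only the server can recover it, then sign."""
        pl = {"id": secrets.token_hex(8), "rights": rights,
              "wrapped_key": seal(self._key, content_key).hex()}
        pl["signature"] = hmac.new(self._key, _signable(pl), hashlib.sha256).hexdigest()
        return pl

    def issue_use_license(self, user: str, proof: str, pl: dict) -> dict:
        """Release the content key only to an authenticated user the publishing license names."""
        expected = hmac.new(self._key, _signable(pl), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pl.get("signature", "")):
            raise PermissionError("publishing license has been altered")
        account_key = self._directory.get(user, b"")
        challenge = hmac.new(account_key, pl["id"].encode(), hashlib.sha256).hexdigest()
        if not account_key or not hmac.compare_digest(challenge, proof):
            raise PermissionError(f"{user}: authentication failed")
        rights = pl["rights"].get(user)
        if not rights:
            raise PermissionError(f"{user}: no rights to this document")
        content_key = unseal(self._key, bytes.fromhex(pl["wrapped_key"]))
        # Re-wrap the content key to the requesting user's own account key.
        return {"rights": list(rights), "wrapped_key": seal(account_key, content_key).hex()}


class RmsClient:
    """An RMS-enabled application acting for one user (invented name)."""

    def __init__(self, user: str, account_key: bytes, server: RmsServer):
        self.user, self._account_key, self._server = user, account_key, server

    def protect(self, body: bytes, rights: dict) -> dict:
        """Publish: encrypt the body under a fresh key; the signed license travels with it."""
        content_key = secrets.token_bytes(32)
        return {"pl": self._server.issue_publishing_license(rights, content_key),
                "body": seal(content_key, body)}

    def open(self, doc: dict) -> tuple:
        """Consume: fetch a use license and decrypt. Returns (plaintext, rights) or (None, reason)."""
        proof = hmac.new(self._account_key, doc["pl"]["id"].encode(), hashlib.sha256).hexdigest()
        try:
            ul = self._server.issue_use_license(self.user, proof, doc["pl"])
        except PermissionError as exc:
            return None, str(exc)
        content_key = unseal(self._account_key, bytes.fromhex(ul["wrapped_key"]))
        return unseal(content_key, doc["body"]), ul["rights"]


def allowed(rights: list, action: str) -> bool:
    # What the application enforces: read comes with the license, anything else must be listed.
    return action == "read" or action in rights


def run_demo() -> dict:
    """Constructed scenario: the article's unreleased earnings report."""
    directory = {u: secrets.token_bytes(32) for u in ("alice", "bob", "carol")}
    server = RmsServer(directory)
    alice, bob, carol = (RmsClient(u, directory[u], server) for u in directory)
    doc = alice.protect(b"Q3 earnings: revenue up 12%",
                        {"alice": ["read", "edit", "print"], "bob": ["read"]})
    text, bob_rights = bob.open(doc)
    # Bob forwards the file to Carol (no ACL travels with it, but the license does) and also
    # edits the rights list in a copy, which breaks the server's signature over the license.
    tampered = {"pl": dict(doc["pl"], rights={"bob": ["read", "print"]}), "body": doc["body"]}
    return {"alice_print": allowed(alice.open(doc)[1], "print"),          # True
            "bob_text": text, "bob_print": allowed(bob_rights, "print"),    # plaintext, False
            "carol": carol.open(doc)[1], "tampered": bob.open(tampered)[1]}  # refusal reasons
```

Calling run_demo() walks through the earnings-report scenario: the author can print, a reader granted only the read right cannot, a colleague who receives the file by email but is not named in the publishing license is refused a use license even though he is a legitimate directory user, and a copy whose rights list has been edited is rejected because the server's signature over the license no longer verifies. Note where the last line of defense sits: allowed() runs in the client, so an application that holds the content key and chooses to ignore the rights list is not stopped by anything the server does.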

As you can see, there are considerable infrastructure requirements in deploying Rights Management Services, which would normally put Information Rights Management out of reach for many of your smaller customers. However, Microsoft offers a Microsoft-hosted Rights Management server, available for a fee after a two-week free trial. Simply clicking the Protect Document icon causes Office to display the free trial offer, as shown in Figure B. The same dialog box also lets you configure Office to use your own Rights Management server instead. Whichever server is used, keep in mind that it holds the keys to every protected document and authenticates every reader: it must be trusted with that role and kept available, since a user who has not already obtained a use license cannot open a protected document while the server is unreachable.

Figure B

You have the option of using Microsoft's Rights Management Server.

There's a definite need for document-level security that goes beyond the basic read, modify and delete permissions ACLs offer. Information Rights Management fills this void nicely, but it may do so at the cost of compatibility, since applications that are not RMS-enabled generally cannot open RMS-protected documents. It also raises the bar for accidental and casual disclosure rather than eliminating leaks outright: a determined insider who is allowed to read a document can still photograph the screen or retype its contents. Even so, convincing your customers to deploy Information Rights Management is generally a win-win situation. Your customer benefits from better security, and you benefit from the hardware and software sales.

Brien Posey

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
