Windows Server 2008 Protects Content
Nov. 12, 2007

An update to Rights Management Services (RMS) in Windows Server 2008 will simplify sharing of protected files, e-mail, and other content between organizations. The Windows RMS feature uses encryption to prevent unauthorized users from accessing content and to enforce access policies on content, even if the content is moved to unsecured file or e-mail systems. RMS helps organizations secure sensitive data, comply with privacy and disclosure regulations, and could prove a useful adjunct to Microsoft's SharePoint Server document management product. However, RMS still requires a complex infrastructure and secure business processes.

Aid to Compliance, Nondisclosure

RMS, now formally known as Active Directory (AD) Rights Management Services, is a Windows service that encrypts e-mails, files, and other types of business content to prevent access by unauthorized users. Unlike protection mechanisms such as access control lists (ACLs), which typically control who can read and change files stored in a file system, RMS protection travels with content and thus can work even if the content is moved to a computer outside an organization's control. RMS also enables users to place restrictions on protected content (e.g., "do not print or forward") that can be enforced by applications accessing the content. These restrictions can be defeated (by taking screen shots while content is being viewed in a Terminal Services window, for example), but they can help prevent casual or inadvertent disclosure of protected content.
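As an added illustration (not part of the original report and not Microsoft's implementation), the following Python model shows why the protection described above travels with the content rather than with the file system: the file carries its own policy and a content key that only the licensing server can unwrap, and the server binds the policy to that key with a MAC so a copy whose policy has been edited is refused. The stream cipher is a stdlib stand-in for AES, the server class and user names are hypothetical, and the rights returned with the key are only advisory to the viewing application, as the text notes.

```python
import hashlib, hmac, json, os

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher so the model runs on the stdlib alone.
    Stands in for AES; one call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class LicensingServer:
    """Hypothetical stand-in for the RMS server: the only holder of the server key."""
    def __init__(self):
        self._server_key = os.urandom(32)

    def _mac(self, wrapped_key: bytes, policy: dict) -> bytes:
        # Bind the policy to the wrapped key so neither can be edited while the file travels.
        msg = wrapped_key + json.dumps(policy, sort_keys=True).encode()
        return hmac.new(self._server_key, msg, "sha256").digest()

    def publish(self, content_key: bytes, policy: dict) -> dict:
        wrapped = _keystream_xor(self._server_key, content_key)
        return {"wrapped_key": wrapped, "policy": policy, "mac": self._mac(wrapped, policy)}

    def issue_use_license(self, envelope: dict, user: str):
        """Return the content key and the user's rights, or None if refused."""
        if not hmac.compare_digest(envelope["mac"], self._mac(envelope["wrapped_key"], envelope["policy"])):
            return None  # tampered policy: refuse before unwrapping anything
        rights = envelope["policy"].get(user)
        if not rights:
            return None  # not listed: the ciphertext stays unreadable wherever the file sits
        return {"content_key": _keystream_xor(self._server_key, envelope["wrapped_key"]), "rights": rights}

def protect(server: LicensingServer, plaintext: bytes, policy: dict) -> dict:
    """Encrypt content under a fresh key; the license (policy + wrapped key) travels with it."""
    content_key = os.urandom(32)
    envelope = server.publish(content_key, policy)
    envelope["ciphertext"] = _keystream_xor(content_key, plaintext)
    return envelope

def open_protected(server: LicensingServer, envelope: dict, user: str):
    """What a viewing application does: fetch a use license, then decrypt.
    The returned rights (e.g. no print/forward) are enforced only by that application."""
    lic = server.issue_use_license(envelope, user)
    if lic is None:
        return None
    return _keystream_xor(lic["content_key"], envelope["ciphertext"]), lic["rights"]
```

Copying the envelope to another machine changes nothing: without a use license from the issuing server the content remains ciphertext, which is the property an ACL on the original file share cannot give.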

(For a high-level explanation of how RMS protects content, see the illustration "Protecting Content with RMS".)

RMS was introduced with Windows Server 2003 and has approximately 2,000 customers, Microsoft says. Typical customers are government agencies (including one U.S. federal agency with 500,000 licensed users) and enterprises trying to comply with industry-specific regulations, such as the U.S. Health Insurance Portability and Accountability Act. Organizations have also adopted RMS to protect intellectual property (e.g., clinical trial data in pharmaceutical firms) and to protect sensitive data that must be kept archived and searchable (rather than being destroyed) to comply with regulations such as Sarbanes-Oxley. To date, most customers use RMS with Office documents and e-mails, but extensions from Microsoft partner Liquid Machines provide RMS for other applications, such as BlackBerry document viewers and Adobe's Acrobat Reader. A few ISVs have adopted RMS for their products, notably Dassault Systèmes, which sells software for product life-cycle management.

Microsoft hopes that RMS deployments will rise with the arrival of SharePoint Server 2007, the latest version of Microsoft's portal, search, and document management product. SharePoint Server sites can automatically apply RMS protection to downloaded copies of Office documents, ensuring that security restrictions will be enforced even after a document has left SharePoint Server. This in turn helps enforce an organization's policies—individual users do not have to decide what protection to apply to a document when distributing it outside of the SharePoint site. (This feature is not supported by the free Windows SharePoint Services 3.0, but developers can create custom "protector" components for Windows SharePoint Services and SharePoint Server that provide similar automatic RMS protection.)

Windows Server 2008 Improvements

RMS will receive several improvements in Windows Server 2008, which is slated to ship in early 2008, including simpler sharing of protected documents between organizations and easier management and administration.

Simpler Cross-Organization Sharing

In Windows Server 2008, an organization using RMS can share protected content with other organizations that don't have RMS servers. This feature could simplify sharing of documents with outside business partners such as legal firms, public relations firms, contract manufacturers, and business process outsourcing firms.

Specifically, an organization running RMS on Windows Server 2008 can share protected content with partners through AD Federation Services, a feature introduced in Windows Server 2003 R2. The organization running RMS sets up a cross-organization trust relationship with the partner in AD Federation Services. This then enables the partner's users to authenticate themselves to the organization's RMS servers and to obtain the RMS certificates needed to open RMS-protected documents for which they are authorized.

RMS already supports cross-organization sharing without AD Federation Services; however, the alternative sharing methods present security problems, management problems, or both. Specifically, an RMS organization without AD Federation Services would have to do one of the following to share protected content with business partners:

  • Get partners to deploy RMS and set up RMS-specific trust relationships with those partners, which is not feasible in many cases
  • Host RMS servers for partners outside the firewall, which imposes an administrative burden and potentially exposes partner RMS accounts to the Internet
  • Host AD accounts for all users at partner organizations that need to access protected content; this requires synchronization of AD accounts between the host organization and its partners, a difficult task
  • Allow partner users to authenticate themselves via Microsoft's public Windows Live ID service (formerly called Passport), which poses security risks because Windows Live ID does not check the identities of account holders (it requires only a valid e-mail address).

Using AD Federation Services for RMS still places some burdens on the organization hosting RMS and on its partners. Among other things, the organization hosting RMS must be running Windows Server 2008 and must license RMS servers for external access at a cost of roughly US$18,000 per server (less in higher volumes). The business partners must run Windows Server 2003 R2 or later, enable AD Federation Services, and install the RMS client for their users. Nevertheless, the AD Federation Services solution for RMS is simpler than any of the other alternatives.

Simplified Installation, Management

Windows Server 2008 also delivers improvements to RMS installation and management, including the following:

Integrated installation. In Windows Server 2008, organizations can install RMS server components using the standard role-based installation mechanism; in effect, "RMS server" is a Windows Server role like "file server," "Web server," or "domain controller." This simplifies setup compared to the separate installation that was required in earlier versions.

Delegation. In Windows Server 2008, administrators can delegate some RMS management tasks to specific Windows user groups. For example, an organization could delegate review of RMS logs (which show usage of protected documents) to a compliance department. This could improve security and simplify management of the RMS system.

Scripting API. Windows Server 2008's RMS includes a scripting API, enabling automation of administrative operations such as provisioning of new RMS servers and generating reports to aid debugging and compliance review. Note that the API supports the Windows Scripting Host (WSH) technology, not the new PowerShell scripting environment introduced in Windows Server 2008, so RMS administrators cannot take advantage of Microsoft's newest scripting tools.

Improved console. In Windows Server 2008, RMS can be administered through a Microsoft Management Console snap-in rather than its own Web console, improving the user interface for administrative operations.

Future Directions, Considerations, Resources

Starting with Windows Vista, Microsoft is shipping RMS preinstalled in the Windows OS (client or server) rather than shipping it separately, as it has in the past. Shipping with the OS will simplify installation and could make the technology more accessible, but it also means that RMS will ship less frequently and may get only minor changes between OS releases. The next major RMS release after Windows Server 2008 is likely to be a client update with "Windows 7" (not officially named) in 2010 or later.

Consequently, customers should not expect radical changes to the RMS technology. For example, Microsoft has no plans to unite the public key infrastructure (PKI) used by RMS with the Windows PKI; organizations that use Windows PKI (for smart card login, for example) and RMS will have to continue to issue and revoke credentials for those systems separately.

Microsoft also has no plans to change pricing or requirements to promote RMS usage. The company continues to require a separate US$37 Client Access License for every user or device (or the US$18,000 External Connector for servers used by business partners). RMS users also require the higher-priced Professional Editions of Outlook, PowerPoint, and Word to protect or change protection of Office documents.

However, pricing isn't the only brake on RMS growth. The product still requires other, considerable investments. Apart from deploying and maintaining the RMS technology, for example, any organization using RMS must define and maintain its document distribution policies and ensure that they are reflected in the RMS system. The organization also requires key escrow procedures so that protected documents can be opened after document owners leave the organization and after RMS servers are decommissioned, a tricky task that can lead to loss of data or leaks if done poorly. Finally, for all the investment that RMS demands, it cannot stop deliberate leaks by users who are trusted to open a document—it can only slow them down. Consequently, RMS will appeal mainly to very tightly regulated organizations willing to pay the technology's considerable cost to prevent accidental leaks.

A more detailed description of RMS appeared in the Oct. 2005 Research Report, "Microsoft's Rights Management Strategy."

AD Federation Services is outlined in the Mar. 2006 Research Report, "Evaluating Windows Server 2003 R2."

Other AD improvements in Windows Server 2008 are summarized in "AD Changes in Windows Server 2008" on page 3 of the Oct. 2007 Update.

The Microsoft RMS site is www.microsoft.com/windowsserver2003/technologies/rightsmgmt.