Updated: July 13, 2020 (March 17, 2003)
Charts & Illustrations
How Windows Rights Management Works
Windows Rights Management (RM) uses encryption and a centralized “trust broker” to restrict how data items can be used.
Assume the author of a Word document (top left) wants to permit other users to open and read the document, but not modify it, copy text from it, or print it. A typical transaction would involve the following steps:
1. The RM-enabled Word user interface presents the author with a list of organization-defined policy templates with different rights levels. In this illustration the author selects a level called “Confidential,” which allows other users in the system to open and read the document, but not to modify it, copy text from it, or print it. Word then generates a one-time symmetric key, which it uses to encrypt the document.
2. Word creates a unique publishing license for this document which states that the policy template “Confidential” was selected. Then it seals the symmetric key inside the publishing license in such a way that only RMS can extract that key. (Public-private key pairs are used throughout the process to ensure that licenses cannot be forged or intercepted; a software-based lockbox on each PC contains the private key for that PC and performs the cryptographic functions necessary to use the system.) The publishing license is appended to the document so that all copies of the document will also have a copy of the publishing license.
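Steps 1 and 2 follow the envelope-encryption pattern, sketched below as an added example that is not Microsoft's code or the real license format. The page names no algorithms, so AES-256-GCM, RSA-OAEP, the use of the template name as the OAEP label, and the names Protected, NewKey, Publish and Unseal are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Protected struct {
	Nonce, Body, SealedKey []byte // GCM nonce, encrypted document, sealed one-time key
	Template               string // policy template named in the publishing license
}

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Publish models steps 1 and 2. The template is the OAEP label, tying the key to it.
func Publish(doc []byte, template string, rmsPub *rsa.PublicKey) (*Protected, error) {
	buf := make([]byte, 32+12) // one-time AES-256 key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[:32])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rmsPub, buf[:32], []byte(template))
	if err != nil {
		return nil, err
	}
	return &Protected{buf[32:], gcm.Seal(nil, buf[32:], doc, nil), sealed, template}, nil
}

// Unseal models the RMS side: only its private key recovers the one-time key.
func Unseal(p *Protected, rmsPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, rmsPriv, p.SealedKey, []byte(p.Template))
}

func main() {
	rms, _ := NewKey() // constructed stand-in for the RMS server's key pair
	p, _ := Publish([]byte("Q3 forecast"), "Confidential", &rms.PublicKey)
	key, err := Unseal(p, rms)
	fmt.Println(len(key), err)
}
```

Because the sealed key travels inside the Protected value, every copy of the document carries what RMS needs to recover the key, and nothing a holder without the RMS private key can use.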