Windows Server Protects Content

Active Directory Rights Management Services (RMS) uses encryption to enforce access policies on content, even if the content is moved to unsecured file or e-mail systems, so that organizations can secure sensitive data and to comply with privacy and disclosure regulations. An updated RMS feature in Windows Server 2012 will use PowerShell scripting to simplify deployment, and a recently released SDK could enable ISVs to more easily extend RMS to protect additional content types or document formats. However, RMS still requires a complex infrastructure and secure business policies and processes.

Aid to Compliance, Nondisclosure

RMS is a Windows service that encrypts e-mails, files, and other types of business content to prevent access by unauthorized users. Unlike other protection mechanisms such as access control lists (ACLs), which typically control who can read and change files stored in a file system, RMS protection travels with content to most devices, and thus can continue to control access to the content even if the content is moved to a computer that is outside an organization’s control. RMS also enables users to place restrictions on protected content (such as “user cannot print or forward”) that are enforced by RMS-compliant applications that are used to view the content. These restrictions can be defeated (for example, by taking screen shots while content is being viewed in a Remote Desktop client window, or using a camera or smartphone to take a picture of the screen), but they can help prevent casual or inadvertent disclosure of protected content.