Rights Management Services

Windows Rights Management Services (also called Rights Management Services, Active Directory Rights Management Services or RMS) is a form of Information Rights Management used on Microsoft Windows that uses encryption and a form of selective functionality denial for limiting access to documents such as corporate e-mail, Word documents, and web pages, and the operations authorized users can perform on them. Companies can use this technology to encrypt information stored in such document formats, and through policies embedded in the documents, prevent the protected content from being decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time. Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed by content authors for individual pieces of content, and RMS administrators can deploy RMS templates that group these rights together into predefined rights that can be applied en masse.

The Rights Management Server debuted in Windows Server 2003, with client API libraries made available for Windows XP and Windows 2000 as well. Windows Vista, Windows 7 and Windows Server 2008 also support Rights Management Services. In Windows Server 2008, Windows Rights Management Services has been renamed to Active Directory Rights Management Services, reflecting a higher level of integration with Active Directory. The Rights Management Client is included in Windows Vista and later versions and downloadable for Windows XP, Windows 2000 or Windows Server 2003 ^[1].

Contents 1 Overview 2 RMS-enabled Microsoft applications 3 See also 4 References 5 External links

Overview

Rights Management Services is used for restricting access to rights-protected content to authorized users only. It uses a client–server architecture, using Windows Server 2003 or Windows Server 2008 to host the Active Directory Rights Management Server that issues RMS licenses. The RMS client is required for creating rights-protected content as well as accessing it. Applications that either create or provide access to protected content must be RMS-aware and have to implement the RMS client APIs explicitly. However, add-ons can be used to make an application RMS-enabled even if it does not natively implement RMS functionality.

RMS-protected documents can be created by RMS-enabled applications. RMS-protected content is encrypted and contains an embedded Usage Policy, which defines the restrictions each user or group has when using the content. The RMS system works by only assigning rights to trusted entities, which are either single users or groups of users. Rights are assigned on a per-entity basis. RMS defines and recognizes several rights by default - such as permission to read, copy, print, save, forward, and edit - and can be extended to recognize additional rights (which each application would have to explicitly implement). In Windows Server 2008, RMS rights can also be assigned to users who have federated trust via Active Directory Federation Services. Thus, a user's rights are treated by the system as if they were merely privileges.

When restricting rights to a document, a trusted entity encrypts a random AES key with an RSA public key that can be validated with the public key certificate in the XrML identity license that is issued to an RMS server. The AES key is used to encrypt the document. When accessing a protected document using an RMS-enabled application, the RMS client runtime authenticates the recipient to the Rights Management server, using the recipient's XrML identity license. The Rights Management server then issues a use license that can be used by the client application together with the RMS client to decrypt the document, which then enforces the document restrictions for that user.

One feature of the RMS system is that documents in certain formats can optionally include an HTML rendering of the document so that the document can be viewed when the intended application is not available. This is enabled using a compound document format. Both versions of the document are subject to the same usage policies, and an RMS-enabled HTML viewer is required to view this alternative form of the document content. For example, Microsoft Office 2003 Professional or greater is able to optionally include an HTML version of the document content. The Rights Management Add-on for Internet Explorer allows users who do not have Microsoft Office 2003 or later installed to view these RM-protected files.

RMS-enabled Microsoft applications

RMS is supported (implemented) by the following Microsoft products:

• Microsoft Office System 2003 - Word, Excel, PowerPoint, Outlook
• Microsoft Office 2007 - Word, Excel, PowerPoint, Outlook, InfoPath
• Microsoft Office 2010 - Word, Excel, PowerPoint, Outlook, InfoPath
• Microsoft Office for Mac 2011 - Word, Excel, PowerPoint, Outlook
• Microsoft Office SharePoint Server 2003 (through the use of third party solutions such as those from GigaTrust^[2] and Liquid Machines)
• Microsoft Visio 2007 and Project 2007 (through the use of third party solutions such as those from GigaTrust^[3] and Liquid Machines)
• Adobe Acrobat Reader (through the use of third party solutions such as those from GigaTrust^[4], FoxIt Software and Liquid Machines)
• Microsoft Office SharePoint Server 2007
• Microsoft Office SharePoint Server 2010
• Exchange Server 2007
• Exchange Server 2010
• XPS (XML Paper Specification) v1.0
• Internet Explorer (through use of the RM Add-on for IE)
• IIS 6.0 (through the use of GigaTrust WebServer Add-on)

See also

• Windows Server System

References

External links

• Windows Rights Management Services
• RMS Client downloads
• RMS SDK for RMS-enabling applications
• Secure Islands Comprehensive solution leveraging AD RMS
• Troubleshooting Windows Rights Management Services (RMS) - One Root Certification Server Warning

Microsoft Windows components   Core Active Scripting (WSH · VBScript · JScript) · Aero · AutoPlay · AutoRun · ClearType · COM (ActiveX · ActiveX Document · COM Structured storage · DCOM · OLE · OLE Automation · Transaction Server) · Desktop Window Manager · DirectX · Explorer · Graphics Device Interface · Imaging Format · .NET Framework · Search (IFilter · Saved search) · Server Message Block · Shell (Extensions · Namespace · Special Folders) · Start menu · Previous Versions · Taskbar · Windows USER · Win32 console · XML Paper Specification   Management tools Backup and Restore Center · CHKDSK · cmd.exe · Control Panel (Applets) · Device Manager · Disk Cleanup · Disk Defragmenter · Driver Verifier · Event Viewer · IEAK · IExpress · Management Console · Netsh · Problem Reports and Solutions · Resource Monitor · ‎Sysprep · System Policy Editor · System Configuration · ScanDisk · System File Checker · System Restore · Task Manager · WMI · Windows Installer · Windows PowerShell · Windows Update · WAIK · WinSAT · Windows Easy Transfer   Applications Calculator · Character Map · Contacts · DVD Maker · Fax and Scan · Internet Explorer · Journal · Magnifier · Media Center · Media Player · Mobile Device Center · Mobility Center · Narrator · Notepad · Paint · Windows Photo Viewer · Private Character Editor · Remote Assistance · Windows Desktop Gadgets · Snipping Tool · Sound Recorder · Store · Speech Recognition · Tablet PC Input Panel · WordPad · Portable Workspace Creator   Games 3D Pinball for Windows - Space Cadet · Chess Titans · FreeCell · Hearts · Hover! · Hold 'Em – Inkball · Mahjong Titans · Minesweeper · Purble Place · Reversi · Solitaire · Spider Solitaire · Microsoft Tinker   Kernel Ntoskrnl.exe · hal.dll · System Idle Process · Registry · DLL · EXE · NTLDR / Boot Manager · Winlogon · Recovery Console · I/O · WinRE · WinPE · Kernel Patch Protection   Services SCM · BITS · Task Scheduler · Wireless Zero Configuration · Shadow Copy · Error Reporting · Multimedia Class Scheduler · CLFS   File systems NTFS (Hard link · Junction point · Mount Point · Reparse point · Symbolic link · TxF · EFS) · WinFS · FAT (FAT12 · FAT16 · FAT32) · exFAT · CDFS · UDF · DFS · IFS   Server Domains · Active Directory · DNS · Group Policy · Roaming user profiles · Folder redirection · Distributed Transaction Coordinator · MSMQ · Windows Media Services · Rights Management Services · IIS · Terminal Services · WSUS · Windows SharePoint Services · Network Access Protection · PWS · DFS Replication · Remote Differential Compression · Print Services for UNIX · Remote Installation Services · Windows Deployment Services · System Resource Manager · Hyper-V   Architecture NT series architecture · Object Manager · Startup process (Vista/7) · I/O request packet · Kernel Transaction Manager · Logical Disk Manager · Security Accounts Manager · Windows File Protection / Windows Resource Protection · Windows library files · LSASS · CSRSS · SMSS · MinWin   Security Action Center · BitLocker · Defender · Data Execution Prevention · Mandatory Integrity Control · Protected Media Path · User Account Control · User Interface Privilege Isolation · Windows Firewall   Compatibility command.com · Interix · Unix subsystem (Microsoft POSIX) · Virtual DOS machine · Windows on Windows · Windows XP Mode · WoW64