Manage Learn to apply best practices and optimize your operations.

Information protection: Using Windows Rights Management Services to secure data

Keeping confidential information under wraps is paramount in any business, but finding the right mix of tools or techniques is a common challenge. In this tip, contributor Tony Bradley explains how Windows Rights Management Services (WRMS) can help enterprises implement document access restrictions and keep sensitive data locked down.

It's interesting to look back on how information security has matured. A few years ago, organizations merely placed...

a firewall on the network perimeter to keep unauthorized traffic out, and their security jobs were done.

Later, as viruses and worms became a daily threat, enterprises scrambled to deploy antivirus software and keep it updated. Then there were struggles to fight spam, spyware and phishing. Not to suggest that those threats no longer exist, but the protections against them have been somewhat commoditized, resulting in a virtual stalemate.

Today organizations focus less on technology and more on risk management issues like information protection. Organizations have plenty of confidential and sensitive data on their networks -- like trade secrets, intellectual property, business strategy, financial data and more -- and they need to ensure unauthorized users are not able to access or read this data. One way businesses can keep this information locked down with technology they likely already have is by using Microsoft's Windows Rights Management Services (WRMS).

Overview of WRMS
You may be familiar with the digital rights management (DRM) technologies employed by the music and movie industries to attempt to control how and where copyrighted media are used. WRMS provides similar data protection capabilities and restrictions for administrators or data owners. Using a client-server architecture, WRMS-based client software is used to protect data and define access rights, while the server is used for authentication. Content protected by WRMS is encrypted and a usage policy is embedded within the data that describes the access permissions.

This server-side functionality, which hosts the RMS licenses and manages authentication and authorization, is available for Windows Server 2003, and will be available in Windows Server 2008 (it is being renamed to Active Directory Rights Management Services, or AD RMS). Windows Vista also has built-in content protection functionality, but without the Active Directory authentication piece.

For more information

Digital rights management experts told last year's RSA attendees that enterprises aren't doing enough to crack down on critical data leakage.

Learn why many in the security industry have criticized Sony's digital rights management (DRM) technology.

Russell Jones explains how to protect your organization's trade secrets and intellectual property.
How to protect data with WRMS

Using WRMS, you can control not only who has access to a given file, but also what they can do with it once they access it. When access to a document is restricted, users can be given either Read or Change authority. With Read access, users can only view the file; they can not change, print or copy the content. With Change access, a user can view, edit and save changes to the file, but can not print the content.

WRMS allows customized document access with the following additional options:

  • Expiration: It's possible to assign a date for the access authorization to end.
  • Print: This permission allows a user to print the file.
  • Copy: This setting grants a user with Read access the ability to copy the data.
  • Access data programmatically: A user may need to access information, such as spreadsheet data, from an external program.
  • Require verification: With this setting, a connection to the rights management server is required in order to validate permission each time the data is accessed.

WRMS can also be used to restrict email recipients from forwarding, printing, or copying email messages. For both data files and email restrictions, there is an option to supply an email address for users to request additional permissions should they find they have a legitimate need for increased access.

A potential drawback is that in order to protect data or access data protected with WRMS, client-side applications must also be enabled for rights management. Microsoft has built WRMS functionality into the Office 2003 and Office 2007 suites, as well as Sharepoint 2007 and Exchange Server 2007. Internet Explorer can also be made compatible through the addition of a rights management add-on. Microsoft also supplies APIs (application program interfaces) that developers can use to build WRMS-compatible applications or add WRMS functionality to existing applications.

Microsoft has set up an Information Rights Management (IRM) server on an indefinite trial basis which users can leverage to authenticate and gain access to WRMS protected data. Using the IRM server requires a valid Windows Live ID.

Intellectual property and sensitive company information are invaluable data. Organizations need to ensure that confidential information is not compromised or leaked either by unwitting employees or through corporate espionage. The standard file and folder permissions in Windows are inadequate to truly protect the data. With WRMS, data owners and network administrators can control not only who can access their data, but also how long, and what they are able to do with it while they have access.

About the author
Tony Bradley is a security consultant with BT INS in Houston. He is also a prolific writer with a focus on network security, antivirus and incident response. He is recognized by Microsoft as an MVP in Windows security. Tony is author of Essential Computer Security, and has co-authored or contributed to a number of other books. He also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit his site,

Using standard Windows file and folder permissions, it's possible to restrict which users can open, view or modify files. To protect data beyond the authorized user, allow any control of what the authorized user does with the data, or allow an administrator or data owner to remove permission once the file is in the user's possession requires a tool like WRMS.
This was last published in January 2008

Dig Deeper on Privileged access management