Overview of Active Directory Rights Management Services with Windows Server 2008 R2 Student Manual Module 3: Active Directory Rights Management Clients and Information Rights Management on Desktop Applications
Information in this document, including URL and other Internet website references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2010 Microsoft Corporation. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Overview of Active Directory Rights Management Services with Windows Server 2008 R2
Module 3: Active Directory Rights Management Client and Information Rights Management on Desktop Applications ... 1
Module Overview ... 1
Lesson 1: OS Versions and AD RMS Clients ... 2
What's on the User's PC? ... 3
AD RMS Client Versions ... 4
Additional Prerequisites ... 5
Lesson 2: Microsoft Office IRM ... 6
Microsoft Office Suites and AD RMS Integration ... 7
Office 2007 IRM Functionality ... 10
Office 2007 IRM Functionality (Cont.) ... 11
AD RMS in Outlook 2007 ... 12
Lab 3A: Protecting and Consuming AD RMS Protected Documents ... 13
Lab 3B: Creating and Consuming AD RMS Content Using Microsoft Outlook 2007 ... 14
Lesson 3: XPS IRM ... 15
XPS Overview ... 16
Print to XPS ... 18
Save As XPS ... 19
XPS Viewer ... 20
Microsoft XPS Essentials Pack ... 21
XPS Viewers ... 22
Lab 3C: Protecting and Consuming Content Using XPS ... 23
Lesson 4: Rights Management Add-on for Internet Explorer and Rights-managed HTML ... 24
Rights Management Add-on Overview ... 25
Rights-managed HTML Overview ... 27
Lesson 5: Office Viewers and AD RMS ... 28
AD RMS Support in Office Viewers ... 29
Module Review ... 30
Module 3: Active Directory Rights Management Clients and Information Rights Management on Desktop Applications
Module Overview
This module begins by describing the AD RMS client software, its requirements, and how to deploy it. Next, the module identifies the rights-management components on client machines and the bootstrapping process that the AD RMS client performs for each user. The module then discusses how IRM is provided in Microsoft Office products, the XPS format, Windows Mobile 6.0, and read-only access in Windows Internet Explorer. The module ends with a discussion of registry keys related to AD RMS.
Module Objectives
After completing this module, you will be able to:
- Describe the AD RMS client software and its requirements.
- Deploy the Windows RMS client software on legacy clients.
- Identify the AD RMS components that are installed on client machines.
- Explain the AD RMS client bootstrapping process.
- Explain how IRM works in Microsoft Office products.
- Describe how the XPS format uses IRM, and how XPS can be used in conjunction with Microsoft Office applications.
- Explain how the Rights Management add-on for Internet Explorer enables users to view restricted files.
- Describe how to set registry keys that are related to AD RMS.
- Explain how the Bulk Protection Tool and File Classification Infrastructure (FCI) work together with AD RMS.
Lesson 1: OS Versions and AD RMS Clients
What's on the User's PC?
Before AD RMS can be used, the Active Directory Rights Management Services client must be present on the computer; it is the component that lets any AD RMS-enabled application understand rights management and work with the server. After a user's PC has contacted the AD RMS server for the first time (the bootstrapping process), it holds the following rights-management components:
- AD RMS-enabled applications, which protect and consume documents (the user interface).
- A machine lockbox, which is software that protects the process space by limiting access to the required and optional modules identified in the application manifest.
- A machine certificate, which identifies a computer or device that is trusted by the AD RMS system.
- A rights account certificate (RAC), which identifies a user in the context of a specific computer or device.
- A client licensor certificate (CLC), which grants a user the right to publish AD RMS-protected content without being connected to the corporate network.
All these certificates and licenses are stored under the user profile in the DRM folder (%LOCALAPPDATA%\Microsoft\DRM on Windows Vista and Windows 7). The RAC is bound to the machine certificate of the computer on which it was issued, so copying these files to another computer does not transfer the user's ability to consume protected content; the user is simply bootstrapped again there.
AD RMS Client Versions
The AD RMS server must be installed and provisioned before users can take advantage of AD RMS. Without an AD RMS server, a user cannot obtain a rights account certificate, which is required for publishing or accessing any rights-protected information. As a result, enterprises typically install and provision an AD RMS server before they set up clients for AD RMS. If an enterprise does not have its own AD RMS server, users can take advantage of the Windows Live ID rights management service, which is essentially an AD RMS server that is publicly available on the Internet.
After you install the server, the next step is to deploy and configure the AD RMS client. Which rights management client you need depends on the operating system:
- On a legacy operating system (Windows 2000 SP4, Windows Server 2003 SP1, or Windows XP SP2 or later), the Microsoft Windows Rights Management Services client with Service Pack 2 must be installed separately.
- On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, the AD RMS client is integrated with the operating system.
The Windows Rights Management client software is a group of Windows application programming interfaces (APIs) that carry out the machine activation process and allow AD RMS-enabled applications to work with the AD RMS server to obtain licenses for publishing and consuming rights-protected information. For more technical information about RMS and the AD RMS client, see the Windows Server 2008 R2 website (http://www.microsoft.com/windowsserver2008/en/us/technologies.aspx).
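The following PowerShell script is an added example, not part of the course materials or of Microsoft's client software: it checks whether the RMS client library is present on a workstation and whether the current user has already been bootstrapped, which is the first thing to verify when a user reports that protected content will not open. It assumes that the client library is %SystemRoot%\System32\msdrm.dll, that the per-user certificate store is %LOCALAPPDATA%\Microsoft\DRM (Windows Vista and later) or %USERPROFILE%\Local Settings\Application Data\Microsoft\DRM (Windows XP and Windows Server 2003), and that the certificate files follow the CERT-Machine, GIC (RAC) and CLC naming prefixes; verify those assumptions against a bootstrapped client in your own environment.

```powershell
# Added example: inventory the AD RMS client on this workstation and report
# whether the current user has been bootstrapped.
# Assumptions (not taken from the course text): msdrm.dll is the client
# library, the DRM folder paths below, and the CERT-Machine/GIC/CLC prefixes.

$os    = Get-WmiObject Win32_OperatingSystem
$major = [int]($os.Version.Split('.')[0])

if ($major -ge 6) {
    Write-Host "OS $($os.Caption): the AD RMS client is built into the operating system."
} else {
    Write-Host "OS $($os.Caption): legacy OS, the RMS client with SP2 must be installed separately."
}

# The client library must be present regardless of how it got there.
$dll = Join-Path $env:SystemRoot 'System32\msdrm.dll'
if (Test-Path $dll) {
    $ver = (Get-Item $dll).VersionInfo.FileVersion
    Write-Host "RMS client library present: $dll (version $ver)"
} else {
    Write-Warning 'msdrm.dll not found; RMS-enabled applications cannot protect or consume content here.'
}

# Locate the per-user DRM store for this OS generation.
if ($major -ge 6) {
    $drm = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'
} else {
    $drm = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\DRM'
}

if (-not (Test-Path $drm)) {
    Write-Host "No DRM folder at $drm : this user has not been bootstrapped yet."
    return
}

# Classify the certificate files by their (assumed) name prefixes.
$files   = @(Get-ChildItem $drm -Filter *.drm -ErrorAction SilentlyContinue)
$summary = @{
    'Machine certificate'         = @($files | Where-Object { $_.Name -like 'CERT-Machine*' }).Count
    'Rights account certificate'  = @($files | Where-Object { $_.Name -like 'GIC*' }).Count
    'Client licensor certificate' = @($files | Where-Object { $_.Name -like 'CLC*' }).Count
    'Other licenses'              = @($files | Where-Object { $_.Name -notmatch '^(CERT-Machine|GIC|CLC)' }).Count
}
$summary.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Consuming needs a RAC; publishing while offline additionally needs a CLC.
if ($summary['Rights account certificate'] -eq 0) {
    Write-Warning 'No RAC found: opening any protected document will trigger bootstrapping against the AD RMS server.'
} elseif ($summary['Client licensor certificate'] -eq 0) {
    Write-Warning 'RAC present but no CLC: this user cannot publish protected content while offline.'
}
```

Run it in the context of the user being investigated; the DRM folder is per profile, so running it elevated as a different account reports that account's certificates, not the user's.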
Additional Prerequisites
Depending on your business needs, you may need to install additional applications and add-ons on the client computer to use AD RMS in your network.
Lesson 2: Microsoft Office IRM
Information Rights Management (IRM) is the term used by many Microsoft applications to describe how they take advantage of Rights Management capabilities. IRM enables content creators to control and protect their documents. The contents of rights-managed documents are encrypted and supplied with an issuance license that imposes restrictions on users. These restrictions vary depending on the level of the users' permissions. Typical restrictions include making a document read-only, disabling copying of text, not allowing users to save a copy of the document, or preventing users from printing the document. Client applications that read IRM-supported file types use the issuance license inside an IRM-managed document to enforce the restrictions on users who access the document. Because enforcement is performed by the consuming application rather than by the file itself, IRM protects against accidental disclosure and casual misuse by authorized recipients; it does not prevent an authorized user from, for example, photographing the screen.
Microsoft Office Suites and AD RMS Integration
Any version of the 2007 Microsoft Office system or Microsoft Office 2003 can read AD RMS-protected content, but only some editions can create it.
Office suites that can read and create protected content:
- Microsoft Office 2003 Professional
- Microsoft Office Enterprise 2003
- Microsoft Office Ultimate 2007
- Microsoft Office Professional Plus 2007
- Microsoft Pocket Office on Windows Mobile 6 (users can read and create protected email messages, but can only read protected documents)
Office suites that can only read protected content:
- Microsoft Office 2003 Standard
- Other Microsoft Office 2007 editions
- Microsoft Pocket Office on Windows Mobile 6 (Pocket Word, PowerPoint, and Excel)
The following link outlines which versions of Microsoft Office provide full IRM capabilities (create and consume protected content) and which versions provide read-only capabilities (users can consume but not create protected content). See the Microsoft TechNet article Support for IRM in Office (http://technet.microsoft.com/en-us/library/dd772650(ws.10).aspx).
Microsoft Office Suites and AD RMS Integration (Cont.)
The following applications natively support Office IRM:
- Microsoft Office Word 2003/2007
- Microsoft Office Excel 2003/2007
- Microsoft Office PowerPoint 2003/2007
- Microsoft Office Outlook 2003/2007
- Microsoft Office InfoPath 2007
- Microsoft Office SharePoint 2007 Standard
- Microsoft Office SharePoint 2007 Enterprise
Microsoft Office Suites and AD RMS Integration (Cont.)
This table provides details on the file extensions that support IRM. Please note that IRM support in InfoPath is only provided in Office 2007 or later.
Office 2007 IRM Functionality
The process for protecting and consuming documents with AD RMS is as follows:
1. To enable permissions, an author creates content in an Office 2007 application, uses the Permission command, and types the names of the individuals or groups who will have access to that content. The author can also specify whether those individuals can edit, print, or only view the document. Behind the scenes, the application obtains a publishing license for the file from the AD RMS server, or signs one itself with the author's client licensor certificate when working offline. The exact protection steps differ slightly between Office applications.
2. To distribute a document or file, the author attaches it to an email message, posts it to a shared folder, or distributes it on a disk. IRM protection is at the file level, so information workers do not have to change the way they share information in order to safeguard it.
3. To consume a document, recipients open the document or file as they traditionally would. Behind the scenes, the application communicates with the AD RMS server to determine whether the recipient has permission to access the file. AD RMS validates the user and issues an end-use license. The application decrypts and renders the file and enforces the rights in the license.
Office 2007 IRM Functionality (Cont.)
Microsoft Office 2007 and Microsoft Office 2003 documents can be protected on a per-user and/or per-group basis. Group-based permissions require Active Directory for group expansion, which the AD RMS server performs when the recipient requests a license; membership changes in the group therefore take effect without re-protecting the document. Each user or group can be given a set of permissions (read, change, or full control) according to the rights specified by the document owner. Depending on the recipient's rights, IRM disables certain commands to enforce the rights that were assigned. Owners can also prevent printing and set document expiration dates. After expiration, the document still exists, but cannot be opened by anyone other than the document owner. If a protected document is forwarded to an unauthorized recipient, that recipient will not be able to view the content of the document. If the recipient attempts to open the document, a message appears stating that the document is rights-protected. The document owner has the option of including his or her email address in the document so that unauthorized recipients can request permission to access it.
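The per-user and per-group protection described above can be scripted through Word's COM object model, which drives the same Permission machinery as the dialog. The script below is an added example written for this page, not code from the course or from Microsoft; it assumes Word 2007 (or Word 2003 Professional) with a bootstrapped AD RMS client, and the document path and recipient addresses are placeholders to replace. The MsoPermission constants are those of the Office object model.

```powershell
# Added example: apply IRM permissions to an existing Word document through
# the Word object model (Document.Permission). Paths and addresses are
# assumed placeholders.

$path         = 'C:\Reports\Q3-Forecast.docx'     # assumed path
$author       = 'author@contoso.com'              # assumed address
$readers      = @('alice@contoso.com')            # assumed addresses
$editorsGroup = 'finance-team@contoso.com'        # assumed mail-enabled AD group

# MsoPermission values from the Office object model.
$msoPermissionRead        = 1     # view only
$msoPermissionChange      = 15    # view, edit, copy, save
$msoPermissionFullControl = 64

$word = New-Object -ComObject Word.Application
$word.Visible = $false
try {
    $doc  = $word.Documents.Open($path)
    $perm = $doc.Permission

    # Start from a clean grant list so stale entries are not carried forward.
    if ($perm.Enabled) { $perm.RemoveAll() }
    $perm.Enabled        = $true
    $perm.DocumentAuthor = $author
    # Shown to unauthorized recipients as the address to request access from.
    $perm.RequestPermissionURL = "mailto:$author"

    foreach ($r in $readers) {
        # Read-only access that expires in 30 days; after that only the
        # owner can open the file.
        [void]$perm.Add($r, $msoPermissionRead, (Get-Date).AddDays(30))
    }
    # Group grants are expanded by the AD RMS server at licensing time.
    [void]$perm.Add($editorsGroup, $msoPermissionChange)
    [void]$perm.Add($author, $msoPermissionFullControl)

    $doc.Save()

    # List the resulting grants so the change can be verified.
    foreach ($u in $perm) {
        '{0,-32} permission={1,-3} expires={2}' -f $u.UserId, $u.Permission, $u.ExpirationDate
    }
    $doc.Close()
}
finally {
    $word.Quit()
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($word)
}
```

Always grant the author full control explicitly: once Enabled is set, anyone not in the grant list, including the account running the script, is locked out of the file.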
AD RMS in Outlook 2007
AD RMS can be used in Office Outlook 2007 to prevent the forwarding, copying, editing, or printing of email messages. Protected messages are automatically encrypted during transit and while they are stored. When the sender assigns rights to a message, Office Outlook 2007 disables the restricted commands on the recipient's side. Office 2007 documents that are attached to protected messages are automatically protected as well; attachments of other file types are encrypted along with the message but can be saved by the recipient without IRM restrictions.
Lab 3A: Protecting and Consuming AD RMS Protected Documents
Lab 3B: Creating and Consuming AD RMS Content Using Microsoft Office Outlook 2007
Lesson 3: XPS IRM
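The Do Not Forward protection described above can also be applied from the Outlook object model. The script below is an added example written for this page, not code from the course or from Microsoft; it assumes Outlook 2007 with a configured profile and a bootstrapped AD RMS client, and it saves the protected item to Drafts rather than sending it so that the result can be inspected. The addresses and attachment path are placeholders, and the OlPermission constants are those of the Outlook object model.

```powershell
# Added example: create an IRM-protected mail item in Outlook 2007 via COM
# and save it to Drafts. Addresses and paths are assumed placeholders.

# OlPermission values from the Outlook object model.
$olUnrestricted       = 0
$olDoNotForward       = 1
$olPermissionTemplate = 2

$outlook = New-Object -ComObject Outlook.Application
$mail    = $outlook.CreateItem(0)          # 0 = olMailItem
$mail.To      = 'bob@contoso.com'          # assumed address
$mail.Subject = 'Q3 forecast (internal)'
$mail.Body    = 'Numbers attached. Do not forward outside Finance.'

# Attach before protecting. The Office attachment will carry IRM protection
# with the message; a non-Office file would only be encrypted in transit and
# at rest and could be saved unprotected by the recipient.
[void]$mail.Attachments.Add('C:\Reports\Q3-Forecast.docx')   # assumed path

# Do Not Forward: recipients can read, but not forward, copy, or print.
$mail.Permission = $olDoNotForward

$mail.Save()                               # lands in Drafts; use $mail.Send() to deliver

# Report what Outlook recorded on the item.
New-Object PSObject -Property @{
    Subject     = $mail.Subject
    Permission  = $mail.Permission         # 1 = olDoNotForward
    Attachments = $mail.Attachments.Count
}

[void][Runtime.InteropServices.Marshal]::ReleaseComObject($mail)
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
```

Setting Permission to olPermissionTemplate (2) instead applies a rights policy template, but the template itself is selected through the PermissionTemplateGuid property and must already be distributed to the client by the AD RMS server.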
XPS Overview
An XPS document is a Microsoft document format that you can use to archive content in a standardized format or publish content in an easily viewable form. You can also use this format to ensure that no one is able to edit your original work. The XML Paper Specification (XPS) format provides users and developers with a robust, open, and trustworthy format for electronic paper. XML Paper Specification describes electronic paper in a way that can be read by hardware, software, and people. XPS documents render consistently across printers and viewers, can be shared easily, can carry rights management and digital signatures, and can be archived with confidence. The XML Paper Specification itself is platform independent, openly published, and available royalty-free. Furthermore, Microsoft has integrated XPS-based technologies into the Windows Vista and Windows 7 operating systems and into the 2007 Microsoft Office system.
With built-in AD RMS support, you can set specific access permissions on any XPS document, allowing you to protect sensitive information even after the document is published and shared. You can use the XPS rights management capabilities to designate who can read your document, copy text from it, or print it. With XPS rights management, you can even set an expiration date after which access to the document is no longer enabled.
XPS Overview (Cont.)
Rights Management Services allows you to manage access permissions for both Microsoft Office file formats and XPS documents. This common platform for rights management across Microsoft products enables seamless integration when you are using XPS with other Microsoft applications and services. For example, attaching an XPS document to an email message with restricted permissions will automatically apply those restrictions to the attached XPS file. Similarly, saving an XPS document to a Microsoft Office SharePoint document library that has restricted permissions will also automatically apply those restrictions to that XPS document. This platform integration of Rights Management Services with XPS and other Microsoft products is more cost effective than having to purchase separate rights management offerings to protect each document and publishing format within an organization.
You can create an XPS document by printing to the Microsoft XPS Document Writer from any application or by using Save As in applications that support it, and you can open the result in the XPS Viewer. An existing XPS document can then be protected using the XPS Viewer.
Print to XPS
Whether you are working with documents in Office Word or with photos in Microsoft Paint, or viewing a web order form in Internet Explorer, if the application can print, the Microsoft XPS Document Writer will be available in the application's Print dialog box. You can use XPS as a printer to create a document from any software. The XPS print driver is a print-to-file converter that is available for creating XPS documents from any Windows-based application. The resulting XPS documents can then be protected.
After you have created your XPS document, you can use Windows 7 to add tags (custom keywords) to your document to make it easier to find. Windows 7 also has all the necessary components to index XPS documents, so you can instantly find your XPS documents by file name, author, or even by text contained in the document itself. Note that indexing requires access to the document text, so content that is protected before it is indexed will not be searchable by its contents.
Save As XPS
Please note that when you create an XPS document from an existing Microsoft Office document that is already protected with AD RMS, the protection can be carried over to the XPS document.
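Carrying the protection of an Office document across to its XPS export is controlled by the KeepIRM parameter of Word's ExportAsFixedFormat method. The function below is an added example written for this page, not code from the course or from Microsoft; it assumes Word 2007 with the Save as PDF or XPS add-in and a bootstrapped AD RMS client, and the paths are placeholders. The container check at the end is a heuristic assumption: an unprotected XPS file is a plain ZIP package (bytes "PK"), whereas a protected one is wrapped in a different container, so a "PK" signature on the output means the protection was dropped.

```powershell
# Added example: export a protected Word document to XPS, keeping IRM, and
# verify afterwards that the output is not a plain ZIP package.
# Paths are assumed placeholders; the signature check is an assumption.

function Export-ProtectedXps {
    param(
        [string]$Source,          # protected .docx
        [string]$Target,          # .xps to write
        [bool]$KeepIrm = $true    # carry IRM permissions into the XPS
    )
    $wdExportFormatXPS = 1        # WdExportFormat (PDF would be 17)

    $word = New-Object -ComObject Word.Application
    $word.Visible = $false
    try {
        $doc = $word.Documents.Open($Source)
        if (-not $doc.Permission.Enabled) {
            Write-Warning "$Source is not IRM-protected; the XPS output will not be protected either."
        }
        # ExportAsFixedFormat(OutputFileName, ExportFormat, OpenAfterExport,
        #   OptimizeFor, Range, From, To, Item, IncludeDocProps, KeepIRM)
        $doc.ExportAsFixedFormat($Target, $wdExportFormatXPS, $false, 0, 0, 1, 1, 0, $true, $KeepIrm)
        $doc.Close()
    }
    finally {
        $word.Quit()
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }

    # Heuristic (assumed): an unprotected XPS is a ZIP package and starts with "PK".
    $fs = [System.IO.File]::OpenRead($Target)
    try {
        $sig = New-Object byte[] 2
        [void]$fs.Read($sig, 0, 2)
    } finally { $fs.Close() }
    $plainZip = ($sig[0] -eq 0x50 -and $sig[1] -eq 0x4B)

    New-Object PSObject -Property @{
        Target    = $Target
        KeepIrm   = $KeepIrm
        Protected = -not $plainZip
    }
}

# Usage: the first export keeps the permissions, the second deliberately drops them.
Export-ProtectedXps -Source 'C:\Reports\Q3-Forecast.docx' -Target 'C:\Reports\Q3-Forecast.xps'
Export-ProtectedXps -Source 'C:\Reports\Q3-Forecast.docx' -Target 'C:\Reports\Q3-Forecast-open.xps' -KeepIrm $false
```

KeepIRM only applies to XPS output; exporting the same document to PDF produces an unprotected file regardless of the parameter, which is worth remembering when users ask why the PDF copy "lost" its permissions.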
XPS Viewer
It is easy to view and generate XPS documents with XPS Viewer. XPS Viewer is a Windows Presentation Foundation (WPF) utility hosted in Internet Explorer (version 6.0 or later). XPS Viewer enables you to view, protect, and print XPS documents. This viewer supports rights management and digital signatures, and it is accompanied by the XPS Document Writer for XPS creation. XPS Viewer is installed by default on Windows 7 and Windows Vista; on Windows XP and Windows Server 2003 it becomes available when you install the Microsoft .NET Framework 3.0. A standalone viewer (unmanaged code) is also available, but it does not allow an XPS document to be protected. It does, however, allow you to view a protected document.
Microsoft XPS Essentials Pack
The Microsoft XPS Essentials Pack includes the following:
- A stand-alone viewer application that allows users to open rights-managed documents, but only with view-only rights.
- XPS Viewer to read XPS documents.
- XPS Document Writer to generate files in the XPS document format.
- Tools that enable users to access the IPreview and IFilter capabilities that are found in many Windows applications.
- Windows shell handlers, which enable thumbnail views and file properties for XPS documents.
XPS Viewers
Depending on the operating system, you may need to install the XPS Viewer.
Lab 3C: Protecting and Consuming Content Using XPS
Lesson 4: Rights Management Add-on for Internet Explorer and Rights-managed HTML
Rights Management Add-on Overview
The Rights Management add-on (RMA) for Internet Explorer enables Windows users to view files with restricted permissions in a web browser. These restricted permissions (or rights) define what the recipient can do with the information. The permissions are specified by the author and enforced by the software that is used to view the information. When you install RMA, Internet Explorer enforces the rights that have been assigned to any rights-managed HTML (RMH) file.
Rights Management Add-on Overview (Cont.)
The Rights Management add-on for Internet Explorer makes it possible for users who do not have Microsoft Office to consume AD RMS-protected documents in a web browser. It is a read-only tool: it cannot create or modify protected content. Because the content is exported to HTML before it is protected, RMH files are typically larger than the original documents.
Rights-managed HTML Overview
Rights-managed HTML (RMH) is a file format that provides information protection for any information that a Windows application can export to HTML. The recipient can then view the rights-protected information by installing Internet Explorer with the RMA and the Windows Rights Management client software. These components are available as a free download. With the RMH Software Development Kit (SDK), developers can rights-protect any document as long as it can be converted to HTML. If an organization has a custom application that generates and distributes reports as HTML, it can use the RMH SDK to extend the custom application and add protection to those reports.
Lesson 5: Office Viewers and AD RMS
In addition to the RMA viewer, there are other Office viewers that can be used to access IRM-protected content without installing the full Office application.
AD RMS Support in Office Viewers
This table provides details on the capabilities of the different viewers available to read protected documents. Please note that Word Viewer and Excel Viewer can be used for both Office 2003 and Office 2007 files, but the only way to read protected PowerPoint files without PowerPoint is through the RMA client, and only for Office 2003 files.
Module Review