Overview of Information Rights Management

Information Rights Management (IRM) technology in Microsoft® Office 2003 helps to give organizations greater control of their sensitive information. IRM is a persistent file-level technology from Microsoft that allows the user to specify permission for who can access and use documents or e-mail messages, and it helps to prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. If permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file.


IRM extends a Windows® platform technology called Windows Rights Management. Rights Management is a policy enforcement technology that is utilized by applications to help safeguard confidential and sensitive enterprise information — no matter where it goes. Responding to customer demand for improved content protection, Microsoft designed Rights Management as an extensible platform, capable of integration into third-party applications in addition to Office 2003 applications.

IRM is information protection technology, not network security technology, that allows documents to be shared and sent in e-mail messages while helping maintain control over who can view or edit the documents. If a document or e-mail message is protected with this technology, the access and usage restrictions are enforced no matter where the information goes, even if the file is sent outside the firewall. Because IRM protection goes with the file, usage restrictions are enforced persistently.

IRM support in Office 2003 helps organizations address two fundamental needs:

  • Restricted permission for sensitive information - Most corporations today rely on firewalls, logon security-related measures, and other network technologies in an effort to help protect their sensitive intellectual property. The fundamental limitation of these technologies is that, once legitimate users have access to the information, they can share it with unauthorized people, potentially breaching security policies. IRM helps prevent the sensitive information itself from unauthorized access and reuse.
  • Information privacy, control, and integrity - Information workers often deal with confidential or sensitive information, relying on the discretion of others to keep sensitive materials in-house. IRM eliminates any temptation to forward, copy, or print confidential information by helping to disable those functions in documents and messages with restricted permission.

For information technology (IT) managers, IRM helps enable the enforcement of existing corporate policies regarding document confidentiality, workflow, and e-mail retention. For CEOs and security officers, it significantly reduces the risk of having company information in the hands of the wrong people, whether by accident, thoughtlessness, or through malicious intent.

By using IRM technology, companies can create permission policies that appear in Office 2003 applications. For example, a company might define a policy called "Company Confidential," which specifies that documents or e-mail messages using that policy can be opened only by users inside the company domain. There is no limit to the number of policies that can be created.

User workflow

IRM protection is designed to be easy to use and transparent to users. To help protect Office 2003 documents, users follow the same logical workflow they already use with digital information. The process for using IRM consists of three basic steps:

  1. Creation - An author creates content in an Office 2003 application, clicks the Permission toolbar button, and enters the names of the individuals or groups who can have access, and whether they can edit, print, or only view the content. Behind the scenes, the application works with the RMS server to apply rights to the file.
  2. Distribution - The author distributes the file, either by attaching it to an e-mail message, posting it to a shared folder, or distributing it on a disk. Users do not have to change the manner in which they share information to safeguard their information because IRM protection is at the file level.
  3. Consumption - A recipient opens the document or file as usual. Behind the scenes, the application communicates with the RMS server to determine if the recipient has been given rights to access the file. RMS validates the user and issues a use license. The application renders the file and enforces the rights.

Rights Management Add-on for Microsoft Internet Explorer

Because permissions are granted at the application level, Office documents with restricted permission can be opened only by applications included in Office 2003 or the 2007 Microsoft Office system. However, the Rights Management Add-on for Internet Explorer allows users without Office 2003 to read content with restricted permission. The add-on plays an important role in communication with business partners, as companies choose to migrate to Office 2003 on their own time frames. With the add-on, companies that want to take advantage of IRM to create protected content can move to Office 2003 knowing that documents are still accessible to users without Office 2003. Note that the add-on can only open RM-protected documents that include an HTML representation of their contents.


There are two ways to enable IRM functionality in Office 2003:

  • Microsoft Windows Rights Management Services for Windows Server® 2003
  • Microsoft IRM service

When enabled by an organization that uses Windows Rights Management Services (RMS) for Windows Server 2003, users of Office 2003 can easily take advantage of IRM functionality. A simple user interface based on customizable permission policies (available from the File menu) makes IRM convenient and approachable. Integration with the Active Directory® directory service provides a level of convenience not possible with document-specific passwords. In addition, the Rights Management Add-on for Internet Explorer allows users of Windows — if they have the proper permission — to read e-mail messages and some documents with restricted permission whether or not they have Office 2003. For more information about Windows RMS, including licensing and pricing information, see the Windows Rights Management documentation on the Windows Server 2003 Web site.

For home users and for organizations that do not host their own Windows RMS on Windows Server 2003, users can share protected documents and e-mail messages by using Windows Live ID as the authentication mechanism instead of Active Directory. Windows Live ID accounts can be used when assigning permissions to the various users who need access to the contents of the file. However, use of Windows Live ID accounts for RMS authentication does not allow for groups of users to gain access to a file. Each user must specifically be granted permission to the file. In addition, each client workstation must have access to the Internet to access Windows Live ID servers. Note that users of the Windows Live ID service cannot create custom rights templates, such as the "Company Confidential" template described earlier. For more information about the Microsoft IRM service, see the Windows Rights Management documentation on the Windows Server 2003 Web site.

For the sake of discussing the full potential of IRM, this article assumes use of RMS within an organization.

Usage and enforcement of permissions in Office 2003

IRM uses various levels of permissions to restrict access to the content of a file.

In Microsoft Office Outlook® 2003, IRM can be used to prevent forwarding, copying, editing, or printing e-mail messages. Protected messages are automatically encrypted during transit, and when rights are assigned to the message by the sender, Office Outlook 2003 disables the restricted commands. Office 2003 documents attached to protected messages are also protected automatically.

In Microsoft Office Excel® 2003, Microsoft Office Word 2003, and Microsoft Office PowerPoint® 2003, documents can be protected on a per-user or per-group basis (group-based permissions require Active Directory for group expansion). Each user or group can be given a set of permissions according to the rights defined by the document owner: Read, Change, or Full Control. Depending on the recipient’s rights, IRM disables certain commands to enforce the rights assigned. Owners can also prevent printing and set document expiration dates. After expiration, the document still exists, but it cannot be opened by anyone other than the document owner.

If a protected document is forwarded to unauthorized recipients, those recipients cannot view the contents of the document; if they attempt to open the document, they receive a message explaining that the document is rights-protected. The document owner has the option of providing an e-mail address for unauthorized recipients to request rights to access the document.

 Note    The ability to create content or e-mail messages with restricted permission by using IRM is available only with the Microsoft Office Professional Edition 2003 version of the following applications — Office Word 2003, Office Excel 2003, Office PowerPoint 2003, and Office Outlook 2003. IRM is also available in the stand-alone versions of those applications.

Permission levels

Office 2003 bases all of its permission enforcement on the rights defined in the Windows RMS for Windows Server 2003 and a set of custom settings in the Office 2003 applications. The levels of permission are:

  • Full Control - Gives the user every right subsequently listed, and the right to make changes to the permissions associated with the content. Expiration does not apply to users with Full Control.
  • View - Allows the user to open and view IRM content. This maps to read access in the Office user interface.
  • Edit - Allows the user to open, view, and edit the IRM content.
  • Save - Allows the user to save the file.
  • Extract - Allows the user to make a copy of any portion of the file and paste it into the work area of another application.
  • Export - Allows the user to save the content in another location or format that might or might not support IRM.
  • Print - Allows the user to print the contents of the file.
  • Allow Macros - Allows the user to run macros against the contents of the file.
  • Forward - Allows e-mail recipients to forward an IRM e-mail message.
  • Reply - Allows e-mail recipients to reply to an IRM e-mail message.
  • Reply All - Allows e-mail recipients to reply to all users in the To: and Cc: lines of an IRM e-mail message.
  • View Rights - Allows users to view the rights associated with the file. Office ignores this right.

A user can specify one of several predefined groups of rights when creating IRM content:

  • Read - Users with Read permission have only the View right.
  • Do Not Forward - In Outlook, the author of an IRM e-mail message can apply the Do Not Forward permission to the users in the To:, Cc:, and Bcc: lines. This permission includes the View, Reply, and Reply All rights.
  • Change - Users with Change permission have View, Edit, Extract, Export, and Save rights.

Additional permissions in Office documents

In addition to the permission levels described earlier, specific rights can be specified in the advanced user interface of Word, Excel, and PowerPoint. Outlook always enables messages to be viewed by a browser that supports Rights Management. The following options are available in the Permission dialog box for Word, Excel, and PowerPoint:

  • This document expires on - This option allows the author to specify a date after which the IRM content becomes unreadable for everyone but users with Full Control.
  • View content in trusted browsers - This option allows the author to specify whether or not users without Office 2003 can view the content by using the Rights Management Add-on for Internet Explorer.
  • Require a connection to verify a user's permission - This option gives the author the ability to force users to connect to the Windows Rights Management server every time content is opened. This is useful if permissions to a shared document change over time and the author wants to make sure every user is verified prior to opening the document.

Technical overview of RMS and IRM

On the server, Windows RMS handles the core licensing, computer activation, enrollment, and administrative functions. RMS relies on Active Directory and uses an SQL database, such as a Microsoft SQL Server® database, to store configuration data.

On the desktop, creating or viewing rights-protected content requires an RMS-enabled application, such as Office Outlook 2003. To create rights-protected Microsoft Office documents, workbooks, presentations, and e-mail messages, Office Professional Edition 2003 is required. Other Office 2003 Editions allow designated recipients to work with rights-protected documents (but not create content) if they have been given those rights by the author. The Rights Management Add-on for Internet Explorer allows designated users to view rights-protected information if they do not have an Office 2003 application.


RMS is a managed Web service that leverages ASP.NET implementation, HTTP simple object access protocol (SOAP) request/response protocol, and Extensible Rights Markup Language (XrML) to enable organizations to create and deploy customized information protection solutions. With high scalability, flexible topologies, straightforward administration, and ease of use, RMS was developed to meet the needs of any organization interested in information protection.

The key to Windows RMS technology is persistent usage policies, also known as usage rights and conditions. Authors can establish persistent usage policies at the file level. After the author applies those policies to a file, they remain with that file, even when the file travels outside the corporate network.

An RMS system achieves persistent policy enforcement by establishing the following elements:

  • Trusted entities - Organizations can specify the entities that are trusted participants in an RMS system. This includes individuals, groups of users, computers, and applications. By establishing trusted entities, an RMS system helps protect information by enabling access only to properly authenticated participants.
  • Usage rights and conditions - Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use protected information. Examples of named rights are permission to view, copy, print, save, store, forward, and modify. Usage rights can also specify when those permissions expire, and what applications and entities are excluded from accessing the protected information.
  • Encryption - Encryption is the process by which data is locked with electronic keys. The RMS system encrypts information, making its access and use conditional on the successful authentication of the trusted entities and the enforcement of the specified usage policies. After the information is locked, only trusted entities that were granted usage rights under the specified conditions can unlock or decrypt the information and exercise the assigned usage rights.

RMS basics

Windows RMS technology, which includes both server and client components, provides the following capabilities:

  • Creating rights-protected files and containers - Users designated as trusted entities in an RMS system can create and manage protected files by using familiar authoring programs and tools that incorporate Windows RMS technology features. For example, by using familiar application toolbars, users can assign usage rights and conditions to information such as e-mail messages and documents. In addition, RMS-enabled applications can use centrally defined and officially authorized rights policy templates to help users efficiently apply a predefined set of organizational usage policies.
  • Licensing and distributing rights-protected information - XrML-based certificates issued by an RMS system identify trusted entities that can publish rights-protected information. Users designated as trusted entities in an RMS system can assign usage rights and conditions to information they want to protect. These usage policies specify who can access and use the information.

In a process that is transparent to users, the RMS system validates the trusted entities and issues the publishing licenses that contain the specified usage rights and conditions defined by the author of the information. The information is encrypted by using the electronic keys from the applications and from the XrML-based certificates of the trusted entities. After the information is locked by this mechanism, only the trusted entities specified in the publishing licenses can unlock and use that information. Users can then distribute the rights-protected information to others in their organization or to a trusted external user via e-mail, a file share on a server, or a disk.

  • Acquiring licenses to decrypt rights-protected information and enforcing usage policies - Users who are trusted entities can open rights-protected information by using trusted clients. These clients are RMS-enabled computers and applications that allow users to view and interact with rights-protected information, enforcing usage policies. In a process that is transparent to the recipient, the RMS server, which has the public key that was used to encrypt the information, validates the recipient's credentials and then issues a use license that contains the usage rights and conditions that were specified in the publishing license. The information is decrypted by using the electronic keys from the use license and the XrML-based certificates of the trusted entities. The usage rights and conditions are then enforced by the RMS-enabled application. The usage rights and conditions are persistent and enforceable wherever the information goes.

RMS components

RMS technology includes the following client and server software, and software development kits (SDKs):

  • Windows RMS server software - A Web service for Windows Server 2003 that handles the XrML-based certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions.
  • Windows Rights Management client software - A group of Windows APIs that facilitates the computer activation process and allows RMS-enabled applications to work with the RMS server to provide licenses for publishing and consuming rights-protected information.
  • Software development kits - Documentation and sample code, for both the server and client components, that enable software developers to customize their Windows RMS server environment and to create RMS-enabled applications.
RMS server software

At the core of Windows RMS is the server component that handles certification of trusted entities, licensing of rights-protected information, enrollment of servers and users, and administration functions. The server software facilitates the setup steps that enable trusted entities to use rights-protected information. Windows RMS provides the tools to establish and configure the servers, client computers, and user accounts for trusted entities in an RMS system. This setup process includes the following:

  • Server enrollment - Server enrollment is part of the provisioning process. During server enrollment, a public key from an organization's root RMS server is sent to the RMS Server Enrollment Service hosted by Microsoft. The enrollment service creates and returns an XrML licensor certificate for that organization's public key. The RMS Server Enrollment Service does not issue the public/private key pair to an organization's root server; it merely signs the public key. The RMS Server Enrollment Service cannot be used to unlock an organization's content. There is no attestation of identity during this process.
  • Sub-server enrollment - After an organization configures the root installation server for its RMS system, it can sub-enroll and configure additional servers that will be part of the system. The server sub-enrollment process establishes the XrML-based certificates that enable the additional servers to issue licenses that are trusted by the RMS system.
  • Client-computer activation - An organization must activate all client computers that will be used to create or access rights-protected information. During this one-time process, the client computer is issued a unique RMS lockbox. The RMS lockbox is the client-side security enforcer. It is unique for the computer and cannot be run on another computer.
  • User certification - Organizations must identify the users who are trusted entities within their RMS system. To do so, Windows RMS issues rights management account XrML-based certificates that associate user accounts with specific computers. These certificates enable users to access and use protected files and information. Each unique certificate contains a public key used to license information intended for that user's consumption.
  • Client enrollment - Client computers might sometimes be used to publish rights-protected information when they are not connected to the corporate network. In that case, a local enrollment process is required. Client computers enroll with the root installation server or a Windows RMS licensing server and receive rights management client licensor certificates. This enables certified users to publish rights-protected information from those computers without being connected to the corporate network.
  • Publishing licenses that define usage rights and conditions - Trusted entities can use simple tools in RMS-enabled applications to assign specific usage rights and conditions to their information, consistent with their organization's business policies. These usage rights and conditions are defined within publishing licenses specifying the authorized users who can view the information, and how that information might be used and shared. RMS uses XrML to express usage rights and conditions.
  • Use licenses that enforce usage rights and conditions - Each trusted entity that is a recipient of rights-protected information transparently requests and receives a use license from the RMS server by attempting to open the information. A use license is granted to authorized recipients, specifying the usage rights and conditions for that individual. An RMS-enabled application uses Windows RMS technology features to read, interpret, and enforce the usage rights and conditions defined in the use license.
  • Encryption and keys - Protected information is always encrypted. An RMS-enabled application uses a symmetric key to encrypt the information. All RMS servers, client computers, and user accounts have a public/private pair of 1024-bit RSA keys. Windows RMS uses these public/private keys to encrypt the symmetric key in publishing and use licenses, and to sign rights management XrML-based certificates and licenses, which helps ensure access to only properly trusted entities.
  • Rights policy templates - Administrators can create and distribute official rights policy templates defining usage rights and conditions for a predefined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their information. For example, an organization might create rights policy templates for their employees that assign separate usage rights and conditions for company confidential, classified, and private data. RMS-enabled applications can use these templates, providing a simple, consistent way for users to apply predefined policies to information.
  • Revocation lists - Administrators can create and distribute revocation lists identifying the compromised trusted entities that are invalidated and removed from the RMS system. An organization's revocation list can invalidate the certificates for specific computers or user accounts. For example, when an employee is terminated, the trusted entities involved can be added to the revocation list and can no longer be used for any RMS-related operations.
  • Exclusion policies - Administrators can implement server-side exclusion policies to deny license requests based on the requestor's user ID (Windows logon credential or Windows Live ID), rights management account certificates, or rights management lockbox versions. Exclusion policies deny new license requests made by compromised trusted entities, but unlike revocation, exclusion policies do not invalidate the trusted entities. Administrators can also exclude potentially harmful or compromised applications so they cannot decrypt rights-protected content.
  • Logging - Administrators can track and audit the use of rights-protected information within an organization. RMS installs support for logging so that organizations have a record of RMS-related activities, including issued or denied publishing and use licenses.
RMS client software

Each client computer in an RMS system must have the Windows Rights Management client software installed and one or more RMS-enabled applications. The Windows Rights Management client software is a group of Windows Rights Management APIs that can be preinstalled or downloaded from the Windows Update Web site. The Rights Management client is also used during the computer activation process. After the Rights Management client is installed, users simply use RMS-enabled applications to author and specify permission for content. As RMS-enabled applications, Office 2003 Editions extend the capabilities of RMS in this way.

RMS software development kits

The Windows RMS technology includes the Windows RMS software development kits (SDKs), which are sets of tools, documentation, and sample code that enable organizations to customize Windows RMS. The server SDK includes SOAP interfaces that allow developers to create components for various purposes, such as applying Windows RMS usage policies in real time to any data, and issuing licenses to recipients before the actual distribution of the rights-protected information.

A post-processing queue that uses Message Queuing (also known as MSMQ) enables logging, auditing, surveillance, and other administrative services. These interfaces and services provide the means to control, integrate, and extend Windows RMS.

The RMS client SDK enables software developers to create RMS-enabled applications. By using the client SDK and the accompanying client APIs, developers can build trusted client applications that can license, publish, and consume rights-protected information. The RMS client SDK consists of the following components:

  • A redistributable module that implements client interfaces.
  • Associated header files for development.
  • A linking library.
  • Tools for building the signed manifests required for RMS-enabled applications to load modules that implement client interfaces.

IRM basics

To protect data with Windows RMS, users follow the same logical workflow that they already use for their information. The publishing and consuming process includes the following steps:

  1. Before a user can rights-protect a document, the user must be enrolled in the RMS system, receiving a lockbox, an XrML-based certificate, and a client publishing certificate for the user's computer.
  2. Using an RMS-enabled application, such as in Office Professional Edition 2003, the user creates a file and defines a set of usage rights and conditions for that file.
  3. The application encrypts the file with a symmetric key, which is then encrypted by using the public key of the user's Windows RMS server. The key is then inserted into the publishing license and the publishing license is bound to the file. Only the user's Windows RMS server can issue use licenses to decrypt this file.
  4. The user distributes the file.
  5. A recipient receives a protected file through a regular distribution channel and opens it by using an RMS-enabled application or browser.
  6. If the recipient does not have an account certificate on the current computer or device, one is issued, presuming that the recipient has access to the root RMS server and has an enterprise account.
  7. The application sends a request for a use license to the server that issued the publishing license for the protected data. The request includes the recipient's account certificate, which contains the recipient's public key, and the publishing license, which contains the symmetric key that encrypted the file.

A publishing license issued by a client licensor certificate includes the URL of the server that issued the certificate. In this case, the request for a use license goes to the Windows RMS server that issued the client licensor certificate, and not to the actual computer that issued the publishing license.

  1. The Windows RMS licensing server validates that the recipient is authorized, checks that the recipient is a named user, and creates a use license.

During this process, the server decrypts the symmetric key by using the private key of the server, reencrypts it by using the public key of the recipient, and adds it to the use license. The server also adds any relevant conditions to the use license, such as the expiration or an application or operating system exclusion. By doing this step, only the intended recipient can decrypt the symmetric key and thus decrypt the protected file.

  1. When the validation is complete, the licensing server returns the use license to the recipient's client computer.
  2. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list.

If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the recipient can exercise the rights granted.


Because IRM functionality is an extension of RMS, IRM deployment is contingent on RMS deployment. Once RMS is deployed, IRM deployment is simply a matter of installing the Windows Rights Management client on client computers. Each client computer and user then receive a certificate allowing IRM usage.

Deployment requirements

RMS is designed to make the most of existing infrastructure investments, by using Active Directory for service discovery and NTLM authentication. With the flexibility of Windows authentication, RMS can utilize smart card and biometric devices in addition to other alternate authentication methods supported by Windows. The following is needed to run RMS.

On the server:

  • Windows Server 2003 with Windows RMS server software. (Windows RMS is a new premium service for Windows Server 2003 Standard, Enterprise, Web, and Datacenter editions.)
  • Internet Information Services (IIS) 7.0.
  • Active Directory (Windows Server 2000 or Windows Server 2003). Active Directory accounts are used to acquire and use licenses.
  • A database, such as a SQL Server database, to store configuration data.

For information about the hardware requirements for deploying and operating RMS, see the Windows Rights Management documentation on the Windows Server 2003 Web site.

On the client:

  • Windows RMS client software.
  • An RMS-enabled application is required for creating or viewing rights-protected content. The Office 2003 Editions include the first RMS-enabled applications available from Microsoft. Office Professional Edition 2003 is required for creating or viewing rights-protected Microsoft Office System documents such as spreadsheets, presentations, and e-mail messages. Other Office 2003 Editions allow designated users to view and edit rights-protected documents if they have been given those rights by the author. They cannot create rights-protected content.

Deployment tasks

The process of deploying both RMS and IRM consists of the following basic steps:

  1. Meet the hardware, software, and infrastructure requirements.
  2. Obtain and install the RMS server software.
  3. Enroll the server by obtaining a Windows RMS Licensor Certificate from Microsoft. This certificate is unique to each organization.
  4. Register the server's URL in Active Directory.
  5. Deploy Rights Management client software on each user's computer. Microsoft Systems Management Server (SMS) 2003 or Group Policy scripts can be used to automate the delivery to each computer.
  6. Activate each client computer and user by installing the RMS client software on each client computer. During this process, a unique RMS lockbox and computer certification is issued to each computer.
  7. Certify RMS users. When a user attempts to use RMS — for example, by using IRM in Office 2003 Editions programs — the following occurs:
    • The computer obtains a certificate that activates it as a computer capable of creating protected content.
    • The user obtains a certificate that associates him or her with that computer, and enables the creation of protected content.

For information about the RMS topology and installing RMS, see the Windows Rights Management documentation on the Windows Server 2003 Web site.

Setting up client computers

Every client computer participating in the RMS system must be configured as a trusted entity within the RMS system. Client computer setup consists of verifying the presence of the Windows Rights Management client component and activating the client computers. After a client computer is set up, the infrastructure is in place to permit RMS-enabled applications to publish and consume rights-protected information.

Organizations can use standard software deployment tools, such as SMS, to ensure their client computers have the client component, or can rely on the installation of an RMS-enabled application to initiate the request to the Windows Update Web site for the component.

Certifying RMS users

The certification process creates a rights management account certificate that associates a user account with a specific computer and enables the user to access and use rights-protected information from that computer. The first time a user publishes rights-protected information or attempts to access such information on a client computer, the RMS-enabled application sends a request for an account certificate to the Windows RMS root installation.

The Windows RMS root installation validates the person's identity by using Windows authentication and creates an account certificate, including a public/private key pair, based on the user's validated credentials. It encrypts the user's private key with the public key of the client computer's certificate and includes the encrypted key in the user's account certificate. It then issues the account certificate to the requesting application. The application stores the account certificate on the computer or device so that it is available for subsequent publishing or use license requests.

Because the certificate of the client computer is required to request the account certificate, user certification follows the client computer activation process. Users must acquire an account certificate for each computer that they use. If a user uses more than one computer, each computer is issued a unique account certificate, but they all contain the same public/private key pair unique for that individual.

When an application requests a use license, it includes the account certificate in the request. The Windows RMS licensing server uses the public key of the account certificate to encrypt the symmetric key in the publishing license, which was initially encrypted with the public key of the Windows RMS server. This process ensures that only the trusted entity can access and use the use license.

Enrolling client computers for offline publishing

Client computers can enroll with the root installation or a licensing server to receive a rights management client licensor certificate. This certificate enables users to publish protected information when their computer is not connected to the corporate network. In this case, the client computer, rather than the licensing server, signs and issues the publishing licenses containing the usage rights and conditions for rights-protected information published from that computer.

Local enrollment includes the following steps:

  1. The client computer sends the user's account certificate and an enrollment request to the RMS server.
  2. The server validates that sub-enrollment is allowed, based on the network administrator settings, and that the account certificate is not in an exclusion list in the configuration database.
  3. The server creates a public/private key pair specifically to grant offline publishing rights for the user making the request. It creates a client licensor certificate and places the public key in that certificate. It then encrypts the private key with the account certificate public key, and places the result in the certificate.
  4. The root installation issues a client licensor certificate to the client computer.


As with any infrastructure component, there are multiple ways to use RMS and IRM, and there are a number of capabilities and settings that are relevant to different usage scenarios. For example, some scenarios require the use of trust or exclusion policies, while others do not. As a quick overview, the primary management tasks available from the RMS Administration site on a Windows RMS server are:

  • Establish trust policies.
  • Configure rights policy templates.
  • Configure logging.
  • Specify the extranet cluster URL.
  • Track the number of RMS account certificates distributed.
  • Manage security settings.
  • View and configure account certificate settings.
  • Enable exclusion policies.
  • Register the service connection point.

Administrators can perform other tasks, including monitoring events and managing Active Directory, IIS, and SQL Server, by using the Microsoft Management Console (MMC). For detailed information about any of these tasks, see RMS Help, which is installed with the RMS server software.

Applies to:
Deployment Center 2003