So here are yet more of my notes around Active Directory Rights Management Services in Windows Server 2008.
—————————
MANAGEMENT
- ADRMS Group Policy Templates
(Note: Policy Templates are the IT-managed categories by which you may protect a document or mail. For example: “Do not forward” is a policy template that can be applied to email in Outlook. “Company Confidential” might be another policy template that applies to Office documents to prevent anyone without domain credentials from opening the document. These policies are magically selectable when applying RMS protection to an email or document.)
- RMS client GP template propagation uses the Task Scheduler built into the operating system; distribution of the templates is basically ALL or nothing if you use GP-driven distribution. This means that every person configured with RMS will get these templates.
(Some people want executives to have special templates, and if this is necessary, another method of policy template distribution needs to be considered. They are just files in a protected directory that need to be copied to each person’s machine, so there are numerous ways that this can be done.)
- Group Policy Templates can provide all the functionality of RMS. Office and SharePoint inherently do NOT expose all the RMS protection options available to the user. For example, some of these options include “do not copy & paste”, “do not print”, “do not forward”, “validate every time the document is opened”, “self-destruct document after x days”, and “validate user every 3rd day”.
- The most restrictive policy is “Check for validation on each access”: This will require contact with the authentication server every time the document is opened. Chatty but secure.
- When applying rights, do not give “ANYONE” rights to a document. This will include contractors and others. Always apply rights to a group of people.
- Internet Explorer 6 & 7 both work with the Rights Management Client and the IE plug-in for viewing RMS content within the browser without having an Office product installed.
- “Enable users to view protected content in browser” is neat because it enables people to view RMS-protected content within Internet Explorer with full fidelity and protection…
…HOWEVER it will grow the size of the document because it provides an HTML rendering of the document in the container of the document itself. A 200k document can grow to 2MB in size with this option turned on.
- “Print” rights is a HOLE. A user can always print to PDF and then reverse engineer the PDF into a document.
- Watermarking or “stamping the background” of an RMS document with the end user’s name/title/email when they print is possible through third parties.
- The recommended method of distributing templates is to establish a network share that everyone has access to, enable Offline Folders for that share, and place the appropriate templates on the share that people need.
This enables specific templates to be distributed “per user/group” by redirecting the users to different folders depending on their group membership.
- IMPORTANT: You can NEVER remove or retire a template from the organization without killing all the documents that were protected by it previously. Disaster Recovery plans must export all templates to preserve the integrity of all protected documents.
- IMPORTANT: Office 2003/2007 have a 20 template limitation in their UIs. You may publish more than 20 but only 20 will be accessible by the users.
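Here is one way to wire up the per-group share distribution from the notes above, as an added logon-script example that is not part of the original notes. It assumes a hypothetical share layout (\\fileserver\RMSTemplates\All for everyone plus one folder per group), hypothetical group names, a local template folder under %LOCALAPPDATA%, and that Office 2007 picks up the folder from the AdminTemplatePath value under HKCU\Software\Microsoft\Office\12.0\Common\DRM (assumed here; confirm against your Office version). It also warns when more than 20 templates would be published, since the Office UI will only show 20.

```powershell
# Added example (not from the original notes): logon script that copies
# AD RMS rights policy templates per group from a network share.
#
# Assumptions (hypothetical; adjust for your environment):
#   - \\fileserver\RMSTemplates\All\*.xml holds templates for everyone, and
#     \\fileserver\RMSTemplates\<GroupName>\*.xml holds group-specific ones.
#   - Office 2007 reads the template folder from the AdminTemplatePath value
#     under HKCU:\Software\Microsoft\Office\12.0\Common\DRM (assumed).

$Share        = '\\fileserver\RMSTemplates'   # assumed share, Offline Folders enabled
$LocalFolder  = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
$RegKey       = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$MaxTemplates = 20   # Office 2003/2007 UIs list at most 20 templates

# Groups that get an extra template folder; folder name equals group name (assumed).
$TemplateGroups = @('Executives', 'Finance', 'Legal')

# Resolve the current user's group memberships (SIDs -> DOMAIN\Group names).
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$memberOf = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

# Everyone gets the "All" folder; group folders only for members of that group.
$folders = @('All')
foreach ($g in $TemplateGroups) {
    if ($memberOf -match "\\$g$") { $folders += $g }
}

# Stage a complete copy first so a half-copied set never replaces a good one.
$staging = Join-Path $env:TEMP ('rms-templates-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $staging -Force | Out-Null
foreach ($f in $folders) {
    $src = Join-Path $Share $f
    if (Test-Path $src) {
        Copy-Item -Path (Join-Path $src '*.xml') -Destination $staging -Force
    } else {
        Write-Warning "Template folder '$src' not reachable (offline?); skipping."
    }
}

$count = @(Get-ChildItem -Path $staging -Filter '*.xml').Count
if ($count -gt $MaxTemplates) {
    Write-Warning "$count templates published, but Office only lists $MaxTemplates; trim the share or split by group."
}

if ($count -gt 0) {
    # Swap in the staged set so the local folder mirrors what the share publishes.
    if (Test-Path $LocalFolder) { Remove-Item -Path $LocalFolder -Recurse -Force }
    New-Item -ItemType Directory -Path (Split-Path $LocalFolder) -Force | Out-Null
    Move-Item -Path $staging -Destination $LocalFolder
    New-Item -Path $RegKey -Force | Out-Null
    Set-ItemProperty -Path $RegKey -Name 'AdminTemplatePath' -Value $LocalFolder
    Write-Host "Installed $count RMS templates for $($identity.Name) from: $($folders -join ', ')"
} else {
    # Nothing reachable: keep whatever templates are already on the machine.
    Remove-Item -Path $staging -Recurse -Force
    Write-Warning "No templates copied; existing local templates left in place."
}
```

Run it as a user logon script (or from the scheduled task the RMS client already uses) rather than as a machine startup script, because the group membership and the registry value are both per user. The staging step matters: if the share drops mid-copy, the user keeps a complete previous set instead of a partial one, and the count check fires before anything is installed so the 20-template limit is caught on the share side rather than discovered by a user who cannot find the template they were told to use.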
