Secure Sharing: Collaboration without Compromise (Part 3)

If you would like to read the other parts in this article series please go to:


In Part 1 of this series, we talked about the importance of secure sharing in today’s collaborative work environment. In Part 2, we started to dig further down into the nitty-gritty of different file sharing methods and the security (and persuasive) mechanisms that you can put into place to ensure that your users use the safest ones and that your data is as secure as it can be when in the process of being shared.

In this, Part 3, we’ll talk about how those with whom you share such data can deliberately or inadvertently compromise the information after it leaves your hands, and some solutions for helping to prevent that.

The sharer’s dilemma

Sharing sensitive data with others is often necessary in order to get the job done, but as soon as the information leaves your hands (or in this case, your computer), you lose control over it, at least to some degree.

For example, if you discuss sensitive information in email, that mail can go astray or the intended recipient can, either intentionally or inadvertently, forward it to someone else or copy and paste it into a document that’s then stored in a non-secure location. If you send someone a Word document that contains confidential info, the recipient might print it out for easier reading and then leave the hard copy lying around or toss it in the trash where it could be seen by unauthorized persons.

Recipients could even make modifications to your messages and documents, changing important facts and meanings.

Rights management to the rescue

Luckily, the technology exists (and has for quite some time) to maintain some measure of control over the documents and messages you create, in the form of rights management.

Digital Rights Management has gotten a bad reputation over the years. That’s primarily because of the association of DRM with music copyright holders who have been heavy-handed regarding enforcement of their copyrights. The problem is that the technology itself (like all technologies) is “dumb” and often doesn’t differentiate between legitimate and illegitimate access attempts, and locks out those who have properly paid for licenses. At the least, it often makes it inconvenient for legit users to use the content. If a content provider changes the DRM method or goes out of business, the user who paid may lose access to the content permanently.

In the context of sensitive business information, however, rights management is a very useful tool for protecting the integrity and limiting the distribution of business information.

With rights management, you can prevent the recipients of your information from copying all or part of the data, printing the document or message, making changes to the content, or forwarding messages to others. You can designate who can open the file and you can even specify a “self-destruct” date so that it cannot be opened even by the original recipient(s) after that time. You can even prevent them from using the “Print Screen” key on the keyboard to copy the information or using the Snipping Tool screen capture application that’s built into Windows Vista and Windows 7 and 8.

Microsoft’s rights management services

Microsoft first introduced their rights management services (RMS) in Windows Server 2003. With Windows Server 2008, they renamed it to Active Directory Rights Management Services (AD RMS) and integrated it more tightly with the Windows Active Directory. To confuse matters, Microsoft calls the technology used by RMS “information rights management” (IRM) and refers to the RMS-enabled client applications as IRM clients.

AD RMS uses licenses that are issued by RMS servers and client applications (including mobile apps) that request licenses and enforce the rights restrictions that have been specified for the files or messages. When you create a document or message and protect it with RMS, the client application requests a Client Licensor Certificate (publishing license) that is used to encrypt the file. When a recipient wants to open the protected file, his/her client application requests an end-user license and the application then enforces the policies that are set in the publishing license.

AD RMS server components run on Internet Information Services (IIS) and store information on SQL Server. One AD RMS server in the forest acts as a root certification server and the rest operate as licensing servers. AD RMS can be used within an AD forest or across forests with Trusted User Domains, Trusted Publishing Domains or through Active Directory Federated Services.

Deployment of AD RMS with Server Manager and PowerShell

In Windows Server 2012/2012 R2, AD RMS is deployed as a server role. AD RMS data is stored in a SnQL Server database. It can now be installed either locally or remotely using Server Manager’s Add Roles and Features wizard. In previous versions, you could only run the Setup at the same server machine on which you were installing AD RMS (no remote deployment). This was a welcome change for IT pros who often configure and manage servers from remote computers. You can also use Windows PowerShell to deploy AD RMS in Server 2012/2012 R2.

Deploying AD RMS is a two-part process, regardless of which method you use. The first part consists of copying and installing the files that are required for AD RMS. The second part involves selecting from available deployment options and configuring your AD RMS servers/cluster.

For those who would like to evaluate the service before deploying it in a production network, Microsoft also provides a test lab guide that walks you through the steps of deploying an AD RMS cluster.

AD RMS Mobile Device Extension

Another welcome addition to the latest versions of AD RMS is new support for mobile devices. With the huge surge in popularity of using smart phones and tablets to access work data and the acceptance of a BYOD culture in most companies today, this was a necessity. To get this functionality, you need to install and configure the Active Directory Rights Management Services Mobile Device Extension.

The extension runs on AD RMS on Windows Server 2012 or 2012 R2 only. It supports mobile devices running Windows Phone 8.1, Windows RT, Android and iOS. It also adds support for the use of AD RMS by users of Mac desktop and laptop computers running OS X. Previously, there was limited support for rights management on mobile devices but only for email apps that support Exchange ActiveSync IRM.

The extension allows you to use the RMS sharing app and other apps that are RMS-enabled to read RMS-protected files in the following formats:

  • .TXT
  • .CSV
  • .XML
  • .JPG
  • .GIF
  • .TIF
  • .PDF
  • .PFILE

You can also use the RMS sharing app to protect image files on the mobile device. Developers can create RMS-aware apps using the RMS SDK that’s available from Microsoft. The extension itself can be downloaded from the Microsoft Download Center.

There are prerequisites that must be installed and configured before you install the MDE on your RMS server(s), so be sure to read the instructions before you proceed. You can find that information in the TechNet library.

Note that in order to install the AD RMS MDE, your AD RMS deployment must be using a full SQL Server database that’s running on a separate server from the AD RMS server. You also must have Active Directory Federated Services (AD FS) deployed on the server and it has to be configured for the AD RMS MDE. This can be done using a PowerShell Script that’s provided by Microsoft, or you can enter the configuration information manually. You can separately enable support for the different device types (Windows Phone, RT, Mac, iOS, and Android) that you want to be able to use RMS.

You will also need to specify DNS SRV records for the email domains used by your RMS users. If you have a proxy server that’s between the AD RMS server(s) and the AD FS servers, you’ll need to update the web.config file from the AD RMS MDE web site so that the AD RMS servers can contact the AD FS servers, in order for it to work. You will also find the instructions for how to do that at the link above.

Limitations of rights management

It’s important to be aware of the limitations of any rights management technology. It should be considered more of a way to prevent accidental or casual exposure of sensitive information than a cure-all security solution. There are many ways that someone who is intent on doing so can circumvent rights management.

Keystroke loggers and other types of malware can still capture information that’s typed in, including information that you protect with RMS/IRM. Malware and viruses can still delete RMS-protected files. Many third party screen capture programs are not RMS-enabled and so can still be used to take screen shots of protected information. With smart phones’ digital cameras becoming ubiquitous and the photo quality increasing, a determined person could take a photo of the information on the screen. And of course nothing can prevent the recipient from copying the information by hand or retyping it in another non-protected document.


Sharing information with others always introduces an element of risk, but there are many mechanisms that can be used to ameliorate the risk. In this three-part article, we’ve discussed how sharing can be done more securely in the business environment.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

Scroll to Top