Microsoft amends Rights Management Server

Service Pack 1 brings polish and improved features to RMS, but third-party support is lacking

Newsflash: CNN reports that Ian Pearson, of British Telecom's "futurology" unit, predicts that we'll be able to download our brains into computers within 50 years. He bases this on -- drum roll, please -- the power of the new Sony PlayStation 3. Of course, now all I want to do is become a futurologist. How do you get that gig?

Thankfully, Microsoft isn't experimenting with ways to download our brains (though it would be interesting to hear the EU's response to such news). Instead, Redmond is quietly releasing a series of new revs and service packs, including ISA (Internet Security and Acceleration) Server Enterprise Edition (look for a review in InfoWorld soon), SBS (Small Business Server) SP1, and RMS (Rights Management Server) SP1.

Because our brains haven't been downloaded to a vast array of gaming consoles just yet, we're taking on the aforementioned releases one at a time. We've just gotten to setting up SBS SP1, but we did manage to have a heart-to-heart with Microsoft's RMS team about the changes the new service pack brings to that product.

For those who don't remember, RMS is a cousin of Digital Rights Management Server, but it's intended to protect documents that circulate within a single organization and perhaps within some partner organizations; it's not aimed at securing documents, such as an e-book, that have a broader, Internet-wide audience. Within an organization, RMS has the power to enforce security policies down to the document level, and it allows the document to carry its security along with it wherever it goes in the enterprise.

RMS's security features are significant, including encryption, specific user or group access, denial of save, print, or change capabilities, and more. So BT's Pearson could create a hypothetical document alerting senior staff to buy millions of PlayStations for the Pearson Brain-Drain Game project, and he could make the document viewable only by a select group of BT executives. Let's call them the Guinness Drinkers. If Pearson e-mails the document to the entire BT Executive Group, only those in the Guinness Drinkers subgroup will be able to open it.

Pearson could further make sure that no one in Human Resources, Legal, or Psychological Evaluations can even see the document, let alone print or save it. And should Sony issue an announcement that it will evaluate his proposal by a specific date, Pearson can set his original document to expire on that date in favor of his new document, "I Don't Know What I Was Thinking."

RMS has been around for about a year now, and SP1 offers several new enhancements and product-polishing features. For one, it allows administrators to deploy the RMS client software using SMS and Active Directory groups, something that probably should have been there from day one, but I'm not complaining. It even has support for Active Directory Dynamic Groups, so if a BT executive casually meanders into the Crazy Futurologist Pub, and thus dynamically becomes part of the Guinness Drinkers group, he or she will have rights to see Pearson's newest document, "The Dangers of Reading Science Fiction Whilst Shooting Cuervo."

On a more innovative note, SP1 also includes an updated lockbox, the component that manages encryption, validation, and similar operations. In the first version of RMS, the lockbox concentrated mainly on client applications such as Office. SP1 updates the lockbox to a server lockbox, which allows administrators to configure RMS to apply document protection at the server level, the client level, or even both.

SP1 also updates the RMS SDK so that third-party developers can integrate RMS features into their products. Adobe Acrobat already has a third-party RMS plug-in from Liquid Machines, for instance. These features are also intended to allow RMS to integrate with content inspection gateways, so these products will scan RMS-protected e-mail.

See, that's a bit of a problem for every large client on my list. Everyone in that space tends to scan incoming and outgoing e-mail for keywords such as porn, embezzle, Pearson, and the like. An RMS-protected e-mail is, however, immune to such a scan. That means all kinds of e-mail content -- and attachments -- can be run through your network and be completely invulnerable to content scans. That's how RMS will work unless these third-party solutions come out and play.

Given today's political and security considerations, that's not happening at most general enterprises, and definitely not at places such as financial institutions. RMS is a system with a solid features set, but without the more complete third-party support that Microsoft is promising for only later this year, you'll need to deploy it carefully.