AD RMS and Microsoft Office Deployment Considerations
Applies To: Windows Server 2008, Windows Server 2008 R2
The following document provides guidance about the various Microsoft® Office suites and the supported AD RMS features.
Microsoft Office Suites, Information Rights Management, and Active Directory Rights Management Services
Information Rights Management (IRM) allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.
IRM helps to do the following:
Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use
Prevent restricted content from being copied by using the print screen feature of a Microsoft Windows operating system.
Restrict content wherever it is sent.
Support file expiration so that content in documents can no longer be viewed after a specified period of time.
Enforce corporate policies that govern the use and dissemination of content within the company.
AD RMS-aware applications implement IRM to help prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. Once permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file. The Microsoft Office System is comprised of several AD RMS-enabled applications such as Microsoft Office Word 2007, Microsoft Office Excel 2007, and Microsoft Office PowerPoint 2007.
This document attempts to start at a broad level and explain the supported Microsoft Office versions and editions that are available. It continues to examine the supported applications that exist within these editions and continues even further to detail the supported file types of these applications. This document will also provide guidance about using AD RMS with XPS, the XML paper specification.
Microsoft Office Suites and AD RMS Features
The following table describes the various Microsoft Office suites that support rights management and summarizes the available features in each.
Microsoft Office and AD RMS features summary
| Office Suite | Office Edition – Create and Consume Protected Content | Office Edition – Consume Protected Content |
|---|---|---|
Microsoft Office 2003 |
Enterprise |
Standard* |
Professional |
Basic* |
|
Small Business* |
||
Student and Teacher* |
||
Word Viewer 2003 |
||
Excel Viewer 2003 |
||
PowerPoint Viewer 2003 |
||
Microsoft Office 2007 |
Ultimate |
Professional* |
Enterprise |
Small Business* |
|
Professional Plus |
Home and Student* |
|
Standard* |
||
Word Viewer 2007 |
||
Excel Viewer 2007 |
||
PowerPoint Viewer 2007 |
||
Microsoft Office 2010 |
Professional Plus |
Professional* |
Professional Academic* |
||
Home and Business* |
||
Home and Student* |
||
Word Viewer |
||
Excel Viewer |
||
*Can also be used to edit existing protected content, for example, by replying to a protected message or by revising a protected document |
||
Microsoft Office Mobile (requires version 6.0 minimum) |
Outlook |
Word Excel PowerPoint |
Supported AD RMS-enabled Office Applications
Microsoft Office is comprised of several different applications. Not every application in the Microsoft Office suites supports rights management. The following section will provide guidance as to the applications of various Office versions that support rights management.
The following table describes the various AD RMS-enabled applications that are supported in various versions and editions of Microsoft Office
Microsoft Office Versions and AD RMS Features summary
| AD RMS-enabled Applications | Microsoft Office 2003 | Microsoft Office 2007, Microsoft Office 2010 |
Microsoft Office Mobile |
|---|---|---|---|
Microsoft Word |
● |
● |
● |
Microsoft Excel |
● |
● |
● |
Microsoft PowerPoint |
● |
● |
● |
Microsoft Outlook |
● |
● |
● |
Microsoft InfoPath |
Not provided |
● |
Not provided |
Supported Microsoft Office File Types
There are several different file types that exist within Word, Excel, and PowerPoint. There are also several new file types that were introduced with Microsoft Office 2007. This section details the supported rights managed file types within these applications.
Microsoft Office Word
The following is a list of supported rights managed Microsoft Office Word file types.
Supported Rights Managed Microsoft Office Word File Types
| File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support |
|---|---|---|---|
Document |
.doc |
● |
● |
Document |
.docx |
● |
|
Macro-enabled document |
.docm |
● |
|
Template |
.dot |
● |
● |
Template |
.dotx |
● |
|
Macro-enabled template |
.dotm |
● |
|
XML Paper Specification |
.xps |
● |
Microsoft Office Excel
The following is a list of supported rights managed Microsoft Office Excel file types.
Supported Rights Managed Microsoft Office Excel File Types
| File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support |
|---|---|---|---|
Workbook |
.xls |
● |
● |
Workbook |
.xlsx |
● |
|
Macro-enabled workbook |
.xlsm |
● |
|
Template |
.xlt |
● |
● |
Template |
.xltx |
● |
|
Macro-enabled template |
.xltm |
● |
|
Non-XML binary workbook |
.xlsb |
||
Macro-enabled add-in |
.xla |
● |
|
Macro-enabled add-in |
.xlam |
● |
|
XML Paper Specification |
.xps |
● |
Microsoft Office PowerPoint
The following is a list of supported rights managed Microsoft Office PowerPoint file types.
Supported Rights Managed Microsoft Office PowerPoint File Types
| File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support |
|---|---|---|---|
Presentation |
.ppt |
● |
● |
Presentation |
.pptx |
● |
|
Macro-enabled presentation |
.pptm |
● |
|
Template |
.pot |
● |
● |
Template |
.potx |
● |
|
Macro-enabled template |
.potm |
● |
|
Show |
.pps |
● |
● |
Show |
.ppsx |
● |
|
Macro-enabled show |
.ppsm |
● |
|
Office theme |
.thm |
● |
|
Office theme |
.thmx |
● |
|
XML Paper Specification |
.xps |
● |
Microsoft Office InfoPath
Microsoft Office InfoPath 2007 – Microsoft Office InfoPath is an information-gathering program introduced in the 2007 release of the Microsoft Office system. With Office InfoPath 2007 and Infopath 2010, you can create and deploy electronic forms solutions to gather information efficiently and reliably. You can also use the InfoPath Forms Services capabilities in Microsoft Office SharePoint Server 2007 and SharePoint Server 2010 to extend your business processes beyond your corporate firewall, delivering forms as Microsoft Office Outlook e-mail messages, Web browser forms, or forms for mobile devices.
Office InfoPath 2007 includes support for information rights management to help protect forms from inappropriate usage and distribution. When you design a form template in InfoPath, or send a form by using Microsoft Office Outlook 2007 or Outlook 2010, you can apply Information Rights Management (IRM) to it.
The following is a list of supported rights managed Microsoft Office InfoPath file types.
Supported Rights Managed Microsoft Office InfoPath File Types
| File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support |
|---|---|---|---|
Dynamic Form/Template |
.xsn |
Not Available |
● |
XML Paper Specification |
.xps |
● |
Microsoft Office Outlook
Microsoft Office Outlook 2003 - Microsoft Office Outlook 2003 will automatically rights manage any of the supported Microsoft Office 2003 file types when these file types are attached to a rights managed e-mail message. This includes the same file types created using Microsoft Office 2007. For instance, if a document with a file name extension type of .doc is created using Microsoft Word 2007 and is attached to an e-mail message created with Outlook 2003, and .doc file types are being rights managed, then this file will automatically become rights managed.
Microsoft Office Outlook 2007 and Microsoft Office Outlook 2010 - When any of the Microsoft Office 2007 and Office 2010–supported file types are attached to a rights-managed e-mail message within Microsoft Outlook 2007 or Microsoft Outlook 2010, it will automatically be rights managed as well if it was not already rights protected. This includes the same file types created using Microsoft Office 2003, as well as XPS (.xps) file types. For instance, if a document with a file name extension type of .doc is created using Microsoft Word 2007 and is attached to an e-mail message created with Outlook 2003, and .doc file types are being rights managed, then this file will automatically become rights managed.
Important
When you attach a message (.msg) file to a rights managed e-mail message using Outlook 2003, Outlook 2007, or Outlook 2010, the attached message is not rights managed. IRM does not rights manage .msg file types.
XPS – XML Paper Specification
XPS is a Microsoft specification describing the architecture of the XPS Document file format, a representation of electronic paper based on XML. The XPS Document format is an open, cross-platform document format that allows customers to effortlessly create, share, print, and archive paginated documents.
XPS documents can be created by applications running on Windows XP, Windows Vista or Windows Server 2003. XPS documents can be viewed by users of those Operating Systems that have installed the .Net Framework 3.0 SP1 or one of the standalone XPS viewers available for download. Windows Vista has an XPS viewer installed by default.
XPS documents have a file name extension of .xps. XPS documents can be created by any application that can print documents to the “Microsoft XPS Document Writer” virtual printer. They can also be created by simply using ‘Save As’ and choosing XPS Document in Microsoft Office 2007. This allows you to extend rights management to the other applications within Microsoft Office 2007 or Office 2010. For example, you can choose to save a Microsoft Visio 2007 design as an XPS document. At this point, this document can be rights managed. This applies to Office 2007 and Office 2010 versions of Access, Publisher, and OneNote.
If you do not have Microsoft Office 2007 or Office 2010, or are using an older version, you can also create rights managed XPS documents by using the free Microsoft XPS Viewer. See the next section for additional information on the Microsoft XPS Viewer.
Office Viewers, XPS Viewers, and Rights Management Add-on
Since enforcement of rights is done at the application level, an AD RMS-enabled application, such as Microsoft Office 2003, Office 2007, or , Office 2010 is required to create and view/consume rights protected information. For users who are not running Office 2003, Office 2007, or Office 2010, Microsoft has made available the Microsoft Office Viewers, the XPS Viewers, and a free Rights Management Add-on for Internet Explorer that enables users to view protected information, while still enforcing the rights. These may be downloaded for free from the Microsoft Web site.
Microsoft Office Viewers
The following lists the Microsoft Office Viewers. A circle (●) indicates that the viewer can be used to view rights-protected content saved by the Office application named in the first column.
Office Viewers
| Documents | Microsoft Office 2003 Viewer (Word, Excel, PowerPoint) |
Microsoft Office 2007 Viewer (Word, Excel, PowerPoint) |
Microsoft Office Viewer (Word, Excel, PowerPoint) |
|---|---|---|---|
Microsoft Word 2003 |
● |
● |
● |
Microsoft Excel 2003 |
● |
● |
● |
Microsoft PowerPoint 2003 |
|||
Microsoft Word 2007 |
● |
● |
|
Microsoft Excel 2007 |
● |
● |
|
Microsoft PowerPoint 2007 |
|||
Microsoft Word 2010 |
● |
||
Microsoft Excel 2010 |
● |
||
Microsoft PowerPoint 2010 |
The following list contains links for downloading Microsoft Office Viewers. You can only view protected content with the Microsoft Office Viewers; you will not be able to edit it.
Rights Management Add-on
The Windows Rights Management Add-on for Internet Explorer provides a way for users of supported Windows operating systems to view, but not alter, files with restricted permission. These restrictions, as with all RMS protected content, enable authors to prevent sensitive documents, Web-based information, and e-mail messages from being forwarded, edited, or copied by unauthorized individuals. These restrictions provide protection, not only while the information is in transit, but also after the recipient of the information has received it.
Rights Management Add-on
| Documents | Rights Management Add-on for Internet Explorer |
|---|---|
Microsoft Word 2003 |
● |
Microsoft Excel 2003 |
● |
Microsoft PowerPoint 2003 |
● |
Microsoft Word 2007 |
Not Available |
Microsoft Excel 2007 |
Not Available |
Microsoft PowerPoint 2007 |
Not Available |
Microsoft XPS Viewers
In order to view restricted XPS content, you can use one of the following two free XPS viewers provided by Microsoft.
Microsoft XPS Viewer – create/view rights managed XPS documents.
Microsoft XPS Essentials Pack – view rights managed XPS documents.
The table below summarizes the key features for each viewer.
XPS Viewers rights management feature summary
| Microsoft XPS Viewer Features | Microsoft XPS Essentials Pack Features |
|---|---|
Use Network or Windows Live ID account to open RM protected XPS document |
Use Network or Windows Live ID account to open RM protected XPS document |
Selection of an account to be used when opening restricted document |
Selection of an account to be used when opening restricted document |
Visual feedback in XPS viewer when an XPS document is protected |
Visual feedback in XPS viewer when an XPS document is protected(RM Button enabled or disabled on the toolbar) |
Management of RM accounts |
|
Grant access to one or more users for the following:
|
|
Select users from Windows Address Book |
|
Provide e-mail address to request additional permissions |
|
Set an expiration date for applied permissions on XPS document |
Each of these viewers can be downloaded from: View and Generate XPS
The following is a list of important information regarding the XPS viewers.
On Windows XP you need to install the .NET Framework 3.0 SP1.
On Windows Vista, you also need to install the latest version of the .NET Framework. There is a known issue with using the XPS viewer that is included with the .NET Framework 3.0 when trying to access rights protected content. For additional information on this, see Error message when you try to open or to create a protected XPS document
If you are outside of the domain and you need to locate your AD RMS installation you can do this by adding the following registry keys. Change the URL to match the URL for your server. These keys can be used with the XPS viewer, the Office Viewers, and the RMA add-on.
HKEY_LOCAL_MACHINE/Software/Microsoft/MSDRM/ServiceLocation/Activation
STRING: https://url.to.rms.server/\_wmcs/certification
HKEY_LOCAL_MACHINE /Software/Microsoft/MSDRM/ServiceLocation/EnterprisePublishing
STRING: https://url.to.rms.server/\_wmcs/licensing
For more information on these registry keys, see AD RMS Client Deployment and Usage Considerations (https://go.microsoft.com/fwlink/?LinkID=153481)
When using either the 32-bit or 64-bit versions of Windows Vista and attempting to access an XPS document that has been rights protected, and you may receive an error similar to:
System.Security.RightsManagement.RightsManagementException: Rights management operation failed INVALID USE OF SYMBOLS System.Runtime.InteropServices.COMException (0x8004CF79): Exception from HRESULT: 0x8004CF79.
To resolve this, add the following registry key for the version of Windows Vista you are using.
Windows Vista 32-bit: HKEY_LOCAL_MACHINE/Software/Microsoft/.NetFramework/Windows Presentation Foundation/Hosting
Windows Vista 64-bit: HKEY_LOCAL_MACHINE/Software/WOW6432Node/Microsoft/.NetFramework/Windows Presentation Foundation/Hosting
DWORD: RunUnrestricted
Value: 1
2007 Microsoft Office Add-in: Microsoft Save as XPS
The XPS viewer requires setting IRM permissions within the viewer itself so that they cannot use IRM functions directly from the 2007 Microsoft Office applications. This functionality is not included in Office 2007 RTM. The 2007 Microsoft Office add-in allows you to export and save to the XPS format directly in eight Microsoft Office 2007 programs.
This functionality was included in Office 2007 Service Pack 2. If you are not on SP2 and need to download the add-in see 2007 Microsoft Office Add-in Microsoft Save as XPS