AD RMS and Microsoft Office Deployment Considerations

Applies To: Windows Server 2008, Windows Server 2008 R2

The following document provides guidance about the various Microsoft® Office suites and the supported AD RMS features.

Microsoft Office Suites, Information Rights Management, and Active Directory Rights Management Services

Information Rights Management (IRM) allows individuals and administrators to specify access permissions to documents, workbooks, and presentations. This helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. After permission for a file has been restricted by using IRM, the access and usage restrictions are enforced no matter where the information is, because the permission to a file is stored in the document file itself.

IRM helps to do the following:

  • Prevent an authorized recipient of restricted content from forwarding, copying, modifying, printing, faxing, or pasting the content for unauthorized use.

  • Prevent restricted content from being copied by using the print screen feature of a Microsoft Windows operating system.

  • Restrict content wherever it is sent.

  • Support file expiration so that content in documents can no longer be viewed after a specified period of time.

  • Enforce corporate policies that govern the use and dissemination of content within the company.

AD RMS-aware applications implement IRM to help prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. Once permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file. The Microsoft Office System is comprised of several AD RMS-enabled applications such as Microsoft Office Word 2007, Microsoft Office Excel 2007, and Microsoft Office PowerPoint 2007.

This document starts at a broad level with the supported Microsoft Office versions and editions that are available. It then examines the supported applications within these editions and, finally, details the supported file types of these applications. This document also provides guidance about using AD RMS with XPS, the XML Paper Specification.

Microsoft Office Suites and AD RMS Features

The following table describes the various Microsoft Office suites that support rights management and summarizes the available features in each.

Microsoft Office and AD RMS features summary

Office Suite | Office Edition – Create and Consume Protected Content | Office Edition – Consume Protected Content

Microsoft Office 2003

Enterprise

Standard*

Professional

Basic*

Small Business*

Student and Teacher*

Word Viewer 2003

Excel Viewer 2003

PowerPoint Viewer 2003

Microsoft Office 2007

Ultimate

Professional*

Enterprise

Small Business*

Professional Plus

Home and Student*

Standard*

Word Viewer 2007

Excel Viewer 2007

PowerPoint Viewer 2007

Microsoft Office 2010

Professional Plus

Professional*

Professional Academic*

Home and Business*

Home and Student*

Word Viewer

Excel Viewer

*Can also be used to edit existing protected content, for example, by replying to a protected message or by revising a protected document

Microsoft Office Mobile (requires version 6.0 minimum)

Outlook

Word

Excel

PowerPoint

Supported AD RMS-enabled Office Applications

Microsoft Office comprises several different applications. Not every application in the Microsoft Office suites supports rights management. This section provides guidance about which applications in the various Office versions support rights management.

The following table describes the various AD RMS-enabled applications that are supported in various versions and editions of Microsoft Office.

Microsoft Office Versions and AD RMS Features summary

AD RMS-enabled Applications | Microsoft Office 2003 | Microsoft Office 2007, Microsoft Office 2010 | Microsoft Office Mobile

Microsoft Word

Microsoft Excel

Microsoft PowerPoint

Microsoft Outlook

Microsoft InfoPath

Not provided

Not provided

Supported Microsoft Office File Types

There are several different file types that exist within Word, Excel, and PowerPoint. There are also several new file types that were introduced with Microsoft Office 2007. This section details the supported rights managed file types within these applications.

Microsoft Office Word

The following is a list of supported rights managed Microsoft Office Word file types.

Supported Rights Managed Microsoft Office Word File Types

File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support

Document | .doc

Document | .docx

Macro-enabled document | .docm

Template | .dot

Template | .dotx

Macro-enabled template | .dotm

XML Paper Specification | .xps

Microsoft Office Excel

The following is a list of supported rights managed Microsoft Office Excel file types.

Supported Rights Managed Microsoft Office Excel File Types

File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support

Workbook | .xls

Workbook | .xlsx

Macro-enabled workbook | .xlsm

Template | .xlt

Template | .xltx

Macro-enabled template | .xltm

Non-XML binary workbook | .xlsb

Macro-enabled add-in | .xla

Macro-enabled add-in | .xlam

XML Paper Specification | .xps

Microsoft Office PowerPoint

The following is a list of supported rights managed Microsoft Office PowerPoint file types.

Supported Rights Managed Microsoft Office PowerPoint File Types

File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support

Presentation | .ppt

Presentation | .pptx

Macro-enabled presentation | .pptm

Template | .pot

Template | .potx

Macro-enabled template | .potm

Show | .pps

Show | .ppsx

Macro-enabled show | .ppsm

Office theme | .thm

Office theme | .thmx

XML Paper Specification | .xps

Microsoft Office InfoPath

Microsoft Office InfoPath 2007 – Microsoft Office InfoPath is an information-gathering program introduced in the 2007 release of the Microsoft Office system. With Office InfoPath 2007 and InfoPath 2010, you can create and deploy electronic forms solutions to gather information efficiently and reliably. You can also use the InfoPath Forms Services capabilities in Microsoft Office SharePoint Server 2007 and SharePoint Server 2010 to extend your business processes beyond your corporate firewall, delivering forms as Microsoft Office Outlook e-mail messages, Web browser forms, or forms for mobile devices.

Office InfoPath 2007 includes support for information rights management to help protect forms from inappropriate usage and distribution. When you design a form template in InfoPath, or send a form by using Microsoft Office Outlook 2007 or Outlook 2010, you can apply Information Rights Management (IRM) to it.

The following is a list of supported rights managed Microsoft Office InfoPath file types.

Supported Rights Managed Microsoft Office InfoPath File Types

File Type | Extension | Microsoft Office 2003 Support | Microsoft Office 2007 and Microsoft Office 2010 Support

Dynamic Form/Template | .xsn | Not Available

XML Paper Specification | .xps

Microsoft Office Outlook

Microsoft Office Outlook 2003 - Microsoft Office Outlook 2003 will automatically rights manage any of the supported Microsoft Office 2003 file types when these file types are attached to a rights managed e-mail message. This includes the same file types created using Microsoft Office 2007. For instance, if a document with a file name extension type of .doc is created using Microsoft Word 2007 and is attached to an e-mail message created with Outlook 2003, and .doc file types are being rights managed, then this file will automatically become rights managed.

Microsoft Office Outlook 2007 and Microsoft Office Outlook 2010 - When any of the Microsoft Office 2007 and Office 2010–supported file types are attached to a rights-managed e-mail message within Microsoft Outlook 2007 or Microsoft Outlook 2010, it will automatically be rights managed as well if it was not already rights protected. This includes the same file types created using Microsoft Office 2003, as well as XPS (.xps) file types. For instance, if a document with a file name extension type of .doc is created using Microsoft Word 2007 and is attached to an e-mail message created with Outlook 2003, and .doc file types are being rights managed, then this file will automatically become rights managed.

Important

When you attach a message (.msg) file to a rights managed e-mail message using Outlook 2003, Outlook 2007, or Outlook 2010, the attached message is not rights managed. IRM does not rights manage .msg file types.

XPS – XML Paper Specification

XPS is a Microsoft specification describing the architecture of the XPS Document file format, a representation of electronic paper based on XML. The XPS Document format is an open, cross-platform document format that allows customers to effortlessly create, share, print, and archive paginated documents.

XPS documents can be created by applications running on Windows XP, Windows Vista, or Windows Server 2003. XPS documents can be viewed by users of those operating systems who have installed the .NET Framework 3.0 SP1 or one of the standalone XPS viewers available for download. Windows Vista has an XPS viewer installed by default.

XPS documents have a file name extension of .xps. XPS documents can be created by any application that can print documents to the “Microsoft XPS Document Writer” virtual printer. They can also be created by simply using ‘Save As’ and choosing XPS Document in Microsoft Office 2007. This allows you to extend rights management to the other applications within Microsoft Office 2007 or Office 2010. For example, you can choose to save a Microsoft Visio 2007 design as an XPS document. At this point, this document can be rights managed. This applies to Office 2007 and Office 2010 versions of Access, Publisher, and OneNote.

If you do not have Microsoft Office 2007 or Office 2010, or are using an older version, you can also create rights managed XPS documents by using the free Microsoft XPS Viewer. See the next section for additional information on the Microsoft XPS Viewer.

Office Viewers, XPS Viewers, and Rights Management Add-on

Since enforcement of rights is done at the application level, an AD RMS-enabled application, such as Microsoft Office 2003, Office 2007, or Office 2010, is required to create and view/consume rights-protected information. For users who are not running Office 2003, Office 2007, or Office 2010, Microsoft has made available the Microsoft Office Viewers, the XPS Viewers, and a free Rights Management Add-on for Internet Explorer that enables users to view protected information, while still enforcing the rights. These may be downloaded for free from the Microsoft Web site.

Microsoft Office Viewers

The following lists the Microsoft Office Viewers. A circle indicates that the viewer can be used to view rights-protected content saved by the Office application named in the first column.

Office Viewers

Documents | Microsoft Office 2003 Viewer (Word, Excel, PowerPoint) | Microsoft Office 2007 Viewer (Word, Excel, PowerPoint) | Microsoft Office Viewer (Word, Excel, PowerPoint)

Microsoft Word 2003

Microsoft Excel 2003

Microsoft PowerPoint 2003

Microsoft Word 2007

Microsoft Excel 2007

Microsoft PowerPoint 2007

Microsoft Word 2010

Microsoft Excel 2010

Microsoft PowerPoint 2010

The following list contains links for downloading Microsoft Office Viewers. You can only view protected content with the Microsoft Office Viewers; you will not be able to edit it.

Rights Management Add-on

The Windows Rights Management Add-on for Internet Explorer provides a way for users of supported Windows operating systems to view, but not alter, files with restricted permission. These restrictions, as with all RMS protected content, enable authors to prevent sensitive documents, Web-based information, and e-mail messages from being forwarded, edited, or copied by unauthorized individuals. These restrictions provide protection, not only while the information is in transit, but also after the recipient of the information has received it.

Rights Management Add-on

Documents | Rights Management Add-on for Internet Explorer

Microsoft Word 2003

Microsoft Excel 2003

Microsoft PowerPoint 2003

Microsoft Word 2007 | Not Available

Microsoft Excel 2007 | Not Available

Microsoft PowerPoint 2007 | Not Available

Microsoft XPS Viewers

In order to view restricted XPS content, you can use one of the following two free XPS viewers provided by Microsoft.

  • Microsoft XPS Viewer – create/view rights managed XPS documents.

  • Microsoft XPS Essentials Pack – view rights managed XPS documents.

The table below summarizes the key features for each viewer.

XPS Viewers rights management feature summary

Microsoft XPS Viewer Features | Microsoft XPS Essentials Pack Features

Use Network or Windows Live ID account to open RM protected XPS document

Use Network or Windows Live ID account to open RM protected XPS document

Selection of an account to be used when opening restricted document

Selection of an account to be used when opening restricted document

Visual feedback in XPS viewer when an XPS document is protected

Visual feedback in XPS viewer when an XPS document is protected (RM Button enabled or disabled on the toolbar)

Management of RM accounts

Grant access to one or more users for the following:

  • Read

  • Copy

  • Print

  • Sign

  • Full Control

Select users from Windows Address Book

Provide e-mail address to request additional permissions

Set an expiration date for applied permissions on XPS document

Each of these viewers can be downloaded from: View and Generate XPS

The following is a list of important information regarding the XPS viewers.

  • On Windows XP you need to install the .NET Framework 3.0 SP1.

  • On Windows Vista, you also need to install the latest version of the .NET Framework. There is a known issue with using the XPS viewer that is included with the .NET Framework 3.0 when trying to access rights protected content. For additional information on this, see "Error message when you try to open or to create a protected XPS document."

  • If you are outside of the domain and you need to locate your AD RMS installation, you can do this by adding the following registry keys. Change the URL to match the URL for your server. These keys can be used with the XPS viewer, the Office Viewers, and the RMA add-on.

    HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\Activation

    STRING: https://url.to.rms.server/_wmcs/certification

    HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing

    STRING: https://url.to.rms.server/_wmcs/licensing

    For more information on these registry keys, see AD RMS Client Deployment and Usage Considerations (https://go.microsoft.com/fwlink/?LinkID=153481).

  • When using either the 32-bit or 64-bit versions of Windows Vista and attempting to access an XPS document that has been rights protected, you may receive an error similar to:

    System.Security.RightsManagement.RightsManagementException: Rights management operation failed INVALID USE OF SYMBOLS System.Runtime.InteropServices.COMException (0x8004CF79): Exception from HRESULT: 0x8004CF79.

    To resolve this, add the following registry key for the version of Windows Vista you are using.

    Windows Vista 32-bit: HKEY_LOCAL_MACHINE\Software\Microsoft\.NetFramework\Windows Presentation Foundation\Hosting

    Windows Vista 64-bit: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\.NetFramework\Windows Presentation Foundation\Hosting

    DWORD: RunUnrestricted

    Value: 1
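The service-location override from the list above, as an added PowerShell example (not part of the original page and not Microsoft's own tooling). It assumes the STRING is stored as each key's default value, and `-RmsBaseUrl` is a hypothetical parameter holding the scheme and host of your own AD RMS server.

```powershell
# Added example. Run from an elevated prompt: the keys live under HKLM.
# Assumptions: the STRING on the page is each key's (Default) value;
# -RmsBaseUrl (hypothetical name) is e.g. https://url.to.rms.server
param(
    [Parameter(Mandatory = $true)]
    [string]$RmsBaseUrl
)
$ErrorActionPreference = 'Stop'

# Accept only an absolute https URL: clients send their certification and
# licensing requests to whatever location is written into these keys.
$uri = [Uri]$RmsBaseUrl
if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
    throw "Service location must be an absolute https URL: $RmsBaseUrl"
}
# Keep scheme, host and port only, dropping any path the caller supplied.
$base = $uri.GetLeftPart([System.UriPartial]::Authority)

$root = 'HKLM:\Software\Microsoft\MSDRM\ServiceLocation'
$targets = @{
    'Activation'           = "$base/_wmcs/certification"
    'EnterprisePublishing' = "$base/_wmcs/licensing"
}

foreach ($name in $targets.Keys) {
    $key = Join-Path $root $name
    if (-not (Test-Path $key)) {
        # -Force creates any missing parent keys as well.
        New-Item -Path $key -Force | Out-Null
    }
    # Set-Item on a registry key writes the key's (Default) string value.
    Set-Item -Path $key -Value $targets[$name]

    # Read the value back and stop if it is not what was requested.
    $actual = (Get-Item -Path $key).GetValue('')
    if ($actual -ne $targets[$name]) {
        throw "Verification failed for $key (found '$actual')"
    }
    Write-Output ("{0} = {1}" -f $key, $actual)
}
```

Running the read-back half of the loop on its own is a quick way to audit which AD RMS server a client outside the domain has been pointed at.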

2007 Microsoft Office Add-in: Microsoft Save as XPS

IRM permissions must be set within the XPS viewer itself; users cannot use IRM functions directly from the 2007 Microsoft Office applications. This functionality is not included in Office 2007 RTM. The 2007 Microsoft Office add-in allows you to export and save to the XPS format directly in eight Microsoft Office 2007 programs.

This functionality was included in Office 2007 Service Pack 2. If you are not on SP2 and need to download the add-in, see 2007 Microsoft Office Add-in: Microsoft Save as XPS.