Modifying existing AD RMS Rights Policy Templates.

Updated: May 28, 2012.
Applies To: Windows Server 2008 R2

A common misconception when dealing with AD RMS Rights Policy Templates is that once they have been distributed, they cannot be modified, or if they were to be modified, they’d need to be redistributed to end-users again. This is completely false, as I will try to demonstrate in this article.

For those of you who are not familiar with the topic, let me explain what Rights Policy Templates are. An RPT is a pre-defined security policy that can be applied to a document when protecting it with RMS. A template is basically a list of users or groups that can access the document, along with the actions they may perform on it, such as read, edit, forward, print, etc. RPTs make it very easy for end-users to apply protection to the documents they create. Otherwise, they’d need to manually configure each individual action and each authorized entity for every new document that required protection.

In order for a user to apply a template when protecting a document, a copy of the template must be stored locally on the user’s computer or be accessible to the RMS-enabled application (Word, Excel, Outlook, etc.) in some other way, such as through a network share. Templates are created by AD RMS administrators on the AD RMS server and can later be distributed to client computers using different mechanisms.

So, what happens if I released a template named Money-Issues that gave read permissions to the users in the Finance group, but later I decide that users in the Accounting group may also access documents protected with that template? Do I have to re-protect and re-distribute the document? The answer is no. The RMS administrator can modify the Money-Issues template on the RMS server, adding read permissions for the Accounting group.

But what if a few weeks later I decide that users in the Accounting group should no longer be able to access the information? Does removing the Accounting group from the template do the trick? Well, not really. When a user opens an RMS-protected document using, let’s say, Microsoft Word, the application contacts the company’s RMS server to request a Use License for that document. The server verifies the consumer’s credentials and issues a license that grants the user the ability to access the document. The problem is that Use Licenses are cached by default. While this allows clients to consume the document multiple times without having to contact the RMS server, it makes it impossible to restrict access to the document after the Use License has been granted. In our case, any user in the Accounting group who had accessed the document before the permissions were restricted can continue to open and read the document in the future.

Fortunately, RMS servers can be configured to issue what I call one-time Use Licenses, requiring users to obtain a new license every time a document is consumed, which is often referred to as “disabling client-side caching”. If our Money-Issues template had been configured to make users request a new license every time they needed to access the document, users in the Accounting group would no longer have access to documents protected with the template, as the RMS server would deny the license.

One could wonder what happens when an old version of a template is used to protect a document. Let’s say that Alice has an old copy of the Money-Issues template on her laptop, the one that allowed both the Finance and the Accounting groups to access the information. What if Alice protects a document with her local template and sends the document to Bob, who is a member of the Accounting group? Would Bob be able to open it? The answer is no. When a document is protected with a given template, only the template identifier is attached to the document, not the explicit list of permissions specified in the template. In our case, when Bob attempts to consume the document, the RMS server receives the template ID and determines whether the current configuration for that template allows Bob to access the information. As the current version of the template no longer authorizes the Accounting group, the RMS server will deny the request and Bob will not be able to open the document.
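To make the two behaviours above concrete (a cached Use License surviving a template change, and the template ID rather than the local permission list travelling with the document), here is an added Python model of the Money-Issues scenario; it is not code from this article or from AD RMS, and the template ID `T1`, the group names and the `cacheable` flag are constructed for the example.

```python
from dataclasses import dataclass, field

# Model of the behaviour described above (not the AD RMS API); all data is constructed.
@dataclass
class Template:
    readers: set               # groups granted read access in the master template
    require_new_license: bool  # "Require a new use license every time ..." ticked

@dataclass
class RmsServer:
    templates: dict            # master templates, keyed by template ID
    def request_use_license(self, user_groups, template_id):
        # Permissions are resolved against the *current* master template.
        tpl = self.templates[template_id]
        if not user_groups & tpl.readers:
            return None        # Use License denied
        return {"cacheable": not tpl.require_new_license}

@dataclass
class Client:
    groups: set
    cache: dict = field(default_factory=dict)  # Use Licenses kept on the client

    def open_document(self, server, doc):
        if doc["template_id"] in self.cache:   # cached license: server never consulted
            return True
        lic = server.request_use_license(self.groups, doc["template_id"])
        if lic and lic["cacheable"]:
            self.cache[doc["template_id"]] = lic
        return lic is not None

def protect(template_id, local_copy_readers):
    # Only the template ID travels with the document, never the local copy's permission list.
    return {"template_id": template_id}

def revocation_case(require_new_license):
    """Accounting user opens the doc, then Accounting is removed. Returns (before, after)."""
    server = RmsServer({"T1": Template({"Finance", "Accounting"}, require_new_license)})
    doc = protect("T1", {"Finance", "Accounting"})
    bob = Client({"Accounting"})
    before = bob.open_document(server, doc)
    server.templates["T1"].readers.discard("Accounting")   # admin edits the master template
    return before, bob.open_document(server, doc)

def stale_template_case():
    """Alice protects with an old local copy still listing Accounting; Bob (Accounting) opens."""
    server = RmsServer({"T1": Template({"Finance"}, True)})
    doc = protect("T1", local_copy_readers={"Finance", "Accounting"})
    return Client({"Accounting"}).open_document(server, doc)
```

With caching left on, `revocation_case(False)` returns `(True, True)`: Bob keeps access after the template change; with one-time licenses, `revocation_case(True)` returns `(True, False)`, and `stale_template_case()` is `False` regardless of what Alice's local copy said.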

Just in case something is not clear enough, let's go through another example: Contoso is about to release a new product, the Foo-o-matic, which provides a revolutionary new component, the Megabargrel. The technical documentation for the product was finished a week ago, but the product manager does not want the support engineers to have access to it until the exact moment the product is launched. Last time, someone in that group leaked some technical specs to the press a week before the launch, which negatively impacted the product’s momentum. However, the documentation needs to be readily available the minute the product is announced, so the support engineers can start learning about the new product immediately.

Alice, who is the AD RMS administrator at Contoso, logs into a Windows 2008 R2 server that has the AD RMS server role installed, and creates a new template called “New Product Launch”.

The template doesn’t provide access to any user or group at all. It also disables Use License caching.

A week before the release, Bob, the product manager of the Foo-o-matic, protects the Foo-o-matic_Specs&OperationsGuide.docx document with that template and uploads it to a network share that is accessible to everyone within the organization.

Carol, a support engineer, and many other employees from different departments, notice the new document and try to open it. The RMS server denies all requests, as the “New Product Launch” template does not explicitly allow access to any user or group.

A week later, 5 minutes before the official release of the product, Alice modifies the template and grants users in the SupportEngineers group access to the documents protected with the template.

Now, when Carol opens the document, the RMS server verifies that she is a member of the SupportEngineers group, and issues a Use License that allows her to access the product’s documentation.

Any other user outside the SupportEngineers group is denied access.

In this article I have discussed what AD RMS Rights Policy Templates are in Windows 2008 R2 and what happens when templates are modified after they have been distributed and/or after a document has been protected with them.

The MITM.

Quick FAQ:

Q: Is it possible to modify a template after it has been distributed to the users?
A: Yes.

Q: What do I need to take into account when I create a template?
A: Make sure that you select the option “Require a new use license every time the content is consumed” if you think you’ll need to modify the template in the future.

Q: Do I need to update the local copies of a template in all client stations when I modify a template in the RMS server?
A: It is good practice, but it is not absolutely necessary. If client-side caching is disabled, the permissions applied to the document will always be the ones specified in the “master” template, the one stored on the RMS server, at the time of consumption.

Q: What are the downsides of disabling client-side caching?
A: Users need to have connectivity to the RMS server every time they need to consume an RMS-protected document. Also, for large environments one should consider deploying a cluster of RMS servers along with some load-balancing mechanism.