Managing Exclusion Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can implement server-side exclusion policies to deny certificate and license requests based on either the rights account certificate or the lockbox version. Exclusion policies deny new certificate and license requests made by compromised principals, but unlike revocation, exclusion policies do not invalidate the principals. Administrators can also exclude potentially harmful or compromised applications so that they cannot decrypt rights-protected content. In addition, administrators can exclude certain versions of the Windows operating system, preventing rights-protected content from being consumed on client computers that are running those versions.

When an entity is excluded, use licenses created by the RMS server specify that entity in their exclusion list. If, after a period of time, you decide to delete an entity that you previously included in an exclusion policy, you can delete it on the Exclusion policies page of the administration Web site. This removes the entity from the exclusion list, and any new certification or licensing requests will no longer treat this entity as excluded.

Unless you excluded an entity inadvertently, it is recommended that you do not remove it from an exclusion policy until you can be sure that all of the certificates that were issued before the exclusion policy was created have expired. Otherwise, both the old certificates and the new certificates will allow the content to be decrypted, which may not be what your organization wants.
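To make the timing caveat concrete, the following added Python model (not part of this topic or of RMS itself; the class and field names are assumptions, and the timeline is constructed) issues use licenses that carry a snapshot of the server's exclusion list, and shows why lifting an exclusion before the older licenses expire leaves a compromised lockbox version able to decrypt with both the old and the new licenses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class UseLicense:
    issued_at: datetime
    expires_at: datetime
    excluded_lockboxes: frozenset  # exclusion list embedded at issue time

class RmsServer:
    """Toy model of a licensing server's lockbox-version exclusion policy."""
    def __init__(self, license_lifetime: timedelta):
        self.license_lifetime = license_lifetime
        self.excluded_lockboxes = set()

    def exclude_lockbox(self, version: str) -> None:
        self.excluded_lockboxes.add(version)

    def remove_exclusion(self, version: str) -> None:
        self.excluded_lockboxes.discard(version)

    def issue_use_license(self, lockbox_version: str, now: datetime):
        # Server side: deny a new request from an excluded lockbox; otherwise
        # snapshot the current exclusion list into the license.
        if lockbox_version in self.excluded_lockboxes:
            return None
        return UseLicense(now, now + self.license_lifetime,
                          frozenset(self.excluded_lockboxes))

def can_decrypt(lic: UseLicense, lockbox_version: str, now: datetime) -> bool:
    # Client side: an unexpired license whose embedded list names this lockbox
    # cannot be used by it; an older license without the entry still can.
    if not lic.issued_at <= now < lic.expires_at:
        return False
    return lockbox_version not in lic.excluded_lockboxes

def premature_removal_scenario() -> dict:
    """Constructed timeline: exclude lockbox-1.0 on day 10, lift it on day 20."""
    t0, day = datetime(2007, 1, 1), timedelta(days=1)
    server = RmsServer(license_lifetime=30 * day)
    old = server.issue_use_license("lockbox-1.0", t0)          # pre-exclusion
    server.exclude_lockbox("lockbox-1.0")
    denied = server.issue_use_license("lockbox-1.0", t0 + 10 * day) is None
    during = server.issue_use_license("lockbox-2.0", t0 + 10 * day)
    server.remove_exclusion("lockbox-1.0")                     # too early
    new, t20 = server.issue_use_license("lockbox-1.0", t0 + 20 * day), t0 + 20 * day
    return {"denied_while_excluded": denied,
            "blocked_by_licenses_issued_meanwhile": not can_decrypt(during, "lockbox-1.0", t20),
            "old_license_still_decrypts": can_decrypt(old, "lockbox-1.0", t20),
            "new_license_decrypts": can_decrypt(new, "lockbox-1.0", t20),
            "old_license_after_expiry": can_decrypt(old, "lockbox-1.0", t0 + 31 * day)}
```

Only once the day-0 license has expired (the last result) does removing the exclusion leave the compromised lockbox with no usable license.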

This topic provides information about managing exclusion policy. For step-by-step instructions on excluding entities, see “Enable Exclusion Policies” later in this subject.

This section covers: