IRM in Outlook 2007

This post is the first in a multi-part series dedicated to Information Rights Management (IRM) in Outlook 2007. While IRM has been a part of Microsoft Office and Outlook since the 2003 release, we often receive questions regarding the deployment of the system and its practical uses.

To address these questions we will be writing an IRM specific blog series that will cover the following topics:

• What is IRM in Outlook?
• What IRM infrastructure do I need?
• What are IRM Templates and how do I use them?
• How does Microsoft use IRM?
• How can I use IRM at my company?
• The IRM Resource index

A substantial amount of documentation for IRM is available on the Internet. It is, however, often difficult for people to get a good end-to-end overview of how to configure and use IRM in the Office 2007 system. As part of this series, we will be providing a list of resources that we think will help you in further understanding IRM.

Now let’s get to the fun stuff. ;-)

Firstly, what is IRM?

The official IRM ‘mantra’ is:

“IRM helps individuals enforce their preferences concerning the transmission of personal or private information. IRM also helps organizations enforce corporate policy governing the control and dissemination of confidential or proprietary information.” (Office Online)

IRM provides customers using Outlook with a method to specify “restrictions” on messages that they send so that they may control how their content is used. For example a sender can use IRM to ensure recipients cannot forward, copy, or edit the message.

For larger organizations, one of the coolest additions to the IRM “arsenal” in Microsoft Office 2007 is the ability to create custom permission templates by using a Rights Management Service (RMS) server. This enables customers to create custom permission templates specific to their organization. Due to the amount of detail we need to go into to cover this adequately we will explain RMS in more detail in a future post.

What is IRM good for? Are there any limitations?

It is important to understand that IRM is not a silver bullet. IRM protected messages can be used to help with the following scenarios

• Preventing the recipient from forwarding, copying, modifying, printing, or otherwise using your content without your permission.
• Preventing restricted content from being copied in Windows by using the Print Screen feature.
• Restricting your content with your chosen restrictions regardless of where it is sent.
• Providing a consistent level of restrictions to e-mail attachments created using the Microsoft Office 2007 suite of programs.
• Defining an expiration date so that content in documents and e-mail messages can no longer be viewed after a certain date.
• Enforcing your organizations policies that govern the use and dissemination of content in the company.

It is important to note that IRM can't prevent the following:

• Content from being erased, stolen, or captured and transmitted by malicious programs such as Trojan horses, keystroke loggers, and certain types of spy-ware.
• Content from being lost or corrupted because of the actions of computer viruses.
• Analog attacks such as hand-copying or taking a digital photograph of restricted content from the recipient's screen.
• Restricted content from being copied by using third-party screen-capture programs.

How do I set IRM permissions on a message I will be sending?

The example below shows two popular methods to compose an e-mail and send it using the IRM “Do Not Forward” restriction. This restriction allows recipients to read, copy, modify and print the message but not to forward it to other people.

1. Open Outlook 2007 and compose a new mail message by clicking on the “New Mail Message” button.
    
2. Select the “Do Not Forward” IRM restriction for the message. This can be done by clicking on the Microsoft Office Button and then choosing Permission, “Do Not Forward”.

Alternatively this can be accessed by clicking on the Permission button in the ribbon and then selecting the “Do Not Forward” restriction.

If the Microsoft IRM add-on has not been installed on your machine, Outlook 2007 will prompt you to download the latest version of the Rights Management Service (RMS) client software.

Once you have set the permissions, an InfoBar will show in the message explaining the restrictions that have been placed on the message. (The InfoBar is the banner near the top of a mail message.)

Once you have sent the message, your copy of the message in Sent Items will have a special icon next to it so that you can easily tell that it has an IRM restriction:

What does it look like when your recipient receives your IRM protected message?

Firstly, when your recipient attempts to open your IRM protected message, Outlook 2007 checks to see if a valid certificate (which is necessary to open IRM'd mail) is accessible. The certificate is a digital finger print that is used to verify a user’s identity. In the event that there is no certificate for this mail, Outlook 2007 will give the option to connect to Microsoft’s service to obtain one. (More on this in a future post.)

Once the certificate has been installed the message can be opened and viewed. The InfoBar will indicate that the message is restricted (and what the restrictions are) as well as disabling the appropriate commands. In this case, your recipient will see that forward is disabled but that Reply and Reply to All are still active.

And finally here is what the message looks like when your recipient opens it:

The following Microsoft articles were referenced in this post.

1. The purpose of IRM and its limitations
(http://office.microsoft.com/en-us/help/HA101003661033.aspx#1)

2. Protect confidential e-mail information using IRM in Outlook 2007
(http://office.microsoft.com/en-us/outlook/HA102325901033.aspx)

Next blog post: “What I need to get IRM working.”

Thanks,

Benjamin Gay and Alessio Roic
Software Developer in Test and Program Manger
Outlook Product Team