Windows & .NET Magazine UPDATE--December 16, 2003

This Issue Sponsored By

Argent Software



1. Commentary: Deploying Windows Rights Management Services

2. Hot Off the Press
- Microsoft Opens European Front in War on

3. Announcements
- Announcing a New eBook: "Content Security in the Enterprise--Spam and Beyond"
- Take Our Print Publications Survey!
- New--Microsoft Security Strategies Roadshow 2004!

4. Inside Windows Scripting Solutions
- January 2004 Issue
- Focus: Creative Coding

5. Instant Poll
- Results of Previous Poll: Upgrading to Windows XP
- New Instant Poll: Deploying Windows RMS

6. Resources
- Featured Thread: Roaming Profile Problem
- Tip: Which actions occur when I click Repair on a network connection in Windows XP and later?

7. Event
- Receive a Free Identity Management White Paper!

8. New and Improved
- Automate Disk Defragmentation
- Eliminate Spam
- Tell Us About a Hot Product and Get a T-Shirt!

9. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: Argent Software ====
Network Testing Labs, one of the world's leading independent research companies, put together a comprehensive Comparison Paper on two leading enterprise monitoring solutions. Their conclusion: "The Argent Guardian easily beats out MOM in all our tests... The Argent Guardian will cost far less than MOM and yet provide significantly more functionality." Find out for yourself why organizations like Major League Baseball, GE Capital, AT&T, Harley Davidson, and Nokia all rely on The Argent Guardian for their enterprise monitoring and alerting needs. Download this Comparison Paper now:


==== 1. Commentary: Deploying Windows Rights Management Services ====
by Paul Thurrott, News Editor, [email protected]

Last week, I discussed the impetus behind one of Microsoft's more interesting out-of-band (OOB) updates to Windows Server 2003, Windows Rights Management Services (RMS). Windows RMS helps protect enterprise information in email and other documents by applying rights management technology in a manageable, easily deployable fashion. As you might expect, the initial Windows RMS version is very much a version 1.0 product, fulfilling only the most needed functionality; for example, it provides no way to quickly apply rights to folders of preexisting documents, although various Windows RMS partners are working to fill that void. But like many of Microsoft's latest products, Windows RMS appears to be a high-quality and intriguing solution to real-world problems. This week, I look at how you deploy Windows RMS in your enterprise.

To test Windows RMS, I added a compatible server to my test domain. Windows RMS requires Windows 2003, Microsoft SQL Server 2000 Service Pack 3 (SP3) or Microsoft SQL Server Desktop Engine (MSDE--which is applicable only to test installations, but I tested SQL Server 2000 Enterprise Edition SP3 running on Windows 2003, Enterprise Edition), and Microsoft Internet Information Services (IIS) 6.0 with ASP.NET and Microsoft Message Queue Services (MSMQ) enabled. The server installer is a relatively simple affair, adding the Windows RMS components, Web-based administration front end, and documentation to the server, with no reboot required. You can also optionally configure a Hardware Security Module (HSM) for storing Windows RMS private keys and Secure Sockets Layer (SSL) for remote HTTP access to the Windows RMS administrative Web site; I didn't test either of these options.

After the installation finishes, you need to provision this first (and possibly only) Windows RMS server. The first Windows RMS server is called the root certificate server; this server is responsible for certifying rights requests to Windows RMS clients in your organization, although you can provision additional servers for redundancy and load balancing. I tested a single-server installation.

To provision Windows RMS, launch the Windows RMS Administration shortcut, found in the new Windows RMS folder on your Start menu. The Windows RMS front end is solely Web-based, with no Microsoft Management Console (MMC)- or wizard-based administration tools available. When you click the "Provision RMS on this Web site" link, you are provided with one page that steps you through the provisioning process. Frankly, I'd rather see a wizard-based provisioning tool because each step has various dependencies, and if you don't fill out the form on this page correctly, you're forced to return and reenter data. No biggie: Again, it's a 1.0 product, and this feature should improve by the next version, which is due in Windows Server Longhorn, the next Windows OS.

The "Provision the RMS Root Certification Server" page walks you through the process of provisioning the server. You need to provide information about the SQL Server database to use (locally or remotely), the domain account to which to tie the RMS service (you should have already created this account in the MMC Active Directory Users and Computers snap-in; the local system account is acceptable for single-server installations), and the URL for the root certification server (typically the server's URL). Then, you specify the software-based password you want to use for the RMS private key (or information about the hardware-based cryptographic service provider). The password must meet the password-strength requirements you've established for logons. If your network requires special proxy settings for outbound traffic, you need to specify those settings. Finally, you can specify a public key that can revoke your enterprise licensor certificate in the event of a disaster. This last feature can be useful if the RMS server fails catastrophically or if you need to revoke your root server, which you might want to do if your root private key has been compromised somehow.

If you enter all this information correctly, Windows RMS will provision the server. Next, you establish the RMS Service Connection Point certification URL in IIS and you're good to go. The Global Administration front end now lets you administer Windows RMS and provides some interesting options. For example, you can add exclusion policies that let you disable the rights of users who have left the company, or disallow users on various Windows versions that you consider insecure from accessing protected content.

Before you deploy the Windows RMS client to your users, you'll want to establish some rights policy templates, which describe rights that can apply to information, and the context in which those rights exist (e.g., specific recipients or an Active Directory--AD--group). To administer rights policy templates, open the Windows RMS Global Administration page and select "Rights policy templates" under "Administer RMS on this Web site." No rights policies exist at first, so you'll need to create your own. Each template has a name, a set of users or groups to which the template applies, and those users' rights, including Full Control, Export (Save As), View Rights, Save, View, Print, Extract, Edit, Allow Macros, Forward, Reply, and Reply All. You can also establish an optional expiration policy; determine whether the document author has full, perpetual rights; and specify a revocation policy. I established policies for such things as "read only" and "read only but allow printing" and experimented with expiration policies a bit, but this is the place you might create such real-world templates as "Company Confidential." My goal was to get a feel for how these policies work in the real world and how they affect users attempting to access protected content; the results were impressive, as I'll discuss further next week.

You have several options for deploying the Windows RMS client to your users. You can use Group Policy, Microsoft Systems Management Server (SMS), or a similar tool. The client systems support Windows 98 SE or later (or you can use Microsoft Internet Explorer--IE--6.0 with the RMS add-on; I didn't test this configuration). I used Group Policy and the new Group Policy Management Console (GPMC) update to Windows 2003 to roll out the service. The client is distributed as an .exe file so you can deploy it through Windows Update, but you can extract a Group Policy-friendly Microsoft Installer file from the .exe by running the following command:

MSDRMClient.exe /C /T:[path to extract to]
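One way to stage the extracted installer before assigning it through Group Policy, written as an added example (it is not from this article or from the product's Deployment Guide). The three paths are hypothetical, and the script assumes the extracted .msi carries an Authenticode signature from Microsoft.

```powershell
# Added example: extract the RMS client, verify the result, then publish it.
# Assumptions (not from the article): every path below, and that the
# extracted .msi is Authenticode-signed by Microsoft.
$Package = 'C:\Staging\MSDRMClient.exe'       # downloaded client package (hypothetical path)
$Extract = 'C:\Staging\RMSClient'             # extraction target (hypothetical path)
$Share   = '\\fileserver\deploy$\RMSClient'   # software distribution share (hypothetical)

New-Item -ItemType Directory -Path $Extract -Force | Out-Null

# Same switches as the command shown in the article.
$proc = Start-Process -FilePath $Package -ArgumentList '/C', "/T:$Extract" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Extraction failed with exit code $($proc.ExitCode)"
}

$msis = @(Get-ChildItem -Path $Extract -Filter *.msi -Recurse)
if ($msis.Count -eq 0) {
    throw "No .msi file found under $Extract"
}

$verified = foreach ($msi in $msis) {
    $sig = Get-AuthenticodeSignature -FilePath $msi.FullName

    # Refuse unsigned, tampered, or untrusted packages: anything placed on the
    # distribution share is installed with elevated rights on every client.
    if ($sig.Status -ne 'Valid') {
        throw "$($msi.Name): signature status is $($sig.Status); not publishing"
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "$($msi.Name): unexpected signer $($sig.SignerCertificate.Subject)"
    }

    # Record a hash so later changes to the file on the share can be detected.
    $hash = Get-FileHash -Path $msi.FullName -Algorithm SHA256
    [pscustomobject]@{
        File   = $msi.Name
        Signer = $sig.SignerCertificate.Subject
        SHA256 = $hash.Hash
    }
}

# Publish only after every package has passed both checks.
New-Item -ItemType Directory -Path $Share -Force | Out-Null
$msis | Copy-Item -Destination $Share -Force
$verified | Export-Csv -Path (Join-Path $Extract 'published-hashes.csv') -NoTypeInformation
$verified | Format-Table -AutoSize
```

Keep the share writable only by the administrators who publish packages, and compare the recorded hashes against the share contents when auditing the Group Policy object.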

Windows RMS deployment is complicated enough that you'll want to follow the product's Deployment Guide thoroughly. The product has a lot of dependencies and requirements, and performing steps in a certain order is crucial. I specifically muddled through the process the way I believe most Windows administrators would, but if you're the kind of person who gets annoyed by Manage Your Server and its helpful wizards, don't make the mistake of working through Windows RMS without some help.

I'll finish this discussion of Windows RMS next week with a look at the client experience and answer reader questions about Windows RMS. I'll also provide some information about third parties who are building applications on top of Windows RMS and plugging some functional gaps.


==== Sponsor: MailFrontier ====
How To Test an Anti-Spam Solution, And Get Results You Can Trust – by MailFrontier
Learn how to mitigate the risk of misleading effectiveness rates and administration overhead while evaluating an anti-spam solution – Download Whitepaper Now!


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Opens European Front in War on
Faced with a formidable legal challenge in the United States, Microsoft has turned to Europe in its battle against Linux distribution maker A Swedish court recently granted Microsoft an injunction barring from advertising its OS in Sweden, and Microsoft has warned resellers in Europe not to distribute LindowsOS, citing's debatable infringement of Microsoft's Windows trademark. Meanwhile, in the United States, a court will determine in March 2004 whether that infringement is real and, perhaps more important, whether Microsoft can own a trademark on a generic term such as Windows. To read the entire story, visit the following URL:

==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)

Announcing a New eBook: "Content Security in the Enterprise--Spam and Beyond"
This eBook explores how to reduce and eliminate the risks from Internet applications such as email, Web browsing, and Instant Messaging by limiting inappropriate use, eliminating spam, protecting corporate information assets, and ensuring that these vital resources are secure and available for authorized business purposes. Download this eBook now free!

Take Our Print Publications Survey!
To help us improve the hardware and software product coverage in the Windows & .NET Magazine print publications, we need your opinion about what products matter most to you and your organization. The survey takes only a few minutes to finish, so share your thoughts with us at

New--Microsoft Security Strategies Roadshow 2004!
Join industry-guru Mark Minasi on this exciting 20-city tour and learn more about tips and best practices to secure your Windows Server 2003 and Windows 2000 networks. There is no charge for this event, but space is limited, so register today!

~~~~ Hot Release: Free Trial – Fast and Easy Network Management ~~~~
Managing your company's IT assets means more than just selection and maintenance. Reporting, inventory, deployment and forecasting are also part of the job. Learn about an easy, full-featured IT asset management solution that provides you with the tools you need. Click here for a free trial download of NetSupport DNA.

==== 4. Inside Windows Scripting Solutions ====

Windows Scripting Solutions is a monthly paid print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. NONSUBSCRIBERS can access all the newsletter content in the online article archive from the premiere issue of Windows Scripting Solutions (December 1998) through the print issue released 1 year ago.

We've updated our Web site!
To continue bringing you the highest quality articles and information, and to make it easier for you to access our site, we have created a simple registration process that will let you access important security-related articles and other resources on the Windows & .NET Magazine Network plus receive special discounts and other benefits. When you register, you will pick a logon ID and password, tell us a little bit about yourself, and be on your way.

In addition to receiving the monthly print newsletter, SUBSCRIBERS can access all the newsletter content, including the most recent issue, at the Windows Scripting Solutions Web site. Subscribe today and access all 2003 issues online!

January 2004 Issue
To access this issue of Windows Scripting Solutions, go to the following URL:

Focus: Creative Coding
To write useful scripts, you sometimes have to be creative. For example, you can use the Windows Clipboard to provide input to your scripts.

Using WMI to Manage AD Replication in Windows Server 2003
Manage AD replication with WMIADRepl.wsf.
-- Alain Lissoir

==== 5. Instant Poll ====

Results of Previous Poll: Upgrading to Windows XP
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "If you use an earlier desktop OS, what keeps you from upgrading to Windows XP?" Here are the results from the 397 votes:
- 16% Current hardware won't support it
- 30% Satisfactory performance of current OS
- 39% Software and licensing costs
- 4% XP security concerns
- 12% Other

(Deviations from 100 percent are due to rounding error.)

New Instant Poll: Deploying Windows RMS
The next Instant Poll question is, "Do you plan to deploy Windows Rights Management Services (RMS) technology in your enterprise?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, b) No, or c) I don't know.

==== 6. Resources ====

Featured Thread: Roaming Profile Problem
User wunderkind manages a Windows Server 2003 network. After upgrading clients from Windows 2000 to Windows XP, he couldn't get his supervisor's profile to roam. He set the "status" as roaming but the "type" would always be "temp," never local or roaming. He finally swapped out the PC and everything worked fine. What could have caused his problem? Join the discussion at the following URL:

Tip: Which actions occur when I click Repair on a network connection in Windows XP and later?
by John Savill,

If you right-click a network connection and select Status, Windows displays information about the connection's speed, duration of connection, and packet activity. For XP and later, a Repair option appears on the Support tab. When you click Repair, Windows attempts to resolve a range of problems. Specifically, the OS

- attempts to renew the DHCP lease, if the connection obtains its IP address through DHCP, by using a broadcast message

- flushes the Address Resolution Protocol (ARP) cache by using the command

arp -d *

- flushes the NetBIOS cache by using the command

nbtstat -R

- flushes the DNS cache by using the command

ipconfig /flushdns

- reregisters the NetBIOS name and IP address with WINS by using the command

nbtstat -RR

- reregisters the computer name and IP address with DNS by using the command

ipconfig /registerdns

==== 7. Event ====
(brought to you by Windows & .NET Magazine)

Receive a Free Identity Management White Paper!
Are your existing identity-management and access-control solutions fragmented, duplicated, and inefficient? Attend this free Web seminar and discover how to automate and simplify identity creation, administration, and access control. Leverage your investment in Microsoft technologies and benefit from greater security, improved productivity, and better manageability. Register now!

==== 8. New and Improved ====
by Carolyn Mader, [email protected]

Automate Disk Defragmentation
ABEXO released ABEXO Defragmenter Lite/Pro/Plus 1.1, a utility that automates disk defragmentation. The software runs on Windows XP/Me/98 systems and can clean up your hard disk, remove the pagefile, disable running applications, run Windows/DOS scandisk, run the Windows/DOS defragmentation utility, set the pagefile, enable running applications, and shut down or restart Windows. The Professional versions include command-line capability for automation purposes. The Plus versions include disk cleanup functionality. For pricing, contact ABEXO at [email protected]

Eliminate Spam
Spam Liquidator released Anti-Spam Filter 1.2, a Windows-based self-learning spam filtering system that provides spam protection without deleting the important correspondence. Anti-Spam Filter maintains its own collaborative spam-tracking database. The software is different from other antispam programs in that you're not the only one to teach it; a collection of project users contribute to it. The process of reporting spam takes only two mouse clicks, and you share your findings with an international community of Anti-Spam Filter users. For pricing, contact Spam Liquidator at [email protected]

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]



==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.
