Windows & .NET Magazine UPDATE--December 9, 2003

This Issue Sponsored By

Argent Software

Unipress Software


1. Commentary: Protecting Sensitive Documents with Windows Rights Management Services

2. Hot Off the Press
- Microsoft Pulls Some Legacy Products from MSDN, Cites Sun Settlement

3. Networking Perspectives
- Malicious Hackers and Spam, Part 1

4. Announcements
- Free eBook--Migrating to Windows Server 2003, Active Directory, and Exchange 2003
- Receive a Free Identity Management White Paper!
- Take Our Print Publications Survey!

5. Instant Poll
- Results of Previous Poll: VoIP
- New Instant Poll: Upgrading to Windows XP

6. Resources
- Featured Thread: Reset Windows Server 2003 Password
- Tip: How can I stop my system from prompting me for a product ID during a Microsoft Remote Installation Services (RIS) installation?

7. Event
- New--3 Microsoft Security Road Shows!

8. New and Improved
- Join a Patch Management Discussion
- Customize Your Spam Control
- Tell Us About a Hot Product and Get a T-Shirt!

9. Contact Us
- See this section for a list of ways to contact us.

==== Sponsor: Argent Software ====
Network Testing Labs, one of the world's leading independent research companies, put together a comprehensive Comparison Paper on two leading enterprise monitoring solutions. Their conclusion: "The Argent Guardian easily beats out MOM in all our tests... The Argent Guardian will cost far less than MOM and yet provide significantly more functionality." Find out for yourself why organizations like Major League Baseball, GE Capital, AT&T, Harley Davidson, and Nokia all rely on The Argent Guardian for their enterprise monitoring and alerting needs. Download this Comparison Paper now:


==== 1. Commentary: Protecting Sensitive Documents with Windows Rights Management Services ====
by Paul Thurrott, News Editor, [email protected]

A little more than 2 months ago, I received my first introduction to Microsoft's new Windows Rights Management Services (RMS) for Windows Server 2003, one of the many out-of-band (OOB) updates the company planned for its latest Windows Server version. Microsoft describes Windows RMS as "information-protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use--both online and offline, inside and outside of the firewall," and that description is fairly accurate, if a bit sterile. In effect, Windows RMS provides an additional layer of security for sensitive documents and email whose distribution you'd like to limit in some way. Windows RMS is a premium service for all Windows 2003 versions. Every user who creates or views rights-protected content through an RMS server will need a Client Access License (CAL--which costs $29 to $37 per CAL), and if you're deploying the service in a large enterprise with numerous external users, you can purchase an external connector for $14,000 to $18,000. This connector provides unlimited access to the Windows RMS server without the need to purchase individual CALs for each external user.

About 2 years ago, Microsoft began talking to its enterprise and government customers about intellectual property theft, the fastest growing white-collar crime. You might be familiar with the Web site http://www.f#$ (replace the special characters with the appropriate letters to get the real URL), which has made a business out of publishing private internal memos from large companies. This information is precisely what most companies don't want publicized, and the amount of money that companies can lose to such theft is staggering, especially when large companies are in the middle of a complex merger and a malicious user steals and publishes legal documents or sales forecasts. With the click of a button, companies can lose their competitive advantage.

"We had this notion in our heads," Microsoft Security Business Unit Lead Product Manager Scott Hanan told me, "of a technology that was like \[Digital Rights Management (DRM)\], but not DRM. Enterprises have a lot of information they want to protect and a need for great levels of protection. Today, they take reasonable steps to protect that information. But once a recipient receives the information, you've lost control. Another problem is that while companies typically do have a formal document policy that defines what 'confidential' is, they overwhelmingly are unable to enforce it. This is the type of thing financial institutions put a huge amount of effort towards. How many times have you seen the 'please don't forward' text at the top of an email message or document? It's like an invitation to forward it."

In short, companies that work with sensitive data need a document usage policy that stays with the documents, defining how long recipients can read the document; whether the recipients can print it, forward it, edit it, extract its content, and save it in a nonprotected manner; and perform other tasks. The usage policy needs to be template-based so that companies can easily define custom policies, and it needs to be seamlessly integrated into the products the companies already use.

Responding to these needs, Microsoft worked up its Windows RMS technology, which it released early last month. Like many recent Microsoft products, Windows RMS comes with a host of requirements, most of which necessitate that your enterprise be fairly Microsoft-centric. For example, Windows RMS runs only on Windows 2003 and requires Microsoft SQL Server 2000 Service Pack 3 (SP3) or later (or SQL Server 2000 Desktop Engine SP3 or later). You must be running an Active Directory (AD)-based domain, and the Windows RMS servers must be running the Microsoft Message Queuing, Microsoft Internet Information Services (IIS) 6.0, and ASP.NET services. Supported clients--Windows 2003, Windows XP, Windows 2000 SP3, and Windows Me--must install the Windows Rights Management (RM) client, which you can deploy through Group Policy. And for enterprises looking to use this functionality in their custom applications, a set of Windows RM client software development kits (SDKs) is also available.

But Windows RMS is a platform-level service that any application can use to provide policy-based rights for any document types. Most documents support constructs such as "read only" and "print," and if you want to set permissions on application-specific tasks (such as graphics resizing in a graphics application), you can customize your policy templates so that "Company Confidential" (or similar name) is defined in one place and any RMS-enabled application can enforce the policy without you needing to create application-specific templates. You can also integrate Windows RMS into your own applications, and the poster child for that capability is, of course, Microsoft Office 2003, which includes a new Information Rights Management (IRM) feature in its Office Word 2003, Office Excel 2003, Office PowerPoint 2003, and Office Outlook 2003 applications. By using Windows RMS policies and these Office 2003 applications, you can control which users can open, copy, print, or forward email, Word documents, Excel spreadsheets, and PowerPoint presentations. Microsoft also ships a Rights Management Add-on for Internet Explorer that lets you share a protected Office document with users on previous Office versions. In the latest Word, Excel, and PowerPoint version, or in the Outlook 2003 New Mail window, IRM shows up as a Permission icon in the Standard toolbar; when you select this option, you can choose to restrict the permissions on the current document by using a simple UI to explicitly select the domain users and groups that can access the document, their exact permissions, and the expiration date of the document, if desired (after which point no one can read it).

IRM and Windows RMS won't protect you against all digital theft. You can't prevent a worker from reading the contents of a protected document over the phone, for example, although I've joked that the next generation of Microsoft Smartphone software will eliminate that problem as well. And although the technology can prevent screen captures, certain applications that bypass Windows' standard screen-capture functionality have successfully captured shots of Windows RMS-protected windows. But Windows RMS is quite a bit better than nothing, and it should be able to thwart most casual document theft.

Next week, I'll explore the process of installing, configuring, and managing Windows RMS. In the meantime, drop me a note if you're interested in knowing whether this intriguing product includes a certain feature or functionality you'd find valuable. I'll try to address all these queries next week.


Windows RMS

Windows RM client

Windows RMS SDK

Windows RM client SDK

Rights Management Add-on for Internet Explorer


==== Sponsor: Unipress Software ====
Are you optimizing your service desk? Why wait? Quickly reduce costs, improve agent workflow, & speed customer support with effective, flexible support automation. Get control over the complete customer problem management life cycle for your help desk and customer support center. Award-winning FootPrints(R) 100% web-based service desk software is easy-to-use, affordable, & fully customizable. In just days, you'll centrally manage all requests from multiple channels, deliver self-help online, manage support email, and dynamically access your Microsoft Active Directory address book. Multiple Microsoft(R) tools are supported - Microsoft Windows, .Net Services, Access, SQL Server, Outlook, Exchange, and more.
Download our new white paper, "Service Desk Optimization - Do You Have the Right Tools for the Job?"


==== 2. Hot Off the Press ====
by Paul Thurrott, thurr[email protected]

Microsoft Pulls Some Legacy Products from MSDN, Cites Sun Settlement
On December 15, Microsoft will retire a range of legacy products from its Microsoft Developer Network (MSDN) Subscriber Downloads service, which the company designed to give developer subscribers access to the company's most recent technologies and products. Citing its settlement with Sun Microsystems over the use of Microsoft-specific Java technologies in its products, Microsoft will pull Microsoft BackOffice Server 2000, Microsoft MapPoint 2002, the Microsoft Office 2000 suite and related products, Microsoft Office XP Developer, Microsoft SQL Server 7.0, and Windows 98. All these products include Microsoft Java Virtual Machine (JVM). However, critics and conspiracy theorists have noted that the software giant has until September 2004 to cease support for its products that include JVM. Why is the company removing access to these products almost a year ahead of schedule? Read the rest of the article at the following URL:

==== 3. Networking Perspectives ====
by Alan Sugano, [email protected]

Malicious Hackers and Spam, Part 1
My consulting company recently received a call from a client company that was having problems with backup failures and poor server performance when sending and receiving email. When we arrived at the client site, we found the problem was more serious than a failed tape drive and slow server. I logged on to the server and noticed it was running extremely slow. The server showed a lot of drive activity and high CPU usage. I pressed Ctrl+Alt+Delete to open Windows Task Manager and sorted the processes by CPU usage. I noted that store.exe was taking up most of the CPU cycles. Microsoft Exchange 2000 Server and Windows 2000 Server were running on this machine. Could the problem be a corrupted Exchange Store? Large email volume? The organization wasn't a heavy email user and had only 15 users connected to the server. To read the rest of the story, visit the following URL:

==== 4. Announcements ====
(from Windows & .NET Magazine and its partners)

Free eBook--Migrating to Windows Server 2003, Active Directory, and Exchange 2003
Are you planning to migrate from Windows 2000, Windows NT 4.0, Exchange 2000 Server, or Exchange Server 5.5? Reduce your learning curve by implementing practices that have proven effective in the field. Download this eBook today!

Receive a Free Identity Management White Paper!
Are your existing identity-management and access-control solutions fragmented, duplicated, and inefficient? Attend this free Web seminar and discover how to automate and simplify identity creation, administration, and access control. Leverage your investment in Microsoft technologies and benefit from greater security, improved productivity, and better manageability. Register now!

Take Our Print Publications Survey!
To help us improve the hardware and software product coverage in the Windows & .NET Magazine print publications, we need your opinion about what products matter most to you and your organization. The survey takes only a few minutes to finish, so share your thoughts with us at

~~~~ Hot Release: Need a Fax Server? (Whitepaper/FREE Fax Card Offer)
Receive a complimentary whitepaper designed to help organizations make informed decisions on network fax technology. While supplies last, get a FREE FAX CARD ($499 value) when you purchase a network fax server!
--> (details here!)

==== 5. Instant Poll ====

Results of Previous Poll: VoIP
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Has your organization deployed Voice over IP (VoIP) technology?" Here are the results from the 328 votes:
- 35% Yes
- 6% No, but we plan to within the next 6 months
- 5% No, but we plan to within the next 12 months
- 22% We're investigating VoIP but won't deploy it in the near future
- 32% No, and we have no plans to pursue it

New Instant Poll: Upgrading to Windows XP
The next Instant Poll question is, "If you use an earlier desktop OS, what keeps you from upgrading to Windows XP?" Go to the Windows & .NET Magazine home page and submit your vote for a) Current hardware won't support it, b) Satisfactory performance of current OS, c) Software and licensing costs, d) XP security concerns, or e) Other.

==== 6. Resources ====

Featured Thread: Reset Windows Server 2003 Password
User keithg wants to know how to reset the domain administrator password on a Windows Server 2003 server (the person in charge of the servers is unavailable). He has reset the local administrator password in the SAM and can boot into Active Directory (AD) recovery mode. Join the discussion and offer your help at the following URL:

Tip: How can I stop my system from prompting me for a product ID during a Microsoft Remote Installation Services (RIS) installation?
by John Savill

Because the default RIS answer file (i.e., the ristndrd.sif file in the i386\templates folder of the RIS image) doesn't include a product ID, the system will prompt you for the product ID during installation. To avoid having to provide this information every time, perform the following steps:
1. Open the ristndrd.sif file in the i386\templates folder of the RIS image location for which you want to set the CD-ROM key.
2. Locate the \[UserData\] section of the file.
3. Add the line


and replace the text in quotes with the product ID.
4. Save the file.

For example, the \[UserData\] section of my ristndrd.sif file looks like

\[UserData\]
FullName = "%USERFIRSTNAME% %USERLASTNAME%"
OrgName = "%ORGNAME%"
ComputerName = %MACHINENAME%
ProductID = "32J4A-P07TY-86RE2-8U3H1-XXXXX"
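
The manual edit above, scripted for the case where several RIS images need the same change. This is an added example, not part of John Savill's tip: the function name `set_product_id` and the sample answer-file text are constructed for illustration, and the key is the placeholder shown in the tip.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*ProductID\s*=", re.IGNORECASE)
PID_RE = re.compile(r"^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$")

# Constructed sample of a ristndrd.sif without a product ID.
SAMPLE_SIF = (
    "[Unattended]\n"
    "OemPreinstall = no\n"
    "\n"
    "[UserData]\n"
    'FullName = "%USERFIRSTNAME% %USERLASTNAME%"\n'
    'OrgName = "%ORGNAME%"\n'
    "ComputerName = %MACHINENAME%\n"
    "\n"
    "[Identification]\n"
    "JoinDomain = %MACHINEDOMAIN%\n"
)


def set_product_id(sif_text, product_id):
    """Return sif_text with ProductID set in [UserData] and nowhere else."""
    if not PID_RE.match(product_id):
        raise ValueError("product ID must be five groups of five characters")
    eol = "\r\n" if "\r\n" in sif_text else "\n"  # keep the file's line endings
    new_line = 'ProductID = "%s"' % product_id
    out, in_userdata, written = [], False, False

    def append_key():
        # Put the key after the section's last non-blank line.
        blanks = []
        while out and not out[-1].strip():
            blanks.append(out.pop())
        out.append(new_line)
        out.extend(blanks)

    for line in sif_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            if in_userdata and not written:  # leaving [UserData] without a key
                append_key()
                written = True
            in_userdata = header.group("name").strip().lower() == "userdata"
        elif in_userdata and KEY_RE.match(line):
            if written:
                continue  # drop a duplicate ProductID line
            line, written = new_line, True  # replace the existing value
        out.append(line)
    if in_userdata and not written:  # [UserData] was the last section
        append_key()
        written = True
    if not written:
        raise ValueError("no [UserData] section found")
    return eol.join(out) + eol
```

Running it a second time on its own output leaves the file unchanged, so it is safe to apply to images that were already edited by hand.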

==== 7. Event ====
(brought to you by Windows & .NET Magazine)

New--3 Microsoft Security Road Shows!
Don't miss out on three new Security Road Show events in December. Join industry guru Mark Minasi, and learn more about tips to secure your Windows Server 2003 and Windows 2000 network. There is no charge for this event, but space is limited, so register today!

==== 8. New and Improved ====
by Carolyn Mader, [email protected]

Join a Patch Management Discussion
Leading security experts have come together to launch a new moderated discussion mailing list and Web site called to help IT network managers, systems administrators, and security professionals better understand patch management and computer security vulnerabilities. offers the IT industry's first discussion list dedicated to security patch management topics. Moderators for the discussion list have extensive backgrounds in Internet security, application development, and patch management.

Customize Your Spam Control
DigiPortal Software released ChoiceMail One 2.0, antispam software that lets users customize the way they set up spam control on their desktops. Users can choose who they want to receive email from and add those addresses to an approved white list. ChoiceMail One recognizes mailing list servers and allows incoming mail from mailing lists without a challenge. Pricing is $39.95. Contact DigiPortal Software at [email protected]

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Link ====

Sybari Software
Free! "Admins Shortcut Guide to Email Protection" from Sybari


==== 9. Contact Us ====

About the newsletter -- [email protected]
About technical questions --
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring UPDATE -- [email protected]

This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Copyright 2003, Penton Media, Inc.
