Microsoft Plans DRM For Windows Server R2

In an hourlong interview with CRN on Wednesday, Bob Muglia, senior vice president of Microsoft's Windows Server Division, said the Redmond, Wash., company will incorporate Windows Rights Management Services (RMS) and new identity-federation capabilities into R2. Windows RMS is now available as a separate add-on to Windows Server 2003.

The identity-federation capabilities, developed as part of a project formerly called TrustBridge, are designed to provide cross-company identity management, enabling better extranet and business-to-business scenarios between customers, partners, suppliers and vendors.

One major limitation of the first version of Windows RMS is that it was designed for internal corporate use only. Several solution providers told CRN that the DRM software's inability to exchange secure documents across the firewall stands as a big barrier to adoption.

RMS-enabled applications include Outlook 2003, Word 2003, PowerPoint 2003 and Excel 2003. Muglia said he didn't know if all the extranet pieces for RMS will make it into the Windows Server code in 2005. However, Windows Server R2 will go a long way toward meeting user demands for more secure, locked exchange of e-mail and documents, he noted.

"We're seeing a lot of people interested in rights management," Muglia said. "It's an important feature that large companies look at. It's a hard thing to do."

He also confirmed that Microsoft is working to add support for Pocket PCs, which would enable mobile workers to use the RMS technology for more secure document exchange.

Though Muglia declined to discuss details about Microsoft's RMS plans for R2, several channel sources briefed about the company's strategy told CRN in recent weeks that the lack of extranet features is a big obstacle to adoption. The identity-federation feature in Windows Server R2 and other changes, they said, will provide the authentication mechanism that allows outside partners to exchange RMS documents smoothly and safely.

"What you'll hear is more cross-enterprise authentication to the product. You can trust to Active Directory today, but that's a big leap," said one partner familiar with Microsoft's RMS plans. "It's a big limitation of version 1.0 today. They need to allow the RMS client to authenticate to a directory environment outside a company's network. What is new is that I can put Active Directory up on the DMZ on the perimeter of an organization and have users authenticate to it, separate from it having to be in an internal domain."

Microsoft also is integrating RMS hooks into SharePoint and other Microsoft server applications designed to pump up corporate use, partner sources said. Microsoft executives declined to comment on the timetable for its plans to build RMS hooks into applications.

In addition, sources close to Microsoft's RMS efforts said corporate customers want better privacy for secure transactions. To that end, they said, Microsoft is preparing to hand over Certificate Authority (CA) control to third-party ISVs, partners and customers. CA is the granting body for issuing keys that lock and unlock documents. Currently, Microsoft is the only CA provider.

Microsoft and partner SafeNet, formerly Rainbow Technologies, have announced the co-development of an appliance that would enable security-conscious customers, such as government agencies, to set up an in-house CA server that's not tied to the Internet. The appliance is slated to ship this year.

Although it's not clear if customers could use VeriSign and other ISVs as their CA this year or next year, one Microsoft partner said that opening up the CA would be a big business driver for Microsoft's RMS platform.

"Some organizations want control over their Certificate Authority. Like anything else, customers have varying comfort levels of control. Some want to take it all inside--like the Department of Defense, which doesn't want someone mishandling their keys--and other people want to use VeriSign, RSA or even [Microsoft] CA," said one ISV briefed on Microsoft's RMS plans. "Today, the hierarchy of keys stops with Microsoft."

The timing for those features isn't set in stone. In an interview last month, Microsoft executives acknowledged that extranet capabilities are planned for Windows RMS services, but they wouldn't comment on specific features or the timetable for the technology.

Yet sources familiar with Microsoft's plans said the company hopes to offer lockbox distribution support for the SafeNet appliance and Pocket PC support in the Windows Server 2003 Service Pack 1 due out in the second half of 2004. The SP1 release also is expected to come with an enhanced RMS SDK that will allow third parties to better integrate external applications.

At Microsoft's 2004 Windows Hardware Engineering Conference in Seattle last week, company executives said significant extranet improvements for DRM features will be integrated into Windows Server 2003 R2 for enterprise and SMB customers.

During a panel discussion at WinHEC, Guy Haycock, product manager for Windows Server Marketing at Microsoft, told the audience that the extranet capabilities planned for Windows Server and Small Business Server in 2005 will smooth B2B interactions by using platforms that permit trading partners and customers to exchange protected documents.

"Small business gets it, and they want to share their documents with customers and suppliers in a way other than e-mail. But where do you go for your authentication?" Haycock said in a session focusing on Small Business Server. "Small businesses don't want to use Active Directory or set up [AD] trusts with a partner. Why not give them a fairly secure way of doing it?"

Muglia said the Small Business Server update in 2005 will be released shortly after Windows Server 2003 R2.

Adobe's upcoming entry into the corporate DRM software market late this year will press Microsoft to enhance its RMS platform and likely benefit smaller, specialized ISVs such as Authentica, Liquid Machines, Trusted Edge and Sealed Media, as well as their channel partners, according to industry analysts. Liquid Machines and managed service provider GigaAccess Media, for instance, applauded the expected RMS enhancements in the Windows Server R2 code.

"We're hearing from customers that they really want more RMS apps, support for down-level versions of Office and the ability to communicate with partners and suppliers," said Ed Gaudet, vice president of product management and marketing at Liquid Machines, Lexington, Mass.

By the end of this year, Liquid Machines plans to launch version 3.0 of its flagship offering, which will RMS-enable many non-Microsoft line-of-business applications, including those from Siebel Systems and PeopleSoft, company executives said. The current suite, version 2.1, leverages Microsoft's core DRM platform by supporting older versions of Office, including Office XP and 2003, giving ISVs a platform for rapidly enabling their applications for RMS.

For example, the GigaTrust DRM platform from GigaAccess Media gives SMBs a fully hosted solution with the extranet capabilities for Windows RMS that Microsoft currently lacks. It also supports older versions of Office.

GigaMedia President and COO Glen Gulyas said his company isn't threatened by the extranet features being added to Windows Server R2. Anything Microsoft can do to remove customer objections to RMS--including the company's recent legal settlement with InterTrust--is a win for GigaMedia, he noted.

"We welcome any updates to RMS, and the sooner they can get it out, the better," Gulyas said. "There are hundreds of millions of Microsoft users, and even a fraction of those moving to RMS is a significant market."

While adding RMS capabilities to older versions of Office and applications from other ISVs is essential for widespread market adoption, the current lack of extranet capabilities remains a big hole in Microsoft's corporate DRM platform, integrators said.

"It's no secret," said Bill Kilcullen, principal consultant for EDS' Technology Strategy and Architecture Group in Redmond, which is piloting the GigaTrust managed service to extend extranet services to customers that want to use Windows RMS. "There are ways to solve that problem today. We'll look at what partners are doing and what Microsoft is doing. It's part of the long-term strategy."