Helping customers help themselves w/ IRMCheck Pt. 3

Today's discussion will focus on the Office registry information section of IRMCheck.

Essentially, RMS does a lot of things automagically in the way it discovers where all of the bits and pieces of your RMS organization are stored. It does this by making a call to DRMGetServiceLocation, documented here:

https://msdn2.microsoft.com/en-us/library/aa362560.aspx

IRMCheck will tell you (and me, if you call into support) whether you are overriding any of these locations in the registry. Here is the translation of those keys:

Office Activation Service -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: ActivationServer
Value: <https://url.of.your.activation.service>

Overrides DRMGetServiceLocation:DRM_SERVICE_TYPE_ACTIVATION when used with DRM_SERVICE_LOCATION_ENTERPRISE

This is not documented. Back in the 'dark ages' of RMS v1, all of your clients had to activate themselves by obtaining a lockbox from a Microsoft server on the internet by proxying the request through the RMS server. The lockbox is basically the component that does all of the encryption, decryption, validation, signing, etc. It's to RMS what the guy locked in the basement of the Chinese restaurant, cracking foreign messages is to the CIA. As such, RMS heavily protects this component. With the introduction of RMS SP1, this is no longer necessary as the lockbox is shipped with the components, and activates itself locally. See, I told you you should upgrade. :)

Office Enterprise Certification Service -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CorpCertificationServer
Value: <https://your.rms.server/_wmcs/Certification>

Overrides DRMGetServiceLocation:DRM_SERVICE_TYPE_CERTIFICATION when used with DRM_SERVICE_LOCATION_ENTERPRISE

If you set this, you will override the SCP (service connection point) that is registered (assuming you registered it) in your AD. Don't set this unless you have a specific reason to do so. If you have the SCP registered, you should let the client discover it automatically.

Office Enterprise Client Enrollment Service -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CorpLicenseServer
Value: <https://your.rms.server/_wmcs/Licensing>

Overrides DRMGetServiceLocation:DRM_SERVICE_TYPE_CLIENTLICENSOR when used with DRM_SERVICE_LOCATION_ENTERPRISE

If you set this, you override the location you will get your CLC (Client Licensor Certificate) from, that useful certificate that gives you the ability to 'create' RMS content.

Office Cloud Certification Service -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CloudCertificationServer
Value: <https://location.of.passport.service/_wmcs/Certification>

Overrides DRMGetServiceLocation:DRM_SERVICE_TYPE_ACTIVATION when used with DRM_SERVICE_LOCATION_INTERNET

This is not documented. This little gem will override the location of the Passport service. If you have RMS SP1, don't worry about it. If you have RMS V1, fill it in with https://licensing.drm.microsoft.com/_wmcs/Certification. If you have RMS V1 and you don't fill this in, your RMS client will go out to the Universal Description, Discovery and Integration service (https://uddi.microsoft.com) and get the URL specified above. You can do this, but I recommend that you just fill it in. It saves bandwidth, and is one less service that your clients have to depend on to work properly.

Office Cloud Client Enrollment Service -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CloudLicenseServer
Value: <https://location.of.passport.service/_wmcs/Licensing>

Overrides DRMGetServiceLocation:DRM_SERVICE_TYPE_CERTIFICATION when used with DRM_SERVICE_LOCATION_INTERNET

This is not documented. This overrides the Passport Licensing URL. Leave it the way it is in your registry if you are on RMS SP1. If you are on V1, then do yourself a favor and fill it in with https://licensing.drm.microsoft.com/_wmcs/Licensing.

Office RM Client Setup URL -
HKLM\Software\Microsoft\Office\11.0\Common\DRM\DRM Setup\
Reg_SZ: DRMPostSetupURL
Value: <https://url.to.your.client.setup/mclientsetup.exe>

This is not documented. If a client gets an RMS protected document and Office notices that RMS isn't installed, it will try to go out to the internet to download and install the client. If you want to control this in-house, you can set this key so that Office will go to your internal site to get the pre-downloaded bits. Good for air gap networks, or locked down situations.

Office IRM Disable -
HKCU\Software\Microsoft\Office\11.0\Common\DRM\
Reg_DWORD: Disable
Value: 1 (disables) 0 (enables)

You know all those people that you didn't deem worthy of using RMS (or the people you just don't like)? Well here's how you cut them off from using RMS with Office 2003 IRM. :)

Office IRM DisablePassportCertification -
HKCU\Software\Microsoft\Office\11.0\Common\DRM\
Reg_DWORD: DisablePassportCertification
Value: 1 (disables) 0 (enables)

This disables the Passport functionality in Office 2003 IRM, enabling you to lay the 'smack down' on people sending RMS protected mail outside the company using the Passport service.

Office IRM DisableCertificateValidation -
HKCU\Software\Microsoft\Office\11.0\Common\DRM\
Reg_DWORD: DisableCertificateValidation
Value: 1 (disables) 0 (enables)

This is not documented, and I have no 'official' idea of what it does. I'll have to dig into the source and figure it out. I'm thinking that if you are testing RMS via SSL and you have a bogus certificate (you know that pop-up you get when a certificate is not valid), this will allow RMS to work anyway. Normally, if you have a bogus cert, RMS will stop in its tracks. There, I've left one out that will be a surprise for all of us. If someone has an RMS server that is using a bogus certificate, try this one out and let us all know what it does, or I will when I have some time to play with it. :)

Office IRM Permission Policy Path -
HKCU\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: AdminTemplatePath
Value: (unc path or local path of your RMS templates)

This sets the location where Office 2003 looks for the RMS templates. You can set this to a local folder or a UNC share. Unfortunately, Office does not support a web folder for the template location.

Office Cached Enterprise Client Enrollment Service -
HKCU\Software\Microsoft\Office\11.0\Common\DRM\
Reg_SZ: CachedCorpLicenseServer
Value: <https://url.to.your.rms.cached.licensing.server/_wmcs/Licensing>

This is not documented. I suspect it is for future use. Ahh... yet again another mystery, like the meat used in 'sloppy joes' in elementary school cafeterias around the globe. I'll have to get back to you on this one.
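As an added example (this is not IRMCheck's own code, nor anything from this post), here is a PowerShell script that walks the keys above on a client and reports which overrides are set, so you can see at a glance what is being auto-discovered and what has been pinned by hand. It assumes the Office 2003 (11.0) paths listed in this post and flags the two settings worth a second look: a non-HTTPS service URL, and DisableCertificateValidation turned on.

```powershell
# Added example: report the Office 2003 IRM registry overrides described above.
# Assumes the 11.0 paths from this post; run on a Windows client with Office 2003.
$hklmDrm = 'HKLM:\Software\Microsoft\Office\11.0\Common\DRM'
$hkcuDrm = 'HKCU:\Software\Microsoft\Office\11.0\Common\DRM'

# Value name, the key it lives under, and what setting it overrides
$checks = @(
    @{ Name='ActivationServer';             Path=$hklmDrm;             Note='Enterprise activation server (RMS v1 only)' },
    @{ Name='CorpCertificationServer';      Path=$hklmDrm;             Note='Overrides the SCP registered in AD' },
    @{ Name='CorpLicenseServer';            Path=$hklmDrm;             Note='Overrides where the CLC is obtained' },
    @{ Name='CloudCertificationServer';     Path=$hklmDrm;             Note='Passport certification URL' },
    @{ Name='CloudLicenseServer';           Path=$hklmDrm;             Note='Passport licensing URL' },
    @{ Name='DRMPostSetupURL';              Path="$hklmDrm\DRM Setup"; Note='Where Office fetches the RM client setup' },
    @{ Name='Disable';                      Path=$hkcuDrm;             Note='1 = IRM disabled for this user' },
    @{ Name='DisablePassportCertification'; Path=$hkcuDrm;             Note='1 = Passport certification disabled' },
    @{ Name='DisableCertificateValidation'; Path=$hkcuDrm;             Note='1 = bogus SSL certs tolerated' },
    @{ Name='AdminTemplatePath';            Path=$hkcuDrm;             Note='Template folder (local or UNC)' },
    @{ Name='CachedCorpLicenseServer';      Path=$hkcuDrm;             Note='Cached enterprise licensing server' }
)

function Get-IrmOverride {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty errors if the key or value is absent; absent means "not overridden"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

foreach ($c in $checks) {
    $value = Get-IrmOverride -Path $c.Path -Name $c.Name
    $state = if ($null -eq $value) { 'not set (auto-discovery)' } else { "set: $value" }

    # Call out the two things an admin should double-check before moving on
    $flag = ''
    if ($value -is [string] -and $value -match '^http://') { $flag = '  <-- not HTTPS' }
    if ($c.Name -eq 'DisableCertificateValidation' -and $value -eq 1) { $flag = '  <-- certificate validation bypassed' }

    '{0,-30} {1}{2}' -f $c.Name, $state, $flag
    '    ' + $c.Note
}
```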

So we have covered all of the Office related registry keys that are checked by IRMCheck. In the next episode, I will cover the rest of the information collected by IRMCheck.

- Jason