
RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Platform), and a bunch of other acronyms I bet you've never heard of, blog.
Do you know how to get a message directly to the ADRMS product group?

For those of you that don't know, the ADRMS development team actually has their own blog. They have been posting articles out there with some good information, and it is an 'official' ADRMS blog, unlike mine, which is just a bunch of crazy ramblings I've put together in the early morning hours so I have a public repository of things I need to remember. Plus, I'm not allowed at the local stand-up comedy club anymore. Those people just don't appreciate the humor of someone installing ADRMS on a Domain Controller, that only my audience here does.

Plus...when you make comments on their blog, it actually goes to the team that is writing and designing the product. If there is something you want to see in the product, or something you don't like and would like to see changed, or if you just want to write a long story about how ADRMS helped you survive your horrific life-altering ordeal in the Australian outback, you can rest assured that the team responsible for ADRMS will be reading it. Not that I don't love those stories, and all of the comments and questions I get, but now you have *two* places to ask, and as I always say 4-1/2 heads are better than 2-1/4.

ADRMS Team Blog

UPDATE: Rather than waste a whole new post to tell people this I'll post it here. I just put *all* of the click-through demos I have in my previous click-through post. http://blogs.technet.com/rmssupp/archive/2009/02/04/click-through-demos-they-re-the-cats-pajamas.aspx . You're welcome.

-Jason

Posted Tuesday, June 09, 2009 10:49 AM by Jason Tyler | 0 Comments

Obama Says: Cyber Security is *top* Priority. Cyber Czar TBA.

So....it appears that President Obama has been reading my blog...


O.K. I made that part up, but it was pretty exciting to watch his speech today on cyber security (..not sure when I turned into a total nerd).

The whole speech I was just saying to myself "ADRMS would prevent that...ADRMS would prevent that...ADRMS can do that...ADRMS would cover that", and even a few "Forefront Security would prevent that". Heck they'd solve 90% of their problems if they went and visited microsoft.com/security, or microsoft.com/ida.

I wonder who the new 'Cyber Czar' will be. I don't know that I'd like to have that job. You've got 10,000,000 hackers that will attack you non-stop to make a point. In fact, I'd be willing to gamble that shortly after the announcement, you'll see something like "Cyber Czar's e-mail hacked" in the news. I'd almost be willing to gamble that the hacker community will know who the new Czar is, before the new Czar does. (Unless of course they are already using ADRMS..then the odds are in favor of the Czar.). <g>

So my tip for the day to the president and his staff. Make sure you secure all of your e-mails and data regarding this announcement with ADRMS (you should be doing it for everything anyways), and make sure the people exchanging this data are using secure systems with good passphrases and/or secure smart cards. You *really* don't want the hacker community announcing things related to your cyber security plans before you do. That would be a BAD THING®. There are even a few ADRMS solutions for your blackberry, although you really need to start thinking about getting yourself a Windows Mobile phone.

Gimme a call...I might know some people that can hook you up. ;)

-Jason


 

Posted Friday, May 29, 2009 11:24 AM by Jason Tyler | 0 Comments

Daily Wacky Environment Solution: One-Way trust AND ADRMS using ADFS

Consider this scenario.
Customer has two forests.

Resource Forest (RFCOM) - Houses resources like RMS and MOSS.
Account Forest (AFCOM) - Houses all of the user accounts.

Situation: Customer wants to have *one* RMS cluster housed in the resource forest. There is a one-way trust where the resource forest trusts the account forest (for some other applications including MOSS auth (although I think MOSS will work with ADFS as well)). Customer wants to use ADFS to do SSO to the ADRMS server to get content served by the MOSS server in the resource forest.

Problem: In order to use ADFS with ADRMS there typically needs to be *no* trust between forests. The way that the RMS client works, is that it will try to obtain a RAC via the standard Windows Auth pipeline (https://rms.rfcom.com/_wmcs/certification/certification.asmx). If this fails, it will use the ADFS token pipeline (https://rms.rfcom.com/_wmcs/certificationexternal/certification.asmx), and pass the ADFS server specified in the FederationHomeRealm registry key. The RMS server *has to* reside in the same forest with MOSS since there is no ADFS pipeline for service accounts.

If there is a one-way trust, then the user will legitimately be able to get to the Windows Auth pipeline through IIS. This is a problem, because the return code is 200 (which means OK), although the RMS server will reject the request from a user in another forest to this pipeline, because it expects to find the user in its own forest's AD. This puts the RMS client in a bad state. It simply thinks the RMS server has rejected the request, and cries about it with an error message.

So we have a few options. 

Solution 1:  Remove the one-way trust. If you remove the one-way trust, then IIS will not authenticate the user to the Windows Auth certification pipeline, and the RMS client will automatically roll over to the ADFS tokenized pipeline.

Solution 2: (The one we used). We went to the properties of C:\Inetpub\wwwroot\_wmcs\certification\certification.asmx, and added an ACE to the security tab for the 'AFCOM\Domain Users' group, and gave it explicit *deny* permissions. This forces all clients in the AFCOM forest to rollover to the ADFS certification pipeline.

Solution 3: Set up an RMS cluster in the account forest, and then export the SLC from the AFCOM forest's RMS server, into the RFCOM forest's RMS server as a TUD (Trusted User Domain).

Anyways, option 2 worked for this customer. For any forests that he now adds to his forest that have a one-way trust, he just needs to add a deny ACE to the certification.asmx file for the 'Domain Users' group of that forest. We also added an SCP to the account forest with the cluster URL of the resource forest, so that all of the clients in the account forest would auto-discover the ADRMS service without needing registry overrides.

ADRMS is a pretty flexible product. Even though every single possible environment situation isn't documented, doesn't mean that with a little playing around you can't get just about any situation to work (within the support boundaries...and sometimes outside of them. <-- I didn't just say that. :)).

-Jason

Posted Thursday, May 28, 2009 4:28 PM by Jason Tyler | 0 Comments
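
Solution 2 from the post above, scripted so it can be repeated for each account forest that is added later. This is an added example, not the author's or Microsoft's code; the function name is hypothetical, and denying Read & Execute is an assumption, since the post only says "explicit deny permissions".

```powershell
# Added example (not from the original post).
# Adds an explicit Deny ACE on the Windows Auth certification pipeline so that
# users from a trusted account forest fail IIS authorization there and the RMS
# client rolls over to the ADFS pipeline (certificationexternal).
function Add-RmsCertificationDeny {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Group,   # e.g. 'AFCOM\Domain Users', one entry per account forest
        [string]$Path = 'C:\Inetpub\wwwroot\_wmcs\certification\certification.asmx'
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Assumption: denying Read & Execute is enough; the post does not name the rights.
    $rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $deny    = [System.Security.AccessControl.AccessControlType]::Deny

    $acl     = Get-Acl -Path $Path
    $changed = $false

    foreach ($name in $Group) {
        # Resolve the name to a SID first. Translate() throws if the name cannot
        # be resolved across the trust, so a typo never produces a useless ACE.
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid     = $account.Translate($sidType)

        # Look only at explicit (non-inherited) rules, with identities as SIDs.
        $present = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $deny -and
            ($_.FileSystemRights -band $rights) -eq $rights
        }
        if ($present) {
            Write-Output "$name : deny ACE already present"
            continue
        }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rights, $deny)
        $acl.AddAccessRule($rule)
        $changed = $true
        Write-Output "$name : deny ACE added"
    }

    # Write the ACL back once, and only if something actually changed.
    if ($changed) { Set-Acl -Path $Path -AclObject $acl }
}

# Usage (run elevated on each RMS server in the cluster):
# Add-RmsCertificationDeny -Group 'AFCOM\Domain Users'
```

Running it a second time is a no-op, which makes it safe to keep in a build script for the cluster nodes.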

To CRL or not to CRL. That is the question.

I recently got a call from a customer having problems opening content from the internet using the Passport Trust option of RMS. Looking at the DebugView Logs RMS was returning an error code of 8004CF3B. So I look up the error in my handy-dandy technet:

http://msdn.microsoft.com/en-us/library/bb204613(VS.85).aspx

E_DRM_NO_CONNECT. Hmmmm...

So I had him try to access the licensing pipeline URL from the machine, and...it connects no problem. <<There's something on the wing....SOME...THING!!!>>

Certificate looks good, but it is a... internal CA cert.... Hmmmm...

Let's disable CRL in IE's settings (Tools>Internet Options>Advanced>Security | Uncheck both certificate revocation validation options).

Voilà..it works. So, moral of the story. Vista doesn't like it when you use an internal CA certificate, externally, when you have these options checked, and you are trying to use RMS. Use a Verisign or GoDaddy cert instead. XP doesn't seem to be bothered.

Whodathunkit?

-Jason

UPDATE: A buddy of mine, Barclay, pointed out that the other option is to expose your CRL Distribution point externally. Duh!!

Posted Friday, May 22, 2009 10:48 AM by Jason Tyler | 0 Comments
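
A way to confirm the diagnosis in the post above without switching off revocation checking: run this from a client outside the network and see whether the revocation status of the RMS server's certificate can be determined. This is an added example, not the author's code; the function name and `rms.example.com` are placeholders.

```powershell
# Added example (not from the original post).
# Fetches the TLS certificate of the RMS host and builds its chain with online
# revocation checking, which is what a client does when the IE options are ticked.
function Test-RmsCertRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$HostName,      # placeholder: the external RMS licensing host name
        [int]$Port = 443
    )

    # Step 1: pull the server certificate. It is accepted unconditionally here
    # only because the chain is evaluated explicitly in step 2.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Step 2: build the chain with revocation checking on for every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)

    # Step 3: pick out the statuses that mean "could not check" or "revoked".
    $revocationStatuses = 'RevocationStatusUnknown', 'OfflineRevocation', 'Revoked'
    $problems = @($chain.ChainStatus | Where-Object {
        $revocationStatuses -contains $_.Status.ToString()
    } | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    # Step 4: show where the client is being told to fetch the CRL from
    # (CRL Distribution Points extension, OID 2.5.29.31).
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(no CRL distribution point in certificate)' }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        ChainBuilt         = $chainOk
        RevocationProblems = $problems
        CrlDistribution    = $cdpText
    }
}

# Usage:
# Test-RmsCertRevocation -HostName 'rms.example.com' | Format-List
```

`RevocationStatusUnknown` or `OfflineRevocation` together with a distribution point that only resolves internally is the situation described in the post; publishing the CRL distribution point externally, or using a publicly trusted certificate, clears it.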

Foxit makes their reader more foxy with IRM capabilities.

Welcome to the party Foxit!!!

http://www.foxitsoftware.com/announcements/2009487743.html

http://www.foxitsoftware.com/rms/

I expect we will see a lot more of this from a lot more vendors soon. The trend is showing that customers are no longer *requesting* their application providers protect their content. They are *demanding* it. If you are writing software that allows customers to create sensitive data, be warned. You should definitely get on the IRM integration bus before you get run over.

Long live Jimi!!

ARE YOU IRM EXPERIENCED???

http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx

Trippy Tip: Use the live translator link at the top of my blog to translate this post to a different language. You will get a split screen page. Turn your speakers up and enjoy the Jimi Hendrix Experience!!!

Posted Wednesday, May 20, 2009 11:24 AM by Jason Tyler | 0 Comments

What is the RMS Lifecycle?

Ever wonder when support for *your* version of RMS will officially end?

Well we all know that RMS V1 /w no SP has already expired...*but* did you know that RMS V1 SP1 also has expired, and that you need to upgrade to SP2 to be in full support?

http://support.microsoft.com/gp/lifesupsps

Windows Rights Management Services Service Pack 1 | 18-Apr-2005 | 13-Jan-2009
Windows Rights Management Services Service Pack 2 | 22-Nov-2006 | Not Applicable (See Note)

Note: Support ends either 12 or 24 months after the next service pack releases or at the end of the product's support lifecycle, whichever comes first. Visit the Lifecycle page to find the support timelines for your particular product.

 

ADRMS on Windows 2008 falls under the Operating System lifecycle, since it is a role in the operating system.

Now you know. All of you slackers need to update your V1 SP1 installs to SP2, ASAP. :D

 -Jason

Posted Friday, May 08, 2009 3:48 PM by Jason Tyler | 0 Comments

Single Forest, Single Domain seeks NON-Universal group to share many bytes of RMS data with

O.K. So I get asked this question a lot. "I've got one forest with a single domain. Do I still need to use a universal group?"

The answer is 'you don't technically have to'. Here is the deal. As we all know Universal groups are the only groups that replicate their membership across the forest. Let's say you have a forest 'foo.com' with a domain 'domain.foo.com'. Now you RMS protect a message and send it to a group. How does RMS deal with this?

Well, RMS is going to grab the first 5 GCs that respond to the request, and cycle through them for EUL validation. So let's say you have a Security group called SecGroup1@domain.foo.com that mail is being sent to, that joe@domain.foo.com is a member of, and RMS grabs these 5 GCs.

GC1.domain.foo.com
GC2.domain.foo.com
GC3.domain.foo.com
GC4.domain.foo.com
GC.foo.com

What do you think will happen when RMS queries each of these GCs for the membership of SecGroup1?

GC1.domain.foo.com - Good
GC2.domain.foo.com - Good
GC3.domain.foo.com - Good
GC4.domain.foo.com - Good
GC.foo.com - Fail

So your user has a 1 in 5 chance of getting an EUL, when a message is sent to a security group in domain.foo.com.

What are your options?

Well you've really got 3. The first is leave it alone, and take your chances at the wheel. OK. Maybe that's not the best option. The next option is to make that group a universal group. The membership will get replicated to GC.foo.com, and you now have 5 in 5 chance of getting an EUL. The last option, which not many people know about is that you can tell RMS which GCs it should query. You would set the following key:

HKLM\Software\Microsoft\DRMS\1.0\  <--Change the 1.0 to 2.0 for WS2008 ADRMS
REG_SZ: GC
VALUE: Comma-delimited list of GC FQDNs (e.g. GC1.domain.foo.com,GC2.domain.foo.com,GC3.domain.foo.com,GC4.domain.foo.com)

Now you have a 4 in 4 chance of getting an EUL using a security group, or another domain local group.

Now, if you have multiple domains in your forest, you need to use universal groups...period.

I need a nap.

-Jason

 Update: Nap music added to this post. :D


Posted Friday, May 08, 2009 10:41 AM by Jason Tyler | 1 Comments
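
The third option from the post above, scripted: build the GC list from the forest itself so that only global catalogs hosted in the group's own domain end up in the registry value. This is an added example, not the author's code; the function name is hypothetical, and the key and value name are the ones given in the post.

```powershell
# Added example (not from the original post).
# Pins RMS group expansion to the global catalogs of one domain by writing the
# comma-delimited 'GC' value described in the post.
Add-Type -AssemblyName System.DirectoryServices

function Set-RmsGlobalCatalogList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName,            # domain that owns the groups, e.g. 'domain.foo.com'
        [ValidateSet('1.0', '2.0')]
        [string]$RmsVersion = '2.0'     # 1.0 for RMS v1, 2.0 for WS2008 ADRMS (per the post)
    )

    $key = "HKLM:\Software\Microsoft\DRMS\$RmsVersion"
    if (-not (Test-Path -Path $key)) {
        throw "Registry key $key not found; run this on the RMS server."
    }

    # Enumerate every GC in the forest and keep only those whose own domain is
    # $DomainName. In the post's example this drops GC.foo.com, the one GC that
    # does not hold the membership of a non-universal group in domain.foo.com.
    $forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcNames = @($forest.GlobalCatalogs |
        Where-Object { $_.Domain.Name -eq $DomainName } |
        ForEach-Object { $_.Name } |
        Sort-Object)

    if ($gcNames.Count -eq 0) {
        throw "No global catalog found in domain '$DomainName'; nothing written."
    }

    $value = $gcNames -join ','
    if ($PSCmdlet.ShouldProcess($key, "Set GC = $value")) {
        New-ItemProperty -Path $key -Name 'GC' -PropertyType String -Value $value -Force | Out-Null
    }

    # Return the list so it can be logged or compared on the next run.
    return $value
}

# Usage (preview first, then apply):
# Set-RmsGlobalCatalogList -DomainName 'domain.foo.com' -WhatIf
# Set-RmsGlobalCatalogList -DomainName 'domain.foo.com'
```

The list is static once written, so it needs to be regenerated whenever a GC in that domain is added or retired.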

Translation of Rights. Straight from the help files...somewhere....

I've often wondered if we ever had documentation that explains what the rights you assign to a template actually translate to. I've travelled to the deepest, darkest corners of Microsoft searching for answers. Armed with a map of the mother ship, and the 'Staff of Ra', and with no lack of dangerous booby traps and poisonous snakes, the tomb that held these ancient scripts for so long was revealed....and now I bring them to you. (Thanks Jim!!).


This was me, but this guy is way tougher looking.


 

Active Directory Rights Management Services (AD RMS) rights provide the means for controlling how a user can access, use, and redistribute rights-protected content. Some rights are enforced exclusively by AD RMS-enabled applications or browsers, while others are enforced primarily by the AD RMS client (although applications can still apply their own interpretation of the right). The rights enforced by the AD RMS client control how license information is used, such as whether the license can be used to re-encrypt previously decrypted content. Rights that control how content is used are interpreted and enforced by AD RMS-enabled applications, such as Microsoft Office applications. For example, Microsoft Office applications enforce the View right by allowing a user to decrypt and view the contents of a protected document if the user has been granted the View right.

The following table lists the rights that are available by default when you create a rights policy template and gives a brief description of how the right is enforced by the AD RMS client and interpreted by common AD RMS-enabled applications.

Note: AD RMS-enabled applications can interpret these rights differently. This is intended as a general description for how these rights are typically used. Consult the documentation of the specific application for information on how these rights are enforced.

| Right | Description |
| --- | --- |
| Full control | If granted, this right allows a user to exercise all rights in the license, whether or not the rights are specifically granted to that user. |
| View | If this right is granted, the AD RMS client allows protected content to be decrypted. Typically, when this right is granted, the application will allow the user to view protected content. |
| Edit | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Save right. |
| Save | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to change protected content and then save it to the same file. This right is effectively identical to the Edit right. |
| Export (Save As) | If this right is granted, the AD RMS client allows protected content to be decrypted and then re-encrypted by using the same content key. Typically, when this right is granted, the application will allow the user to use the “Save As” feature to save protected content to a new file. |
| Print | Typically, when this right is granted, the application will allow the user to print protected content. |
| Forward | Typically, when this right is granted, the application will allow an e-mail recipient to forward a protected message. |
| Reply | Typically, when this right is granted, the application will allow an e-mail recipient to reply to a protected message and include a copy of the original message. |
| Reply All | Typically, when this right is granted, the application will allow an e-mail recipient to reply to all recipients of a protected message and include a copy of the original message. |
| Extract | Typically, when this right is granted, the application will allow the user to copy and paste information from protected content. |
| Allow Macros | Typically, when this right is granted, the application will allow the user to run macros in the document or use an editor to modify macros in the document. |
| View Rights | If this right is granted, the AD RMS client allows a user to view the user rights that are assigned by the license. |
| Edit Rights | If this right is granted, the AD RMS client allows a user to edit the user rights that are assigned by the license. |

Posted Thursday, April 30, 2009 2:03 PM by Jason Tyler | 0 Comments

I don't know your private key password!!!

There seems to be an influx of cases lately, where an administrator has either 'lost', or inherited an RMS environment that they don't know the private key password for.

Let me assure you, I don't know it either. You can go to the security tab in your RMS admin console and reset it to a password you know, but before you do this 'BACK UP YOUR SLC AND PUBLISHING CERTIFICATE'.

So...if you get stuck with an environment that you do *not* know the private key password for, do *NOT* uninstall RMS and re-install a new environment without *first* exporting the SLC and publishing certificate. If you delete everything without backing up these keys, and don't know the private key password ...'I CAN'T HELP YOU!!'. Even if you have a back-up of the database....'I CAN'T HELP YOU!!!'. You will lose all of your data and ....'I CAN'T HELP YOU!!!'.

There is no secret fix, magic command, or ritualistic dance that I can perform to restore your environment, unless you have backed up the database *and* original RMS server. If you didn't you should lay down on the floor and play dead until your boss goes home for the day, and then see if anyone has an older backup of the system hidden somewhere, and if not, some good quality resume paper. 

Hopefully I've made the message clear, on the importance of backing up those keys, and outlined your options if you don't heed this advice. :D

-Jason

Posted Monday, March 23, 2009 10:00 AM by Jason Tyler | 1 Comments

Free At Last, Free At Last, Oh Lawd, I'm Free At Last!!! End of Support for RMS V1 SP0

Announced today. RMS V1 with no Service Pack is dead, muerta, gone, kaput! Support has officially ended.

From: http://blogs.msdn.com/rms/default.aspx

End of support for Windows Rights Management Services V1.0

March 23, 2009 will bring a close to support for Windows Rights Management Services V1.0 as part of the Microsoft Lifecycle Policy. Microsoft will retire public and technical support, including security updates, by this date.

As of this date users will no longer be able to activate or re-activate clients, and may be unable to produce or use Rights-Protected content unless they upgrade to a newer version of Windows Rights Management Services Client.  This includes  Windows Rights Management Services Client V1.0 SP2, or the Windows Rights Management Services Client available as part of Windows Vista or Windows Server 2008.  When users attempt to activate Windows Rights Management Services Client V1.0 using Microsoft Office they will receive the following error message “This service is temporarily unavailable.  Ensure that you have connectivity to the server.  This error could be caused because you are offline, your proxy settings are preventing your connection, or you are experiencing intermittent network issues.”  Users attempting to activate via other RMS enabled applications may receive different error messages.

Microsoft is retiring support for this product because it is outdated and can expose customers to security risks.

We recommend that customers who are still running Windows Rights Management Services Client V1.0 upgrade to a newer version as soon as possible.  Windows Rights Management Services Client V1.0 SP2 can be downloaded from the following links.
Windows Rights Management Services Client V1.0 SP2 client (x86)
Windows Rights Management Services Client V1.0 SP2 client (x64)

Windows Rights Management Client V2.0 is also available as part of the Windows Vista and Windows Server 2008 operating systems.  Information about Windows Vista is available at http://www.microsoft.com/windows/windows-vista/default.aspx.  Information about Windows Server 2008 is available at http://www.microsoft.com/windowsserver2008

We recommend that customers who are still running Windows Rights Management Services V1.0 servers upgrade to a newer version such as Windows Rights Management Services with Service Pack 2 as soon as possible.

 


 

I feel like I'm saying goodbye to an old friend....a friend that used to steal my money, and eat my food that is!

-Jason

Posted Tuesday, March 10, 2009 9:37 PM by Jason Tyler | 1 Comments

Setting up RMSv1 on Windows 2003 x64 - Feel the burn with me.

So I have of late been working on an issue involving someone trying to install RMS v1 on Windows 2003 x64 Standard Edition. Of course RMS v1 came in only a 32-bit flavor, but you could get it to run in WOW mode on x64 (with 2008, ADRMS comes in all the flavors of the OS). I don't know exactly why we are having issues (hopefully I'll figure it out this week), but I just went through a little test to make sure I'm not crazy (well...you know what I mean), and recorded it.

Here is the text of the file I was using in the demo:

1.) Make sure .NET 1.1, IIS and MSMQ are installed
2.) Allow IIS to run in WOW mode - cscript %SystemDrive%\inetpub\AdminScripts\adsutil.vbs set w3svc/AppPools/Enable32bitAppOnWin64 1
3.) Install and enable ASPNET - %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i -enable
4.) Allow ASP.NET 1.1 - cscript %systemroot%\system32\iisext.vbs /EnApp "ASP.NET v1.1.4322"
5.) Set default website version - %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -s /w3svc/1/root

Here is the demo for your viewing pleasure. (Just unzip the files, and open the .html file) 

RMS X64 Demo

P.S. I'll update this post with whatever I did to fix the 'problem' I ran into in the video. (Now you *have to* watch it or you won't know what I'm talking about.)

..and I already know 'I SHOULD HAVE USED A FQDN FOR THE CLUSTER URL!!' Don't judge me!!!

 - Jason

Posted Saturday, February 21, 2009 10:27 PM by Jason Tyler | 0 Comments

Setting up Microsoft Office 2007 in a pre-production environment. By Carsten Kinder.

Ever wonder how to setup a pre-production environment and use Office with it (after all Office is signed with a production cert)? 

Live...via satellite from Germany <dunt duh da da..du du du du du dunt da ta da>...iiiiiiiiitttttt's Carsten! 

Hi, Carsten here.

Today I want to share information on how to set up Microsoft Office 2007 in a Windows Server 2008 RMS pre-production environment.

Setting up the RMS preproduction server

Let’s start with the RMS server:

1.    Before the RMS server role is installed on the Windows Server 2008 server, you must configure the registry. As documented in Configure the Registry, the following value must be set:

HKLM\Software\Microsoft\DRMS\2.0\Hierarchy=DWORD:0x00000001

2.    As a next step, the Active Directory Rights Management server role must be installed. Once the role setup has finished, open the Active Directory RMS MMC and verify in the server’s Properties in the Server Certificate tab that the Hierarchy is set to Preproduction.

The following steps must be performed once on every client computer where Microsoft Office 2007 is used with certificates and licenses from the Preproduction RMS server.

1.    As documented in Configure the Registry, the following value must be set:

HKLM\Software\Microsoft\uDRMS\Hierarchy=DWORD:0x00000001

2.    Download the Office Format Protector Sample Code which is part of the Microsoft Office File Format Protectors home page.

3.    Read the Office2007IRMInPreProductionHierarchy.docx document from the OfficePreProductionHierarchy folder within the downloaded ZIP file.

4.    Make sure that you are backing up all XML files as described in step #2 in the Step by Step instructions for configuring Office 2007 section in the document. If you don’t do so, you cannot change back from the pre-production hierarchy to the production hierarchy.

5.    Note that step #7 in the Step by Step instructions for configuring Office 2007 section in the document says nothing about elevation. The command prompt that runs genmft.bat or genmft.64.bat must be elevated. The script will run without elevation but registration of the components will silently fail.
Note: Do not rerun the script because it will silently replace the Office 2007 installation XML files that had been renamed to *.OLD in the first run. However, the Office 2007 installation XML files can be restored from the backup that you made according to step #2 in the Step by Step instructions for configuring Office 2007 section in the Office2007IRMInPreProductionHierarchy.docx document.

To test your own RMS enabled application, you can install the RMS SDK SP2 on the client computer.

Troubleshooting

If you have set up a preproduction RMS server but have not configured the client, you will receive the following error message from Microsoft Office 2007 when a new XrML certificate is requested from the RMS server:

              Cannot use test manifests against production servers

In case you have enabled RMS tracing, you will see error DRMInitEnvironment HR=0x8004cf19 in the DebugView log.

Moving from preproduction to production

To revert the RMS server from the pre-production hierarchy back to the production hierarchy, perform the following steps:

1.    Uninstall the Active Directory Rights Management server role. To do so, see the Step-by-Step guide Decommission AD RMS Root Cluster.

2.    Set the following registry key on the RMS server

HKLM\Software\Microsoft\DRMS\2.0\Hierarchy=DWORD:0x00000000

3.    Re-Install the Active Directory Rights Management server role.

To change a client computer from the preproduction hierarchy to the production hierarchy, perform the following steps:

1.    Change the following registry key

HKLM\Software\Microsoft\uDRMS\Hierarchy=DWORD:0x00000000

2.    Restore the Office 2007 XML files containing the production hierarchy back into %programfiles%\microsoft office\office12.

Posted Wednesday, February 18, 2009 5:19 AM by Jason Tyler | 1 Comments

Click-through Demos. They're the cats pajamas.

So, I'm here in Seattle for Tech-Ready this week and I'm talking to my buddy Cristian Mora who is the TPM (Technical Product Manager) for IDA technologies. I'm telling him how cool it would be if we had some click through demos of the RMS technologies for doing hands-on-labs etc. He proceeds to inform me that he already made a whole bunch of them, and then opens a folder on his hard-drive with the holy grail of RMS click-through demos.

uhhh.....<drool>

So I say's "Hey mang! Do you mind if I post some of these to my blogosphere so people can see what's up?"

To which he replies, "No, mang! That's what they are for.".

Then he also gave me a copy /w license of Demo-Builder. Ohhh.....the things I can do with this. I can provide an entire user experience of setup and everything without the overhead of massive amounts of hardware and hard-drive space (over 50GB in our last lab) , licensing issues, expired certs, products needing to be registered, unaccounted for problems that you *always* run into with hands-on-labs. Nothing but a clean user experience, without getting side-tracked on unrelated nonsense.

Kudos again to Cristian Mora for building these.

Client Side Demos:
WM6 IRM Demo
MOSS IRM Demo
XPS IRM Demo
WORD IRM Demo
POWERPOINT IRM Demo
OUTLOOK IRM Demo
INFOPATH IRM Demo
EXCEL IRM Demo

Server Side Demos:



 -Jason

Posted Wednesday, February 04, 2009 10:21 AM by Jason Tyler | 2 Comments

Liquid Machines. They hurt my brain...and I liked it.

I had a chance last week to attend a demo given by the people at Liquid Machines. I always like to see what our partners are offering, so when we have customers asking us for a list of what partners provide groovy add-ons for RMS, I know who has what. Well Liquid Machines has got *a lot*. In the two hours I spent watching the demos and asking questions it really left my brain spinning with not only the number of solutions they provide, but the crazy amount of granular functionality built into each solution.

Let's start with their MOSS protectors. This thing can protect 400 different file types when you check them out of MOSS. For people that don't like the default behavior of MOSS, which only allows the user who checked the content out of MOSS to have access to it, Liquid's protector allows the person checking it out to share that content with other users that have access to the document library.

Need to mass protect content that is in a file share? Well, their Fileshare Gateway can do that with ease, and again....400 filetypes. Holy !@#$%!

Their Document Control Client handles Adobe PDF files, Acrobat files, and even older versions of Office. Extra cool points for allowing copy and paste to other documents, while retaining the original policy on the pasted data. You can also do real-time policy updates, so you don't have to redistribute data if you need to add people to or bump people off the access list for the content. Want to have a default policy applied to newly created content? They handle it. They even have a command line tool for all you cranky old admins that want to apply and remove policies 'old skool'.

Of course they have their famed PDF viewer, a lightweight, limited version of their full featured viewer. Their full featured viewer can securely view 400 file types, including a slew of graphic files. I can't even count to 400.

Their Document Control Center is slammed with features that allow you to control document policies, users, view auditing data (like seeing who has been printing, opening, editing) as well as, limiting who has access to what pieces of the control center for granular delegation of duties. They also have a reporting dashboard for this that gives you a graphical view of all your data.

They have a Blackberry solution that allows Blackberry users to consume RMS protected content. Seems like a pretty slick solution for organizations with a big patch of Blackberry users (he he he). If it weren't for this terrible Blackberry allergy I have....

They also have an archival gateway for scanning, decrypting and re-encrypting content for virus scanning, or when your lawyers need to lay the smack down. They worked with Symantec E-vault to come up with the adapter that allows decryption of RMS protected content for e-discovery.

...and on top of all this, they have a rich API set that allows you to write custom applications that uses the functionality they provide.

Some really nice people, delivering really nice solutions.

Check em' out at.

http://www.liquidmachines.com

..and wear a helmet.

-Jason

 

Posted Wednesday, February 04, 2009 12:17 AM by Jason Tyler | 0 Comments

GigaTrust. Holy awesome product line, Batman!!!

I recently made a trip out to Washington, D.C. to check out the new products that GigaTrust has been working on. 

For those of you who don't know, anyone that is familiar with RMS knows that GigaTrust provides the best extranet hosting solution out there. They can provide RMS capabilities for a company, without actually making you put RMS in your environment, or even worrying about having to set things up. They are sort of like the scrubbing bubbles cleaner. "They work hard so you don't have toooooo." What I bet a lot of you didn't know is that GigaTrust goes *way* beyond just that capability. They have a slew of products that will help solve all of your IP protection needs.

Let's discuss a few that I saw. I couldn't possibly tell you everything they showed me. I was like a kid in a toy store running around trying to play with as many as possible before it was time to go.

The first and most notable addition is their PDF viewer. GT used to have their own proprietary viewer that could open RMS protected content. While there is nothing wrong with this, and it was actually really cool, it is just one more thing to download, which some people don't like. Well now they have actually written their solution to work with the native viewer, so that was pretty cool. They also re-wrote their Outlook solution so that you can now read RMS protected e-mails directly in the Outlook reading pane, instead of in their own viewer. Essentially, they have spent a lot of time integrating with the native products for a seamless experience.

They've got a sweet solution for Blackberry, that allows you to send and receive RMS protected content right on your device. They demonstrated this capability to us, and it is flawless. If I had a Blackberry, I would use this solution. I'm of course a Windows Mobile guy, so the only Blackberry I'll be using will be in my cereal. Still very cool.

Ever have lawyers crawling down your back needing to make sure that they can decrypt someone's mailbox for e-discovery? GigaTrust's solution is fast and furious. If you're in the market for an e-discovery solution check 'em out.

Their Enterprise Plus solution is what they are famous for. They do all the work for you, and also give you the ability to send RMS protected content to people that are outside of your organization. The coolest feature I saw on this was the business auditing. You can see who has accessed specific content with a few clicks of the mouse. Super fast, super easy. You can even set up filters for your content that protect content based on what is in it. Let's say you want to protect any content that contains a social security number or credit card number. Well you can do this with their filters. It automagically scans the content, and if something the user enters matches the filter, it automatically classifies and protects the content. Your end-users don't even have to think anymore. Too many features to list. Brilliant work!

Dynamic File folders. Ever wish you could just dump files into a directory on your system and have it automatically protect or unprotect the content? Well their Dynamic File Folders solution will give you that.

The new stuff they showed me, that they are working on for MOSS is fantastic....but for another post.

They have even given their product line a face-lift, and redesigned the UI. Looking good.

The cool thing about GigaTrust is that they are true *solution* providers. In talking with them it seems that there really isn't a problem that they can't solve. Third-party LDAP directory...no problem. Third-party file formats you need to RMS protect...no problem. They recently acquired Pinion software, who wrote some amazing CAD solutions, and are now re-writing them to work with RMS. This is *huge*. Every automaker, or engineering company in the world will now be able to put persistent protection on their CAD designs, something the engineering world has been in dire need of. Think about what would happen if someone leaked your CAD designs to a competitor? Millions if not billions of dollars potentially lost. If you have a need to protect your CAD designs, you definitely need to give these guys a call.

Amazing solutions. Super nice people. Really smart products, and they will work hard to earn your business. Check them out at http://www.gigatrust.com or give them a call to see if they have a solution for your specific environment needs.

This trip fueled by:

 Monster Energy

The BIG cans!

Posted Monday, January 05, 2009 11:39 AM by Jason Tyler | 6 Comments
