Rights Management Services (RMS)
Paul Cullimore, [email protected]
Graham Calladine, [email protected]
Security Solutions Team, MCS, UK
What is RM?
"RMS is a technology that works with enabled applications to help protect digital information from unauthorised use."
Relies on a system of trust:
• Trusted user (using a)
• Trusted application (installed on a)
• Trusted computer
Defining Rights Management
• Windows Media Rights Manager v1, v7, 9 Series (1997 ff)
• Digital Asset Server (2000)
• Windows Rights Management Services for Windows Server 2003
Expansion of client support, usage scenarios and value to the enterprise
Existing Rights Management technologies

Windows Media® Player & licensees of Windows Media Format SDK
• Rights Management category: Digital Rights Management
• Enterprise benefits: protection of both live and on-demand streamed audio and video files (e.g. sensitive internal or external audio/video communications, on-demand training, and corporate meetings)

Microsoft Reader
• Rights Management category: Digital Rights Management
• Enterprise benefits: not an enterprise-focused solution

RM-enabled applications (users engage rights-protected content via a browser or with RM-enabled applications)
• Rights Management category: Enterprise Rights Management
• Enterprise benefits: allows for flexible and persistent policy expression and enforcement for information: material drawn from database or content management queries, e-mail messages, documents, spreadsheets, other Web content

Greater flexibility for corporate scenarios, new business opportunities
eBook
• Known reader software
• Must be activated for protected content
• Digital Asset Server (DAS)
Windows Media Series 9
• Secure Audio Path
• Live broadcast
• Commercial: Napster v2, iTunes, OD2 (MSN, Ministry of Sound)
Windows Rights Management Services
• Persistent protection
• Policy enforcement
• Template based administration
• Who can access
• And, what they can do: Cut, Copy & Paste; Print, Print Screen; Forward; Expire
Where does RMS fit technologically?
• EFS – prevents stolen laptops from having their information compromised
• ACLs – protects the integrity of files on a network share
• S/MIME – provides over-the-wire information security for e-mail
• Document Protection – strongly encrypts Office documents
• RM – stops accidental abuses of Office content
What RM is NOT!
RM is NOT a security solution. Also, users with malicious intent may circumvent RM policies.
• Restrict MP3 usage so you can't play them the way you want
• Provide unbreakable, hacker-proof security
Technology alone cannot stop the inappropriate spread of information:
• Screen capture utilities work
• Digital cameras
• Read over the phone
RM Components
• Windows Rights Management Services (RMS) - Windows Server 2003
• Updates to Windows client: RM client APIs for Windows 98SE+; RM Add-on for Internet Explorer
• Software Development Kit, for both client-based & server-based development
• RM-enabled applications: any application which has utilized the RM SDK. Office 2003 is the first set of apps to implement RM = Information RM (IRM)
RMS Architecture
• RMS is an ASP.NET Web service
• SOAP over HTTP/HTTPS
• IIS 6 only
• Stateless for most requests – all processing on front end
• Database used for configuration & logging
Requests
• Machine Activation: one-time process to create and download secure trusted root per machine
• Certification and Client Enrollment: binding a user key pair to a specific machine
• Licensing: requesting a license to use a piece of content
Deployment Prerequisites
• P3 800 / 256MB / 20GB (Rec: P4 Dual / 512MB / 40GB)
• Windows Server 2003
• Internet Information Services 6.0
• ASP.NET
• MSMQ client for logging
• MSDE or SQL Server 2000
• Active Directory (AD): Windows 2000 SP3 or later
• Test users must have accounts with mail attribute in the AD
• RM client bits installed on client test machines
• RM-enabled application
• RM server must have access to the Internet
IRM Features in Office 2003
• "Do Not Forward" e-mail: includes optional expiration
• "Do Not Distribute" documents: provides more granularity; access can be Read, Change, or Full Control; additional options include Printing and Expiration
• Specifying recipients uses e-mail addresses; support for Exchange DLs makes it easy to manage access control as group membership changes
• "Company Confidential" policies: supports "permission policies" in enterprises; admins control policies, even after content is protected
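The three request types on the RMS Architecture slide (activation, certification, licensing) and the recipient/rights model of the IRM slide, as an added example that is not Microsoft's code or the real RMS protocol: a simplified Python model in which the server signs user certificates, binds them to a machine, resolves recipients directly or through DL membership, and issues a use license carrying the Read/Change/Full Control actions and expiry. The server key, e-mail addresses and DL membership are constructed.

```python
# Added example (not Microsoft's code): a simplified model of the RMS trust chain on the slides.
import hashlib, hmac, json
SERVER_KEY = b"constructed-demo-licensor-key"   # stands in for the RMS server's key
# Access levels from the "Do Not Distribute" slide, mapped to permitted actions
RIGHTS = {"Read": {"view"}, "Change": {"view", "edit"},
          "Full Control": {"view", "edit", "print", "forward"}}
# Exchange DL membership as the server would resolve it from AD (constructed)
GROUPS = {"finance-dl@example.com": {"alice@example.com"}}

def _sign(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def certify(email, machine_id):
    """Certification: bind a user (AD mail attribute) to an activated machine."""
    return {"user": email, "machine": machine_id,
            "sig": _sign({"user": email, "machine": machine_id})}

def publish(content_id, policy, expires=None):
    """Publishing license: who can access, what they can do, optional expiry (epoch s)."""
    return {"content": content_id, "policy": policy, "expires": expires}

def _access_level(policy, email):
    if email in policy:
        return policy[email]
    for name, level in policy.items():   # a DL entry covers its current members
        if email in GROUPS.get(name, ()):
            return level
    return None

def license_request(rac, pub, machine_id, now):
    """Licensing: issue a use license, or None if the request is refused."""
    if rac.get("sig") != _sign({"user": rac["user"], "machine": rac["machine"]}):
        return None                       # certificate was not issued by this server
    if rac["machine"] != machine_id:
        return None                       # user key pair is bound to another machine
    if pub["expires"] is not None and now > pub["expires"]:
        return None                       # content has expired
    level = _access_level(pub["policy"], rac["user"])
    if level is None:
        return None                       # neither a named recipient nor a DL member
    return {"content": pub["content"], "user": rac["user"],
            "actions": RIGHTS[level], "expires": pub["expires"]}

def permitted(use_license, action, now):
    """Enforcement inside the RM-enabled application, re-checked at each use."""
    if use_license is None or (use_license["expires"] is not None and now > use_license["expires"]):
        return False
    return action in use_license["actions"]
```

Because recipients are resolved through DL membership at licensing time, removing a user from the DL (or changing the policy on the server) takes effect the next time a license is requested, which is the "admins control policies even after content is protected" property of the slide.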
Office versions
Application                                    Create Content   Consume Content
Office 2003 Professional                       Yes              Yes
Office 2003 Standard                           No               Yes
Standalone Office 2003 Applications            Yes              Yes
Office XP (all versions)                       No               No
Office 2000/97 (all versions)                  No               No
Rights Management Add-on for Internet Explorer No               Yes
Deployment Blockers
• AD deployment is #1 blocker: not all customers appear to have deployed AD yet. No AD schema extensions required.
• Office 2003 deployment is #2 blocker: Office 2003 is the only RMS-enabled authoring tool at present
• Exchange is a big bonus, but not required
• Deploying Windows Server 2003: only need one server at minimum
• Air-gapped networks can't talk to MSN: RMS SP1 and Churchill – more later
Summary
• RM extends the control users and IT have over sensitive communications
• No user can claim "they didn't know" when they are caught abusing RM-protected content
• RMS is an enterprise-class service – plan accordingly
• Think early about roaming use and collaboration needs