Transcript of: TechNet Security Summit 2004, Rights Management Services. Jimmy Andersson, Principal Advisor, Q Advice AB
TechNet Security Summit 2004 1.
Rights Management Services
Jimmy Andersson, Principal Advisor
Q Advice AB
TechNet Security Summit 2004 2.
AGENDA
• Part 1: Overview – Business Value
• Part 2: Components
• Part 3: Key Flow (if we got time)
TechNet Security Summit 2004 3.
Clarification
• DRM - Digital Rights Management
• RMS - Rights Management Services
• IRM - Information Rights Management
• RMA - Rights Management Add-on
TechNet Security Summit 2004 4.
Part 1: Overview
• Define the problem
• Windows Rights Management Services
– Overview
– Scenarios
– Demo
– Infrastructure Requirements
TechNet Security Summit 2004 5.
(Diagram: ACL, Yes / No, Perimeter, Today)
TechNet Security Summit 2004 6.
Today's Policy
• Today, most communication policies only exist on paper
• It's easy to unintentionally forward e-mails & documents
• It's easy to intentionally share/sell plans with competitors, press, Internet
TechNet Security Summit 2004 7.
Windows Rights Management Services (RMS)
Windows platform information protection technology
• Better safeguard sensitive information
– Keeps internal information internal
• Protected information can only be viewed by authorized users
– Establishes an audit trail to track usage of protected files
– Augments existing perimeter-based security technologies
• Persistent protection
– Protects your sensitive information, no matter where it goes
• Protected information is encrypted with AES 128-bit encryption
– Enforces organizational policy digitally via RMS templates
– Users can easily define how the recipient can use their information
• Sample rights include view, read-only, copy, print, save, forward, modify, and time-based
• Flexible and customizable technology
– Integrates with familiar applications and is easy to use
• Utilizes familiar e-mail names & groups (distribution lists in AD)
– Provides the flexibility to designate full control to a named group of users
– Enables custom solutions through SDKs
TechNet Security Summit 2004 8.
Components (quick overview)
• Server
– Windows Rights Management Services (RMS)
• A Windows Server 2003 information protection service
• Desktop
– Updates to Windows client
• Rights Management APIs for Windows 98SE+
• “Rights Management Add-on for Internet Explorer”
– RMS-enabled applications
• Any application which has utilized the RMS SDK
• Office 2003 is the first Enterprise app to implement RM
• Software Development Kit
– For both client-based and server-based development
TechNet Security Summit 2004 9.
Windows RMS Workflow
(Diagram: Author, Recipient, RMS Server, Database Server, Active Directory)
1. Author receives a client licensor certificate the “first time” they rights-protect information.
2. Author defines a set of usage rights and rules for their file; Application creates a “publishing license” and encrypts the file.
3. Author distributes file.
4. Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a “use license.”
5. Application renders file and enforces rights.
TechNet Security Summit 2004 10.
RMS Usage Scenarios
• Protect Sensitive Files (Word 2003, PowerPoint 2003, Excel 2003, Windows RMS)
– Control access to sensitive plans
– Set level of access: view, change, print, etc.
– Determine length of access
• Do-Not-Forward Email (Outlook 2003, Windows RMS)
– Keep executive e-mail off the Internet
– Reduce internal forwarding of confidential information
– Templates to centrally manage policies
• Safeguard Intranet Content (IE w/RMA, RMS SDK, Windows RMS)
– Safeguard financial, legal, HR content
– Set level of access: view, print, export
– View Office 2003 rights-protected info
Keep Internal Information Internal
TechNet Security Summit 2004 11.
DEMO
TechNet Security Summit 2004 12.
Scenario 1: Protecting Sensitive E-mail
Receiving rights-protected E-mail
(Demo screenshots. Reply text shown: “Thank you for the advance notice of the pending changes. I will provide you with the requested feedback by noon tomorrow.” Carol)
TechNet Security Summit 2004 26.
Protecting Sensitive Information in Word 2003
(Demo screenshots. Names shown: Research Division (All); Cynthia Randall; Adam Barr. Date shown: 12/03/2004)
Opening a Rights-Protected Document
Intranet Scenario
RMS Will NOT …
• …provide unbreakable, hacker-proof security
• …protect against analog attacks
TechNet Security Summit 2004 67.
Technology Requirements
Server
– Windows Server 2003 running RMS
• Standard, Enterprise, Web or Datacenter Editions
– Active Directory® directory service
• Windows 2000 Server or later
• Provides a well-known unique identifier for each user
– E-mail address property for each user must be populated
– Database Server
• Stores configuration data & use license requests
• Microsoft SQL Server™ or similar
– Per Proc or with SQL CALs
• MSDE (single server deployments)
Client
– Windows desktop with RMS client software
– An RMS-enabled application
• Required for creating or viewing rights-protected content.
• Microsoft Office 2003 includes RMS-enabled applications – Word, Excel, PowerPoint, Outlook
– Office 2003 Professional is required for creating or viewing rights-protected content
– Office 2003 Standard allows users to view, but not create, rights-protected Office content.
• Internet Explorer with the Rights Management Add-on (RMA) allows users to view rights-protected content
TechNet Security Summit 2004 68.
Part 1: Summary
• RMS enables customers to keep internal information internal
• Key benefits:
– Safeguards sensitive internal information
– Augments existing perimeter security technologies
– Digitally enforces organization policies
– Persistently protects information
– Easy to use
• RMS availability: www.microsoft.com/rms
TechNet Security Summit 2004 69.
Part 2: RMS Components
TechNet Security Summit 2004 70.
Components of RMS
• RMS Client Lockbox
• RMS Client APIs
• RMS Certificates & Licenses
• RMS-Enabled Applications
• RMS Server
• MSN RMS Services
• Rights-Protected Information
• Supporting Technologies for RMS
• How Does RMS Client Validate Your Access?
TechNet Security Summit 2004 71.
RMS Client Lockbox
• Lockbox is a unique, per-machine, Microsoft-generated DLL (by servers at MSN)
• Lockbox contains the private key for the machine, bound to the HWID for that machine
• HWID is based on computer parameters such as:
– Disk geometry, network card address, processor type
• Lockbox (secrep.dll) performs critical RMS functions on the client:
– Validate machine against HWID
– Validate applications (manifest check)
– Authenticate & validate users
– Encryption/decryption (has own DES & AES128 implementations)
TechNet Security Summit 2004 72.
RMS Client Components & APIs
• Client Components & their APIs are the glue between RMS-enabled applications and the lockbox
– Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll
• All RMS-enabled applications perform their work through these APIs, and any application can program to these APIs (Client SDK), e.g.:
– Requesting machine activation
– Finding RMS services
– Requesting, parsing licenses & certificates
– Managing licenses (enumerate, store)
– Creating offline publishing licenses
• Client components call the lockbox to perform the security operations
TechNet Security Summit 2004 73.
Certificates and Licenses
• Machine Certificate – Identifies a trusted PC and contains the unique public key for that machine (one for each PC)
• RM Account Certificate (RAC) – Names a trusted user identity (e-mail address) and contains the public-private key pair for that user (one per user on a PC); the private key is encrypted with the machine’s public key.
• Client Licensor Certificate (CLC) – Names a trusted user that is authorized to publish RMS-protected information without requiring connectivity to an RMS server. Allows the user to sign Publishing Licenses and owner Use Licenses via the Lockbox (one per user on a PC).
• Publishing License – Issued by either an RMS server or by a CLC through the lockbox, it defines the policy (names principals, rights & conditions) for acquiring a Use License for rights-protected information, and contains the symmetric key that encrypted the rights-protected information, itself encrypted to the public key of the RMS server that will issue Use Licenses.
• Use License – Issued only by an RMS server, it grants an authorized principal (user with a valid RAC) rights to consume rights-protected information based on the policy established in the Publishing License.
• Revocation Lists – Name principals (mainly public keys) that are no longer trusted by the RMS system. Use Licenses can require a fresh revocation list to be present before any RMS-enabled application can decrypt the information.
(Diagram: Machine Certificate, Lockbox DLL, RM Account Certificate, Client Licensor Certificate, RMS Licensor Certificate (or CLC), RM Publishing License, RM Use License, Revocation List, “Revoke RAC key”)
TechNet Security Summit 2004 74.
RMS-Enabled Applications
• RMS-enabled applications may implement RMS features such as pre-licensing, content access, certificate requests
• Applications can be based on the Server SDK (e.g. sample “RMS-enabled SPS server” from Server SDK)
• Applications can be based on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA)
• Applications need to have all RMS-enabled libraries and executables listed in the application manifest, which is signed with an RMS code-signing private key
• The signature is included in a manifest (XML file) for the application
– The manifest is a signed XML file containing hashes of all listed files
– The manifest should include all files that call RMS Client APIs
• RMS Client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information
TechNet Security Summit 2004 75.
RMS Server Architecture
• RMS server is an ASP.NET Web service
– Protocol is SOAP over HTTP/HTTPS
– Internet Information Server (IIS) 6 only
– Single request/response transaction model
– Stateless for most requests – all processing on front end
– Relational database such as SQL Server (or MSDE) used for configuration & logging
• Requests
– Client Machine Activation: one-time process to create and download the lockbox, per machine
– Certification and Client Enrollment: binding a user key pair to a specific machine; one time per user per machine
– Licensing: requesting a license to use a piece of content (“Use License”); one time per content per user
• XrML-based input/output
• Pluggable Crypto Provider
TechNet Security Summit 2004 76.
RMS Server components
• RMS Server is an ASP.NET application
– Uses AD for authenticating users, determining e-mail addresses for users, confirming membership of users in groups
– Uses MSMQ to forward logging entries to SQL Server
– Uses SQL Server to store RMS configuration, AD group expansion cache, and all logged client activities
– Uses IIS (Windows Integrated authentication) to authenticate all users
TechNet Security Summit 2004 77.
MSN RMS Services
• MSN hosts necessary services to support Windows RMS
– Server enrollment & Machine activation service
• MSN also hosts the “trial” Passport certification service (for Office 2003 users)
– Certification service
– License service
• The trial service gives people a chance to try Rights Management Services features without deploying an Enterprise RMS
TechNet Security Summit 2004 78.
Rights-Protected Information
(Diagram of a rights-protected file)
• Publishing License – created when the file is protected
– Rights info with e-mail addresses
– Content Key (a big random number), encrypted with the server’s public key
• The content of the file (text, pictures, metadata, etc.) – encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key
• End User Licenses – only added to the file after the server licenses a user to open it
– Rights for a particular user
– Content Key, encrypted with the user’s public key
• E-mail ULs are stored in the local RMS license cache, not in the e-mails directly
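As an added example, not code from the deck or from Microsoft's RMS implementation, the following Go program models the key flow of slides 9 and 78 end to end: a random 128-bit content key encrypts the file, the Publishing License carries that key wrapped to the server's public key, the server checks the requesting user against the rights table and rewraps the key to the user's public key in a Use License, and the application releases the content only for a right the Use License grants. The license structures, the e-mail addresses and right names, RSA-OAEP key wrapping and AES-GCM are all constructed assumptions; real RMS uses XrML licenses and its own crypto provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"slices"
)

// Constructed in-memory model of the two license types on slide 78 (RMS itself uses XrML).
type PublishingLicense struct {
	Rights     map[string][]string // e-mail address -> rights granted (e.g. VIEW, PRINT)
	WrappedKey []byte              // content key, encrypted to the RMS server's public key
}
type UseLicense struct {
	Rights     []string // what this one user may do with the content
	WrappedKey []byte   // content key, encrypted to this user's public key
}

// RSA-OAEP for key wrapping and AES-GCM for the content are assumptions; the deck
// only says "encrypted with the server's/user's public key" and "AES 128 bit".
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish (slide 9, step 2): a fresh 128-bit content key encrypts the file; the key
// leaves the author's machine only wrapped to the RMS server. Output is nonce||ciphertext.
func Publish(plain []byte, rights map[string][]string, server *rsa.PublicKey) ([]byte, *PublishingLicense, error) {
	buf := make([]byte, 16+12) // AES-128 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:16], buf[16:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), &PublishingLicense{rights, wrapped}, nil
}

// IssueUseLicense (step 4): only the server can unwrap the content key, so only the
// server decides, against the policy in the Publishing License, who receives it.
func IssueUseLicense(pl *PublishingLicense, server *rsa.PrivateKey, user string, userPub *rsa.PublicKey) (*UseLicense, error) {
	rights, ok := pl.Rights[user]
	if !ok {
		return nil, fmt.Errorf("use license denied: %s is not named in the publishing license", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, pl.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &UseLicense{rights, wrapped}, nil
}

// Consume (step 5): the application asks for one specific right; the content is
// decrypted only if the Use License grants it, and only with this user's private key.
func Consume(file []byte, ul *UseLicense, userPriv *rsa.PrivateKey, right string) ([]byte, error) {
	if !slices.Contains(ul.Rights, right) {
		return nil, fmt.Errorf("use license does not grant %s", right)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, ul.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(file) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open protected file: bad key or truncated file")
	}
	nonce, ct := file[:gcm.NonceSize()], file[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // also fails if the file was altered
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample: the author grants VIEW only, to one recipient.
	file, pl, _ := Publish([]byte("Q3 plan (constructed sample)"), map[string][]string{"bob@example.invalid": {"VIEW"}}, &server.PublicKey)
	ul, _ := IssueUseLicense(pl, server, "bob@example.invalid", &bob.PublicKey)
	text, err := Consume(file, ul, bob, "VIEW")
	fmt.Printf("VIEW: %q (err=%v)\n", text, err)
	_, err = Consume(file, ul, bob, "PRINT")
	fmt.Println("PRINT:", err)
}
```

Run it with `go run`. Besides the happy path, the model shows the failure modes a defender cares about: a user not named in the Publishing License never receives a Use License, because the server is the only holder of the key that unwraps the content key; a request for a right the Use License does not grant (PRINT when only VIEW was given) is refused before any decryption happens; a Use License is useless to anyone but the holder of the matching private key; and, because the content is AEAD-protected, a file altered after publishing fails to open.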
TechNet Security Summit 2004 79.
Technologies Supporting Windows RMS
• AD & LDAP
– Store user accounts, DLs, provide directory of e-mail addresses, SCP location
• .NET Framework & ASP.NET
– Application environment for all critical RMS server application code
• MSMQ & DB
– Stores RMS configuration information, user key pairs, activity logs, cache of AD groups for expansion
• XrML
– Standard* in which all the licenses and certificates are structured
• SOAP
– Protocol standard for all message exchanges between client and server, server and MSN, and client and MSN
• UDDI
– Directory for finding the MSN RMS services
TechNet Security Summit 2004 80.
How Does RMS Client Determine You’re Allowed to Access Content?
• Validate the RAC and UL are “trusted”
– File hasn’t been altered since signing (encrypted hash matches current hash)
– Digital signature on RAC/UL – validate the signing key matches the signature (RSA)
– Check that signature chains to MSN root server
– Lockbox knows which hierarchy (production, test) it’s a member of, and knows the public key for the hierarchy
• Validate RMS-enabled application
– Extract manifest for app (signed list of all DLLs and their hashes)
– Check hash of all files in the manifest = hash listed in manifest
• Validate the user’s rights – each app has to request specific rights to open a doc; RMS Client ensures the user has those rights before granting access
• If it’s a Permanent Windows RAC, it also validates the logged-on user’s SID against the SID in the RAC
• You can’t use a RAC or server private key to sign an app – RMS Client checks that the signing key was issued by the right kind of server (i.e. issued by an RMS App-signing CA)
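As an added example, not code from the deck or from the RMS SDK, this Go program models the application manifest check described on slides 74 and 80: at build time every file that calls the RMS client APIs is hashed and the listing is signed; at run time the client first checks that the signing key was issued by the application-signing CA (a RAC or server key is rejected), verifies the signature over the listing, and then compares each file on disk with its listed hash, refusing to unlock content on any mismatch. The signer-kind labels, file names and file contents are constructed; RSA-PSS over SHA-256 and the sorted `name=hash` serialisation are assumptions, since the real manifest is a signed XML file.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Signer is the key that signed a manifest plus the kind of CA that issued it.
// The kind labels are constructed; the deck only says the client checks that the
// signing key came from an RMS app-signing CA, not from a RAC or a server key.
type Signer struct {
	IssuedBy string // "app-signing-ca", "rac" or "server" (constructed labels)
	Pub      *rsa.PublicKey
}

// Manifest is the signed list of every file that calls the RMS client APIs, with a
// hash for each (slide 74). RSA-PSS over SHA-256 is an assumption.
type Manifest struct {
	Hashes    map[string][]byte // file name -> SHA-256 of its contents
	Signature []byte
	Signer    Signer
}

// canonical serialises the listing in sorted order so the signature is stable.
func canonical(hashes map[string][]byte) []byte {
	names := make([]string, 0, len(hashes))
	for n := range hashes {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&buf, "%s=%x\n", n, hashes[n])
	}
	return buf.Bytes()
}

// BuildManifest runs at build time: hash each shipped file and sign the listing.
func BuildManifest(files map[string][]byte, key *rsa.PrivateKey, issuedBy string) (*Manifest, error) {
	hashes := make(map[string][]byte, len(files))
	for name, content := range files {
		h := sha256.Sum256(content)
		hashes[name] = h[:]
	}
	digest := sha256.Sum256(canonical(hashes))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Manifest{Hashes: hashes, Signature: sig, Signer: Signer{issuedBy, &key.PublicKey}}, nil
}

// ValidateManifest is the client-side check from slide 80, in the order the deck
// gives it: right kind of signer, valid signature, then every listed file's hash.
// Any failure means the client refuses to unlock rights-protected content.
func ValidateManifest(m *Manifest, onDisk map[string][]byte) error {
	if m.Signer.IssuedBy != "app-signing-ca" {
		return fmt.Errorf("manifest signed with a key issued by %q, not an RMS app-signing CA", m.Signer.IssuedBy)
	}
	digest := sha256.Sum256(canonical(m.Hashes))
	if err := rsa.VerifyPSS(m.Signer.Pub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return fmt.Errorf("manifest signature invalid: %w", err)
	}
	for name, want := range m.Hashes {
		content, ok := onDisk[name]
		if !ok {
			return fmt.Errorf("%s is listed in the manifest but not present", name)
		}
		got := sha256.Sum256(content)
		if !bytes.Equal(got[:], want) {
			return fmt.Errorf("%s does not match its manifest hash", name)
		}
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample application: two modules that call the RMS client APIs.
	shipped := map[string][]byte{"viewer.exe": []byte("viewer v1"), "render.dll": []byte("render v1")}
	m, _ := BuildManifest(shipped, key, "app-signing-ca")
	fmt.Println("pristine install:", ValidateManifest(m, shipped))
	modified := map[string][]byte{"viewer.exe": []byte("viewer v1"), "render.dll": []byte("render v1 + hook")}
	fmt.Println("modified DLL:", ValidateManifest(m, modified))
	m.Hashes["render.dll"] = m.Hashes["viewer.exe"] // editing the listing breaks the signature
	fmt.Println("edited manifest:", ValidateManifest(m, modified))
}
```

The order of the checks matters: the signer-kind check runs before the signature is verified, so a manifest signed with a perfectly valid RAC or server key is rejected without ever being trusted, and the hashes are compared only once the listing itself is known to be authentic, so an edited listing cannot launder a modified file.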
TechNet Security Summit 2004 81.
Summary & More Information
http://www.microsoft.com/[email protected]
TechNet Security Summit 2004 82.
Q&A