主講人： 精誠公司恆逸教育訓練中心 資深講師：張書源 運用版權管理服務實現文件控管稽核 主講人： 精誠公司恆逸教育訓練中心 資深講師：張書源

大 綱 版權管理服務架構 版權管理服務的設定與部署 如何利用版權管理服務保護文件安全性

Legal & Regulatory Compliance Information Loss is Costly Information loss – whether via theft or accidental leakage – is costly on several levels Financial The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004 Loss of revenue, market capitalization, and competitive advantage Legal & Regulatory Compliance Increasing regulation: SOX, HIPAA, GLBA Bringing a company into compliance can be complex and expensive Non-compliance can lead to significant legal fees, fines and/or settlements Image & Credibility Leaked executive e-mails can be embarrassing Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility

Information leakage is top-of-mind with Business Decision Makers Virus infection 20% 22% 35% 36% 63% Unintended forwarding of e-mails Loss of mobile devices Password compromise E-mail piracy Loss of digital assets, restored 0% 10% 20% 30% 40% 50% 60% 70% “After virus infections, businesses report unintended forwarding of e-mails and loss of mobile devices more frequently than they do any other security breach” Jupiter Research Report, 2004

Traditional solutions protect initial access… Authorized Users Yes Information Leakage No Access Control List Perimeter Unauthorized Users Unauthorized Users Trusted Network …but not ongoing usage

Today’s policy expression… …lacks enforcement tools

How does RMS address this? Augments Existing Technologies to Provide Persistent Protection Encrypts sensitive content Protects inside and outside the trusted network Protects during and after delivery Enforces Organizational Policies Allows organizations to establish and apply centrally-managed policies Allows organizations to track the information’s lifecycle Supports smartcard authentication Provides a platform for value-added solutions Supports development of rich, third-party solutions on top of RMS via the RMS Software Development Kit (SDK) Provides flexibility to integrate with an enterprise’s existing internal applications

Common Usage Scenarios Client-side Scenarios Do-not-forward e-mail Persistent document protection Mixed-version Office environments Server-side Scenarios Regulatory compliance & IP protection Secure business process automation Central control of information protection Platform and Management Scenarios Centrally define and manage permission templates Log and audit who has accessed rights-protected information Extend RMS platform to apply and enforce rights protection on HTML content via the Rights Management Add-on for IE (RMA)

Client Usage Scenarios Requires RMS + Do-Not-Forward E-mail Reduce internal/external forwarding of confidential information Keep sensitive e-mail where it belongs Outlook 2003 Protect Sensitive Files Control access to sensitive content Set granular permissions per user Determine length of access Word 2003 Excel 2003 PowerPoint 2003 Communicate in a Mixed Version Environment Users without Office 2003 can view rights-protected files via Internet Explorer Does not provide authoring capability Rights Management Add-on for IE (RMA)

Case Study: Swisscom Situation Solution Benefit Sensitive executive e-mails and internal confidential documents needed to be protected for competitive reasons “The integration of RMS with Office 2003, combined with the product’s ease of deployment and management, makes it easy for virtually all of Swisscom’s employees to keep their critical documents and information safe – without having to learn a cumbersome set of new technologies.” Heinz Schär Member of Management Swisscom IT Services AG Solution Tested RMS/IRM for six months, then conducted pilot evaluation Positive end-user feedback drove a full rollout of Office 2003 plus RMS to 19,000 desktops Benefit Improved confidentiality Great end-user adoption due to intuitive integration in Office 2003 Strong platform for extended information protection solutions

Server Usage Scenarios Enable Regulatory Compliance & IP Protection Extends protection to managed content stored by document and records management solutions Enables archival of RMS-protected e-mails Protected content can be securely indexed and searched Secure Business Process Automation Enables workflow engines to extend information protection to business process automation Applies rights protection in a centralized way Control Information Protection Centrally Enables content inspection gateways to inspect RMS-protected content and apply RMS-protection centrally Enables ISVs to develop server-based solutions

Windows RMS Workflow Author receives an identity certificate the first time they rights-protect information SQL Server Active Directory Author defines a set of usage rights and rules for their file; Application creates a “publishing license” and encrypts the file RMS Server Author distributes file 1 4 Recipient clicks file to open, the application calls to the RMS server which validates the user and issues a “use license” 2 5 3 Application renders file and enforces rights Information Author The Recipient

How does RMS work? App App RMS Client RMS Client OS OS

OS RMS Client App

App App RMS Client RMS Client OS User tries to publish or consume content User tries to publish or consume content RMS Client RMS Client OS Application calls into RMS Client to create a new session

App RMS Client OS User tries to publish or consume content Application calls into RMS Client to create a new session RMS Client starts bootstrapping process… Machine Activation

App RMS Client OS Machine Activation RMS Client generates 1024-bit RSA key pair RMS Client OS Private key secured by CAPI Public key stored in security processor certificate (SPC) SPC signed by client

App RMS Client OS Machine Activation RMS Client generates 1024-bit RSA key pair RMS Client OS Private key secured by CAPI Public key stored in security processor certificate (SPC) SPC signed by client

App RMS Client OS Machine Activation RMS Client generates 1024-bit RSA key pair RMS Client OS Private key secured by CAPI Public key stored in security processor certificate (SPC) SPC signed by client New for SP1: The RMS Client is activated without contacting a server or requiring admin privileges. The user’s identity must be established on the machine by account certification. SPC

Account Certification RMS Account Certification SPC

Account Certification RMS DOMAIN\username SID username@domain.com Account Certification RMS Client contacts RMS Server with a certification request, sending SPC SID DOMAIN\username SID User is authenticated SPC Server validates SPC E-mail address is retrieved from AD User’s 1024-bit RSA key pair is generated and stored in database SPC

Account Certification RMS DOMAIN\username SID username@domain.com Account Certification RMS Client contacts RMS Server with a certification request, sending SPC User is authenticated SPC Server validates SPC E-mail address is retrieved from AD User’s 1024-bit RSA key pair is generated and stored in database User’s private key is encrypted with machine public key SPC

Account Certification RMS DOMAIN\username SID username@domain.com Account Certification User’s private key is encrypted with machine public key RAC is created and user’s e-mail address and public key are added RAC Server signs RAC SPC

Account Certification RMS Account Certification User’s private key is encrypted with machine public key RAC is created and user’s e-mail address and public key are added RAC Server signs RAC RAC is returned to client The user now has a RAC that can be used for consumption. In order to publish, the user needs a Client Licensor Certificate (CLC). SPC

RMS Client contacts RMS Server for client enrollment, sending RAC RMS Server validates RAC RAC Server generates CLC 1024-bit RSA key pair CLC private key is encrypted with RAC public key SPC RAC

RMS Client contacts RMS Server for client enrollment, sending RAC RMS Server validates RAC RAC CLC Server generates CLC 1024-bit RSA key pair CLC private key is encrypted with RAC public key CLC is generated, granting the user the right to publish Server information, such as URL and server public key, is also added to CLC SPC RAC

CLC is returned to client RMS Client Enrollment Server information, such as URL and server public key, is also added to CLC Server signs CLC CLC is returned to client CLC CLC The client is now ready for both publishing and consumption of protected content. SPC RAC

App App RMS Client RMS Client OS Publishing User creates content using RMS-enabled application User specifies recipients, rights, and conditions to publish content, or chooses a template Application calls into RMS Client for publishing App App RMS Client RMS Client group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Publishing Application calls into RMS Client for publishing RMS Client generates 128-bit AES content key Client encrypts content Client creates publishing license (PL) App PL RMS Client group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Publishing Client creates publishing license (PL) Rights data and content key are encrypted by server public key from CLC Server URL is added to PL CLC signs PL App PL RMS Client group@example.com read, print expires 30 days group@example.com read, print expires 30 days OS SPC RAC CLC

App RMS Client RMS Client OS Publishing CLC signs PL The client returns the PL to the application The application can now package the PL with the content The content can now be sent to its recipients App PL group@example.com read, print expires 30 days RMS Client RMS Client PL group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Publishing The content can now be sent to its recipients Publisher sends protected content to recipient using any mechanism Assume recipient has already been bootstrapped The recipient needs a use license in order to access the content App RMS Client PL group@example.com read, print expires 30 days OS CLC SPC RAC CLC SPC RAC

App App RMS Client RMS Client OS Licensing Recipient opens document in RMS-enabled application Application calls RMS Client to retrieve a use license. PL RAC group@example.com expires 30 days read, print group@example.com expires 30 days read, print RMS Client sends PL and RAC to RMS Server Server validates RAC and PL Data from PL is decrypted App App RMS Client RMS Client PL group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Licensing Data from PL is decrypted If content was published to a group, server checks group membership in the AD group@example.com read, print expires 30 days user@example.com read, print expires 30 days UL RAC user@example.com expires 30 days read, print group@example.com expires 30 days read, print If identity in RAC matches PL or group membership, server begins constructing use license (UL) Rights are granted to user App RMS Client PL group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Licensing Rights are granted to user Content key encrypted by RAC public key UL user@example.com expires 30 days read, print RAC Encrypted key added to UL UL signed by server UL returned to client App RMS Client PL group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS Licensing Rights are granted to user Content key encrypted by RAC public key Encrypted key added to UL UL signed by server UL returned to client Recipient can now bind the license and open the content App RMS Client UL user@example.com expires 30 days read, print PL group@example.com read, print expires 30 days OS CLC SPC RAC

App RMS Client OS App RMS Client OS Accessing Content SPC RAC UL UL PL user@example.com read, print expires 30 days App RMS Client OS App RMS Client UL user@example.com expires 30 days read, print PL group@example.com read, print expires 30 days OS SPC RAC CLC

App App RMS Client RMS Client OS Accessing Content Application calls RMS Client to bind license and decrypt content RMS Client uses security processor to decrypt RAC private key RAC private key decrypts content key SPC RAC UL App App RMS Client RMS Client user@example.com read, print expires 30 days OS

App RMS Client RMS Client OS Accessing Content RAC private key decrypts content key RMS Client decrypts content Application renders content and enforces rights App SPC RAC UL RMS Client RMS Client user@example.com read, print expires 30 days OS

RMS Solution Components Server Client RMS Server Runs on Windows Server 2003 (Standard, Enterprise, Web or Datacenter Editions) Provides certification and licensing Active Directory® directory service Windows Server 2000 or later Provides a well-known unique identifier for each user E-mail address property for each user must be populated Database Server Microsoft SQL Server™ (recommended) or MSDE Stores configuration, user keys, and logging data RMS Client software An RMS-enabled application Required for creating or viewing rights-protected content Microsoft Office 2003 Editions includes RMS-enabled applications – Word, Excel, PowerPoint, Outlook Office Professional 2003 is required for creating or viewing rights-protected content Other Office 2003 Editions allows users to view – but not create – rights-protected content. Rights Management Add-on (RMA) for Internet Explorer 6.0 Allows users to view rights-protected content in IE Enables down-level viewing support for content protected by Office 2003

RMS Server RMS server is an ASP.NET Web service Requests Protocol is SOAP over HTTP/HTTPS Internet Information Server (IIS) 6 only Single request/response transaction model Stateless for most requests – all processing on front end DB such as SQL (or MSDE) used for configuration & logging Requests Machine Activation: One time process to create and download secure trusted root per machine Certification and Client Enrollment: Binding a user key pair to a specific machine. One time per user per machine Licensing: requesting a license to use a piece of content (“Use License”); One time per content per user XrML-based input/output Pluggable Crypto Provider

RMS Server RMS Server is an ASP.NET application Uses AD for authenticating users, determining email addresses for users, confirming membership of users in groups Uses MSMQ to forward logging entries to SQL Server Uses SQL Server to store RMS configuration, AD group expansion cache, and all logged client activities Uses IIS (Windows Integrated authentication) to authenticate all users

Technologies Supporting Windows RMS AD & LDAP Store user accounts, DLs, provide directory of email addresses, SCP location .NET Framework & ASP.NET Application environment for all critical RMS server application code MSMQ & SQL Stores RMS configuration information, user keypairs, activity logs, cache of AD groups for expansion XrML standard* in which all the licenses, certificates are structured SOAP Protocol standard for all message exchanges between client and server, server and MSN, and client and MSN UDDI Directory for finding the MSN RMS services The XrML standard has not been ratified by Oasis, but has been approved by MPEG-21 and the Open eBook forum (OeBF). Oasis is expected to issue a decision about XrML v2 as a standard in 2004. XrML is licensed by ContentGuard, the licensing subsidiary of Xerox’s Palo Also Research Center (PARC) where it was developed. Microsoft RMS complies with XrML v1.2.

RMS-Enabled Applications RMS-enabled applications may implement RMS features such as pre-licensing, content access, certificate requests Applications can be based on the Server SDK (e.g. sample “RMS-enabled SPS server” from Server SDK) Applications can be based on the Client SDK (e.g. Office Word 2003, Office Outlook 2003, RMA) Applications need to have all RMS-enabled libraries and executables signed with an RMS code-signing private key The signature is included in a manifest (XML file) for the application The manifest is a signed XML file containing hashes of all listed files The manifest should include all files that call RMS Client APIs RMS Client APIs validate the hashes in the manifest against all listed files before unlocking rights-protected information RMA = Rights Management Add-on for Internet Explorer.

RMS Client Components & APIs Client Components & their APIs are the glue between RMS-enabled applications and the lockbox Msdrm.dll, Msdrmhid.dll, Msdrmctrl.dll All RMS-enabled applications perform their work through these APIs, and any applications can program to these APIs (Client SDK), e.g.: Requesting machine activation Finding RMS services Requesting, parsing licenses & certificates Managing licenses (enumerate, store) Creating offline publishing licenses Client components call the lockbox to perform the security operations Client components & APIs are same thing – lockbox does security ops

Scaling an RMS Deployment AD Scaling an RMS Deployment SQL Firewall RMS Balancer SSL

RMS at Microsoft FY05 Deployment Statistics 79,000 unique users 23,000 unique users per week 71,000 content licenses issued per week 10 RMS-related helpdesk calls per week Overall helpdesk volume is 11,000 calls per week 20% escalated to Tier 2 client support Median time to certify <1 second Over 1,000,000 use licenses served

RMS does not protect against analog attacks…

RMS Product Roadmap Today FY06 FY07 RMS Version Key Scenarios RMSv1 with SP1 RMSv1 with SP1 RMS for Windows Mobile RMSv2 (Longhorn) Key Scenarios Enterprise information policy expression and enforcement Intra-company content exchange Integration with server-based, centrally managed solutions Access protected content on Windows Mobile devices Broader external collaboration scenarios Increased security while maintaining ease of use Improved deployment and management Platform Enhancements Active Directory integration FIPS compliance Smartcard support Windows Mobile support Modified trust infrastructure Expanded authentication support RMS-enabled Microsoft Apps Office 2003: Outlook, Word, PowerPoint, Excel Pocket Inbox Additional client and server applications

Authoring Rights-Protected Information with RMS and Word 2003

Creating a Do-Not-Forward e-mail with RMS and Outlook 2003

Consuming Rights-Protected Information with RMS and Outlook 2003 and Excel 2003

Resources RMS Website: http://www.microsoft.com/rms RMS Blog: http://blogs.msdn.com/rms RMS TechNet Virtual Lab: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx Microsoft Security: http://www.microsoft.com/security Microsoft IT’s RMS deployment: http://www.microsoft.com/technet/itsolutions/msit/infowork/deprmswp.mspx RMS SDK on MSDN: http://msdn.microsoft.com/library/en-us/dnanchor/html/rm_sdks_overview.asp

Questions ?