Rights Management Services (RMS)
Paul Cullimore, Graham Calladine
Security Solutions Team, MCS, UK
What is RM?
"RMS is a technology that works with enabled applications to help protect digital information from unauthorised use."
Relies on a system of trust: a trusted user (using a) trusted application (installed on a) trusted computer.
Defining Rights Management
Windows Media Rights Manager v1, v7, 9 Series (1997 onwards)
Digital Asset Server (2000)
Windows Rights Management Services for Windows Server 2003: expansion of client support, usage scenarios and value to the enterprise

Existing Rights Management technologies

Windows Media
  User experience: Windows Media Player and licensees of the Windows Media Format SDK
  Rights Management category: Digital Rights Management
  Enterprise benefits: protection of both live and on-demand streamed audio and video files (e.g. sensitive internal or external audio/video communications, on-demand training, and corporate meetings)

eBook
  User experience: Microsoft Reader
  Rights Management category: Digital Rights Management
  Enterprise benefits: not an enterprise-focused solution

Windows Rights Management Services
  User experience: users engage rights-protected content via a browser or with RM-enabled applications
  Rights Management category: Enterprise Rights Management
  Enterprise benefits: allows for flexible and persistent policy expression and enforcement for information: material drawn from database or content management queries, messages, documents, spreadsheets, other Web content

Greater flexibility for corporate scenarios, new business opportunities
eBook
Known reader software
Must be activated for protected content
Digital Asset Server (DAS)
Windows Media
Series 9
Secure Audio Path
Live broadcast
Commercial: Napster v2, iTunes, OD2 (MSN, Ministry of Sound)
Windows Rights Management Services
Persistent protection
Policy enforcement
Template based administration
Who can access, and what they can do:
  Cut, Copy & Paste
  Print, Print Screen
  Forward
  Expire
Where does RMS fit technologically?
EFS – prevents stolen laptops from having their information compromised
ACLs – protects the integrity of files on a network share
S/MIME – provides over-the-wire information security for
Document Protection – strongly encrypts Office documents
RM – stops accidental abuses of Office content
What RM is NOT!
RM is NOT:
  A security solution (users with malicious intent may circumvent RM policies)
  Restrict MP3 usage so you can't play them the way you want
  Provide unbreakable, hacker-proof security
Technology alone cannot stop the inappropriate spread of information:
  Screen capture utilities work
  Digital cameras
  Read over the phone
RM Components
Windows Rights Management Services (RMS) – Windows Server 2003
Updates to Windows client
  RM client APIs for Windows 98SE+
  RM Add-on for Internet Explorer
Software Development Kit
  For both client-based and server-based development
RM-enabled applications
  Any application which has utilised the RM SDK
  Office 2003 is the first set of apps to implement RM = Information RM (IRM)
RMS Architecture
RMS is an ASP.NET Web service
  SOAP over HTTP/HTTPS
  IIS 6 only
  Stateless for most requests – all processing on the front end
  Database used for configuration and logging
Requests
  Machine Activation: one-time process to create and download a secure trusted root per machine
  Certification and Client Enrollment: binding a user key pair to a specific machine
  Licensing: requesting a license to use a piece of content
Deployment Prerequisites
P3 800 / 256MB / 20GB (recommended: P4 Dual / 512MB / 40GB)
Windows Server 2003
  Internet Information Services 6.0
  ASP.NET
  MSMQ client for logging
MSDE or SQL Server 2000
Active Directory (AD): Windows 2000 SP3 or later
  Test users must have accounts with the mail attribute in the AD
RM client bits installed on client test machines
RM-enabled application
RM server must have access to the Internet
IRM Features in Office 2003
"Do Not Forward"
  Includes optional expiration
"Do Not Distribute" documents
  Provides more granularity
  Access can be Read, Change, or Full Control
  Additional options include Printing and Expiration
  Specifying recipients uses addresses
  Support for Exchange DLs makes it easy to manage access control as group membership changes
"Company Confidential" policies
  Supports "permission policies" in enterprises
  Admins control policies, even after content is protected
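The slides above describe the RMS model in outline: content stays encrypted, a server-issued use license binds rights and an optional expiry to a named user, and the RM-enabled application enforces those rights after decrypting. The following is an added illustration of that model, not Microsoft code and not the real RMS license (XrML) format. The rights names (Read, Change, Print, Forward), the HMAC-signed license, the shared SERVER_KEY and the toy SHA-256 stream cipher are simplifying assumptions; real RMS uses asymmetric signatures and encrypts the content key to the user's key pair.

```python
"""Toy model of RM-style persistent protection (added illustration, not RMS code).
Content is encrypted once; a use license carries rights + expiry for one user;
the trusted application checks the license before decrypting and then enforces
each right on every operation."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Set, Tuple

# Stand-in for the RMS server's signing key (constructed for this example).
SERVER_KEY = os.urandom(32)


class LicenseError(Exception):
    """License invalid, tampered, expired, or issued to another user."""


class RightError(Exception):
    """Operation not granted by the use license."""


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256; illustration only, not RMS's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def protect(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Author side: encrypt the content under a fresh per-document content key."""
    content_key = os.urandom(32)
    return _xor(plaintext, content_key), content_key


def issue_use_license(user: str, rights: Set[str], content_key: bytes,
                      expires_at: Optional[float] = None) -> dict:
    """Server side: bind rights and expiry for one user to the content key, then sign."""
    body = {"user": user, "rights": sorted(rights),
            "content_key": content_key.hex(), "expires_at": expires_at}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(SERVER_KEY, payload, "sha256").hexdigest()}


class ProtectedDocument:
    """What the trusted application holds after a successful license check."""

    def __init__(self, text: bytes, rights: Set[str]):
        self._text = text
        self._rights = rights

    def _require(self, right: str) -> None:
        # Enforcement lives here, in the application, not in the ciphertext.
        if right not in self._rights:
            raise RightError(f"license does not grant {right}")

    def read(self) -> bytes:
        self._require("Read")
        return self._text

    def change(self, new_text: bytes) -> None:
        self._require("Change")
        self._text = new_text

    def print_(self) -> bytes:
        self._require("Print")
        return self._text

    def forward(self) -> bytes:
        self._require("Forward")
        return self._text


def open_protected(ciphertext: bytes, license: dict, user: str,
                   now: Optional[float] = None) -> ProtectedDocument:
    """Client side: verify signature, user binding and expiry before decrypting."""
    body = license["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, license["sig"]):
        raise LicenseError("license signature invalid")  # rights or expiry edited
    if body["user"] != user:
        raise LicenseError("license issued to a different user")
    now = time.time() if now is None else now
    if body["expires_at"] is not None and now >= body["expires_at"]:
        raise LicenseError("content has expired")
    content_key = bytes.fromhex(body["content_key"])
    return ProtectedDocument(_xor(ciphertext, content_key), set(body["rights"]))
```

Two points the model makes visible: a license whose rights list has been edited fails the signature check before any decryption, so "Admins control policies, even after content is protected" holds as long as the server's key is trusted; and once `open_protected` has returned, the only thing standing between the user and the plaintext is the application's `_require` checks, which is exactly why the "What RM is NOT" slide lists screen capture, cameras and reading aloud as outside the model.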
Office versions
Application                                      Create content   Consume content
Office 2003 Professional                         Yes              Yes
Office 2003 Standard                             No               Yes
Standalone Office 2003 applications              Yes              Yes
Office XP (all versions)                         No               No
Office 2000/97 (all versions)                    No               No
Rights Management Add-on for Internet Explorer   No               Yes
Deployment Blockers
AD deployment is the #1 blocker
  Not all customers appear to have deployed AD yet
  No AD schema extensions required
Office 2003 deployment is the #2 blocker
  Office 2003 is the only RMS-enabled authoring tool at present
  Exchange is a big bonus, but not required
Deploying Windows Server 2003
  Only need one server at minimum
Air-gapped networks can't talk to MSN
  RMS SP1 and Churchill – more later
Summary
RM extends the control users and IT have over sensitive communications
No user can claim "they didn't know" when they are caught abusing RM-protected content
RMS is an enterprise-class service – plan accordingly
Think early about roaming use and collaboration needs